Requests for Access to Medical Records

July 24, 2019

Records requests are a constant concern for many health care providers.  This memo addresses a few of the more frequent questions we receive relating to the costs that facilities can charge in response to an individuals’ access request.

What is an Access Request? 

There are two overarching types of requests that can be made in regard to an individual’s medical records: access requests and third-party disclosure requests. Access requests include those requests made by the individual or his/her personal representative (1) for information to be provided to the individual, and (2) for information to be sent to a designated personal representative. Third-party requests are those where a third party, such as an attorney, obtains permission from the patient (via a HIPAA authorization) and then makes a request for the patient’s medical records. The guidance below applies ONLY to access requests. 

What fees does HIPAA allow?

HIPAA regulations state that covered entities are permitted to charge a “reasonable, cost-based fee” in fulfilling access requests. Under 45 CFR § 164.524(c)(4), a covered entity may only charge for:

  1. Labor for copying (whether in paper or electronic form);
  2. Supplies for creating the paper copy (or electronic media if the individual requests that the electronic copy be on portable media);
  3. Postage (when the individual has requested that the information be mailed); and
  4. Preparing an explanation or summary of the protected health information, if agreed to by the individual.

In recent years, the Office of Civil Rights (OCR) has published additional guidance on what constitutes a reasonable, cost-based fee. One key item from this guidance is that costs related to “labor for copying” include only the time spent actually photocopying or scanning paper records and/or transferring electronic records to portable media, email or app. In other words, copying does not include the time it takes for the staff member to review the request for access or to search for or retrieve the information (and therefore the covered entity cannot charge for such time/costs). Further, OCR has stated that a covered entity cannot charge an individual a fee when it fulfills the access request using the view, download, and transmit functions of the covered entity’s Certified Electronic Health Records Technology (CEHRT), as there are no permissible costs associated with this process. 

OCR has also taken a strong position on the use of so-called “per-page fees” declaring that, although potentially acceptable where the records are maintained only in paper form, using per page fees as the basis of covered entity’s costs is not permitted when the records are maintained electronically. OCR provided some background to its position by stating per-page fees have “resulted in fees being charged . . . that do not appropriately reflect the permitted labor costs associated with generating copies from information maintained in electronic form. Therefore, OCR does not consider per page fees for copies of PHI maintained electronically to be reasonable . . . .”

What fees are permitted under New York’s Public Health Law?

State laws regarding access to medical records are typically subject to (or preempted by) HIPAA. Accordingly, New York’s laws and regulations allowing for health care providers to impose fees on access requests are only permitted to the extent that they do not contradict HIPAA.

New York’s Public Health Law allows for a health care provider to “impose a reasonable charge for all inspections and copies, not exceeding the costs incurred by such provider” and that “the reasonable charge for paper copies shall not exceed seventy five cents per page.” Although the language of the statute does not contradict the HIPAA rules, some health care providers have interpreted this language in a way the leads to a violation of both the state law and the HIPAA rules. Specifically, providers mistakenly believe that the Public Health Law enables them to charge 75 cents per page regardless of how the information is maintained and regardless of how the information is provided. This is not the case; costs must be reasonable as defined under both state and federal laws.

Conclusion

Please know that OCR will take action against covered entities that it finds do not meet the cost restrictions set forth by the HIPAA rules, and that other federal and state agencies may impose similar requirements. 

If you have questions about whether your practices are compliant with these standards, please contact any of the attorneys in our Health Care Practice, or the attorney in the firm with whom you are regularly in contact.