With the OCR-issued FAQs on patients' HIPAA right to access PHI now out for over a year, I know many of you are feeling more confident than ever about how to handle these pesky third-party requesters who demand records under the HITECH Act. Or perhaps you are just as challenged as the rest of us? The FAQs clarified that individuals (patients, according to the HIPAA definition) have a right to access their PHI, or to request that it be provided to a third party, at a cost-based fee for the labor and supplies associated with producing the copy, whether on paper or in electronic format. For some reason, though, third-party requesters still insist that this provision applies to them.
We must really dissect the FAQs and educate ourselves to better handle these requesters and explain the difference between a patient request “directing” us to release their records and a third party representing the patient with a signed patient authorization. A patient directive is different from an authorization and has been discussed since 2003, when HIPAA went into effect; however, its relevance has become more important now that attorneys can use it to save costs in gaining access to PHI.
The road of patient right of access for HIM professionals continues to get rockier when we must calculate our costs associated with producing PHI as defined in 45 CFR 164.524(c)(4). Many of us face the challenges of decentralized ROI in a hybrid environment. One must consider the cost to produce copies of the paper record separately from the cost to produce the electronic record and charge accordingly. Those fees can be charged simultaneously on an invoice when a record maintained in paper is produced on a CD along with electronic EHR images, along with a fee for the CD, the CD mailer and the appropriate postage to mail the CD. This fee is charged to the patient. Attorneys demanding HITECH can be issued such fees only if a patient directive signed by the patient is provided with their request. Many attorneys will dispute this charge, and in those circumstances a letter needs to be issued to the attorney explaining the cost and how they are not subject to such fees without a patient directive.
I encourage HIM professionals struggling with the fees to reference the OCR guidance at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee
The question below clarifies the difference between a patient exercising the Patient Right of Access provision and the use of an authorization, and the fees that apply to each.
Why depend on the individual’s right of access to facilitate the disclosure of PHI to a third party – why not just have the individual execute a HIPAA authorization to enable the covered entity to make this disclosure?
The PHI that an individual wants to have disclosed to a third party under the HIPAA right of access also could be disclosed by a covered entity pursuant to a valid HIPAA authorization. However, there are differences between the two methods – the primary difference being that one is a required disclosure and one is a permitted disclosure — that may make the right of access a more favorable choice for most disclosures the individual is initiating on her own behalf. These differences are illustrated in the following table:
| HIPAA Authorization | Right of Access |
|---|---|
| Permits, but does not require, a covered entity to disclose PHI | Requires a covered entity to disclose PHI, except where an exception applies |
| Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization. | Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI |
| No timeliness requirement for disclosing the PHI | Covered entity must act on request no later than 30 days after the request is received |
| Reasonable safeguards apply (e.g., PHI must be sent securely) | Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium |
| No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration | Fees limited as provided in 45 CFR 164.524(c)(4) |
This table clearly defines the fee limits that apply to an authorization and to a patient directive exercised under 45 CFR 164.524(c)(4). This clarification arms HIM professionals, covered entities and business associates with the guidance they need to properly apply the fees associated with providing patients and third parties access to medical records in accordance with HIPAA and the HITECH Rule.
Amy Derlink, RHIA, CHA
MRA Vice President of Disclosure Management