The guidance includes several FAQs about permissible fees that may be charged for providing copies (electronic or paper) of PHI and methods of transmitting PHI to a requesting individual—FAQs which may prove useful to covered entities and business associates whose policies and procedures on such subjects are outdated.
While the guidance notes that providing copies of PHI free of charge is encouraged, it outlines three fee structures that are permitted under HIPAA, each of which must reflect a reasonable, cost-based fee:
(i) Actual costs: This fee structure allows the covered entity to charge its actual labor costs for fulfilling a request for access, but those costs may not include labor for retrieving and examining records to determine the subset of PHI that is responsive to the request.
(ii) Average costs: This fee structure allows the covered entity to charge individuals according to a fee schedule whose fees are calculated from the average labor cost of fulfilling standard types of access requests. Per-page fees are permissible only when the PHI is maintained and requested in paper form, or when the individual asks for paper records to be scanned into electronic form.
(iii) Flat fee for electronic copies of PHI maintained electronically: This fee structure allows the covered entity to charge individuals a flat fee for standard requests for electronic copies of PHI maintained electronically (inclusive of all labor, supplies, and postage), as long as the flat fee does not exceed $6.50.
When an individual asks that PHI be provided in a particular electronic format, the covered entity is generally expected to comply, provided the PHI is maintained electronically and is "readily producible" in the requested format. Covered entities are not required, however, to purchase new software or equipment in order to produce PHI in a particular electronic format. The guidance also explains that a covered entity need not honor a request that would pose an unacceptable security risk to its own systems, such as allowing an individual to connect a personal USB drive directly to those systems; the concern here is the risk to the covered entity's systems, not the risk to the PHI once it has been handed to the individual.

Unencrypted email is treated differently. If an individual specifically requests that PHI be sent by unencrypted email, and the covered entity has warned the individual of the security risks of that transmission and the individual nonetheless wishes to proceed, the covered entity must honor the request and is not responsible for unauthorized access to the PHI while it is in transmission. That relief is limited to the transmission itself: the covered entity remains responsible for reasonable safeguards in carrying out the request, such as confirming that the message is addressed to the email address the individual actually supplied. Documenting the warning and the individual's decision is therefore a practical necessity, not a formality.

The guidance also notes the advantages to covered entities of transmitting PHI by more secure means, such as certified EHR technology, which gives the covered entity an opportunity to demonstrate meaningful use for purposes of its EHR incentive payments while at the same time satisfying its HIPAA obligation to respond to an individual's request for access.
The clarification provided in the guidance offers covered entities and business associates an opportunity to update and streamline their policies and practices for responding to individuals' requests for access to PHI. With this expanded guidance on permissible practices, health care providers and business associates may wish to build more flexibility into their fee policies for recouping the cost of copies of PHI, and to set clear parameters, including who decides and how the decision is recorded, for handling requests that specify a particular format for access. Health care providers and business associates should also continue to follow developments in privacy law, regulations and guidance.