HIPAA Privacy Rule Access Right: Assessing Fees When an Individual Requests Electronic Access to PHI
Privacy and Security Workgroup
Stan Crosley, Chair
September 21, 2015
Agenda
• Background
  – HIPAA Access Rule
  – HITECH changes to HIPAA
  – State laws
• Questions on fees to provide electronic copies of PHI
• Synopsis of stakeholders’ written testimony
PSWG Workplan - Detail
Meeting: September 21, 2015 2:00-3:30pm ET
Task: Fees for Electronic Access
• Understand background issues surrounding HIPAA Access Rule and HITECH modifications to HIPAA.
• Gather information regarding key questions surrounding assessment of fees for electronic access to PHI, including accepting written testimony from stakeholders.
• Develop strawman recommendations based on discussion.
Meeting: September 28, 2015 2:00-3:30pm ET
Task: Fees for Electronic Access
• Continue discussing fees for electronic access.
• Review strawman recommendations.
• Develop final, key recommendations to inform OCR’s forthcoming sub-regulatory guidance.
Meeting Purpose
Access Guidance Requested for PMI
• President’s Precision Medicine Initiative (PMI) requires the HHS Office for Civil Rights (OCR) and ONC to collaborate to address barriers that prevent patients from accessing their health data. (https://www.whitehouse.gov/the-press-office/2015/07/08/fact-sheet-new-patient-focused-commitments-advance-president%E2%80%99s-precision).
• OCR is to develop additional guidance materials to educate the public and health care providers about a patient’s right to access his or her health information under HIPAA.
HIPAA Access Rule and Fees: Background
HIPAA Access Rule
• § 164.524 of the HIPAA Privacy Rule gives individuals the right to access their health information, regardless of format.
• Covered entities (CEs) may charge a “reasonable, cost-based fee” for providing copies of health information to individuals.
• For paper records, fees are charged on a per page basis, with state laws setting limits on maximum charges.
HIPAA Access Rule and Fees: Background (cont’d)
2013 Omnibus Rule made amendments as required by the HITECH Act:
• Gives individuals the right to obtain a copy of their health information in the “form and format” they wish, as long as that form and format is “readily producible” by the CE.
• Fees for electronic copies cannot include costs associated with searching for or retrieving the requested information.
HIPAA Access Rule and Fees: Background (cont’d)
Other changes made by the 2013 Omnibus Rule:
• Individuals must be able to request an electronic copy of their health information maintained in an electronic format
  – No access to provider admin systems (not designated record set)
  – Applies only to information present at the time the request is fulfilled
  – CE may reject use of external portable media if unacceptable level of risk (Security Rule risk analysis)
• Individual can direct a CE to transmit directly to an individual's designee (third party)
State Laws on Fees for Access to Medical Records
States’ maximum copying fees for one page of medical records range from free to $40.00, with some states allowing maximum fees of $180.00 for copying 100 pages.*
• Kentucky allows each individual to obtain one copy of their medical record free of charge. [Ky. Rev. Stat. Ann. § 422.317 (2008)]
• Michigan allows doctors and hospitals to charge $1.08 per page for pages 1–20; 54¢ per page for pages 21–50, and 22¢ per page for additional pages [Mich. Comp. Laws § 333.26269 (2008)].
*Source: https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf
State Laws on Fees for Access to Medical Records (cont’d)
Few states have addressed fees for access to electronic health records, and those that do allow fees on par with those charged for paper records.*
• Illinois allows doctors and hospitals to charge 50 percent of the paper-based per page fee for “electronic records, retrieved from a scanning, digital imaging, electronic information or other digital format in an electronic document.” The electronic per-page charge includes the cost of each CD-ROM, DVD, or other storage media [735 Ill. Comp. Stat. 5/8-2001 (2008)].
• Ohio does not distinguish between paper and electronic records and allows providers to charge the same per-page fee for both [Ohio Rev. Code § 3701.741(A) & (B)(1) (2008)].
*Source: https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf
HIPAA Access Rule and Fees: Relationship with State Law
Preemption
• In general, under HIPAA, state laws that are less protective of patients’ privacy (e.g., access rights) than HHS regulations or guidance would be preempted and the HHS regulation or guidance would apply.
• OCR seeks input on fees in an electronic environment so that states can follow suit, and ensure that patients’ privacy or access rights are protected in an electronic environment.
HIPAA Access Rule and Fees: Key Issues
• Fees charged to provide electronic access to PHI must be based on a CE’s labor costs incurred in responding to the request.
• Fees must not include costs associated with searching for or retrieving the requested information, but may include “skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media.”
Key Questions for Stakeholder Input
1. Is an electronic file size an appropriate proxy for “pages” in setting fees for electronic access, or is it simply a substitute for a per-page proxy?
  – If file size is appropriate, how should cost be calculated, particularly considering the questions below?
  – If not, what is a better proxy for calculating labor costs for electronic access?
Key Questions for Stakeholder Input (cont’d)
2. Connection of patient access right to “view, download, or transmit (VDT)” requirement of Meaningful Use.
  – Should the producible form and format of the electronic copy the individual requests affect how the individual is charged? (For example, an individual downloads an electronic copy onto a portable thumb drive or CD vs. using the download or transmit capabilities of certified EHR technology or email.) This issue may also arise when an individual uses personal health records or mobile health devices.
Key Questions for Stakeholder Input (cont’d)
3. If, due to interoperability issues between an EHR where the requested information is maintained, and the software used to create the copy for the individual, the business associate must download the file from the EHR, and subsequently upload it to the business associate’s software before generating an electronic copy for an individual, should labor costs associated with this process be charged to the individual?
  – If so, how should they be calculated?
  – Additionally, if the information is located in several different EHRs, downloaded, and uploaded to a separate software or system, should labor costs associated with this process be charged, as well – and if so, how should they be calculated?
Key Questions for Stakeholder Input (cont’d)
4. Similarly, if information from an EHR has to be printed on paper (therefore paginated) and then scanned and uploaded to a different software program used to create and/or send the copy for/to the individual, should the individual be charged?
  – If so, how should the cost be calculated?
Key Questions for Stakeholder Input (cont’d)
5. Would you answer anything differently if the copy of the data from the designated record set were being transmitted to a non-HIPAA covered business associate, such as a PHR vendor compared to another HIPAA covered entity or that organization’s business associate?
Stakeholder Input Solicited
Stakeholder Group | Organization | POC | Testimony Received?
Provider | Association of Health Information Outsourcing Services (AHIOS) | Bonnie Coffey | Yes
Provider | American Health Information Management Association (AHIMA) | | Yes
Provider | Medical Group Management Association (MGMA) | Rob Tennant | Yes
EHR Vendor | Epic | Carl Dvorak, Kara Rettenmund, Judy Faulkner | No. Epic deferred to consumers to provide responses.
EHR Vendor | Cerner | David McCallie | Yes
EHR Vendor | Electronic Health Record Association (EHRA) | Angela Gordon | Yes
EHR Vendor | No More Clipboard – Parent company is Medical Informatics Engineering | Jeff Donnell | Yes
EHR Vendor | Surescripts | Sara A. Juster | Yes
EHR Vendor | CareSync | Amy Gleason | No. Unable to meet deadline, as testimony was requested with quick turnaround.
Patient | GetMyHealthData.org | Christine Bechtel | Yes
Summary of Stakeholder Responses
Q1: Is an electronic file size an appropriate proxy for “pages” in setting fees for electronic access, or is it simply a substitute for a per-page proxy?
• Provider Summary: File size should not be used as a proxy because many factors affect file size. Costs to reproduce EHRs should include labor costs for labor expended, including segmenting sensitive information. Per page may still be a viable option.
• EHR Vendor Summary: File size should not be used as a proxy because many factors affect file size. Can use “virtual pages” or a flat fee based on transaction/record, or a one time fee for the portable storage media being used.
• Patient Summary: No fees should be charged for patients to receive health record, unless it presents a significant burden on staff time.
Summary of Stakeholder Responses (cont’d)
Q2: Should the producible form and format of the electronic copy the individual requests affect how the individual is charged?
• Provider Summary: Some provider organizations agree that if an individual requests a form or format that is not easily accessible or easy to provide, there should be an additional charge. However, some of those asked stated that the labor costs should be built into view, download, transmit capabilities.
• EHR Vendor Summary: Deviation from an EHR defined standardized format would allow the imposition of an additional cost to the patient. Other vendors stated that view, download, transmit requires CCDA, and if what is requested is more than that, there should be additional charges.
• Patient Summary: There should not be fees based on form and format requested.
Summary of Stakeholder Responses (cont’d)
Q3: If, due to interoperability issues between an EHR where the requested information is maintained, and the software used to create the copy for the individual, the business associate must download the file from the EHR, and subsequently upload it to the business associate’s software before generating an electronic copy for an individual, should labor costs associated with this process be charged to the individual?
• Provider Summary: Should allow BAs to charge labor fees.
• EHR Vendor Summary: Allow charges on a flat fee or per transaction basis.
• Patient Summary: Labor costs are not reasonable because it is a business decision to maintain differing, non-interoperable systems.
Summary of Stakeholder Responses (cont’d)
Q4: If information from an EHR has to be printed on paper, and then scanned and uploaded to a different software program used to create and/or send the copy for/to the individual, should the individual be charged, and how should cost be calculated?
• Provider Summary: All felt costs should be allowed if they are required to do this.
• EHR Vendor Summary: Mixed responses on this. Some felt charges were allowable, and one responded that charging such fees was debatable.
• Patient Summary: Charges NOT reasonable
Summary of Stakeholder Responses (cont’d)
Q5: Would you answer anything differently if the copy of the data from the designated record set were being transmitted to a non-HIPAA covered business associate, such as a PHR vendor compared to another HIPAA covered entity or that organization’s business associate?
• Provider Summary: Most did not think there would be a difference as long as it was a HIPAA compliant request; one provider also noted that the provider should not be responsible for any charges if the patient is paying for the third-party service.
• EHR Vendor Summary: Most stakeholders said there would not be a difference, while one said there would be a difference if there was a competitive risk.
• Patient Summary: There is no difference in delivery mechanisms.
Table of Compiled Summary Responses
Stakeholder | Provider Groups | Vendor Groups | Patient Groups
Q1: File size as proxy for page? | No | No | No
Q2: Form and format requested affect charge? | Yes, if not standard format or easily accessible | Yes, if not standard format or easily accessible | No
Q3: Labor costs for BA labor to generate electronic copy for patient? | Yes, should allow BAs to charge labor fees. | Yes, allow charges on a flat fee or per transaction basis. | No, because it is a business decision to have non-interoperable systems.
Q4: Charge if EHR has to be printed, scanned and uploaded? | Yes, if providers are required to do this. | Mixed responses. Some said charges are allowed, while others said it was debatable. | No, because labor costs here would not be reasonable.
Q5: Different if copy of data was transmitted to non-HIPAA CE? | No difference as long as it is a HIPAA compliant request. | No difference, but one stakeholder said there may be a difference if there is competitive risk. | No difference.
Next Steps
• Next meeting on Sept. 28, 2015 at 2:00-3:30pm.
• Continue discussing fees for electronic access.
• Review strawman recommendations.
• Develop final, key recommendations to inform OCR’s forthcoming sub-regulatory guidance.