HHS FAQs Address Permitted Costs for Copies of PHI and More | Practical Law

The Department of Health and Human Services (HHS) has issued additional FAQs on HIPAA's right of access addressing limits on fees for providing copies of protected health information (PHI) and the right to have PHI sent directly to a third party.

Practical Law Legal Update w-001-4722 (Approx. 8 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 29 Feb 2016
USA (National/Federal)
The Department of Health and Human Services (HHS) has issued additional FAQs addressing an individual's right of access under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The FAQs expand on questions and answers regarding HIPAA's right to access for individuals that were released earlier this year (see Legal Update, HHS Addresses HIPAA Individual Rights in FAQ Guidance). In general, HIPAA requires covered entities (CEs), which include group health plans, to furnish an individual on request with access to the individual's protected health information (PHI) that is maintained by or for the CE (see Practice Notes, HIPAA Privacy and Security: Individual Rights and HIPAA Privacy Rule).
Issues addressed in the latest FAQs include:
  • Fees that CEs can (and cannot) impose for providing copies of PHI.
  • An individual's right to have PHI sent directly to a designated third party.

Fees for Providing Individuals Copies of PHI

The FAQs address questions about fees that CEs can (and cannot) charge to individuals for copies of their PHI, including the following.

Only Limited Fees May Be Charged

HIPAA's implementing regulations allow CEs to charge a reasonable, cost-based fee for providing a copy of an individual's PHI to the individual (or to direct a copy to a designated third party). Notwithstanding the regulations, it is HHS's view that CEs should forgo fees for all individuals and provide copies of PHI free of charge to individuals who request access, particularly in cases where an individual's financial situation may present a barrier to access.

Costs That May Be Included in Fees for Providing Copies of PHI

In general, permitted fees include:
  • Labor for copying the requested PHI, whether in paper or electronic form (see Costs Included in Labor for Copying).
  • Supplies for creating a paper copy (such as paper and toner) or electronic media (such as a CD or jump drive) if the individual requested that the copy be provided on portable media. CEs cannot require an individual to purchase portable media and must follow an individual's request to have their PHI emailed to them.
  • Postage, if the individual requests that the PHI be mailed.
  • Labor for preparing an explanation or summary of the PHI if the individual, in advance:
    • chooses to receive an explanation or summary; and
    • agrees that the fee may be charged.
According to HHS, fees may not include costs for:
  • Reviewing a request for access.
  • Searching for and retrieving the PHI, including locating and reviewing the PHI in medical or other records.
  • Segregating or otherwise preparing the PHI in response to a request for copying.
  • Updating or maintaining systems and data (in addition to capital costs for data storage and maintenance).
  • Labor for ensuring HIPAA compliance in fulfilling the access request (for example, verification).
  • Outsourcing the function of providing copies of PHI to a business associate (BA) (regarding HIPAA BAs, see Standard Documents, HIPAA Business Associate Agreement and HIPAA Business Associate Policy).
  • Other costs, even if authorized by state law.
Under the FAQs, individuals cannot be charged for administrative and other costs of outsourcing the tasks of responding to individual requests for access.

Costs Included in Labor for Copying

Labor for copying includes only the expense of creating and delivering the electronic or paper copy in the form and format requested by the individual, after the applicable PHI has been identified and is ready to be copied.
This may include labor associated with:
  • Photocopying paper PHI.
  • Scanning paper PHI into an electronic format.
  • Converting electronic information in one format to the format requested by the individual.
  • Transferring electronic PHI (ePHI) from a CE's system to a web-based portal, portable media, email, app, personal health record, or other manner of delivery.
  • Creating and executing a mailing or email that contains the requested PHI.
However, labor does not include costs associated with:
  • Reviewing the request for access.
  • Searching for, retrieving, and otherwise preparing the responsive information for copying, for example:
    • labor to locate the relevant designated record set about an individual;
    • costs for reviewing records to identify PHI that is responsive to a request; and
    • ensuring that information relates to the correct individual.
It is HHS's position that, as technology evolves and procedures become more automated, labor costs will "disappear or at least diminish in many cases."

Advance Notice of Fees Required

CEs that intend to charge an individual a permitted fee must inform the individual in advance of the approximate fee that may be charged for the copy. Any fees that may vary depending on the form, format, and manner of receipt also must be disclosed. In addition, CEs should post on their websites (or otherwise make available) an approximate fee schedule for regular types of access requests. Upon request, CEs should be able to provide the individual with a breakdown of the charges.
HHS views this advance notice requirement as necessary for the right of access to operate consistent with the HIPAA privacy regulations (see Practice Note, HIPAA Privacy Rule). Failure to provide the notice is an unreasonable measure that may serve as a barrier to the right of access. In general introductory language accompanying the FAQs, HHS states that CEs may not impose unreasonable measures on an individual requesting access that either:
  • Serve as barriers to an individual's access.
  • Unreasonably delay the individual from obtaining access.

Calculating Fees for Providing Copies

A CE may calculate fees using one of the following three methods:
  • Actual cost. This method reflects the actual, reasonable labor costs plus any applicable supply or postage costs. For example, the labor cost may be the time it takes an employee (or BA) to make and send the copy in the form, format, and manner requested multiplied by the reasonable hourly rate. What constitutes a reasonable hourly rate may vary depending on the level of skill needed to create and transmit the copy.
  • Average cost. This method includes average, reasonable labor costs plus any applicable supply or postage costs. A CE can develop a schedule of labor costs based on the average labor costs to fulfill standard types of requests. A rate charged as a per page fee is reasonable only where the PHI is maintained in paper form.
  • Flat fee. Under this third method, a CE may charge a flat fee for all standard requests that does not exceed $6.50 (inclusive of all labor, supplies, and postage).

Fee Limits Apply When PHI Is Sent to a Third Party

The FAQs also address fee limits applicable to an individual's request that a copy of the individual's PHI be sent to a third party. These limits apply when an individual:
The FAQs include several requirements that apply when an individual directs a copy to a third party (see Ability to Have PHI Sent to a Third Party).
The limits do not apply if the third party initiates a request for PHI on its own behalf with the individual's HIPAA authorization (see generally Standard Document, HIPAA Authorization for Health Plans to Use and Disclose PHI). However, CEs may not circumvent the fee limits by requiring an individual to fill out a HIPAA authorization when the individual requests access to PHI.

Fees Not Permitted for Inspecting PHI

Under the FAQs, a CE may not charge fees to individuals who request only to inspect their PHI at the CE's facility (as opposed to requesting a copy). CEs must arrange with the individual a convenient time and place to inspect the PHI and should implement reasonable procedures to enable individuals to inspect their PHI. For example, CEs could use the capabilities of Certified EHR Technology (CEHRT), if agreed to by the individual.
Additionally, CEs may not charge an individual who:
  • Takes notes regarding the PHI.
  • Uses a device (for example, a smartphone) to take pictures of the PHI.
  • Uses other personal resources to capture the information.
  • Makes copies using the individual's own resources.
However, the CE may establish reasonable policies and safeguards to ensure that any equipment or technology used by the individual does not disrupt the CE's operations or other records. The CE is not required to allow the individual to connect a personal device to the CE's systems.

Sending PHI Directly to a Designated Third Party

The FAQs also discuss an individual's right to have a copy of the individual's PHI sent directly to a designated third party, including the following.

Ability to Have PHI Sent to a Third Party

An individual may request a CE to send a copy of the individual's PHI directly to a third party, if the individual's request is in writing, signed by the individual, and clearly identifies the third party and where to send the PHI. A CE also may accept an electronic, faxed, or mailed copy of a signed request, or an electronically executed request with an electronic signature.
Under the FAQs, the same requirements for providing PHI to an individual (such as timeliness requirements, fee limits, the prohibition on imposing unreasonable measures, and form and format requirements) apply when an individual directs the PHI to be sent to a third party. The FAQs include examples of how these provisions apply.

CE Liability in Responding to Access Requests (HIPAA Breach Notification)

CEs may rely on the information provided by the individual regarding a request to send the individual's PHI to a third party. However, CEs must adopt safeguards for carrying out the request that include:
  • Taking reasonable steps to verify the identity of the individual making the request.
  • Entering the correct information (for example, an email address) into the CE's system.
According to an FAQ addressing this issue, a CE:
  • Must protect the information in transit (see Breach Notification Obligations for Information Breached in Transit).
  • May be liable for impermissible disclosures of PHI that occur in transit, unless the individual:
    • requested that PHI be sent to a third party using an unencrypted email or another unsecure manner; and
    • was warned of the security risks of an unsecure transmission and accepted these risks.
However, a CE is not liable for what happens to the PHI once it has been received by the designated third party.

Breach Notification Obligations for Information Breached in Transit

If a CE discovers that PHI was breached in transit to the third party, and the PHI was unsecured (that is, PHI that is not rendered unusable, unreadable, or undecipherable to unauthorized individuals using HHS-specified technology or methods), the CE must:
If the breached PHI is secured, as provided in HHS guidance, the CE does not have reporting obligations under the HIPAA breach notification rules.

Practical Impact

Though only subregulatory, these FAQs provide insight into HHS's views regarding which copying costs are permitted in the right to access context. The balance of costs under these FAQs tends to favor the individual at the CE's expense (literally, in many cases). For example, CEs may not pass along most of the general overhead expenses associated with providing copies to the individual, though these expenses represent real cost to CEs in terms of labor and other resources. Moreover, the FAQs include several references to HHS's experience in the enforcement context, suggesting that how CEs charge individuals for copying expenses may be a government priority in the audit context.
Also, some of the FAQs address additional procedures (for example, rules for allowing individuals to inspect PHI), safeguards (an individual's use of a personal device in reviewing PHI), and administrative standards (the schedule of average costs). One of the more significant procedures in these latest FAQs is the advance notice requirement that applies if a CE charges individuals for copies of PHI, which applies even if the fee is one of the specifically permitted charges.
Finally, regarding an HHS interpretation that may come as a surprise to some, CEs should note the potential HIPAA breach notification implications of responding to an individual's access request, where a breach occurs while the information is in transit.