February 5, 2013
By Allen Killworth and Claire Turcotte*
The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule (Final Rule), released by the U.S. Department of Health & Human Services (HHS) on January 17 (published January 25 at 78 FR 5566), largely adopts the proposed rules on individuals' right of access to protected health information (PHI), thus finalizing significant changes to obligations of covered entities in this area.
Form and Format
Under the Final Rule, covered entities that maintain one or more designated record sets electronically are required to provide an individual with a copy of his or her medical record in the electronic form and format requested by the individual, if such format is readily producible. If the requested format is not readily producible, the covered entity must offer to produce the electronic PHI in at least one readable electronic format. Covered entities may use various methods to accomplish this, such as providing a disc with a PDF file, sending a secure email with a Word file, or providing access through a secure web-based portal. Although covered entities are not required to purchase software or hardware to accommodate requests for various specific formats, they must be able to provide some form of readable electronic copy, and HHS notes that it anticipates some covered entities may need to invest in order to meet this requirement. A hard copy may be provided if the requesting individual rejects any of the offered electronic formats. Commentary from HHS also clarifies the following:
- The electronic copy provided must include all of the electronic PHI held by the covered entity in a designated record set, or appropriate subset if only specific information is requested, at the time the request is fulfilled.
- If the electronic PHI contains a link to images or data, the images or other data must be included in the electronic copy provided.
- If a medical record is in mixed media (e.g., some paper and some electronic PHI), the covered entity is not required to scan the paper documents to provide a single electronic copy. Although a covered entity would have this option, a combination of electronic and hard copies may be provided.
- A covered entity is not required to use an individual's flash drive or other device to transfer the electronic PHI if the covered entity has security concerns regarding the external portable media.
- If secure email is not available and an individual requests to receive the electronic copy via unencrypted email, the covered entity may send the electronic copy in this fashion, but only if the covered entity has advised the individual of the risk that the information could be read by a third party.
The Final Rule adopts the proposed rule's requirement that, if requested by an individual, a covered entity must transmit the electronic copy directly to another person designated by the individual. HHS clarified that covered entities may rely on information provided by the individual regarding the third-party recipient, but they must implement policies and procedures to verify the identity of any person requesting PHI and implement reasonable safeguards to protect the information disclosed.
The Final Rule adopts proposed amendments to include labor costs for copying PHI, whether in paper or electronic form, as one factor that may be included in the reasonable, cost-based fees that may be charged to individuals. HHS clarified that labor costs could include the technical staff time spent creating or copying electronic files, such as compiling, extracting, scanning, and burning PHI to media. Reasonable, cost-based fees also may include: (1) the costs of supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media; and (2) postage if the individual requests mailing or delivery of electronic media. However, under the Final Rule, covered entities may not: (1) include costs of new technology, maintaining systems for electronic PHI, data access, and storage infrastructure; or (2) charge a retrieval fee (whether a standard fee or actual costs) for electronic copies. Finally, under the state law preemption provisions of HIPAA, a state law imposing lower cost limits would apply. Thus, if costs permitted under HIPAA exceed the state law limits, the covered entity may not charge more than the state law allows.
The Final Rule decreases the time within which covered entities must respond to requests for access from 90 to 60 days by removing the provision allowing an additional 30 days to respond if PHI is not maintained onsite. Covered entities now have 30 days to respond, but they may have a one-time extension of up to 30 days upon provision of written notice to the individual, including the reason for the delay and the expected date of completion. HHS considered, but declined to adopt, different timelines for electronic versus paper copies, opting instead for a single standard.
*We would like to thank Allen R. Killworth, Esquire, and Claire M. Turcotte, Esquire (Bricker & Eckler LLP, Columbus and West Chester, OH), for providing this email alert. We would also like to thank the Health Information and Technology Practice Group leadership for sharing this alert with other Practice Groups.