Before 1996, no uniform standard existed in the United States to obtain records. Many states and local governments had unique request requirements and fee schedules.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), outlining uniform rights and responsibilities for accessing, managing and securing protected health information (PHI). HIPAA was a significant step forward, but over time, deficiencies of HIPAA became apparent. Various congressional responses since then have aimed at alleviating some of these issues, the most recent of which was due this year, but has been delayed until March 2023.
WHAT IS CHANGING?
Fundamental changes to the HIPAA privacy rule normalize the electronic health record definition, clarify privacy practices, provide transparency for access fees and reaffirm an individual’s access rights. Most importantly, a new section, §164.524(d), clearly describes the individual’s right to direct PHI in an electronic format to a third party and imposes a reasonable, cost-based fee for the record production. The section is critical for the legal community to get records from health care providers promptly and at a reasonable cost.
The access granted through Section §164.524(d) only applies to an electronic health record. The new definition covers the same scope as the “individually identified information” defined in Section §160.103. It removes previous ambiguity and includes everything about the individual's past, present and future health care, provisioning of care, and all payments related to the individual’s care. However, if the information is not stored electronically, it will not be subject to the rule. In the event a provider still relies on paper records or has information stored outside the electronic health record system, access is granted with a standard third-party authorization form.
A health care provider may require a written request to access PHI. Still, it cannot create an unreasonable measure that impedes access to PHI. Requiring an individual to complete an extensive third-party authorization form in lieu of a proper individual right of access request is an unreasonable measure. Other unreasonable measures include requiring a notarization, only accepting paper submissions, only accepting in-person requests or only accepting requests through the provider’s online portal.
Under the new rule, a health care provider’s time to respond is reduced. Once it goes into effect, providers must act upon the request as soon as practical, but not later than 15 calendar days. However, providers are entitled to one 15-calendar-day extension if they explain the delay and commit to a response date. In other words, providers will not be able to drag out their reply for months. It will force health care providers to manage their release of information process and address inefficiencies.
The most significant change aligns the cost of electronic records with the effort required to produce an electronic copy. If an individual requests a copy of their records delivered to them electronically, the new rule dictates that the reasonable, cost-based fee is limited to labor. Even if a provider sends it to them on a CD through the postal service, the provider can only charge for the labor component. The provider cannot charge for the media, envelope, mailer, labels or other miscellaneous items.
The cost-based fee, limited to labor, will also apply to an electronic copy in an electronic health record directed to a third party. Providers and release of information vendors should not be profiteering by being PHI gatekeepers and charging hundreds or thousands of dollars for a PDF file.