HIPAA Privacy Rule Access Right: Assessing Fees When an Individual Requests Electronic Access to PHI Privacy and Security Workgroup Stan Crosley, Chair September 21, 2015


Dec 29, 2015


Christal Blake

HIPAA Privacy Rule Access Right: Assessing Fees When an Individual Requests Electronic Access to PHI

Privacy and Security Workgroup

Stan Crosley, Chair

September 21, 2015


Agenda

• Background
  – HIPAA Access Rule
  – HITECH changes to HIPAA
  – State laws

• Questions on fees to provide electronic copies of PHI

• Synopsis of stakeholders’ written testimony


PSWG Workplan - Detail

Meeting: September 21, 2015, 2:00-3:30pm ET
Task: Fees for Electronic Access

• Understand background issues surrounding HIPAA Access Rule and HITECH modifications to HIPAA.

• Gather information regarding key questions surrounding assessment of fees for electronic access to PHI, including accepting written testimony from stakeholders.

• Develop strawman recommendations based on discussion.

Meeting: September 28, 2015, 2:00-3:30pm ET
Task: Fees for Electronic Access

• Continue discussing fees for electronic access.

• Review strawman recommendations.

• Develop final, key recommendations to inform OCR’s forthcoming sub-regulatory guidance.


Meeting Purpose

Access Guidance Requested for PMI

• President’s Precision Medicine Initiative (PMI) requires the HHS Office for Civil Rights (OCR) and ONC to collaborate to address barriers that prevent patients from accessing their health data. (https://www.whitehouse.gov/the-press-office/2015/07/08/fact-sheet-new-patient-focused-commitments-advance-president%E2%80%99s-precision).

• OCR is to develop additional guidance materials to educate the public and health care providers about a patient’s right to access his or her health information under HIPAA.


HIPAA Access Rule and Fees: Background

HIPAA Access Rule

• § 164.524 of the HIPAA Privacy Rule gives individuals the right to access their health information, regardless of format.

• Covered entities (CEs) may charge a “reasonable, cost-based fee” for providing copies of health information to individuals.

• For paper records, fees are charged on a per page basis, with state laws setting limits on maximum charges.


HIPAA Access Rule and Fees: Background (cont’d)

2013 Omnibus Rule made amendments as required by the HITECH Act:

• Gives individuals the right to obtain a copy of their health information in the “form and format” they wish, as long as that form and format is “readily producible” by the CE.

• Fees for electronic copies cannot include costs associated with searching for or retrieving the requested information.


HIPAA Access Rule and Fees: Background (cont’d)

Other changes made by the 2013 Omnibus Rule:

• Individuals must be able to request an electronic copy of their health information maintained in an electronic format
  – No access to provider admin systems (not designated record set)
  – Applies only to information present at the time the request is fulfilled
  – CE may reject use of external portable media if unacceptable level of risk (Security Rule risk analysis)

• Individual can direct a CE to transmit directly to an individual's designee (third party)


State Laws on Fees for Access to Medical Records

States’ maximum copying fees for one page of medical records range from free to $40.00, with some states allowing maximum fees of $180.00 for copying 100 pages.*

• Kentucky allows each individual to obtain one copy of their medical record free of charge. [Ky. Rev. Stat. Ann. § 422.317 (2008)]

• Michigan allows doctors and hospitals to charge $1.08 per page for pages 1–20; 54¢ per page for pages 21–50, and 22¢ per page for additional pages [Mich. Comp. Laws § 333.26269 (2008)].

*Source: https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf


State Laws on Fees for Access to Medical Records

Few states have addressed fees for access to electronic health records, and those that do allow fees on par with those charged for paper records.*

• Illinois allows doctors and hospitals to charge 50 percent of the paper-based per page fee for “electronic records, retrieved from a scanning, digital imaging, electronic information or other digital format in an electronic document.” The electronic per-page charge includes the cost of each CD-ROM, DVD, or other storage media [735 Ill. Comp. Stat. 5/8-2001 (2008)].

• Ohio does not distinguish between paper and electronic records and allows providers to charge the same per-page fee for both [Ohio Rev. Code § 3701.741(A) & (B)(1) (2008)].

*Source: https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf


HIPAA Access Rule and Fees: Relationship with State Law

Preemption

• In general, under HIPAA, state laws that are less protective of patients’ privacy (e.g., access rights) than HHS regulations or guidance would be preempted and the HHS regulation or guidance would apply.

• OCR seeks input on fees in an electronic environment so that states can follow suit, and ensure that patients’ privacy or access rights are protected in an electronic environment.


HIPAA Access Rule and Fees: Key Issues

• Fees charged to provide electronic access to PHI must be based on a CE’s labor costs incurred in responding to the request.

• Fees must not include costs associated with searching for or retrieving the requested information, but may include “skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media.”


Key Questions for Stakeholder Input

1. Is an electronic file size an appropriate proxy for “pages” in setting fees for electronic access, or is it simply a substitute for a per-page proxy?
  – If file size is appropriate, how should cost be calculated, particularly considering the questions below?
  – If not, what is a better proxy for calculating labor costs for electronic access?


Key Questions for Stakeholder Input (cont’d)

2. Connection of patient access right to “view, download, or transmit (VDT)” requirement of Meaningful Use.
  – Should the producible form and format of the electronic copy the individual requests affect how the individual is charged? (For example, an individual downloads an electronic copy onto a portable thumb drive or CD vs. using the download or transmit capabilities of certified EHR technology or email.) This issue may also arise when an individual uses personal health records or mobile health devices.


Key Questions for Stakeholder Input (cont’d)

3. If, due to interoperability issues between an EHR where the requested information is maintained, and the software used to create the copy for the individual, the business associate must download the file from the EHR, and subsequently upload it to the business associate’s software before generating an electronic copy for an individual, should labor costs associated with this process be charged to the individual?
  – If so, how should they be calculated?
  – Additionally, if the information is located in several different EHRs, downloaded, and uploaded to a separate software or system, should labor costs associated with this process be charged, as well – and if so, how should they be calculated?


Key Questions for Stakeholder Input (cont’d)

4. Similarly, if information from an EHR has to be printed on paper (therefore paginated) and then scanned and uploaded to a different software program used to create and/or send the copy for/to the individual, should the individual be charged?
  – If so, how should the cost be calculated?


Key Questions for Stakeholder Input (cont’d)

5. Would you answer anything differently if the copy of the data from the designated record set were being transmitted to a non-HIPAA covered business associate, such as a PHR vendor compared to another HIPAA covered entity or that organization’s business associate?


Stakeholder Input Solicited

Listed by stakeholder group: organization, point of contact (POC), and whether testimony was received.

Provider

• Association of Health Information Outsourcing Services (AHIOS); POC: Bonnie Coffey; Testimony received: Yes

• American Health Information Management Association (AHIMA); Testimony received: Yes

• Medical Group Management Association (MGMA); POC: Rob Tennant; Testimony received: Yes

EHR Vendor

• Epic; POC: Carl Dvorak, Kara Rettenmund, Judy Faulkner; Testimony received: No. Epic deferred to consumers to provide responses.

• Cerner; POC: David McCallie; Testimony received: Yes

• Electronic Health Record Association (EHRA); POC: Angela Gordon; Testimony received: Yes

• No More Clipboard (parent company is Medical Informatics Engineering); POC: Jeff Donnell; Testimony received: Yes

• Surescripts; POC: Sara A. Juster; Testimony received: Yes

• CareSync; POC: Amy Gleason; Testimony received: No. Unable to meet deadline, as testimony was requested with quick turnaround.

Patient

• GetMyHealthData.org; POC: Christine Bechtel; Testimony received: Yes


Summary of Stakeholder Responses

Q1: Is an electronic file size an appropriate proxy for “pages” in setting fees for electronic access, or is it simply a substitute for a per-page proxy?

• Provider Summary: File size should not be used as a proxy because many factors affect file size. Costs to reproduce EHRs should include labor costs for labor expended, including segmenting sensitive information. Per page may still be a viable option.

• EHR Vendor Summary: File size should not be used as a proxy because many factors affect file size. Can use “virtual pages” or a flat fee based on transaction/record, or a one time fee for the portable storage media being used.

• Patient Summary: No fees should be charged for patients to receive health record, unless it presents a significant burden on staff time.


Summary of Stakeholder Responses (cont’d)

Q2: Should the producible form and format of the electronic copy the individual requests affect how the individual is charged?

• Provider Summary: Some provider organizations agree that if an individual requests a form or format that is not easily accessible or easy to provide, there should be an additional charge. However, some of those asked stated that the labor costs should be built into view, download, transmit capabilities.

• EHR Vendor Summary: Deviation from an EHR defined standardized format would allow the imposition of an additional cost to the patient. Other vendors stated that view, download, transmit requires CCDA, and if what is requested is more than that, there should be additional charges.

• Patient Summary: There should not be fees based on form and format requested.


Summary of Stakeholder Responses (cont’d)

Q3: If, due to interoperability issues between an EHR where the requested information is maintained, and the software used to create the copy for the individual, the business associate must download the file from the EHR, and subsequently upload it to the business associate’s software before generating an electronic copy for an individual, should labor costs associated with this process be charged to the individual?

• Provider Summary: Should allow BAs to charge labor fees.

• EHR Vendor Summary: Allow charges on a flat fee or per transaction basis.

• Patient Summary: Labor costs are not reasonable because it is a business decision to maintain differing, non-interoperable systems.


Summary of Stakeholder Responses (cont’d)

Q4: If information from an EHR has to be printed on paper, and then scanned and uploaded to a different software program used to create and/or send the copy for/to the individual, should the individual be charged, and how should cost be calculated?

• Provider Summary: All felt costs should be allowed if they are required to do this.

• EHR Vendor Summary: Mixed responses on this. Some felt charges were allowable, and one responded that charging such fees was debatable.

• Patient Summary: Charges NOT reasonable


Summary of Stakeholder Responses (cont’d)

Q5: Would you answer anything differently if the copy of the data from the designated record set were being transmitted to a non-HIPAA covered business associate, such as a PHR vendor compared to another HIPAA covered entity or that organization’s business associate?

• Provider Summary: Most did not think there would be a difference as long as it was a HIPAA compliant request; one provider also noted that the provider should not be responsible for any charges if the patient is paying for the third-party service.

• EHR Vendor Summary: Most stakeholders said there would not be a difference, while one said there would be a difference if there was a competitive risk.

• Patient Summary: There is no difference in delivery mechanisms.


Table of Compiled Summary Responses

Responses by stakeholder group (Provider Groups, Vendor Groups, Patient Groups):

Q1: File size as proxy for page?
  – Provider Groups: No
  – Vendor Groups: No
  – Patient Groups: No

Q2: Form and format requested affect charge?
  – Provider Groups: Yes, if not standard format or easily accessible
  – Vendor Groups: Yes, if not standard format or easily accessible
  – Patient Groups: No

Q3: Labor costs for BA labor to generate electronic copy for patient?
  – Provider Groups: Yes, should allow BAs to charge labor fees.
  – Vendor Groups: Yes, allow charges on a flat fee or per transaction basis.
  – Patient Groups: No, because it is a business decision to have non-interoperable systems.

Q4: Charge if EHR has to be printed, scanned and uploaded?
  – Provider Groups: Yes, if providers are required to do this.
  – Vendor Groups: Mixed responses. Some said charges are allowed, while others said it was debatable.
  – Patient Groups: No, because labor costs here would not be reasonable.

Q5: Different if copy of data was transmitted to non-HIPAA CE?
  – Provider Groups: No difference as long as it is a HIPAA compliant request.
  – Vendor Groups: No difference, but one stakeholder said there may be a difference if there is competitive risk.
  – Patient Groups: No difference.


Next Steps

• Next meeting on Sept. 28, 2015 at 2:00-3:30pm.

• Continue discussing fees for electronic access.

• Review strawman recommendations.

• Develop final, key recommendations to inform OCR’s forthcoming sub-regulatory guidance.