The Patient Rate
When the Privacy Rule was promulgated, it set forth the permissible types of fees that could be charged to patients for accessing their own PHI. In order to ensure that patients would not be deterred from seeking such access due to cost considerations, a covered entity could only charge patients the “Patient Rate,” which consisted of the reasonable cost of copying and associated labor costs, postage, and reasonable costs associated with preparing an explanation or summary of the PHI. The Patient Rate did not include other costs typically associated with maintaining and producing PHI, such as the costs of data storage and document retrieval. Importantly, the Patient Rate did not apply to third-party requests. That is, if a third party requested a patient’s PHI, a covered entity was not limited to charging such third party the Patient Rate.
Subsequently, in response to the increase in digital record-keeping systems, Congress in 2009 passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act). With respect to patients’ right of access, the HITECH Act established a new process to deliver PHI stored in electronic form to third parties, a new concept known as the “third-party directive.” Pursuant to the third-party directive, a patient may direct a covered entity to deliver to third persons the patient’s PHI which is stored in electronic form. The HITECH Act also placed a statutory cap on the fees that a covered entity may charge patients for delivering PHI that is in electronic form. Such cap was limited to an amount that could not exceed a covered entity’s labor costs in responding to the request for the PHI.
This third-party directive was expanded in HHS’s 2013 final rule entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule). Pursuant to the Omnibus Rule, the third-party directive was broadened to apply not only to requests for PHI that was contained in electronic form, but to PHI contained in any format. Further, in January and February 2016, HHS released guidance regarding the patient access rules in the form of a Fact Sheet and a series of FAQs (collectively, “2016 Guidance”). The 2016 Guidance appeared to have been released due to concerns with covered entities’ failure to provide appropriate access. Then-OCR Director Jocelyn Samuels wrote in a blog post that “. . . based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule.” She further stated that “. . . HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees.” Thus, the 2016 Guidance reiterated that individuals can be charged only a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.
A lawsuit filed in federal court in 2018, Ciox Health, LLC v. Azar, et al., challenged HHS’s expansion of the HITECH Act with respect to certain aspects of the patient access rules. The Ciox case involved a specialized medical-records provider, Ciox Health, LLC, which was a business associate of and contracted with covered entities on a national basis to maintain, retrieve, and produce individuals’ PHI, including in response to patient requests. HHS had imposed a penalty against a hospital serviced by Ciox for the failure to provide records at the Patient Rate to a patient who directed that the records be sent to her lawyer. Ciox argued that HHS’s 2016 Guidance was invalid on procedural grounds (i.e., that the guidance failed to follow the Administrative Procedure Act) and that the limitation of fees chargeable by third parties caused Ciox and other medical records companies to lose millions of dollars in revenue. Although by the time the Ciox case was filed, HHS had announced that it would not enforce fee limitations against business associates (although it would enforce the fee limitations against covered entities), this appears to have been too little, too late. In 2020, the court agreed with Ciox and vacated the application of the third-party directive to PHI contained in any format. The court also limited the Patient Rate to a patient’s request for access to his or her own records and stated that it does not apply to patient requests to transmit records to a third party.
As a result of this ever-changing landscape, which may or may not change again, the fee a covered entity may charge a patient to access his or her PHI is generally limited to the Patient Rate, which, in turn, is limited to a reasonable, cost-based fee that includes only the costs of the labor, supplies such as paper or USB drives, and postage associated with transmitting the PHI, as well as the cost of creating any summary of the records, as agreed to by the patient. This notably does not include costs for electronic data storage or server infrastructure because HHS has taken the position that some electronic storage and access of PHI will generate no costs that can be billed to the patient. HHS has advised that there are three ways to calculate the costs that can be assessed to each patient: the actual costs of access, the average costs of fulfilling certain types of requests, or a flat fee not to exceed $6.50 for electronic copies of PHI maintained electronically. Entities that use an average cost or a flat fee may adjust their fee for unusual requests, so long as that fee reflects only the costs allowed under the Privacy Rule. Of note, these fee caps do not apply where the patient directs the covered entity to provide the PHI to a third party.
Right of Access Initiative
In early 2019, then-OCR Director Roger Severino announced a new HIPAA enforcement initiative focusing on entities’ compliance with patients’ rights to access their own health information in a timely manner and at a reasonable cost. Throughout the year, Severino spoke about the difficulty patients were continuing to have in accessing their PHI. As a result, Severino stated that the time had come “for serious enforcement” of these patient rights and the “Right of Access Initiative” had begun.
Not long thereafter, in September 2019, OCR settled its first enforcement action under its Right of Access Initiative. The settlement was with Bayfront Health in St. Petersburg, Florida, which paid $85,000 to settle allegations that it failed to provide a mother timely access to the fetal monitoring records of her unborn child. OCR investigated the complaint filed by the mother and found that Bayfront provided the mother with the requested records nine months after her initial request. In addition to paying the noted amount, Bayfront entered into a corrective action plan which requires, among other things, that Bayfront revise its HIPAA policies and procedures and provide training to each of its workforce members and relevant business associates.
To date, 19 enforcement actions regarding alleged violations of the right to access have been settled and publicly announced. The vast majority of these alleged violations stem from untimely responses to requests for access. The most recent and most costly of these occurred in January 2021 and involved Banner Health, an Arizona health system. According to OCR, Banner Health agreed to take a number of corrective actions pursuant to a corrective action plan which involves two years of monitoring, and to pay $200,000 to settle allegations that it had taken approximately five months for two different patients to receive their requested records. In announcing this enforcement action, then-OCR Director Severino stated that “[T]his first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” Interestingly, 11 of the patient access settlements occurred during 2020, notwithstanding the existence of the COVID-19 global pandemic. Of note, some covered entities could have denied requests based on statutory grounds that the requested PHI was not subject to disclosure, but faced sanctions because they did not timely issue a written denial of the request. Settlement amounts have ranged from a few thousand dollars to a few hundred thousand dollars, and likely depend on the size of the allegedly offending covered entity as well as the severity of the alleged violation. Notably, all settlements required the entities to be subject to a corrective action plan, generally with one to two years of monitoring.
Compliance Considerations
As a result of OCR’s Right of Access Initiative and in light of the numerous settlements discussed above, entities should take a proactive approach to reduce the likelihood that they may become subject to patient access complaints that ultimately result in an OCR investigation, settlement, and corrective action plan. A first step in this process should be for the covered entity to review and revise its right of access policies and procedures, particularly considering the number of changes that have occurred with respect to third-party directives. Once the policies and procedures have been reviewed and revised, everyone involved in responding to and fulfilling patient and third-party requests – whether internal or external to the organization – should be properly trained, with new workforce members and business associates being trained upon hire or engagement. “Refresher” training should also occur periodically, and individuals should have the ability to ask questions of the covered entity’s Privacy Officer, Compliance Officer, or other qualified personnel, as appropriate. A tracking mechanism should also be created and implemented to track each request, how it was handled and by whom, what fees were charged (if any) and if and when the information was either provided or declined to be provided. Human Resources should be contacted if any workforce member fails to comply with the covered entity’s policies and procedures and appropriate corrective action should be taken. To the extent a business associate or third-party vendor responds to requests for patient records on a covered entity’s behalf, the contract with such business associate or vendor should incorporate the covered entity’s policies and procedures and contain monetary or other penalties for violating them. Covered entities should also consider indemnification provisions in these agreements.
Finally, as if the regulatory changes noted herein were not enough, in January 2021, HHS proposed several changes to the Privacy Rule and the patient right of access. HHS proposed reducing covered entities’ response time from 30 days to 15 days; clarifying the PHI request format; requiring covered entities to notify patients that they still have a right to obtain full PHI if only a summary is offered; specifying when electronic PHI must be provided to the patient for free; and requiring entities to post fee schedules on their websites for PHI requests. The public comment period has closed, but as of this writing no final rule has been released.
Conclusion
While the regulations surrounding the Privacy Rule and patients’ right to access their own medical records continue to evolve, it is clear that these regulations and their enforcement are a government priority. Covered entities should be familiar with the requirements of the Privacy Rule and their compliance obligations.