Such state laws (and the healthcare providers acting in accordance with them), however, cannot do an end-run around the HIPAA right of access rules, the latter of which provide that medical record copy fees must be reasonable. Medical record copy fees that are flat fees, untethered to the actual costs of reproduction, may be considered excessive under the HIPAA Privacy Rule’s right of access provisions. When the two laws are in conflict, HIPAA, the federal law, prevails.
The HIPAA Privacy Rule’s Right of Access and Medical Record Copy Fees
This point – that HIPAA preempts contrary state law – has been reiterated under guidance provided by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). This guidance specifies that HIPAA, through its right of access provisions, limits the amount that a covered entity may charge a patient requesting access to his or her medical records.
Under the HIPAA Privacy Rule right of access, medical record copy fees must be reasonable and cost-based.
This means that providers may only charge for the following:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form.
- Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.
- Labor for copying does not include:
- Costs associated with reviewing the request for access;
- Searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record,
- Segregating or otherwise preparing the PHI that is responsive to the request for copying.
- Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media.
- However, a covered entity may not require an individual to purchase portable media; individuals have the right to have their PHI e-mailed or mailed to them upon request.
- Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.
In sum, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, and labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling an access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by State law, are not permitted for purposes of calculating the fees that can be charged to individuals.