Is Right to Access Being Taken to Excess?
By Selena Chavis
For The Record
Vol. 30 No. 3 P. 20
Professionals weigh in on OCR guidance regarding cost structure and third-party requests.
Patients have a right to their health information. It's a clear HIPAA requirement, and few health care stakeholders would challenge that assertion. However, some have questions: Who's footing the bill? Are third parties capitalizing on fee limitations?
In 2016, the Office for Civil Rights (OCR) released new HIPAA guidance concerning a patient's right to access as it pertains to his/her health information. Of particular note, the guidance addressed appropriate fees for record requests, limiting charges to a "reasonable, cost-based fee" for information going directly to an individual or a third party. And while the guidance acknowledges that covered entities are permitted to charge fees related to such areas as the cost of labor, supplies, and postage, the tone underscores the need for benevolence:
"While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged."
Yet, survey data published in 2015 in AHIMA's Perspectives in Health Information Management suggest that most organizations have historically charged patients for their records. The article, authored by Kim Murphy-Abdouch, MPH, RHIA, FACHE, a clinical assistant professor in the HIM department at Texas State University, discussed the findings of a survey of 313 AHIMA members. Notably, 52.6% of respondents said their health care organizations charged patients for electronic copies of medical records and 64.7% charged for paper copies.
Access sits at the heart of OCR guidance, although some in the industry believe that OCR may have unintentionally opened the door for third parties to take advantage of fee limitations.
"Quite honestly, I think we are in a place of confusion," says Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS, regulatory compliance officer for DataFile Technologies. "We understand that OCR saw a need to issue guidance to clarify the regulations but I believe the response has been much different than perhaps they anticipated and has created more questions, especially in regard to cost."
OCR Guidance on Right-to-Access Fees
Current OCR guidance for fees associated with medical record requests speaks to costs associated with the following:
• labor for copying protected health information (PHI) requested by an individual, whether in paper or electronic form;
• supplies for creating the paper copy or electronic media;
• labor to prepare an explanation or summary of the PHI if an individual agrees to this charge in advance; and
• postage when an individual requests a mailed copy.
The guidance also states that "costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling the access request (eg, verification, ensuring only information about the correct individual is included, etc), and other costs not included above, even if authorized by state law, are not permitted for purposes of calculating the fees that can be charged to individuals."
To calculate fees, OCR guidance offers three methods: actual costs calculated per request, development of a schedule of average costs, or a flat fee not to exceed $6.50. Regardless of the method, health care organizations must inform requestors in advance of the approximate fee.
Wickenhauser questions the practicality of the new guidance. "HHS [Health and Human Services] and the OCR looked at all of the costs of producing records like labor, auditing, and technology and whittled down the allowable costs to very specific labor items for right-to-access requests. They essentially made right-to-access requests exist in a vacuum when they do not. There are very real costs associated with producing these records, regardless of the type of request, and unfortunately the allowable charges do not cover those costs," she says. "We strongly believe OCR has created an unintended predicament for providers where they are once again expected to foot the bill."
Elizabeth Delahoussaye, RHIA, CHPS, privacy officer and senior vice president of compliance for CIOX Health, points to an organizational stance that patients should not bear the financial burden of transferring records to third-party commercial organizations. Yet the company believes third-party organizations are using the right-of-access guidance to minimize their own costs.
"While we have seen the legal industry taking advantage of the right-of-access guidance to minimize their overall costs for litigation, we are now seeing other organizations such as insurance companies invoking the right-of-access guidance," Delahoussaye says.
Wickenhauser agrees, noting that "DataFile ardently supports a patient's right to access their health information in a responsible manner. The reality, however, is that right to access is not being used for a patient to access their health information. Rather, the guidance is, in our opinion, being abused by attorneys under a guise of a patient's right to access."
In a recent postguidance internal analysis, Wickenhauser says the overall percentage of right-to-access requests escalated month over month. "Additionally, we've seen more than 90% of right-to-access requests indicate an attorney is involved," she says. "This cannot be OCR's intent that attorneys use right to access as a means to obtain records instead of a valid authorization. Our data clearly illustrate patients are not the ones obtaining these records under right to access—attorneys are."
Where Does Minimum Necessary Factor in the Equation?
According to HHS, the "minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function."
Delahoussaye notes that use of a HIPAA valid authorization helps patients control the information released to third parties in support of minimum necessary. However, she says that with patient right of access, the minimum necessary standards are not as easy to implement because the parameters for a patient directive differ from what is required within a HIPAA valid authorization.
A patient directive requires validation of the patient requesting the information. If the patient is directing the information to a third party, that party must be appropriately identified. In contrast, a HIPAA valid authorization has many requirements, including parameters for what specific information is released.
In its recent guidance, OCR disallowed use of HIPAA authorizations for right-to-access requests for third parties:
"We note that a covered entity (or a business associate) may not circumvent the access fee limitations by treating individual requests for access like other HIPAA disclosures—such as by having an individual fill out a HIPAA authorization when the individual requests access to her PHI (including to direct a copy of the PHI to a third party)."
"This is concerning because patients may not be fully aware of what they are granting and may not understand the use of their PHI," Delahoussaye says. "The benefit of HIPAA valid authorization is that it empowers patients to understand that they have a right to minimize what they release, that they can limit the dates of service authorized to be released, and that they have a right to place an expiration date on that release."
Wickenhauser agrees, noting that "There are certain components to a HIPAA authorization designed to protect the patient, like an expiration date and the right to revoke the authorization, and right-to-access requests do not incorporate those same protections. It truly is in a patient's best interest to use an authorization when sending records to a third party."
Murphy-Abdouch says most patients do not recognize all the components of a medical record. Therefore, an opportunity exists for HIM to assist patients in determining what might be most useful to them under right to access. "What a consumer probably needs is a discharge summary and vital lab results. The entire records probably won't be useful to them," she points out, noting that this reality does not diminish patients' rights to their information, but the facts are that much of the content in the record probably won't meet their needs. "I think we need to talk to clients and help them identify what information is most useful. I think HIM can be an advocate, educating the patient on what's going to be most useful for them."
Impact on HIM
Some industry professionals believe the OCR guidance has created confusion that impacts HIM departments in a negative way. Others view the situation as an opportunity for HIM professionals to better engage patients and improve access to health information.
"This right-to-access confusion has impacted staff immensely—it is in no way black or white," Wickenhauser says. "Third parties want this information fast, cheap, and accurate, but you cannot have all three. Right-to-access requests cannot be generated by pushing a single button. If it were that easy, we would all be doing it."
Delahoussaye says staff are burdened with trying to interpret whether requests are pursuant to an authorization or a right-to-access request. "Many patients do not understand the key differences between patient directives and a HIPAA valid authorization. Thus, they fail to understand how a HIPAA valid authorization affords more protection to their privacy," she notes. "In turn, HIM staff face challenges in ensuring that the patient's privacy is fully protected."
Diana Warner, MS, RHIA, CHPS, FAHIMA, director of HIM practice excellence with AHIMA, points out that these processes are not new and HIM departments should be schooled in how best to handle requests. A sound strategy for handling requests is built around effective information governance that ensures a program is in place to appropriately train staff and that they understand the guidance, she notes.
Warner says regardless of whether patients want their records e-mailed or mailed, the entity cannot require them to come in and sign an authorization. "Patients have a right to access their designated record," she says, pointing out that health care organizations must verify requester identities and provide risk education. "It's the organization's responsibility to make sure the patient gets their information the way they want it in a timely manner," she says.
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.
STANDARDIZED FORM AIMS TO IMPROVE ACCESS, COMPLIANCE
In July 2017, AHIMA introduced a first-of-its-kind standardized model Patient Request for Health Information form. Diana Warner, MS, RHIA, CHPS, FAHIMA, director of HIM practice excellence with AHIMA, says the form was designed to help health care providers streamline patient health information request processes and ensure they are compliant with the Office for Civil Rights' (OCR) guidance on an individual's right of access under HIPAA.
AHIMA developed the form after hearing from several health care and patient advocacy working groups that consumers are often confused by the inconsistency of patient access forms given to them by their health care providers. The AHIMA model form is exclusively for access to personal health information by the patient or their designated personal representative and assists health care organizations by providing a standard request form with options for how patients want to receive their records.
Recommendations for using the form include the following:
• Organizations should edit the form based on system capabilities as well as operational needs.
• Organizations should read and understand the OCR guidance, 45 CFR 164.524(c)(3), to ensure compliance.
• Organizations are not precluded from developing their own internal policies that comply with the OCR guidance as long as they do not create barriers to patient access.
• Logo, barcode, and address may be added at the organization's discretion.
• OCR guidance and state laws should be consulted when developing an organization's fee structure.
"What we've done in the form is make sure it's at an eighth-grade reading level," Warner says, adding that the aim is to make it easier for patients to get their health information. "We hope that more offices and hospitals will understand that patients do have this right."
As of this writing, the form, which can be accessed at www.ahima.org/modelform, had been downloaded more than 8,000 times.