HHS Issues New HIPAA Guidance

By: Angela L. Carr and Kristen M. Whittle

The Department of Health and Human Services (HHS) recently issued new guidance concerning patients’ right to access protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). In connection with this guidance, HHS’s Office for Civil Rights issued the following statement:

“At the Office for Civil Rights (OCR), we believe strongly that every individual should be able to easily exercise their right to access their health information, allowing them to be fully engaged in their care and empowered to make the health care decisions that are right for them. The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans. But this right has not always been well-understood, and far too often individuals face obstacles accessing their health information, even from entities required to comply with HIPAA…[W]e are providing additional information to make this HIPAA right more of a reality…”

This new guidance is aimed primarily at covered entities, including providers, hospitals, and health plans, and seeks to clarify the requirements that providers must follow in sharing medical records with patients. The guidance materials, which include frequently asked questions and answers about HIPAA’s access right, cover the following topics: fees that can be charged to individuals for copies of their PHI; an individual’s right to have PHI sent directly to a designated third party; the scope of information covered by HIPAA’s access right; timelines for providing access to PHI; and the form, format, and manner of access to PHI.

Specifically with respect to fees, the new guidance provides that covered entities are permitted to impose a reasonable, cost-based fee if the individual requests a copy of the PHI. However, “the fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”

The full text of the new guidance is available here: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html