On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). Because the Final Rule covers a broad range of topics, we will be issuing a series of alerts in our HIPAA Impact Series to provide further analysis on these topics. This alert focuses on an individual’s right to request an electronic copy of any protected health information (“PHI”) maintained electronically by a covered entity in one or more designated record sets.
The Right to Access Electronically Maintained PHI
Under the Final Rule, a covered entity that maintains medical records electronically must provide an individual with a copy of his or her medical records (or a summary or explanation thereof if agreed to by the individual) in electronic format if requested by the individual. The covered entity must provide the electronic copy in the electronic form and format requested by the individual, if such format is readily producible. The covered entity is not required, however, to purchase software to accommodate all requests for specific formats. Instead, if the format requested by the individual is not readily producible, the covered entity must be able to offer the individual at least one machine-readable electronic format as an alternative (e.g., a PDF, Excel or Word file). This may require some investment by the covered entity if it is not currently able to produce some form of an electronic copy of the information. If the requesting individual rejects all of the offered electronic formats, the covered entity must provide a hard copy of the record.
HHS provided additional guidance and clarification regarding these changes in the commentary accompanying the Final Rule. Some of the key comments provided by HHS included the following:
- Content. The electronic copy must provide all electronic PHI within the scope of the individual’s request that is maintained in the designated record set (or designated subset) at the time the request is fulfilled, including images or data linked to the record set.
- Form and Format. A covered entity is not required to scan records maintained in hard copy or to use an individual’s flash drive or other portable media to transfer the electronic PHI if there are security concerns associated with use of such devices. The covered entity also does not need to provide an individual with direct access to the covered entity’s electronic systems, but may do so through a secure portal.
- Unencrypted Email. A covered entity may send the electronic copy by unencrypted email if requested by the individual, but only after the covered entity has warned the individual of the risk that the information could be read by a third party. If the individual has been properly warned of the risks and unauthorized access to PHI occurs as a result of the unencrypted transmission, the covered entity is not responsible for the breach.
- Fees. A covered entity may charge reasonable, cost-based fees for producing electronic copies. These fees may include labor costs, costs of electronic media (e.g., a CD or USB flash drive) upon request by, or agreement with, the individual, and costs for postage or carrier fees to send electronic media to accommodate an individual’s requested delivery method. Labor costs may include technical staff time spent creating or copying electronic files (i.e., compiling, extracting, scanning and burning PHI to media) or time spent preparing a summary or explanation of the requested information, but may not include a retrieval fee. The covered entity may also not charge for costs related to acquiring new technology, system maintenance or data storage, because the regulations do not require the covered entity to purchase or adopt new systems. Where state law imposes lower cost limits, state law would apply.
- Third Parties. A covered entity must transmit the electronic copy directly to another person designated by the individual if requested to do so in a signed writing that clearly identifies to whom and where the information should be sent. Although the covered entity can rely on information provided by the individual regarding the third-party recipient, the covered entity must still implement policies and procedures to verify the identity of the person requesting PHI and implement reasonable safeguards to protect the information being disclosed. For example, the covered entity does not need to verify an email address provided by the individual, but it must have a process in place to ensure that it correctly enters the email address provided when transmitting the data.
- Timeliness. A covered entity must respond to requests for access within 30 days, whether in hard copy or electronic format. The covered entity can still extend the response time by 30 days, if necessary, but must notify the individual of such delay in writing and must include the reason for the delay and the expected date of completion in the written notification. The Final Rule eliminates the additional 30-day extension when records are not maintained onsite, meaning the covered entity will now have a maximum of 60 days, rather than 90 days, to respond to requests for access to information maintained off-site, regardless of whether the information is in hard copy or electronic format. We note that a covered entity’s right to deny an individual access to his or her records under 45 C.F.R. § 164.524(a)(2-3) is not impacted by the Final Rule.
Practical Takeaways
In response to the Final Rule, it is recommended that a covered entity do the following:
- Review and revise policies and procedures to comply with the Final Rule.
- Consider whether the covered entity has the capability to provide electronic copies upon request, or whether new systems must be implemented to ensure compliance with the Final Rule.
- Identify personnel whose job functions will be affected by the Final Rule, and ensure they are properly trained in implementing these changes.
- Consider preparing forms for individuals to use if the covered entity will require that individuals request access to records in writing.
- Determine appropriate fees the covered entity will charge when producing electronic copies, taking into consideration applicable state laws, and develop a process to ensure fees are implemented properly.
- Revise the covered entity’s Notice of Privacy Practices to accurately reflect these changes.
If you have any questions, please contact:
- Monica Hocum at mhocum@wp.hallrender.com or 414-721-0454;
- Leia Olsen at lolsen@wp.hallrender.com or 414-721-0466;
- Stephane Fabus at sfabus@wp.hallrender.com or 414-721-0904; or
- Your regular Hall Render attorney.
Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/impact.