Paying the Price for Patient PHI
What access should you have to your own medical information? Should you have to pay for it? And if so, how much should it cost?
These are three key questions raised by a recent enforcement action conducted by the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). The answers are instructive, not only for individuals seeking access to their own protected health information (PHI) but also for the organization that possesses it.
The Korunda Case
According to an HHS press release, the case began when a patient launched a complaint against Korunda Medical, LLC (Korunda), a primary care provider located in Naples, Florida, alleging that the provider was refusing to forward the patient’s medical record to a third party in the electronic format that the patient had requested and that Korunda was charging its patients an unreasonable fee in excess of the cost to the provider for the service.
After the OCR stepped in and worked with Korunda to correct the situation, HHS closed the case. However, less than a week later, OCR received a second complaint against Korunda for another infringement of the Privacy Rule concerning an individual’s right to access their own PHI under 45 C.F.R. § 164.524 of the of the Health Insurance Portability and Accountability Act, or HIPAA.
At this point, the OCR opened up an investigation, which resulted in Korunda being found guilty of failing “to provide timely access to protected health information from April 22, 2019 to May 12, 2019.” OCR assessed Korunda an $85,000 penalty for the HIPAA infringement and imposed a corrective action plan (CAP) on the provider, according to the resolution agreement that HHS and Korunda eventually settled upon.
The Privacy Rule and PHI Access
So, what did Korunda do wrong?
Essentially, 45 C.F.R. § 164.524 guarantees an individual “a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans,” according to HHS.
Under the rule, a covered entity (in this case, a provider such as Korunda) may require that the individual request access to their PHI in writing, in an email, a message on a secure web portal or via a form provided by the entity. Upon receipt of the request, the entity then has 30 calendar days to provide the individual access to the information. Within that timeframe, the entity can deny the patient access to their own PHI only under very strict circumstances (for example, a psychotherapy provider may deny release of case notes for use in a trial). But for the most part, the entity has to agree to the individual’s request.
In Korunda’s case, the first issue was not providing the patient with their PHI in a timely manner.
Furnish the Format
The Korunda case also raises the issue of the format in which the PHI should be given to the requesting patient. Korunda’s patient had requested that their information be sent to the third party in an electronic, rather than paper, format.
Legally, the entity has to honor this part of the patient’s request and provide the information in whatever form the patient requests it, whether that be paper or electronic. If the entity only keeps paper records, it is obligated to scan the information and make it available electronically; similarly, if the entity only has electronic copies of the patient’s PHI, the entity has to provide printouts of everything the patient is requesting as hard copies.
The privacy rule does allow the entity to recover the cost of the format from the patient,but within reason.
Calculate the Cost
Once the entity has received and agreed to provide the patient’s PHI, in whatever format the patient requests, the entity is within its rights to charge its patients for releasing their HPI. But the entity cannot charge the individual an unreasonable amount of money for the service.
“The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party,” according to HHS. They include:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form …;
- Supplies for creating the paper copy (e.g. paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media …;
- Labor to prepare an explanation or summary of the PHI …; and
- Postage, when the individual requests that the copy, or the summary or explanation, be mailed” (Source: May a covered entity charge individuals a fee for providing the individuals with a copy of their PHI?).
For Korunda, this meant having to calculate “a reasonable cost-based fee for access to PHI” as a part of the CAP imposed on them by HHS.
For patients, this means the ability to obtain information about the medical state of their arms or legs shouldn’t cost them … well … an arm and a leg.