While conducting a workshop focused on privacy, the question came up about what covered entities and business associates supporting covered entities can charge for an electronic copy of a patient’s designated record set (aka PHI). My answer to the audience was partially correct and partially wrong.
The following is an excerpt from the preamble to the Omnibus Rule.
Reference: 5636 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations
A word of caution: The preamble to any rule is does not have the force or effect of law. Consider it guidance when attempting to comply with a rule. Guidance may change following the finalization of a rule for any number of reasons.
Commenters requested clarification on how to proceed when state laws designate fees.
When a State law provides a limit on the fee that a covered entity may charge for a copy of protected health information, this is relevant in determining whether a covered entity’s fee is ‘‘reasonable’’ under § 164.524(c)(4). A covered entity’s fee must be both reasonable and cost-based. For example, if a State permits a charge of 25 cents per page, but a covered entity is able to provide an electronic copy at a cost of five cents per page, then the covered entity may not charge more than five cents per page (since that is the reasonable and cost-based amount). Similarly, if a covered entity’s cost is 30 cents per page but the State law limits the covered entity’s charge to 25 cents per page, then the covered entity may not charge more than 25 cents per page (since charging 30 cents per page would be the cost-based amount, but would not be reasonable in light of the State law).
What This Means to Covered Entities:
Covered entities cannot charge a patient more than the reasonable costs associated with labor, supplies (e.g., USB drive, CD ROM), and if the patient requests the electronic media be sent via US Postal, for mailing costs. When it comes to the interplay with state law, covered entities may charge the patient for the reasonable cost to prepare and send the designated record set unless the cost to provide a copy of the designated record as set by state law is less than the amount determined to be a reasonable cost under HIPAA.
For business associates who provide release of information (ROI) services to covered entities operating in multiple states, and for covered entities who operate in multiple states, it’s important to review the charges allowed under state law in each of the states they operate in and to calculate what would be considered a reasonable charge to supply an electronic copy of the designated record set.
If state laws where these entities operate permit charges greater than reasonable costs associated with providing a patient with a copy of his or her designated record set under HIPAA, charges would be capped at what is a reasonable cost. On the other hand, if the permitted charge under state law is less than the HIPAA reasonable cost to provide a copy of the designated record set, entities must adhere to state law to determine what can be charged to provide a patient a copy of his or her designated record set.
In the end it comes down to whether or not state law is more stringent than HIPAA. State law would preempt HIPAA if the cost to prepare and send a copy of a designated record set (aka PHI) to a patient is less than what is determined to be a reasonable cost as defined by HIPAA .
Chris Apgar, CISSP, CEO, is a frequent educator and panelist for OMA, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. For all of your privacy and security compliance consulting needs, call the HIPAA experts at Apgar & Associates: 503-384-2538.