Previously, we presented a high-level summary of the Department of Health and Human Services’ (HHS) recently released proposed rule to revise the HIPAA Privacy Rule and a deep dive into the Individual Right of Access Proposals.
This week's post inspects the proposed changes to permitted fees under HIPAA for accessing PHI and electronic-PHI.
For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible.
When Would These Changes Need to Be Implemented?
HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, it would likely be more than a year from now.
Proposed Changes to HIPAA Policies on Fees for Access to PHI and ePHI
The Proposed Rule describes categories for which covered entities cannot charge a fee.
Current Requirement
You can charge a reasonable, cost-based fee to fulfill access requests from individuals for copies of their PHI with the following limits on the allowable fees to:
You may not charge any fee or include in fee calculations the costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above.
Proposed New Requirement
HHS is categorizing the proposed permitted fees based on the method of PHI access and who the recipient of the PHI is (either the individual/personal representative or a third party to which the patient directs you to send their PHI.
HHS published the table below to summarize the proposed changes.
Important notes:
HHS proposes to require you to provide advance notice of approximate fees for copies of PHI requested under the Individual Right of Access.
Current Requirement
You must currently provide advance notice of fees under HIPAA However, since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of their PHI.
Proposed New Requirement
In addition to the current requirement, HHS proposes to require you to do the following:
HHS proposes that the notice must include:
In addition to the above requirements, HHS proposes to require you to provide, upon an individual's request, the following:
More Blogs on the HIPAA Privacy Proposed Rule
Part 2: Individual Right of Access Deep Dive