Records Requests: Is Your Practice HIPAA Compliant?

January 21, 2015

What is a provider supposed to do to ensure HIPAA compliance with copying charges when a request for medical records is made? It’s not always easy.

HIPAA imposes many requirements on medical practices and providers.  One requirement of HIPAA, which impacts practices on an almost daily basis, is handling requests by patients for copies of their medical records.  Whatever the reason (obtaining a second opinion, transferring care to a new physician, etc.), HIPAA requires providers to generally provide patients with a copy of their medical records within 30 days of that request. 

A recent survey by the American Health Information Management Association (AHIMA) and Texas State University demonstrated that fees being charged, especially for paper medical records, vary widely from state to state (while it’s unlikely that the cost of actually copying the record varies much from state to state).  According to AHIMA, in a survey of its members, out of 313 members that responded to the survey, about 65 percent said they charged less than $1 per page. More than half (52.6 percent) said they charged for electronic copies, while 64.7 percent reported they charged patients for paper copies. 

What is a provider supposed to do to ensure HIPAA compliance with copying charges when a request for medical records is made? It’s not always easy. 

For example, let’s look at Illinois state law, which has specific maximum charges which a physician can charge for copying medical records.  This includes a per-page formula plus the cost of actual postage and a handling fee.  Electronic records are charged at 50 percent of the per page fee.  On the other hand, HIPAA refers only to a “reasonable, cost-based fee,” which includes only the cost of the copying (and related supplies and labor, postage if the individual requests the copy be mailed) and the supplies (i.e. flash drive).  There is no allowance for a flat handling fee under HIPAA nor is it considered reasonable to charge for pulling, reviewing, or extracting the record. 

How can providers know what to charge for copies of medical records in order not to run afoul of either state or HIPAA requirements?  The answer generally is that a physician should charge the lesser of the amount required by state law or the amount allowed under HIPAA.  It’s also important to know that HIPAA appears to apply only to copies made for and sent to the individual (or his or her representative for healthcare purposes). 

Arguably, HIPAA does not apply to requests made by others on behalf of the patient, such as attorneys, insurance companies, etc., with limited exceptions. Therefore, it’s important to know who is making the request and why when assessing the copying charges.  When HIPAA does not apply, physicians should just charge what state law allows and this can include a handling fee.

Many practices still continue to charge flat fees for medical records, and can be somewhat oblivious to the requirements of state and federal laws.  Other practices fail to make the necessary analysis in order to ensure they are charging the correct amounts.  This can not only cost the practice money in some instances (where they could have charged more), but where the policies being followed are noncompliant, it can open the practice to risk of violating HIPAA.

Although the Office for Civil Rights (OCR) has not yet fully refined its protocols to allow HIPAA audits to commence in full force, you can be sure that OCR’s procedures will include reviewing all practice policies in order to ensure compliance with HIPAA. 

To avoid an investigation, audit, or civil penalties, every practice needs to examine all of the policies it has in place that in any way relate to HIPAA.  Charges to patients for medical records is a very small part of HIPAA compliance, but can be a good indicator of whether appropriate steps have been taken practice-wide to otherwise ensure compliance with the law. 

As part of your practice’s overall goal of ensuring HIPAA compliance, start by looking at how medical records are billed and processed.  If you have concerns, talk to legal counsel or even your state medical society for guidance.