Latest Legal Developments In HIPAA and Release of Information

2016 AAHIM Annual Meeting
Jim Hoover, Partner
Suite 3400 • 420 North 20th Street • Birmingham, Alabama 35203
direct 205-458-5111 • [email protected] • www.burr.com



Privacy Rule Refresher

• The Privacy Rule is the foundation of HIPAA.

• Although the Privacy Rule has been amended over the years, its intent remains simple: to define and limit the circumstances under which PHI may be used or disclosed by covered entities, in whatever format.

• The Privacy Rule imposes a long laundry list of requirements on a covered entity when dealing with PHI.

• The covered entity needs to have established written policies and procedures that restrict access and use of PHI, both internally and externally.

• The policies and procedures must be reviewed regularly.

• A covered entity (“CE”) and a business associate (“BA”) must each train their workforce members on proper handling of PHI.

• Unlike the Security Rule, the Privacy Rule is not scalable.

Security Rule Refresher

• The Security Rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (“ePHI”).

• The Security Rule thus only applies to ePHI, which is considered a subset of the more encompassing PHI addressed by the Privacy Rule.

• A covered entity is expected to implement audit controls, access controls, integrity controls, and electronic transmission security measures - all designed to ensure that ePHI is not being improperly accessed or altered.

• Under the Security Rule, a covered entity must conduct and document a risk analysis covering all of the ePHI it creates, receives, maintains or transmits, not just its EHR system. The enforcement actions discussed later in this presentation turn on exactly that point.

• As with the Privacy Rule, a designated compliance officer (Security Officer) must be named.

• Failure to reasonably identify weaknesses that invite data breach may be harshly scrutinized anyway, and much more so where the entity's own routine assessment policies have been ignored.

• The Security Rule is scalable: its safeguards are to be implemented in a manner that is reasonable and appropriate for the entity’s size, complexity and capabilities.

Enforcement Authority

• Civil Monetary Penalties (“CMP”) may now be levied by the Office for Civil Rights (“OCR”).

• For violations occurring after February 18, 2009, monetary penalties of $100 to $50,000 per violation may be imposed, with a cap of $1.5 million per calendar year for violations of an identical provision.

• A CMP will generally not be imposed if the failure was not the result of willful neglect and was corrected within 30 days of when the entity knew or should have known about it, or if the Department of Justice, which is responsible for criminal prosecutions, has already imposed a penalty for the same knowing or willful violation.

• The DOJ may seek fines of up to $250,000 and/or imprisonment of up to 10 years depending on the nature of the violation.

Historical Enforcement Actions

• In 2004, the total number of investigations “resolved” by the OCR was 1,516.

• In 2014, that number was 17,748.

• Regardless of the number or the year, the majority of complaints were “resolved” after intake and review (generally about 50%), or required corrective action (ranging between about 20% and 30%).

• Complaints dismissed with a finding of “no violation” after investigation are well in the minority (ranging from 4% in 2014 to a high of 17% in 2010).

• Thus the working assumption should be that an OCR investigation will generally (about 75% of the time) result in a finding that requires resolution or corrective action; a finding of “no violation” once an investigation ensues has been the historical exception, not the rule.

Enforcement In Alabama

From April 14, 2003 through December 31, 2014:

• Investigated no violation = 10%

• Resolved after intake and review = 62%

• Investigated and corrective action = 27%

Non-Breach Compliance Review Results 2013 & 2014 (chart not reproduced in this transcript)

Breach Compliance Review Results 2013 & 2014 (chart not reproduced in this transcript)

Feinstein Institute for Medical Research – March 17, 2016

• Feinstein is a biomedical research institute sponsored by Northwell Health, f/k/a North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty-one hospitals and over 450 patient facilities and physician practices.

• Agreed to pay $3.9 million and undertake a corrective action plan to settle potential violations of HIPAA.

• OCR’s investigation began after Feinstein filed a breach report.

• According to the report, on September 2, 2012, a laptop computer containing the ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored on the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

• OCR concluded that: Feinstein’s security management process was limited in scope, incomplete, and insufficient; it lacked policies and procedures for authorizing access to ePHI by its workforce members; it failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.

• Importantly, OCR also found that for electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

North Memorial Health Care – March 16, 2016

• North Memorial is a comprehensive, not-for-profit health care system in Minnesota.

• The settlement includes a monetary payment of $1,550,000 and a “robust” corrective action plan.

• OCR initiated its investigation following receipt of a breach report on September 27, 2011. The report indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle. (A password on the operating system is not encryption of the stored data; see the unsecured PHI guidance later in this presentation.)

• The loss allegedly impacted ePHI of 9,497 individuals.

• Interestingly, OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

• North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

Complete P.T. Physical Therapy, Inc. – February 16, 2016

• Complete P.T. is a physical therapy practice located in the Los Angeles area.

• Complete P.T. agreed to pay $25,000, implement a corrective action plan, and make annual reports of compliance efforts for a one-year period.

• OCR received a complaint on August 8, 2012, alleging that Complete P.T. had impermissibly disclosed numerous individuals’ PHI when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. The specific violations were:

– failed to reasonably safeguard PHI;

– impermissibly disclosed PHI without an authorization; and

– failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.

Lincare, Inc. – ALJ Hearing and Decision

• a/k/a “A husband scorned” – The ex-husband of a manager complained to OCR that his ex-wife left him in 2008 and left behind documents containing the PHI of 278 patients.

• OCR investigated the case and determined that Lincare had violated HIPAA’s Privacy Rule.

• OCR issued a letter on January 28, 2014 to Lincare that it proposed imposing a CMP of $239,800.

• Lincare appealed so the matter was set for hearing in front of a DHHS’ ALJ.

Lincare (cont’d)

• Prior to hearing, OCR moved for summary judgment.

• OCR submitted several affidavits, to which Lincare objected. Interestingly, one of the affidavits was from Laurie Rinehart-Thomas, Director of HIMS at Ohio State University, who is certified by AHIMA as a registered health information administrator. She offered expert testimony.

• According to the ALJ, Lincare did not present any evidence suggesting that OCR’s evidence is unreliable and did not “even allege that it disputes the underlying facts established by these documents.”

• The ALJ concluded that Lincare did not come forward with admissible evidence showing a dispute of material fact and imposed the OCR’s suggested fine of $239,800.

Lincare (cont’d) Interesting Facts

• The parties agreed that because Lincare employees provided services away from the company’s offices, employees had to remove records containing PHI from those offices.

• They also agreed the company instructed its center managers to maintain copies of the procedures manuals “secured” in their vehicle so employees would have access to patient contact information if a center office were destroyed or not accessible.

• The manager admitted to leaving the documents in her car even though she knew her husband had the keys. She also admitted that when she left she didn’t know where the car was parked.

• Neither the manager nor anyone at Lincare knew the documents were missing until the ex-husband filed the complaint with OCR and reported them to Lincare.

Lincare (cont’d)

Affirmative Defenses for Violations after February 18, 2009

• The CE did not know about the violation and would not have known with the exercise of reasonable diligence.

• Despite the use of ordinary business care, circumstances made it unreasonable for the CE to comply with the violated provisions, the violation was not caused by “willful neglect,” and it was corrected within 30 days of when the CE knew or should have known about it.

• OCR may extend the 30-day period as it deems appropriate “based on the nature and extent of the failure to comply.”

Lincare – ALJ’s Comments

• “Lincare has not come forward with a shred of evidence to substantiate its defamatory allegations.”

• “The Company filed a criminal complaint against him and had him arrested but the charges were dropped.”

• “Thus, undisputed evidence establishes that Manager Shaw, a Lincare workforce member, [1] removed her patient’s PHI from the company office, [2] left it in places to which her husband, an unauthorized person, had access, and [3] then abandoned it altogether. Neither she nor anyone else at Lincare even knew that the information was missing until months later.”

• “In fact, no written policy even addressed staff’s protecting PHI that was removed from the offices.”

Lincare Take Aways

• Lincare argued it satisfied HIPAA because it trained its employees in privacy policies.

• “Even if training were flawless (and no evidence suggests that it was even adequate), staff training does not compensate for missing policies.”

• “Respondent offers no real evidence describing the training curriculum. It relies on selected quotes from company employees describing their training.”

ALJ Hearing Procedures in the HIPAA Context

• The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable.

• The CE/BA has the burden of going forward and the burden of persuasion with respect to any: (i) affirmative defenses; (ii) challenge to the amount of a proposed penalty, including any factors raised as mitigating factors; (iii) claim that a proposed penalty should be reduced or waived; and (iv) compliance with the Notification in the Case of Breach of Unsecured PHI provisions.

• The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability other than with respect to the Notification in the Case of Breach of Unsecured PHI provisions, and the existence of any factors considered aggravating factors in determining the amount of the proposed penalty.

• The burden of persuasion will be judged by a preponderance of the evidence.

• The hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown.

• Subject to some limitations, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination or the request for hearing, as applicable.

• After both parties have presented their cases, evidence may be admitted in rebuttal even if not previously exchanged.

Enforcement Take Aways

• While the majority of violations are resolved through voluntary compliance or settlement agreements, those resolutions are often costly.

• Office for Civil Rights Director Jocelyn Samuels is quoted as saying: "All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise . . . . An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

• To-do list: (1) risk assessment, (2) review policies and procedures, and (3) train, train, train, and document your training!

Audit Authority

• Audits are a compliance tool for OCR that supplements its other enforcement tools, such as complaint investigations and compliance reviews.

• Phase 1 - In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements.

• Phase 2 – Announced on March 21, 2016 and currently underway. OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

Audit – Phase 2

• OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools.

• Every covered entity and business associate is eligible for an audit.

• Communications from OCR will be sent via email.

• If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR.

• Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to covered entities and business associates. As a part of the pre-audit screening questionnaire, OCR is asking that entities identify their business associates.

Audit – Phase 2 (cont’d)

• OCR plans to conduct desk and onsite audits for both covered entities and their business associates.

• The first set of audits will be desk audits of covered entities.

• The second set of audits will be desk audits of business associates.

• All desk audits in this phase will be completed by the end of December 2016.

• The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits.

• Some desk auditees may be subject to a subsequent onsite audit.

Audit – Phase 2 (cont’d)

Desk Audits

• OCR will notify the selected covered entities in writing through email about their selection for a desk audit.

• The letter will include initial requests for documentation. OCR expects covered entities that are the subject of an audit to submit requested information via OCR’s secure portal within 10 business days of the date on the information request.

• All documents are to be in digital form and submitted electronically via the secure online portal.

• After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings.

• Auditees will have 10 business days to review and return written comments, if any, to the auditor.

• The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.

Audit – Phase 2 (cont’d)

Onsite Audits

• Entities will be notified via email of their selection for an onsite audit.

• Auditors will schedule an entrance conference and provide more information about the onsite audit process and expectations for the audit.

• Each onsite audit will be conducted over three to five days onsite, depending on the size of the entity.

• Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules.

• Entities will have 10 business days to review the draft findings and provide written comments to the auditor.

• The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response.

• OCR will share a copy of the final report with the audited entity.

Audit – Phase 2 (cont’d)

• Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.

• Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

• Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.

• OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.

• However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, it will abide by the FOIA regulations.

Historical Issues (chart not reproduced in this transcript)

Breach Notification Rule

• The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

Definition of Breach

• A breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the PHI.

• An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

– the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

– the unauthorized person who used the PHI or to whom the disclosure was made;

– whether the PHI was actually acquired or viewed; and

– the extent to which the risk to the PHI has been mitigated.

Exceptions to Definition of Breach

1. The unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of authority.

2. The inadvertent disclosure of PHI by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA, or organized health care arrangement in which the CE participates.

3. The final exception applies if the CE or BA has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

• For exceptions 1 and 2 above, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule.

Unsecured PHI Guidance

• Covered entities and business associates are required to provide the notifications only if the breach involved unsecured PHI.

• Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.

Unsecured PHI (cont’d)

PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

Encryption: the PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” The following encryption processes have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard:

(i) valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices;

(ii) valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Two practical points follow from this standard. A device that is merely password-protected, without encryption of the stored data (as in the North Memorial breach discussed earlier), is not “secured.” And the HHS guidance requires that the decryption key be kept on a device or at a location separate from the encrypted data; a laptop stolen with its key is not within the safe harbor.

Unsecured PHI (cont’d)

PHI is also rendered unusable, unreadable, or indecipherable to unauthorized individuals if the following applies:

Destruction of Media Storage: the media on which the PHI is stored or recorded has been destroyed in one of the following ways:

• Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

• Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

Notice of Breach

• A covered entity must notify the Secretary if it discovers a breach of unsecured PHI. All notifications must be submitted to the Secretary using the HHS.gov Web portal.

• A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate and, if it discovers additional information, submit updates through the same portal. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.

Breach Notification Requirements

Breaches affecting fewer than 500 individuals

• Individual notice must be in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.

• If the CE has insufficient or out-of-date contact information for 10 or more individuals, the CE must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. That substitute notice must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.

• If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.

• Breaches affecting fewer than 500 individuals must still be reported to the Secretary, but this may be done annually, no later than 60 days after the end of the calendar year in which the breach was discovered.

• The individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include:

– a brief description of the breach,

– a description of the types of information that were involved in the breach,

– the steps affected individuals should take to protect themselves from potential harm,

– a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity

Breach Notification Requirements

Breaches Affecting 500 or More Individuals

If the breach affects more than 500 residents of a State or jurisdiction, the CE must:

• Notify the affected individuals;

• Provide notice to prominent media outlets serving the State or jurisdiction, typically in the form of a press release serving the affected area. The media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

For any breach affecting 500 or more individuals, the CE must also notify the Secretary without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically by clicking on the link at HHS.gov and completing all of the required fields of the breach notification form.

Breach Notification Administrative Requirements and Burden of Proof


• Covered entities have the burden of demonstrating:

– that all required notifications have been provided, or

– that a use or disclosure of unsecured protected health information did not constitute a breach.

• With respect to an impermissible use or disclosure, a covered entity should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required:

– its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or

– the application of any other exception to the definition of “breach.”

• Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

Release of Information Guidance

• Individuals’ Right to Access their PHI

– covered entities must provide individuals, upon request, with access to their PHI maintained in a “designated record set.”

– This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.

Information Included in the Right of Access: The “Designated Record Set”

A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:

– Medical records and billing records about individuals maintained by or for a covered health care provider;

– Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

– Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.

• The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Information Excluded from the Right of Access

• PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This typically includes:

– quality assessment or improvement records;

– patient safety activity records;

– business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals; and

– a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service, or formulary development records.

• In addition, two categories of information are expressly excluded from the right of access:

– Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.

– Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Personal Representatives

• A person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.”

• The personal representative stands in the patient’s shoes.

• However, where the authority to act is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to PHI that is relevant to the representation. For example, if the authority is limited to only a specific treatment, such as use of artificial life support, then the personal representative is limited to only PHI that relates to that health care decision.

Minors

• In most cases, a parent, guardian, or other person acting as the “parent” is the personal representative of the minor.

• Three exceptions:

– When state law does not require the consent of a parent before a minor can obtain a particular health care service, and the minor consents to the health care service (age of consent laws);

– When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent

– When a parent agrees to a confidential relationship between the minor and a health care provider

Deceased Persons

• When an individual dies, the personal representative for the deceased is the executor or administrator of the deceased individual’s estate.

• State law determines who has authority to act on behalf of an estate.

• A CE may disclose to a family member, or other persons who were involved in the individual's care or payment for health care prior to the individual's death, PHI of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Access to PHI

• A CE may require individuals to request access in writing, provided it informs individuals of that requirement.

• A CE may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access.

• A CE may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to their PHI.

Unreasonable Measures

A covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. Examples of unreasonable measures:

– Requiring a patient who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.

– Requiring use of a web portal for requesting access, as not all individuals will have ready access to the portal.

– Requiring individuals to mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access.

Form, Format and Manner

Requests for Paper Copies: Where an individual requests a paper copy of PHI, OCR expects that the covered entity will be able to provide the individual with the paper copy requested.

Requests for Electronic Copies:

– If an individual requests an electronic copy of PHI but the covered entity only maintains paper records, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.

– If an individual requests an electronic copy of PHI and the covered entity maintains it electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in the form and format requested.

– When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format.

– Thus, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically. It is only if the individual declines to accept any of the electronic formats readily producible by the covered entity that the covered entity may satisfy the request for access by providing the individual with a readable hard copy of the PHI.

Fees for Copies

• The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI. The fee may include only the cost of:

– labor for copying the PHI requested by the individual, whether in paper or electronic form;

– supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;

– postage, when the individual requests that the copy, or the summary or explanation, be mailed; and

– preparation of an explanation or summary of the PHI, if agreed to by the individual.

• The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above, even if such costs are authorized by State law.

Cost Based Fees

• Labor (whether in paper or electronic form):

– Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.

– Labor for copying does not include costs associated with reviewing the request for access; or searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record, and segregating or otherwise preparing the PHI that is responsive to the request for copying.

Cost Based Fees (cont'd)

• Labor (cont'd): labor for copying does not include labor costs associated with:

– Reviewing the request for access.

– Searching for, retrieving, and otherwise preparing the responsive information for copying. This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.

– Comment from the OCR – “While we allow labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.”

Calculating Costs

• Actual Costs - A covered entity may calculate the actual labor cost of fulfilling each request, as long as the labor counted is limited to the permitted copying activities described above, plus the actual cost of supplies and postage.

• Average Costs - Alternatively, a covered entity may develop a schedule of costs based on the average labor cost of fulfilling standard types of access requests, plus the actual cost of supplies and postage for the particular request.

• Flat Fee for Electronic copies of PHI maintained electronically - A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.

HIPAA Authorization v. Right of Access

• Effect on the covered entity

– HIPAA Authorization: Permits, but does not require, a covered entity to disclose PHI.

– Right of Access: Requires a covered entity to disclose PHI, except where an exception applies.

• Required elements

– HIPAA Authorization: Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, the signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual's right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.

– Right of Access: Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.

• Timeliness

– HIPAA Authorization: No timeliness requirement for disclosing the PHI.

– Right of Access: Covered entity must act on the request no later than 30 days after the request is received.

• Safeguards

– HIPAA Authorization: Reasonable safeguards apply (e.g., PHI must be sent securely).

– Right of Access: Reasonable safeguards apply, including a requirement to send securely; however, the individual can request transmission by an unsecured medium.

• Fees

– HIPAA Authorization: No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration.

– Right of Access: Fees limited as provided in 45 CFR 164.524(c)(4).