HIPAA Privacy Rule Access Right: Assessing Fees When an Individual Requests Electronic Access to PHI Privacy and Security Workgroup Stan Crosley, Chair.
HIPAA Privacy Rule Access Right: Assessing Fees When an Individual Requests Electronic Access to PHI Privacy and Security Workgroup Stan Crosley, Chair September 28, 2015

Agenda
- Continuation of discussion on fees to provide electronic copies of PHI
- Review strawman suggestions
- Develop key discussion points to inform OCR's upcoming sub-regulatory guidance

PSWG Workplan - Detail

Meeting: September 21, 2015, :00-3:30pm ET
Topic: Fees for Electronic Access
Tasks:
- Understand background issues surrounding the HIPAA Access Rule and HITECH modifications to HIPAA.
- Gather information regarding key questions surrounding assessment of fees for electronic access to PHI, including accepting written testimony from stakeholders.
- Develop strawman recommendations based on discussion.

Meeting: September 28, 2015, :00-3:30pm ET
Topic: Fees for Electronic Access
Tasks:
- Continue discussing fees for electronic access.
- Review strawman suggestions.
- Develop final discussion points to inform OCR's forthcoming sub-regulatory guidance.

Meeting Purpose - Restated: Access Guidance Requested for PMI
- The President's Precision Medicine Initiative (PMI) requires the HHS Office for Civil Rights (OCR) and ONC to collaborate to address barriers that prevent patients from accessing their health data (office/2015/07/08/fact-sheet-new-patient-focused-commitments-advance-president%E2%80%99s-precision).
- OCR is to develop additional guidance materials to educate the public and health care providers about a patient's right to access his or her health information under HIPAA.

Table of Compiled Summary Responses (stakeholder groups: Provider Groups, Vendor Groups, Patient Groups)

Q1: File size as proxy for page?
- Provider groups: No
- Vendor groups: No
- Patient groups: No

Q2: Form and format requested affect charge?
- Provider groups: Yes, if not standard format or easily accessible
- Vendor groups: Yes, if not standard format or easily accessible
- Patient groups: No

Q3: Labor costs for BA labor to generate electronic copy for patient?
- Provider groups: Yes, should allow BAs to charge labor fees.
- Vendor groups: Yes, allow charges on a flat fee or per transaction basis.
- Patient groups: No, because it is a business decision to have non-interoperable systems.

Q4: Charge if EHR has to be printed, scanned and uploaded?
- Provider groups: Yes, if providers are required to do this.
- Vendor groups: Mixed responses. Some said charges are allowed, while others said it was debatable.
- Patient groups: No, because labor costs here would not be reasonable.

Q5: Different if copy of data was transmitted to non-HIPAA CE?
- Provider groups: No difference as long as it is a HIPAA compliant request.
- Vendor groups: No difference, but one stakeholder said there may be a difference if there is competitive risk.
- Patient groups: No difference.

Discussion Summary Q1
Is an electronic file size an appropriate proxy for "pages" in setting fees for electronic access, or is it simply a substitute for a per-page proxy?
- General agreement with provider summary responses.
- It may be appropriate to have a fee structure, but file size is not a proxy; the components would be a labor charge and a media charge.
- The VA uses a regulation-driven calculation and has a set minimum amount; cost under that amount is waived. Charges are specific to the request.

Discussion Summary Q2
Should the producible form and format of the electronic copy the individual requests affect how the individual is charged?
- It may be useful to review FOIA definitions for form and format.
- Should there be a differentiation of costs for patients?

Discussion Summary Q3
If, due to interoperability issues between an EHR where the requested information is maintained and the software used to create the copy for the individual, the business associate must download the file from the EHR and subsequently upload it to the business associate's software before generating an electronic copy for an individual, should labor costs associated with this process be charged to the individual?
- No consensus on when and when not to charge, but consensus that there should be a line between making a copy and actually searching and retrieving.
- Must establish what counts as search and retrieval and how labor is calculated.
- Use the FOIA definition of search.

Discussion Summary Q4
If information from an EHR has to be printed on paper (and therefore paginated) and then scanned and uploaded to a different software program used to create and/or send the copy for/to the individual, should the individual be charged?
- Hard to set policy based on process.
- Fact patterns and categorization of charges could be useful.
- The more examples (hypotheticals) the guidance from OCR includes, the easier it would be to provide recommendations and input.
- Streamlining the process would result in cost reduction.

Discussion Summary Q5
Would you answer anything differently if the copy of the data from the designated record set were being transmitted to a non-HIPAA covered business associate, such as a PHR vendor, compared to another HIPAA covered entity or that organization's business associate?
- Have heard concerns about security risks.
- Legal review implications.
- Patient is in control.
- Organizations may not be fully informed.
- Other confidentiality laws apply.
- This may be an issue, depending on who the third party is, and may pose a competitive risk.

FOIA Definitions and Key Terms for Fees
FOIA Statute: 5 U.S.C. § 552

Fee schedules must allow charges only for "direct costs of search, duplication, or review." Review costs may only include direct costs incurred during the initial examination of a document in determining whether the documents must be disclosed or in determining whether any part of the document is exempt from disclosure. Review costs may not include costs incurred in resolving issues of law or policy raised in processing a FOIA request. (5 U.S.C. § 552(a)(4)(A)(iv))

"Search" is defined as: "to review, manually or by automated means, agency records for the purpose of locating those records which are responsive to a request." (5 U.S.C. § 552(a)(3)(D))

The law requires an agency to provide "the record in any form or format requested by the person if the record is readily reproducible by the agency in that form or format. Each agency shall make reasonable efforts to maintain its records in forms or formats that are reproducible for purposes of this section." (5 U.S.C. § 552(a)(3)(B))

HHS FOIA Regulations: Definitions and Key Terms for Fees
HHS Regulations on FOIA: 45 C.F.R. Part 5

FOIA requests that are made for commercial purposes are charged for search, review, and duplication. Educational institutions or non-commercial scientific institutions, as defined under the FOIA statute, are charged only for duplication after the first 100 pages. All other FOIA requesters are charged only for search and duplication. HHS will not charge for the first two hours of search time or for the copying costs of the first 100 pages of duplication. (45 C.F.R. § 5.41)

HHS regulations define a search as: "looking for records or portions of records responsive to a request. It includes reading and interpreting a request, and also page-by-page and line-by-line examination to identify responsive portions of a document. However, it does not include line-by-line examination where merely duplicating the entire page would be a less expensive and quicker way to comply with the request." (45 C.F.R. § 5.5)

If HHS performs other special services requested by the requester, HHS charges fees associated with the actual costs of operating any machinery, plus the actual cost of any materials used, plus charges for the time of employees at the rates given above. (45 C.F.R. § 5.43(g))

Development of Final Key Suggestions
Further clarification required:
- How to define "search and retrieval"? When does search and retrieval end and copying begin?
- If a patient wants a CE to send a record to a third party, how to handle state laws that are more restrictive (privacy protective) than HIPAA?
- Use of examples or hypothetical scenarios will be more helpful.

Strawman Suggestion #1
File size should not be a proxy for pages. In future guidance, OCR should provide more precision around calculation of labor, media, and search and retrieval costs, and should provide examples of hypothetical scenarios for clarity.

Strawman Suggestion #2
In future guidance, OCR should define search and retrieval and distinguish search and retrieval costs from copying and duplication costs. OCR should also review the FOIA definitions of key terms such as "form and format" and "search."

Strawman Suggestion #3
OCR should clarify how to handle more restrictive (privacy protective) state laws if a patient wants a CE to send a record to a third party.

Next Steps
Develop final discussion points to inform OCR's forthcoming sub-regulatory guidance.

Backup Slides

Summary of Question 1 and Stakeholder Responses
Q1: Is an electronic file size an appropriate proxy for "pages" in setting fees for electronic access, or is it simply a substitute for a per-page proxy?

Provider Summary: File size should not be used as a proxy because many factors affect file size. Costs to reproduce EHRs should include labor costs for labor expended, including segmenting sensitive information. Per page may still be a viable option.

EHR Vendor Summary: File size should not be used as a proxy because many factors affect file size. Can use "virtual pages" or a flat fee based on transaction/record, or a one-time fee for the portable storage media being used.

Patient Summary: No fees should be charged for patients to receive their health record, unless it presents a significant burden on staff time.

Summary of Question 2 and Stakeholder Responses
Q2: Should the producible form and format of the electronic copy the individual requests affect how the individual is charged?

Provider Summary: Some provider organizations agree that if an individual requests a form or format that is not easily accessible or easy to provide, there should be an additional charge. However, some of those asked stated that the labor costs should be built into view, download, transmit capabilities.

EHR Vendor Summary: Deviation from an EHR-defined standardized format would allow the imposition of an additional cost to the patient. Other vendors stated that view, download, transmit requires C-CDA, and if what is requested is more than that, there should be additional charges.

Patient Summary: There should not be fees based on the form and format requested.

Summary of Question 3 and Stakeholder Responses
Q3: If, due to interoperability issues between an EHR where the requested information is maintained and the software used to create the copy for the individual, the business associate must download the file from the EHR and subsequently upload it to the business associate's software before generating an electronic copy for an individual, should labor costs associated with this process be charged to the individual?

Provider Summary: Should allow BAs to charge labor fees.

EHR Vendor Summary: Allow charges on a flat fee or per transaction basis.

Patient Summary: Labor costs are not reasonable because it is a business decision to maintain differing, non-interoperable systems.

Summary of Question 4 and Stakeholder Responses
Q4: If information from an EHR has to be printed on paper and then scanned and uploaded to a different software program used to create and/or send the copy for/to the individual, should the individual be charged, and how should cost be calculated?

Provider Summary: All felt costs should be allowed if they are required to do this.

EHR Vendor Summary: Mixed responses. Some felt charges were allowable, and one responded that charging such fees was debatable.

Patient Summary: Charges are NOT reasonable.

Summary of Question 5 and Stakeholder Responses
Q5: Would you answer anything differently if the copy of the data from the designated record set were being transmitted to a non-HIPAA covered business associate, such as a PHR vendor, compared to another HIPAA covered entity or that organization's business associate?

Provider Summary: Most did not think there would be a difference as long as it was a HIPAA compliant request; one provider also noted that the provider should not be responsible for any charges if the patient is paying for the third-party service.

EHR Vendor Summary: Most stakeholders said there would not be a difference, while one said there would be a difference if there was a competitive risk.

Patient Summary: There is no difference in delivery mechanisms.