We discussed the patient rights to access medical records a few episodes ago. Since then, a new study came out that says a majority of providers are not complying with patient medical records requests. I have also gotten more questions about law firms demanding to pay only $6.50 for medical records requests. We are going to discuss these issues with specifics about fees for patient requests in this episode.
Six fifty is not required
There are too many cases where patients have trouble getting their records. There are way too many cases of attorney’s demanding to pay only $6.50 (six-fifty) to get a copy of patient records in personal injury and those other types of cases. This is it. We are going to make both very clear here. The information did get a bit muddy in our previous episode on it (Medical Record Release Fees – Ep 199) because we covered all medical records requests and there were some gray areas we can clean up here.
Patient access to records
Ask and they receive
If a patient wants their records you should give them their records without it being a big hassle or expense. There are a few things you can leave out but you are supposed to do so within limits and show why you felt it was necessary.
Reasons you can exclude information:
- Psychotherapy notes
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
The records should also be provided without reasonable delay.
Formats requested should be provided or a reasonable alternative
If you maintain the records electronically, then the patient should be able to receive them electronically. That does not mean every single type of media could be requested. It means you should have some method that is electronic to provide their information. So what does that mean?
If all the information they need is accessible on your portal then encourage them to go to their portal page. However, you can NOT require them to get the data or the information from the portal.
Most systems have some method for creating electronic copies of records. Find out what those are and make sure you understand how to securely create and deliver them in your office with the technology you maintain in your organization.
Most systems will generate a report to a PDF. If the patient asks for PDF copies you are set. In fact, that is what most patients will ask for unless they are doing something very specific. As time goes on, they will be asking for data stored in a format that can be imported into other systems. If you can’t do PDF now, then you will be really behind the times when they want this kind of access.
Do not breach security policy unless the patient specifically asks you to do it
You should offer a secure method for exchanging information that does not impact the security of your network or data nor make things overly complicated for the patient. It is a balancing trick we must do every day and this is no different.
The easiest way would be for you to create it in an agreed-upon manner and then have a reasonable time for patients to come by and pick them up. That won’t always work.
Again, you can encourage your patients to use the portal. However, if the portal does not have the records other than statements and billing, you can’t direct them there for medical record copies. Hopefully, you can exchange secure messages with them there and they have the ability to access them and retrieve them from there.
You are not required to allow the patient to provide a thumb drive or other media that you are expected to load the information onto for the patient. You can not risk the security issues that unknown media can create.
You can keep your own supply of media to store the information and provide it to your patients. See the next section about how to pay for that, though. The issue here is whether or not you encrypt the records when you place them on a thumb drive or CD or any other kind of media. If you are not going to encrypt the records on the device then the patient must be informed clearly that information is not encrypted and therefore should be protected from unauthorized access.
Actually getting the data to the patient must be addressed also. You can mail the media just like you have with paper records. However, you should make sure that it is a strong envelope because those tiny media things slip out of holes in envelopes and create new issues for you.
Using secure email may work for some but not everyone has the ability to navigate these systems. They are complex, confusing, and frustrating, even for technical people sometimes. If the patient requests the information to be emailed to them AND they confirm they understand there will be no security on those records sent in that manner then you can email them in that manner.
A secure method that isn’t email but is fairly easy is a file sharing service. You can upload the file to the secure site and email the patient a link to the file. You explain that the link is only for their use and make it expire after 24 hours. You can email them the link again and give them another 24 hours if they need it. I am a fan of this method.
Paper doesn’t give you a pass
If you do not store the data electronically, then you are not required to create the information in electronic format. Although, doing so in scanned PDFs would be a standup thing to do. Just because you are paper should not mean everyone else must accommodate you, especially your patients.
Instead of just making a paper copy, scan them to a PDF. Most copiers in offices today have the ability to scan to a USB stick or network drive. If you have the ability, then why not offer it to your patients instead of more stacks of paper that someone else will probably have to scan into a system. Come on man!
Third-party requests are allowed by a simple letter
Also included in this section of the law is an option to write a letter asking for the records to be sent to a third party. All it requires is that simple letter signed by the patient. The idea was to follow all patient requests for record requirements the same way whether direct to them or to a third party.
The idea here was that patients could engage other treatment providers, research and more options in their care by sending the information directly to them. This was considered for cases such as companies managing personal health records and treatment options, etc. They fall outside the normal provider to provider exchange but they are still involved in treatment.
Then, personal injury and other of those type attorneys discovered it as a loop-hole they started using to get records instead of using the standard authorized releases they always used before. Those standard release fees were governed by state laws, not HIPAA. The problem here is they chose the wrong fees to hang their hats on and it has created a big mess. First, we can talk about what you can charge and then get to those attorney requests.
What can you charge for patient requested copies of their medical records
Ideally, HHS would like you to provide patients their records free of charge. However, there are options available to charge a reasonable fee for creating copies
As long as this a request from the patient directly then there are limitations on the fees set out under HIPAA as updated by HITECH. There is then further guidance from OCR as to what they consider acceptable fees to charge.
Under the law, you are allowed to charge a cost-based fee. That is what the law requires. OCR guidance allows for two other options. Make note of this when we discuss the attorney’s next.
The cost-based fee can include the actual costs for the person who performs medical record requests to do the work. That includes:
- Labor for copying whether in paper or electronic form
- Supplies for creating the paper copy or electronic media
- Postage, if the patient requests it to be mailed
- A patient can request a complex record to be summarized. If so, you can charge for the appropriate labor to summarize the details of the records.
Note, that these should be reasonable fees. If the person doing the work is the practice administrator and they make substantially more than a normal medical records processing employee, be reasonable. If the time it takes a new person to do the work is twice as long as the time a trained person can do the work, be reasonable.
The important thing is to be able to show your math. You can make it just like an invoice with line items if you want. You need to show the charges included only these elements and that the amount charged was reasonable and appropriate for the size of the patient records. This next part is where that will come in really handy.
Alternatives to the cost-based fee defined in the law
OCR published guidance that allows you to calculate your fees in two other manners not included in the law.
Calculate an average of what the fees are for labor in the cost-based calculation. Charge that average fee plus costs for supplies and postage as allowed in the law. This simplifies the calculation of labor so you don’t have to track it each time.
Charge a flat, all-inclusive fee of $6.50 to provide the records to the patient. This is considered the “safe harbor” option. It is the easiest method of calculation. Here is where we have the attorney’s only reading this option and claiming you are required to do it.
What about attorney’s demanding $6.50 fees
There are so many of these that I want to scream. If you are an attorney please find a way to send this information to everyone you know that can share it with everyone they know.
Let me be very clear here: Six fifty is not required! $6.50 is NOT required.
I have had repeated cases of attorney’s who write the letter for the patient requesting PDF versions of their records to be sent to the attorney. It then goes on to demand that the charge be no more than $6.50 that they claim is required by HITECH. They also write letters threatening to file complaints with OCR if they do not supply the records for any more than $6.50.
It is actually cheaper for them to switch back to the old way of doing it in Georgia. They limited it to $25 base plus some costs. I am astonished by how many times they will demand the fee for a single patient. If they charge the patient $100 per letter and send 4 letters trying to pay $6.50 instead of $26.87 you have to wonder what the issue is really about here.
What do we recommend?
Determine what methods you have to easily create electronic copies of patient records. Can you create a PDF file with all the records? Then you are set. You tell patients this is what you offer.
Then, make sure you have thick envelopes to mail the media. It is so easy to slice those open and get them out. Sucks, yes, but still a problem.
Set up a secure file sharing account with a signed BAA. We use Sharefile but there are many others. Just make sure you vet the BA properly after they sign the BAA. Do not assume. Also, do not get a huge amount of storage. You should just clean that up regularly and only keep things out there that patients still need to access. It isn’t for long term storage, it is for data exchange.
There are other methods like some new features in G Suite that David has tried. Again, there must be a BAA in place.
Prepare your memo to reply to the attorney’s who demand the six-fifty fee. Make it a form letter or a snippet you insert into letters as needed. This is one I just wrote to reply to one of those when I was copied on an email where the attorney suggest you need to read the law.
The HITECH addition to HIPAA requires the fee for a patient request for records to be a reasonable cost-based fee. If the documentation relating to the fee supplied is unclear or you disagree with that calculation please explain your issues. We will be happy to review the fees to provide an explanation as to why we consider this a reasonable cost-based fee.
If you are asking for a fee of $6.50, that is not a requirement of HITECH although it has been suggested by OCR in their guidance as a safe harbor option. Our organization is not choosing that “safe harbor” option for fee structures with these patient requests.
Do not become a roadblock to your patients who ask for access to their records. It shouldn’t be expensive or a major hassle. Do not forget that this is supposed to be about patient care.
If you are in a mess with one of the attorneys then don’t give in. Protect your patient but also don’t let them tell you what you are supposed to do so they can play games with the law.
One more side note – do not release records to an attorney suing your patient without a signed judges order requiring you to release them without notifying the patient. Always notify your patient if you get a subpoena or demand for their records or the records of their children. This one has been happening a lot too. If I have seen two cases in the past 6 months it has to be going on a lot. Interesting, they don’t care what you charge them. That might be a clue. These are still threatening you with state law requirements. Remember, HIPAA is always more important than state law UNLESS state law provides more stringent requirements to protect patient privacy. Don’t let them bully you into it.