• (888) 849-6818
  • 9 AM to 5 PM Eastern Monday - Friday
  • Global Data Systems Inc. 33 Riverside Drive Pembroke, MA 02359

3 Important Guidelines

You must provide your patients with a copy of their healthcare records if they ask for them. However, whether or not you can charge a fee for this mandatory service might be a little less clear.

So, the question remains: Can you charge patients for their medical records? The Answer Is “Yes”— Within reasonable limits. But there are restrictions and guidelines you must follow.

You Must Follow HIPAA Guidelines

Hospitals and physicians’ offices often charge a fee for sending medical records to patients. Under many state laws, you are permitted to charge a per-page amount, such as one dollar. But could this violate HIPAA guidelines? The short answer is that it can.

This issue was addressed in the spring of 2016 by the Office of Civil Rights (OCR). OCR works within the U.S. Department of Health and Human Services (HHS), and they are tasked with enforcing HIPAA regulations.

You Must Follow The Access Guidance Provided By Your State

The OCR deals with topics like Access Guidance. They remind everyone that each state has its own laws regarding medical record access. And these laws usually preempt HIPAA. There are certain cases where HIPAA guidelines must be followed regardless of state laws. If you’re unsure how to proceed, get help from someone who is well-versed on these laws and guidelines.

You Must Comply With Timeframes & Consent Requirements

There are also time frames enforced in these guidelines. For instance, if a patient orders their medical records, you must send them off within 30 days. In some cases, the law allows you 60 days to deliver the records.

If you’ve been contacted by a patient and asked to forward their medical records to another healthcare provider or hospital, be sure to include an express written consent notification. Ordinarily, the owner of the medical record must give his or her consent before it can be sent to another entity.

HIPAA guidelines are all about keeping an individual’s medical records safe and secure. So consent from the owner of the records is an important part of the transaction.

You Must Tell The Patient How Much They Will Be Charged In Advance

As long as you haven’t “hiked up the price,” the patient is aware that you will be charging them, and they know that the ePHI or PHI is going to be delivered, you should be within the limits enforced by HHS and OCR — That is, as long as you take the following into consideration.

3 Costs You Can Charge Patients For When Sending Medical Records:

1. Labor: The time and labor it takes to deliver the PHI or ePHI can be imposed as a fee. Not the time it took to create the PHI or ePHI, but only the time it took to print and deliver it.

You can charge for the labor involved in copying the PHI requested by the individual, whether in paper or electronic form. Labor for copying includes only what it takes to create and deliver the electronic or paper copy in the format requested or agreed upon by the individual.

Labor for copying should not include costs associated with reviewing the request for access, or searching for and retrieving the PHI/ePHI. You cannot charge for the costs to locate or review the PHI/ePHI or segregating and preparing it.

Labor costs can be charged for preparing an explanation or summary of the PHI/ePHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that is being charged.

2. Supplies: If you printed out the ePHI and used ink and toner, you can add these costs. If you’re delivering the ePHI on a CD or USB, these costs can be applied as a fee. (Note: The patient cannot provide you with the CD or USB; this is against regulations.)

You can charge for supplies to create the paper copy such as paper and toner, or electronic media such as a CD or USB drive if the individual requests that the electronic copy be provided on portable media.

You cannot require an individual to purchase portable media; however, they do have the right to have their ePHI e-mailed or mailed to them upon request.

3. Postage: Postage can be included in the charge, but only if the patient requests that their medical records are mailed to them.

3 Costs You Cannot Charge For:

  1. Costs that are incurred for maintaining updates, IT systems or EMRs.
  2. Costs for data storage.
  3. Costs for support of your EMR.

You may not include costs that are incurred or associated with updates or maintenance of systems and data, capital for data storage, or any labor associated with ensuring compliance with HIPAA and other applicable State laws. Nor can you charge for costs not included above, even if authorized by State law.

In other words, costs associated with maintaining and supporting your EMR maintenance, including security and compliance, are all costs that cannot be passed on to the patient.

These are your practice expenses and don’t fall under the category of costs that you can charge.

You Must Always Abide By HHS & OCR Regulations

Below is a statement from HHS/OCR’s website that may clear things up:

“The U.S. Department of Health and Human Services (HHS) allows hospitals and doctors to charge fees to patients for copies of their protected health information (PHI). A covered entity is permitted to impose a reasonable, cost-based fee to provide the individual with a copy of that individual’s PHI. Additionally, the covered entity can direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage AND the individual must be informed in advance of the fee that will be charged.”

Under the HIPAA Privacy Rule 45 CFR 164.524(c)(4) a covered entity cannot charge an individual a fee when it fulfills their HIPAA access request using the View, Download, and Transmit functionality of the provider’s CEHRT.

If the owner of the record learns that their medical record was sent without his or her consent, they can file a complaint with the Office of Civil Rights and/or U.S. Department of Health and Human Services.

An investigation may ensue and fines may be levied against negligent parties. So it’s always important to know the rules and follow them precisely. In addition, there are certain types of health information, like test reports, that may not fall under the same guidelines and instead be preempted by HIPAA.

Seek Expert Advise

If all this seems confusing, then it might be best to hire an outside consultant who is fully educated on these issues to help your organization put together some guidelines of your own for your healthcare practice or organization.

Once you have someone to help you develop and write out your guidelines on these topics, an important next step is to send them out to all your employees. Let everyone know how cases should be handled when requests are made for medical records. And make sure copies of these guidelines are posted around the office.

Although this may seem like a lot, if you don’t know what to do, and you violate HIPAA guidelines, then you may incur a large fine. HIPAA has been issuing huge fines over violations because they want everyone to know that these are serious matters and all employees, including physicians, should understand what’s required and how things should be carried out.

GDS works with Local Hospitals, Covered Entities and Business Associates Across the United States.

Connect with GDS for your complimentary IT costs analysis and technology consultation.

Fill out the form below.

Note: GDS is one the top IT companies in New England and we will never SPAM you. Your information is safe with us.

Contact Info

Have A Healthcare Technology Question?
Reach Out To The GDS Healthcare IT Consulting Team.