
    HIPAA Privacy Regulations: Access of Individuals to Protected Health Information: Provision of Access - § 164.524(c)

    As Contained in the HHS HIPAA Privacy Rules

    HHS Guidance: Individual's Right to Access Health Information

     

    HHS Regulations as Amended January 2013
    Access of Individuals to Protected Health Information: Provision of Access - § 164.524(c)

     

    (c) Implementation specifications: Provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.

    (1) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access.

    (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.

    (ii) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

    (iii) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:

    (A) The individual agrees in advance to such a summary or explanation; and

    (B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.

    (3) Time and manner of access. (i) The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.

    (ii) If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.

    (4) Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:

    (i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form;

    (ii) Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;

    (iii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and

    (iv) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(iii) of this section.

     

    HHS Description and Commentary From the January 2013 Amendments
    Access of Individuals to Protected Health Information: Provision of Access

     

    Proposed Rule

    Section 164.524 of the Privacy Rule currently establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their protected health information to the extent such information is maintained in the designated record set(s) of a covered entity. An individual’s right of access exists regardless of the format of the protected health information, and the standards and implementation specifications that address individuals’ requests for access and timely action by the covered entity (i.e., provision of access, denial of access, and documentation) apply to an electronic environment in a similar manner as they do to a paper-based environment. See The HIPAA Privacy Rule’s Right of Access and Health Information Technology (providing guidance with respect to how § 164.524 applies in an electronic environment and how health information technology can facilitate providing individuals with this important privacy right), available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/eaccess.pdf.

    Section 13405(e) of the HITECH Act strengthens the Privacy Rule’s right of access with respect to covered entities that use or maintain an electronic health record (EHR) on an individual. Section 13405(e) provides that when a covered entity uses or maintains an EHR with respect to protected health information of an individual, the individual shall have a right to obtain from the covered entity a copy of such information in an electronic format and the individual may direct the covered entity to transmit such copy directly to the individual’s designee, provided that any such choice is clear, conspicuous, and specific. Section 13405(e) also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity’s labor costs in responding to the request for the copy.

    Section 13405(e) applies by its terms only to protected health information in EHRs. However, incorporating these new provisions in such a limited manner in the Privacy Rule could result in a complex set of disparate requirements for access to protected health information in EHR systems versus other types of electronic records systems. As such, the Department proposed to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section 13405(e) of the HITECH Act more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR. The public comments and final regulation on the scope are discussed here. The proposed amendments to each provision implicated by section 13405(e), together with the public comments and final regulation, are discussed more specifically in separate sections below.

    Overview of Public Comments

    Most commenters were opposed to the proposal to expand the scope of the individual access provision to include all electronic designated record sets and favored limiting the requirement to EHRs. These commenters felt that limiting the access provision to EHRs was consistent with congressional intent and questioned the authority of the Department to expand the scope. Commenters also argued that having disparate requirements for different systems would not be confusing, and requiring electronic access to electronic designated record sets that are not EHRs would be highly burdensome for covered entities. Specifically, commenters stated that the proposed requirement for electronic access would include numerous types of legacy systems, many of which are incapable of producing reports in easily readable formats that can be transmitted electronically. These commenters indicated that a significant amount of information technology development and investment would be needed to comply with this requirement if it applies to all electronic designated record sets.

    A number of consumer advocates supported the expanded scope to include all electronic designated records sets in addition to EHRs. These commenters felt that this would provide complete transparency for consumers, help individuals gain access to their medical records and make better-informed decisions about their health care, and promote consistent and uniform practices.

    Final Rule

    The final rule adopts the proposal to amend the Privacy Rule at § 164.524(c)(2)(ii) to require that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. In such cases, to the extent possible, we expect covered entities to provide the individual with a machine readable copy of the individual’s protected health information.

    The Department considers machine readable data to mean digital information stored in a standard format enabling the information to be processed and analyzed by computer. For example, this would include providing the individual with an electronic copy of the protected health information in the format of MS Word or Excel, text, HTML, or text-based PDF, among other formats.

    We disagree with commenters that questioned the Department’s authority to extend the strengthened electronic access right to all protected health information maintained electronically in designated record sets, and believe that this extended electronic right of access is important for individuals as covered entities increasingly transition from paper to electronic records. With regard to the additional burdens on covered entities, we note that providing access to protected health information held in electronic designated record sets was already required under the Privacy Rule at § 164.524, which applies to protected health information in both paper and electronic designated record sets, and which requires providing the copy in the form and format requested by the individual, including electronically, if it is readily producible in such form and format. We anticipate the additional burden to be small due to the flexibility permitted in satisfying this new requirement, as discussed in the section on Form and Format.

    Response to Other Public Comments

    Comment: Some commenters worried that giving individuals access to administrative systems (in contrast to clinical systems) would present a security concern to covered entities.

    Response: Covered entities are not required by this provision to provide individuals with direct access to their systems. They must only provide individuals with an electronic copy of their protected health information.

    Comment: Commenters requested clarification on what constitutes an EHR.

    Response: Under this final rule, the requirement to provide individuals with access to an electronic copy includes all protected health information maintained in an electronic designated record set held by a covered entity. Because we are not limiting the right of electronic access to EHRs, we do not believe there is a need to define or further clarify the term at this time.

    Comment: One commenter requested clarification that this electronic access requirement preempts State laws that diminish, block, or limit individual access to their records.

    Response: We clarify that this HIPAA electronic right of access requirement does preempt contrary State law unless such law is more stringent. In the case of right of access, more stringent means that such State law permits greater rights of access to the individual.

    Comment: Several commenters sought clarification of how the new e-access provisions would apply to business associates. One commenter asked whether business associates could continue to provide patients access to records when permitted and acting on behalf of a covered entity. Another commenter asked whether business associates are required to provide information to covered entities and not to individuals directly. One commenter was opposed to direct access from a business associate because of security concerns and increased burden on business associates if corrections are needed.

    Response: How and to what extent a business associate is to support or fulfill a covered entity’s obligation to provide individuals with electronic access to their records will be governed by the business associate agreement between the covered entity and the business associate. For example, the business associate agreement may provide for the business associate to give copies of the requested information directly to the individual, or to the covered entity for the covered entity to provide the copies to the individual.

    There is no separate requirement on business associates to provide individuals with direct access to their health records, if that is not what has been agreed to between the covered entity and the business associate in the business associate agreement.

    Form and Format

    Proposed Rule

    Section 164.524(c)(2) of the Privacy Rule currently requires a covered entity to provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format, or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual. Section 13405(e) of the HITECH Act expands this requirement by explicitly requiring a covered entity that uses or maintains an EHR with respect to protected health information to provide the individual with a copy of such information in an electronic format.

    We proposed to implement this statutory provision, in conjunction with our broader authority under section 264(c) of HIPAA, by requiring, in proposed § 164.524(c)(2)(ii), that if the protected health information requested is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. This provision would require any covered entity that electronically maintains the protected health information about an individual, in one or more designated record sets, to provide the individual with an electronic copy of such information (or summary or explanation if agreed to by the individual in accordance with proposed § 164.524(c)(2)(iii)) in the electronic form and format requested or in an otherwise agreed upon electronic form and format. While an individual’s right of access to an electronic copy of protected health information is currently limited under the Privacy Rule by whether the form or format requested is readily producible, covered entities that maintain such information electronically in a designated record set would be required under these proposed modifications to provide some type of electronic copy, if requested by an individual.

    Because we did not want to bind covered entities to standards that may not yet be technologically mature, we proposed to permit covered entities to make some other agreement with individuals as to an alternative means by which they may provide a readable electronic copy to the extent the requested means is not readily producible. If, for example, a covered entity received a request to provide electronic access via a secure web-based portal, but the only readily producible version of the protected health information was in portable document format (PDF), proposed § 164.524(c)(2)(ii) would require the covered entity to provide the individual with a PDF copy of the protected health information, if agreed to by the covered entity and the individual. We noted that while a covered entity may provide individuals with limited access rights to their EHR, such as through a secure web-based portal, nothing under the current Rule or proposed modifications would require a covered entity to have this capability.

    We noted that the option of arriving at an alternative agreement that satisfies both parties is already part of the requirement to provide access under § 164.524(c)(2)(i), so extension of such a requirement to electronic access should present few implementation difficulties. Further, as with other disclosures of protected health information, in providing the individual with an electronic copy of protected health information through a web-based portal, e-mail, on portable electronic media, or other means, covered entities should ensure that reasonable safeguards are in place to protect the information. We also noted that the proposed modification presumes that covered entities have the capability of providing an electronic copy of protected health information maintained in their designated record set(s) electronically through a secure web-based portal, via e-mail, on portable electronic media, or other manner. We invited public comment on this presumption.

    Overview of Public Comments

    We received many comments and requests for clarification and guidance regarding the permitted methods for offering protected health information on electronic media, and the acceptable form and format of the electronic copy. Several commenters suggested that covered entities be permitted flexibility in determining available electronic formats and requested clarification on what is considered “readily producible.” These commenters expressed concerns that a limited number of permissible electronic formats may result in a situation where protected health information could not be converted from a particular electronic system. Other commenters indicated that there should be minimum standards and clearly defined media that are permissible to meet this requirement. One commenter felt that this requirement is important but should be deferred until covered entities have improved their technological capabilities.

    Many commenters requested guidance on how to proceed if a covered entity and an individual are unable to come to an agreement on the medium of choice and what is expected in terms of accommodating the individual’s medium of choice. Some commenters suggested various alternate solutions if an agreement cannot be reached, including any readily producible format, PDF, or hard copy protected health information. Some covered entities felt that individuals should not have an unlimited choice in terms of the electronic media they are willing to accept, and should only be permitted to confine their choices of electronic media to a couple of options that the covered entity has available.

    Final Rule

    The final rule adopts the proposal to require covered entities to provide electronic information to an individual in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. We recognize that what is available in a readable electronic form and format will vary by system and that covered entities will continue to improve their technological capabilities over time. We therefore allow covered entities the flexibility to provide readily producible electronic copies of protected health information that are currently available on their various systems. A covered entity is not required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily producible by the covered entity at the time of the request, provided that the covered entity is able to provide some form of electronic copy. We note that some legacy or other systems may not be capable of providing any form of electronic copy at present and anticipate that some covered entities may need to make some investment in order to meet the basic requirement to provide some form of electronic copy.

    We agree with covered entities that individuals should not have an unlimited choice in the form of electronic copy requested. However, covered entities must still provide individuals with some kind of readable electronic copy. If an individual requests a form of electronic copy that the covered entity is unable to produce, the covered entity must offer other electronic formats that are available on their systems. If the individual declines to accept any of the electronic formats that are readily producible by the covered entity, the covered entity must provide a hard copy as an option to fulfill the access request. While we remain neutral on the type of technology that covered entities may adopt, a PDF is a widely recognized format that would satisfy the electronic access requirement if it is the individual’s requested format or if the individual agrees to accept a PDF instead of the individual’s requested format. Alternatively, there may be circumstances where an individual prefers a simple text or rich text file and the covered entity is able to accommodate this preference. A hard copy of the individual’s protected health information would not satisfy the electronic access requirement. However, a hard copy may be provided if the individual decides not to accept any of the electronic formats offered by the covered entity.

    Response to Other Public Comments

    Comment: Several covered entities commented on the form of a request for access to electronic protected health information. Some expressed appreciation for permitting an electronic request process, including e-signatures and authentication. Some expressed opposition to the requirement for a signed request in writing, as it would be highly burdensome and cause delays. Covered entities sought guidance on elements that would be required or permitted in a request form for individuals.

    Response: We clarify that the requirement at § 164.524(b)(1), which states that the covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement, remains unchanged. Therefore, covered entities may at their option require individuals to make requests for electronic copies of their protected health information in writing. We note that the Privacy Rule allows for electronic documents to qualify as written documents, as well as electronic signatures to satisfy any requirements for a signature, to the extent the signature is valid under applicable law. If the covered entity chooses to require a written request, it has flexibility in determining what information to put into the request form. However, the request form may not be in any way designed to discourage an individual from exercising his or her right. A covered entity may also choose to accept an individual’s oral request for an electronic copy of their protected health information without written signature or documentation.

    Comment: We received several comments on the content that covered entities are required to provide in response to an electronic access request. Some commenters felt that there should be a defined minimum set of data elements to satisfy this requirement, particularly for non-EHR data. Covered entities also requested clarification on how to handle links to images or other data.

    Response: We clarify that just as is currently required for hard copy protected health information access requests, covered entities must provide an electronic copy of all protected health information about the individual in an electronically maintained designated record set, except as otherwise provided at § 164.524(a). If the designated record set includes electronic links to images or other data, the images or other data that are linked to the designated record set must also be included in the electronic copy provided to the individual. The electronic copy must contain all protected health information electronically maintained in the designated record set at the time the request is fulfilled. The individual may request, however, only a portion of the protected health information electronically maintained in the designated record set, in which case the covered entity is only required to provide the requested information.

    Comment: One commenter asserted that the request for protected health information should only apply to protected health information the covered entity has at the time of the request, not any additional protected health information that it obtains while processing the request.

    Response: We clarify that the electronic copy must reflect all electronic protected health information held by the covered entity in a designated record set, or the subset of electronic protected health information specifically requested by the individual, at the time the request is fulfilled.

    Comment: One commenter asked for confirmation that the new electronic requirement does not include a requirement to scan paper and provide electronic copies of records held in paper form.

    Response: We clarify that covered entities are not required to scan paper documents to provide electronic copies of records maintained in hard copy. We note that for covered entities that have mixed media, it may in some cases be easier to scan and provide all records in electronic form rather than provide a combination of electronic and hard copies, however this is in no way required.

    Comment: Many commenters expressed security concerns related to this new requirement. Covered entities felt that they should not have to use portable devices brought by individuals (particularly flash drives), due to the security risks that this would introduce to their systems. Some covered entities additionally asserted that requiring the use of individually-supplied media is prohibited by the Security Rule, based on the risk analysis determination of an unacceptable risk to the confidentiality, integrity and availability of the covered entity’s electronic protected health information.

    Response: We acknowledge these security concerns and agree with commenters that it may not be appropriate for covered entities to accept the use of external portable media on their systems. Covered entities are required by the Security Rule to perform a risk analysis related to the potential use of external portable media, and are not required to accept the external media if they determine there is an unacceptable level of risk. However, covered entities are not then permitted to require individuals to purchase a portable media device from the covered entity if the individual does not wish to do so. The individual may in such cases opt to receive an alternative form of the electronic copy of the protected health information, such as through email.

    Comment: Several commenters specifically commented on the option to provide electronic protected health information via unencrypted email. Covered entities requested clarification that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. Some felt that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities. Covered entities also requested clarification that they would not be responsible for breach notification in the event that unauthorized access of protected health information occurred as a result of sending an unencrypted email based on an individual’s request. Finally, one commenter emphasized the importance that individuals are allowed to decide if they want to receive unencrypted emails.

    Response: We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

    Third Parties

    Proposed Rule

    Section 164.524(c)(3) of the Privacy Rule currently requires the covered entity to provide the access requested by the individual in a timely manner, which includes arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of protected health information at the individual’s request. The Department had previously interpreted this provision as requiring a covered entity to mail the copy of protected health information to an alternative address requested by the individual, provided the request was clearly made by the individual and not a third party. Section 13405(e)(1) of the HITECH Act provides that if the individual chooses, he or she has a right to direct the covered entity to transmit an electronic copy of protected health information in an EHR directly to an entity or person designated by the individual, provided that such choice is clear, conspicuous, and specific.

    Based on section 13405(e)(1) of the HITECH Act and our authority under section 264(c) of HIPAA, we proposed to expand § 164.524(c)(3) to expressly provide that, if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual. This proposed amendment is consistent with the Department’s prior interpretation on this issue and would apply without regard to whether the protected health information is in electronic or paper form. We proposed to implement the requirement of section 13405(e)(1) that the individual’s “choice [be] clear, conspicuous, and specific” by requiring that the individual’s request be “in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.” We noted that the Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the Rule’s requirements, as well as electronic signatures to satisfy any requirements for a signature, to the extent the signature is valid under applicable law.

    Thus, a covered entity could employ an electronic process for receiving an individual’s request to transmit a copy of protected health information to his or her designee under this proposed provision. Whether the process is electronic or paper-based, a covered entity must implement reasonable policies and procedures under § 164.514(h) to verify the identity of any person who requests protected health information, as well as implement reasonable safeguards under § 164.530(c) to protect the information that is used or disclosed.

    Overview of Public Comments

    Commenters requested clarification regarding the proposal to transmit an electronic copy of protected health information to another person designated by the individual. In particular, covered entities sought clarification on whether or not an authorization is required prior to transmitting the requested electronic protected health information to a third party designated by the individual. Some commenters supported the ability to provide electronic protected health information access to third parties without individual authorization, while others felt that authorization should be required. Covered entities requested clarification that they are not liable when making reasonable efforts to verify the identity of a third party recipient identified by the individual.

    Final Rule

    The final rule adopts the proposed amendment at § 164.524(c)(3) to expressly provide that, if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual. In contrast to other requests under § 164.524, when an individual directs the covered entity to send the copy of protected health information to another designated person, the request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the protected health information. If a covered entity has decided to require all access requests in writing, the third party recipient information and signature by the individual can be included in the same written request; no additional or separate written request is required. This written request for protected health information to be sent to a designated person is distinct from an authorization form, which contains many additional required statements and elements (see § 164.508(c)).

    Covered entities may rely on the information provided in writing by the individual when providing protected health information to a third party recipient identified by the individual, but must also implement reasonable policies and procedures under § 164.514(h) to verify the identity of any person who requests protected health information, as well as implement reasonable safeguards under § 164.530(c) to protect the information that is used or disclosed. For example, reasonable safeguards would not require the covered entity to confirm that the individual provided the correct e-mail address of the third party, but would require reasonable procedures to ensure that the covered entity correctly enters the e-mail address into its system.

    Fees

    Proposed Rule

    Section 164.524(c)(4) of the Privacy Rule currently permits a covered entity to impose a reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information). However, such a fee may only include the cost of: (1) the supplies for, and labor of, copying the protected health information; (2) the postage associated with mailing the protected health information, if applicable; and (3) the preparation of an explanation or summary of the protected health information, if agreed to by the individual. With respect to providing a copy (or summary or explanation) of protected health information from an EHR in electronic form, however, section 13405(e)(2) of the HITECH Act provides that a covered entity may not charge more than its labor costs in responding to the request for the copy.

    In response to section 13405(e)(2) of the HITECH Act, we proposed to amend § 164.524(c)(4)(i) to identify separately the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee. While we did not propose more detailed considerations for this factor within the regulatory text, we retained all prior interpretations of labor with respect to paper copies – that is, that the labor cost of copying may not include the costs associated with searching for and retrieving the requested information. With respect to electronic copies, we asserted that a reasonable cost-based fee includes costs attributable to the labor involved to review the access request and to produce the electronic copy, which we expected would be negligible. However, we did not consider a reasonable cost-based fee to include a standard “retrieval fee” that does not reflect the actual labor costs associated with the retrieval of the electronic information or that reflects charges that are unrelated to the individual’s request (e.g., the additional labor resulting from technical problems or a workforce member’s lack of adequate training). We invited public comment on this aspect of our rulemaking, specifically with respect to what types of activities related to managing electronic access requests should be compensable aspects of labor.

    We also proposed to amend § 164.524(c)(4)(ii) to provide separately for the cost of supplies for creating the paper copy or electronic media (i.e., physical media such as a compact disc (CD) or universal serial bus (USB) flash drive), if the individual requests that the electronic copy be provided on portable media. This reorganization and the addition of the phrase “electronic media” reflected our understanding that since section 13405(e)(2) of the HITECH Act permits only the inclusion of labor costs in the charge for electronic copies, it by implication excludes charging for the supplies that are used to create an electronic copy of the individual’s protected health information, such as the hardware (computers, scanners, etc.) or software that is used to generate an electronic copy of an individual’s protected health information in response to an access request.

    We noted that this limitation is in contrast to a covered entity’s ability to charge for supplies for hard copies of protected health information (e.g., the cost of paper, the prorated cost of toner and wear and tear on the printer). See 65 FR 82462, 82735, Dec. 28, 2000 (responding to a comment seeking clarification on “capital cost for copying” and other supply costs by indicating that a covered entity was free to recoup all of their reasonable costs for copying). We asserted that this interpretation was consistent with the fact that, unlike a hard copy, which generally exists on paper, an electronic copy exists independent of media, and can be transmitted securely via multiple methods (e.g., e-mail, a secure web-based portal, or an individual’s own electronic media) without accruing any ancillary supply costs. We also noted, however, that our interpretation of the statute would permit a covered entity to charge a reasonable and cost-based fee for any electronic media it provided, as requested or agreed to by an individual.

    While we proposed to renumber the remaining factors at § 164.524(c)(4), we did not propose to amend their substance. With respect to § 164.524(c)(4)(iii), however, we noted that our interpretation of the statute would permit a covered entity to charge for postage if an individual requests that the covered entity transmit portable media containing an electronic copy through mail or courier (e.g., if the individual requests that the covered entity save protected health information to a CD and then mail the CD to a designee).

    Overview of Public Comments

    Commenters generally supported and appreciated the inclusion of a reasonable, cost-based fee that includes both labor and, in some cases, supply costs to support the new electronic access requirement. Several commenters disagreed that the cost related to reviewing and responding to requests would be negligible, particularly if the scope includes information in designated record sets and not only EHRs, since more technically trained staff would be necessary to perform this function.

    Commenters provided many suggestions of costs that should be permitted in the fees, including those associated with labor, materials, systems, retrieval (particularly for old data maintained in archives, backup media or legacy systems), copying, transmission, and capital to recoup the significant investments made for data access, storage and infrastructure. Commenters offered additional suggestions on labor-related costs, including: skilled technical staff time; time spent recovering, compiling, extracting, scanning and burning protected health information to media, and distributing the media; and preparation of an explanation or summary if appropriate. Suggestions of materials-related costs included: CDs, flash drives, tapes or other portable media; new types of technology needed to comply with individual requests; office supplies; and mail copies. Systems-related costs included: software necessary to conduct protected health information searches; and implementation and maintenance of security systems and secure connectivity.

    Final Rule

    The final rule adopts the proposed amendment at § 164.524(c)(4)(i) to identify separately the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee. We acknowledge commenters’ assertions that the cost related to searching for and retrieving electronic protected health information in response to requests would not be negligible, as opposed to what we had anticipated, particularly in regards to designated record set access that will require more technically trained staff to perform this function. We clarify that labor costs included in a reasonable cost-based fee could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media, and distributing the media. This could also include the time spent preparing an explanation or summary of the protected health information, if appropriate.

    The final rule also adopts the proposed amendment at § 164.524(c)(4)(ii) to provide separately for the cost of supplies for creating the paper copy or electronic media (i.e., physical media such as a compact disc (CD) or universal serial bus (USB) flash drive), if the individual requests that the electronic copy be provided on portable media. We do not require that covered entities obtain new types of technology needed to comply with specific individual requests, and therefore the cost of obtaining such new technologies is not a permissible fee to include in the supply costs.

    With respect to § 164.524(c)(4)(iii), we clarify that a covered entity is permitted to charge for postage if an individual requests that the covered entity transmit portable media containing an electronic copy through mail or courier (e.g., if the individual requests that the covered entity save protected health information to a CD and then mail the CD to a designee).

    Fees associated with maintaining systems and recouping capital for data access, storage and infrastructure are not considered reasonable, cost-based fees, and are not permissible to include under this provision. Covered entities are not required to adopt or purchase new systems under this provision, and thus any costs associated with maintaining them are present regardless of the new electronic access right. Additionally, although the proposed rule indicated that a covered entity could charge for the actual labor costs associated with the retrieval of electronic information, in this final rule we clarify that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs). This interpretation will ensure that the fee requirements for electronic access are consistent with the requirements for hard copies, which do not allow retrieval fees for locating the data.

    Response to Other Public Comments

    Comment: Commenters requested clarification on how to proceed when State laws designate fees.

    Response: When a State law provides a limit on the fee that a covered entity may charge for a copy of protected health information, this is relevant in determining whether a covered entity’s fee is “reasonable” under § 164.524(c)(4). A covered entity’s fee must be both reasonable and cost-based. For example, if a State permits a charge of 25 cents per page, but a covered entity is able to provide an electronic copy at a cost of five cents per page, then the covered entity may not charge more than five cents per page (since that is the reasonable and cost-based amount). Similarly, if a covered entity’s cost is 30 cents per page but the State law limits the covered entity’s charge to 25 cents per page, then the covered entity may not charge more than 25 cents per page (since charging 30 cents per page would be the cost-based amount, but would not be reasonable in light of the State law).

    Comment: One commenter suggested that labor-related costs should include preparation of an affidavit certifying that the information is a true and correct copy of the records.

    Response: We do not consider the cost to prepare an affidavit to be a copying cost. Thus, where an individual requests that an affidavit accompany the copy of protected health information requested by the individual for litigation purposes or otherwise, a covered entity may charge the individual for the preparation of such affidavit and is not subject to the reasonable, cost-based fee limitations of § 164.524(c)(4). However, a covered entity may not withhold an individual’s copy of his or her protected health information for failure by the individual to pay any fees for services above and beyond the copying, such as for preparing an affidavit.

    Comment: Some commenters recommended defining the following terms: “preparing,” “producing,” and “transmitting.”

    Response: We decline to define the terms “preparing,” “producing,” and “transmitting,” as we believe the terms have been adequately understood and utilized in the context of hard copy access to protected health information.

     

    HHS Description From the Original Rulemaking
    Access of Individuals to Protected Health Information: Provision of Access

     

    In the NPRM, we proposed to require covered health care providers and health plans, upon accepting a request for access, to notify the individual of the decision and of any steps necessary to fulfill the request; to provide the information requested in the form or format requested, if readily producible in such form or format; and to facilitate the process of inspection and copying.

    We generally retain the proposed approach in the final rule. If a covered entity accepts a request, in whole or in part, it must notify the individual of the decision and provide the access requested. Individuals have the right both to inspect and to copy protected health information in a designated record set. The individual may choose whether to inspect the information, to copy the information, or to do both.

    In the final rule, we clarify that if the same protected health information is maintained in more than one designated record set or at more than one location, the covered entity is required to produce the information only once per request for access. We intend this provision to reduce covered entities’ burden in complying with requests without reducing individuals’ access to protected health information. We note that summary information and reports are not the same as the underlying information on which the summary or report was based. Individuals have the right to obtain access both to summaries and to the underlying information. An individual retains the right of access to the underlying information even if the individual requests access to, or production of, a summary. (See below regarding requests for summaries.)

    The covered entity must provide the information requested in the form or format requested if it is readily producible in such form or format. For example, if the covered entity maintains health information electronically and the individual requests an electronic copy, the covered entity must accommodate such request, if possible. Additionally, we specify that if the information is not available in the form or format requested, the covered entity must produce a readily readable hard copy of the information or another form or format to which the individual and covered entity can agree. If the individual agrees, including agreeing to any associated fees (see below), the covered entity may provide access to a summary of information rather than all protected health information in designated record sets. Similarly, a covered entity may provide an explanation in addition to the protected health information, if the individual agrees in advance to the explanation and any associated fees.

    The covered entity must provide the access requested in a timely manner, as described above, and arrange for a mutually convenient time and place for the individual to inspect the protected health information or obtain a copy. If the individual requests that the covered entity mail a copy of the information, the covered entity must do so, and may charge certain fees for copying and mailing. For requests to inspect information that is maintained electronically, the covered entity may print a copy of the information and allow the individual to view the print-out on-site. Covered entities may discuss the request with the individual as necessary to facilitate the timely provision of access. For example, if the individual requested a copy of the information by mail, but the covered entity is able to provide the information faster by providing it electronically, the covered entity may discuss this option with the individual.

    We proposed in the NPRM to permit the covered entity to charge a reasonable, cost-based fee for copying the information.

    We clarify this provision in the final rule. If the individual requests a copy of protected health information, a covered entity may charge a reasonable, cost-based fee for the copying, including the labor and supply costs of copying. If hard copies are made, this would include the cost of paper. If electronic copies are made to a computer disk, this would include the cost of the computer disk. Covered entities may not charge any fees for retrieving or handling the information or for processing the request. If the individual requests the information to be mailed, the fee may include the cost of postage. Fees for copying and postage provided under state law, but not for other costs excluded under this rule, are presumed reasonable. If such per page costs include the cost of retrieving or handling the information, such costs are not acceptable under this rule.

    If the individual requests an explanation or summary of the information provided, and agrees in advance to any associated fees, the covered entity may charge for preparing the explanation or summary as well.

    The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.

    We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.

     

    HHS Response to Comments Received From the Original Rulemaking
    Access of Individuals to Protected Health Information: Provision of Access

     

    Note: The HHS Response to Comments Received is the same as in § 164.524(a)

    Comment: Some commenters recommended that there be no access to disease registries.

    Response: Most entities that maintain disease registries are not covered entities under this regulation; examples of such non-covered entities are public health agencies and pharmaceutical companies. If, however, a disease registry is maintained by a covered entity and is used to make decisions about individuals, this rule requires the covered entity to provide access to information about a requesting individual unless one of the rule’s conditions for denial of access is met. We found no persuasive reasons why disease registries should be given special treatment compared with other information that may be used to make decisions about an individual.

    Comment: Some commenters stated that covered entities should be held accountable for access to information held by business partners so that individuals would not have the burden of tracking down their protected health information from a business partner. Many commenters, including insurers and academic medical centers, recommended that, to reduce burden and duplication, only the provider who created the protected health information should be required to provide individuals access to the information. Commenters also asked that other entities, including business associates, the Medicare program, and pharmacy benefit managers, not be required to provide access, in part because they do not know what information the covered entity already has and they may not have all the information requested. A few commenters also argued that billing companies should not have to provide access because they have a fiduciary responsibility to their physician clients to maintain the confidentiality of records.

    Response: A general principle in responding to all of these points is that a covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not. Thus, we agree with the first point: in order to meet its requirements for providing access, a covered entity must not only provide access to such protected health information it holds, but must also provide access to such information in a designated record set of its business associate, pursuant to its business associate contract, unless the information is the same as information maintained directly by the covered entity. We require this because an individual may not be aware of business associate relationships. Requiring an individual to track down protected health information held by a business associate would significantly limit access. In addition, we do not permit a covered entity to limit its duty to provide access by giving protected health information to a business associate.

    We disagree with the second point: if the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access (unless it may deny access in accordance with this rule). In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider. The originating provider may no longer be in business or may no longer have the information, or the non-originating provider may have the information in a modified or enhanced form.

    We disagree with the third point: other entities must provide access only if they are covered entities or business associates of covered entities, and they must provide access only to protected health information that they maintain (or that their business associates maintain). It would not be efficient to require a covered entity to compare another entity’s information with that of the entity to which the request was addressed. (See the discussion regarding covered entities for information about whether a pharmacy benefit manager is a covered entity.)

    We disagree with the fourth point: a billing company will be required by its business associate contract only to provide the requested protected health information to its physician client. This action will not violate any fiduciary responsibility. The physician client would in turn be required by the rule to provide access to the individual.

    Comment: Some commenters asked for clarification that the clearinghouse function of turning non-standardized data into standardized data does not create non-duplicative data and that “duplicate” does not mean “identical.” A few commenters suggested that duplicated information in a covered entity’s designated record set be supplied only once per request.

    Response: We consider as duplicative information the same information in different formats, media, or presentations, or information that has been standardized. Business associates who have materially altered protected health information are obligated to provide individuals access to it. Summary information and reports, including those of lab results, are not the same as the underlying information on which the summaries or reports were based. A clean document is not a duplicate of the same document with notations. If the same information is kept in more than one location, the covered entity has to produce the information only once per request for access.

    Comment: A few commenters suggested requiring covered entities to disclose to third parties without exception at the requests of individuals. It was argued that this would facilitate disability determinations when third parties need information to evaluate individuals’ entitlement to benefits. Commenters argued that since covered entities may deny access to individuals under certain circumstances, individuals must have another method of providing third parties with their protected health information.

    Response: We allow covered entities to forward protected health information about an individual to a third party, pursuant to the individual’s authorization under § 164.508. We do not require covered entities to disclose information pursuant to such authorizations because the focus of the rule is privacy of protected health information. Requiring disclosures in all circumstances would be counter to this goal. In addition, a requirement of disclosing protected health information to a third party is not a necessary substitute for the right of access to individuals, because we allow denial of access to individuals under rare circumstances. However, if the third party is a personal representative of the individual in accordance with § 164.502(g) and there is no concern regarding abuse or harm to the individual or another person, we require the covered entity to provide access to that third party on the individual’s behalf, subject to specific limitations. We note that a personal representative may obtain access on the individual’s behalf in some cases where a covered entity may deny access to the individual. For example, an inmate may be denied a copy of protected health information, but a personal representative may be able to obtain a copy on the individual’s behalf. See § 164.502(g) and the corresponding preamble discussion regarding the ability of a personal representative to act on an individual’s behalf.

    Comment: The majority of commenters supported granting individuals the right to access protected health information for as long as the covered entity maintains the protected health information; commenters argued that to do otherwise would interfere with existing record retention laws. Some commenters advocated for limiting the right to information that is less than one or two years old. A few commenters explained that frequent changes in technology make it more difficult to access stored data. The commenters noted that the information obtained prior to the effective date of the rule should not be required to be accessible.

    Response: We agree with the majority of commenters and retain the proposal to require covered entities to provide access for as long as the entity maintains the protected health information. We do not agree that information created prior to the effective date of the rule should not be accessible. The reasons for granting individuals access to information about them do not vary with the date the information was created.

    Comment: A few commenters argued that there should be no grounds for denying access, stating that individuals should always have the right to inspect and copy their protected health information.

    Response: While we agree that in the vast majority of instances individuals should have access to information about them, we cannot agree that a blanket rule would be appropriate. For example, where a professional familiar with the particular circumstances believes that providing such access is likely to endanger a person’s life or physical safety, or where granting such access would violate the privacy of other individuals, the benefits of allowing access may not outweigh the harm. Similarly, we allow denial of access where disclosure would reveal the source of confidential information because we do not want to interfere with a covered entity’s ability to maintain implicit or explicit promises of confidence.

    We create narrow exceptions to the rule of open access, and we expect covered entities to employ these exceptions rarely, if at all. Moreover, we require covered entities to provide access to any protected health information requested after excluding only the information that is subject to a denial. The categories of permissible denials are not mandatory, but are a means of preserving the flexibility and judgment of covered entities under appropriate circumstances.

    Comment: Many commenters supported our proposal to allow covered entities to deny an individual access to protected health information if a professional determines either that such access is likely to endanger the life or physical safety of a person or, if the information is about another person, access is reasonably likely to cause substantial harm to such person.

    Some commenters requested that the rule also permit covered entities to deny a request if access might be reasonably likely to cause psychological or mental harm, or emotional distress. Other commenters, however, were particularly concerned about access to mental health information, stating that the lack of access creates resentment and distrust in patients.

    Response: We disagree with the comments suggesting that we expand the grounds for denial of access to an individual to include a likelihood of psychological or mental harm of the individual. We did not find persuasive evidence that this is a problem sufficient to outweigh the reasons for providing open access. We do allow a denial for access based on a likelihood of substantial psychological or mental harm, but only if the protected health information includes information about another person and the harm may be inflicted on such other person or if the person requesting the access is a personal representative of the individual and the harm may be inflicted on the individual or another person.

    We generally agree with the commenters’ concerns that denying access specifically to mental health records could create distrust. To balance this concern with other commenters’ concerns about the potential for psychological harm, however, we exclude psychotherapy notes from the right of access. This is the only distinction we make between mental health information and other types of protected health information in the access provisions of this rule. Unlike other types of protected health information, these notes are not widely disseminated through the health care system. We believe that the individual’s privacy interests in having access to these notes, therefore, are outweighed by the potential harm caused by such access. We encourage covered entities that maintain psychotherapy notes, however, to provide individuals access to these notes when they believe it is appropriate to do so.

    Comment: Some commenters believed that there is a potential for abuse of the provision allowing denial of access because of likely harm to self. They questioned whether there is any experience from the Privacy Act of 1974 to suggest that patients who requested and received their records have ever endangered themselves as a result.

    Response: We are unaware of such problems from access to records that have been provided under the Privacy Act but, since these are private matters, such problems might not come to our attention. We believe it is more prudent to preserve the flexibility and judgment of health care professionals familiar with the individuals and facts surrounding a request for records than to impose the blanket rule suggested by these commenters.

    Comment: Commenters asserted that the NPRM did not adequately protect vulnerable individuals who depend on others to exercise their rights under the rule. They requested that the rule permit a covered entity to deny access when the information is requested by someone other than the subject of the information and, in the opinion of a licensed health care professional, access to the information could harm the individual or another person.

    Response: We agree with the commenters that such protection is warranted and add a provision in § 164.524(a)(3), which permits a covered health care provider to deny access if a personal representative of the individual is making the request for access and a licensed health care professional has determined, in the exercise of professional judgment, that providing access to such personal representative could result in substantial harm to the individual or another person. Access can be denied even if the potential harm may be inflicted by someone other than the personal representative.

    This provision is designed to strike a balance between the competing interests of ensuring access to protected health information and protecting the individual or others from harm. The “substantial harm” standard will ensure that a covered entity cannot deny access in cases where the harm is de minimis.

    The amount of discretion that a covered entity has to deny access to a personal representative is generally greater than the amount of discretion that a covered entity has to deny access to an individual. Under the final rule, a covered entity may deny access to an individual if a licensed health care professional determines that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person. In this case, concerns about psychological or emotional harm would not be sufficient to justify denial of access. We establish a relatively high threshold because we want to assure that individuals have broad access to health information about them, and due to the potential harm that comes from denial of access, we believe denials should be permitted only in limited circumstances.

    The final rule grants covered entities greater discretion to deny access to a personal representative than to an individual in order to provide protection to those vulnerable people who depend on others to exercise their rights under the rule and who may be subjected to abuse or neglect. This provision applies to personal representatives of minors as well as other individuals. The same standard for denial of access on the basis of potential harm that applies to personal representatives also applies when an individual is seeking access to his or her protected health information, and the information makes reference to another person. Under these circumstances, a covered entity may deny a request for access if such access is reasonably likely to cause substantial harm to such other person. The standard for this provision and for the provision regarding access by personal representatives is the same because both circumstances involve one person obtaining information about another person, and in both cases the covered entity is balancing the right of access of one person against the right of a second person not to be harmed by the disclosure.

    Under any of these grounds for denial of access to protected health information, the covered entity is not required to deny access to a personal representative under these circumstances, but has the discretion to do so.

    In addition to denial of access rights, we also address the concerns raised by abusive or potentially abusive situations in the section regarding personal representatives by giving covered entities discretion to not recognize a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by or would be in danger from a person seeking to act as the personal representative. (See § 164.502(g))

    Comment: A number of commenters were concerned that this provision would lead to liability for covered entities if the release of information results in harm to individuals. Commenters requested a “good faith” standard in this provision to relieve covered entities of liability if individuals suffer harm as a result of seeing their protected health information or if the information is found to be erroneous. A few commenters suggested requiring providers (when applicable) to include with any disclosure to a third party a statement that, in the provider’s opinion, the information should not be disclosed to the patient.

    Response: We do not intend to create a new duty to withhold information nor to affect other laws on this issue. Some state laws include policies similar to this rule, and we are not aware of liability arising as a result.

    Comment: Some commenters suggested that both the individual’s health care professional and a second professional in the relevant field of medicine should review each request. Many commenters suggested that individuals have a right to have an independent review of any denial of access, e.g., review by a health care professional of the individual’s choice.

    Response: We agree with the commenters who suggest that denial on grounds of harm to self or others should be determined by a health professional, and retain this requirement in the final rule. We disagree, however, that all denials should be reviewed by a professional of the individual’s choice. We are concerned that the burden such a requirement would place on covered entities would be significantly greater than any benefits to the individual. We believe that any health professional, not just one of the individual’s choice, will exercise appropriate professional judgment. To address some of these concerns, however, we add a provision for the review of denials requiring the exercise of professional judgment. If a covered entity denies access based on harm to self or others, the individual has the right to have the denial reviewed by another health care professional who did not participate in the original decision to deny access.

    Comment: A few commenters objected to the proposal to allow covered entities to deny a request for access to health information if the information was obtained from a confidential source that may be revealed upon the individual’s access. They argued that this could be subject to abuse and the information could be inherently less reliable, making the patient’s access to it even more important.

    Response: While we acknowledge that information provided by confidential sources could be inaccurate, we are concerned that allowing unfettered access to such information could undermine the trust between a health care provider and patients other than the individual. We retain the proposed policy because we do not want to interfere with a covered entity’s ability to obtain important information that can assist in the provision of health care or to maintain implicit or explicit promises of confidence, which may be necessary to obtain such information. We believe the concerns raised about abuse are mitigated by the fact that the provision does not apply to promises of confidentiality made to a health care provider. We note that a covered entity may provide access to such information.

    Comment: Some commenters were concerned that the NPRM did not allow access to information unrelated to treatment, and thus did not permit access to research information.

    Response: In the final rule, we eliminate the proposed special provision for “research information unrelated to treatment.” The only restriction on access to research information in this rule applies where the individual agrees in advance to denial of access when consenting to participate in research that includes treatment. In this circumstance, the individual's right of access to protected health information created in the course of the research may be suspended for as long as the research is in progress, but access rights resume after such time. In other instances, we make no distinction between research information and other information in the access provisions in this rule.

    Comment: A few commenters supported the proposed provision temporarily denying access to information obtained during a clinical trial if participants agreed to the denial of access when consenting to participate in the trial. Some commenters believed there should be no access to any research information. Other commenters believed denial should occur only if the trial would be compromised. Several recommended conditioning the provision. Some recommended that access expires upon completion of the trial unless there is a health risk. A few commenters suggested that access should be allowed only if it is included in the informed consent and that the informed consent should note that some information may not be released to the individual, particularly research information that has not yet been validated. Other commenters believed that there should be access if the research is not subject to IRB or privacy board review or if the information can be disclosed to third parties.

    Response: We agree with the commenters that support temporary denial of access to information from research that includes treatment if the subject has agreed in advance, and with those who suggested that the denial of access expire upon completion of the research, and retain these provisions in the final rule. We disagree with the commenters who advocate for further denial of this information. These comments did not explain why an individual’s interest in access to health information used to make decisions about them is less compelling with respect to research information. Under this rule, all protected health information for research is subject either to privacy board or IRB review unless a specific authorization to use protected health information for research is obtained from the individual. Thus, this is not a criterion we can use to determine access rights.

    Comment: A few commenters believed that it would be “extremely disruptive of and dangerous” to patients to have access to records regarding their current care and that state law provides sufficient protection of patients’ rights in this regard.

    Response: We do not agree. Information about current care has immediate and direct impact on individuals. Where a health care professional familiar with the circumstances believes that it is reasonably likely that access to records would endanger the life or physical safety of the individual or another person, the regulation allows the professional to withhold access.

    Comment: Several commenters requested clarification that a patient not be denied access to protected health information because of failure to pay a bill. A few commenters requested clarification that entities may not deny requests simply because producing the information would be too burdensome.

    Response: We agree with these comments, and confirm that neither failure to pay a bill nor burden is a lawful reason to deny access under this rule. Covered entities may deny access only for the reasons provided in the rule.

    Comment: Some commenters requested that the final rule not include detailed procedural requirements about how to respond to requests for access. Others made specific recommendations on the procedures for providing access, including requiring written requests, requiring specific requests instead of blanket requests, and limiting the frequency of requests. Commenters generally argued against requiring covered entities to acknowledge requests, except under certain circumstances, because of the potential burden on entities.

    Response: We intend to provide sufficient procedural guidelines to ensure that individuals have access to their protected health information, while maintaining the flexibility for covered entities to implement policies and procedures that are appropriate to their needs and capabilities. We believe that a limit on the frequency of requests individuals may make would arbitrarily infringe on the individual’s right of access and have, therefore, not included such a limitation. To limit covered entities’ burden, we do not require covered entities to acknowledge receipt of the individuals’ requests, other than to notify the individual once a decision on the request has been made. We also permit a covered entity to require an individual to make a request for access in writing and to discuss a request with an individual to clarify which information the individual is actually requesting. If individuals agree, covered entities may provide access to a subset of information rather than all protected health information in a designated record set. We believe these changes provide covered entities with greater flexibility without compromising individuals’ access rights.

    Comment: Commenters offered varying suggestions for required response time, ranging from 48 hours because of the convenience of electronic records to 60 days because of the potential burden. Others argued against a finite time period, suggesting the response time be based on mutual convenience of covered entities and individuals, reasonableness, and exigencies. Commenters also varied on suggested extension periods, from one 30-day extension to three 30-day extensions to one 90-day extension, with special provisions for off-site records.

    Response: We are imposing a time limit because individuals are entitled to know when to expect a response. Timely access to protected health information is important because such information may be necessary for the individual to obtain additional health care services, insurance coverage, or disability benefits, and the covered entity may be the only source for such information. To provide additional flexibility, we eliminate the requirement that access be provided as soon as possible and we lengthen the deadline for access to off-site records. For on-site records, covered entities must act on a request within 30 days of receipt of the request. For off-site records, entities must complete action within 60 days. We also permit covered entities to extend the deadline by up to 30 days if they are unable to complete action on the request within the standard deadline. These time limits are intended to be an outside deadline rather than an expectation. We expect covered entities to be attentive to the circumstances surrounding each request and respond in an appropriate time frame.

    Comment: A few commenters suggested that, upon individuals’ requests, covered entities should be required to provide protected health information in a format that would be understandable to a patient, including explanations of codes or abbreviations. The commenters suggested that covered entities be permitted to provide summaries of pertinent information instead of full copies of records; for example, a summary may be more helpful for the patient’s purpose than a series of indecipherable billing codes.

    Response: We agree with these commenters’ point that some health information is difficult to interpret. We clarify, therefore, that the covered entity may provide summary information in lieu of the underlying records. A summary may only be provided if the covered entity and the individual agree, in advance, to the summary and to any fees imposed by the covered entity for providing such summary. We similarly permit a covered entity to provide an explanation of the information. If the covered entity charges a fee for providing an explanation, it must obtain the individual’s agreement to the fee in advance.

    Comment: Though there were recommendations that fees be limited to the costs of copying, the majority of commenters on this topic requested that covered entities be able to charge a reasonable, cost-based fee. Commenters suggested that calculation of access costs involve factors such as labor costs for verification of requests, labor and software costs for logging of requests, labor costs for retrieval, labor costs for copying, expense costs for copying, capital cost for copying, expense costs for mailing, postal costs for mailing, billing and bad-debt expenses, and labor costs for refiling. Several commenters recommended specific fee structures.

    Response: We agree that covered entities should be able to recoup their reasonable costs for copying of protected health information, and include such provision in the regulation. We are not specifying a set fee because copying costs could vary significantly depending on the size of the covered entity and the form of such copy (e.g., paper, electronic, film). Rather, covered entities are permitted to charge a reasonable, cost-based fee for copying (including the costs of supplies and labor), postage, and summary or explanation (if requested and agreed to by the individual) of information supplied. The rule limits the types of costs that may be imposed for providing access to protected health information, but does not preempt applicable state laws regarding specific allowable fees for such costs. The inclusion of a copying fee is not intended to impede the ability of individuals to copy their records.

    Comment: Many commenters stated that if a covered entity denies a request for access because the entity does not hold the protected health information requested, the covered entity should provide, if known, the name and address of the entity that holds the information. Some of these commenters additionally noted that the Uniform Insurance Information and Patient Protection Act, adopted by 16 states, already imposes this notification requirement on insurance entities. Some commenters also suggested requiring providers who leave practice or move offices to inform individuals of that fact and of how to obtain their records.

    Response: We agree that, when covered entities deny requests for access because they do not hold the protected health information requested, they should inform individuals of the holder of the information, if known; we include this provision in the final rule. We do not require health care providers to notify all patients when they move or leave practice, because the volume of such notifications would be unduly burdensome.