OCR Issues Updated FAQ on HIPAA Rights of Access and Guidance for Health Application Developers.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released clarification regarding individuals’ rights under the Health Insurance Portability and Accountability Act (HIPAA). OCR clarified the calculation methods a covered entity may use to charge individuals for obtaining a copy of their own protected health information (PHI). Under the HIPAA Privacy Rule, covered entities must provide individuals with access to their PHI upon request. Access includes the right to inspect or obtain records, regardless of whether the PHI is maintained in paper or electronic format, remotely, or in archives.
OCR clarified that:
- The maximum chargeable fee to individuals requesting a copy of their PHI is not necessarily $6.50;
- Utilizing a flat fee method is optional for covered entities;
- If a provider charges a flat fee for copies of an individual’s PHI, the flat fee cannot exceed $6.50;
- An entity that does not charge a flat fee must inform the individual, in advance, of the approximate fee to provide a copy of the requested record(s); and
- Covered entities may opt to calculate actual or average costs or utilize other methods as long as the method is appropriate to the entity and permissible under the Privacy Rule.
OCR also issued additional guidance for health information technology (IT) and health application developers. OCR developed and launched a new “Health App Developers: Questions about HIPAA?” website page linking developers with guidance and clarification on general and scenario-specific HIPAA questions. The site also provides an interactive tool that assists developers in assessing which federal laws apply to their mobile health applications. The tool provides guidance related to HIPAA; the Federal Food, Drug, and Cosmetic Act; Federal Trade Commission (FTC) Act; and the FTC Health Breach Notification Rule. All Health IT questions received and answered by OCR have been published on the new resource page.
The OCR resource webpage for health application developers is available at:
http://hipaaqsportal.hhs.gov/a/pages/helpful-links.
The OCR’s frequently asked questions and guidance on individuals’ right to access is available at:
http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
Department of Health and Human Services Office for Civil Rights. “Health App Developers: Questions about HIPAA?” Helpful Links. 25 May 2016.
Department of Health and Human Services Office for Civil Rights. “New Clarification – Up to $6.50 Flat Rate Option.” Frequently Asked Questions. 24 May 2016.