Citing “substantial confusion” on the issue of “whether or not a provider can charge a reasonable cost based-fee” for records access, the HHS Office for Civil Rights (OCR) is proposing to revise several requirements related to patient’s access to medical records.
OCR is also seeking to tamp down on costs patients have faced. “We do not believe a patient’s personal medical records should be profit centers for providers,” said OCR Director Roger Severino.
These efforts are spelled out in a notice of proposed rulemaking (NPRM) OCR and HHS officials announced last month,[1] but which had yet to be published in the Federal Register as of RPP’s deadline (see related story, p. 1).[2]
OCR is “clarifying, through this [proposed] rule, that providers must have a fee schedule posted and publicly available so that people know what it costs to get their own records” or protected health information (PHI), Severino said in a call with RPP and other reporters.
OCR: 30-Day Allowance Is Outdated
Severino noted that the current requirement allows providers “30 days to respond” to an access request. “We think this is a relic of a pre-internet age that should be dispensed with,” he said. “We are proposing to reduce that time period to 15 days.”
This would be in line with requirements in more than 15 states, including California and Texas. According to Severino, “major providers have already complied with [this] without issue. And we think 15 days is far more reasonable given the necessity of information and the ability of providers to provide it.”
The NPRM also would half the time an entity can take once it exceeds the first 15 days (as changed); currently one 30-day extension is permitted. If finalized as proposed, the extension could be no more than 15 days.
Other provisions would require the covered entity to provide the records, as in effect today, in the form and format desired. The change is to specify that “if an individual requests that a covered entity transmit PHI securely to the individual’s personal health application, and the covered entity has the technical capability to do so, this form and format is considered readily producible,” Severino said.
Another change is to reduce “the identity verification burden on individuals exercising their access rights, without adversely affecting the security of PHI.” In a fact sheet, OCR cites as an example of what wouldn’t be allowed as “[r]equiring an individual to obtain notarization on an access request.”[3]