is it legal to charge patients for patient portal access

The Centers for Medicare and Medicaid Services (CMS) has advised that charging for this access is inappropriate under the meaningful use criteria. Under HIPAA, patients have a right to see and obtain copies of their medical records. HIPAA allows providers to charge a “reasonable cost-based” fee for providing these copies.

Full Answer

Can I charge for access to my medical records?

Feb 02, 2015 · But the fact remains that adopting a patient portal is still a costly investment. And with the costs of running a medical organization rising, …

How are patients using the patient portal?

Oct 19, 2020 · Specifically, the Final Rule outlaws any kind of information blocking, and this includes blocking of patient data access. Starting in the beginning of November, healthcare organizations must provide patients access to their electronic health data, free of charge.

How many patients are using the portal to share data?

Apr 25, 2016 · A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage. While the Privacy Rule permits the limited fee as described, covered entities should provide individuals who request access to …

How can patients access and share their health information?

Incentive Programs must meet the Patient Electronic Access objective, which gives patients access to their health information in a timely manner. Providers participating in Stage 1 are required to meet one patient electronic access measure, and providers participating in Stage 2 need to meet two measures. Measure #1 for Stage 1 and Stage 2:

Do patient portals cost money?

Holmes estimates portal costs in the range of $30-$40 per provider per month, on average. Some vendors charge a fee per patient per month. Partly to compensate for this extra cost, some practices charge patients for viewing their own records on the portal.Apr 29, 2015

What are the 3 patient rights under the HIPAA Privacy Rule?

HIPAA Patient Rights: Prohibitions on Use or Disclosure of PHI. HIPAA protects patients by generally prohibiting the sale of PHI; the use and disclosure of genetic information for underwriting purposes; and the use or disclosure of psychotherapy notes. Do you have an effective HIPAA compliance program?Nov 20, 2020

How do patient health information portals contribute to patient rights?

Further, portals help providers educate their patients and prepare them for future care encounters. When patients have access to their health data, they are better informed, and have the potential to generate deep and meaningful conversations regarding patient wellness during doctor's appointments.May 13, 2016

What percentage of patients use patient portals?

FINDINGS. Nearly 40 percent of individuals nationwide accessed a patient portal in 2020 – this represents a 13 percentage point increase since 2014.Sep 21, 2021

What is considered a HIPAA violation?

What is a HIPAA Violation? The Health Insurance Portability and Accountability, or HIPAA, violations happen when the acquisition, access, use or disclosure of Protected Health Information (PHI) is done in a way that results in a significant personal risk of the patient.Jul 3, 2018

Can someone access my medical records without my permission?

General Rules. HIPAA provides that individuals generally have a right to access their own healthcare records.

Is it a HIPAA violation to access your own chart?

A. No. It is NOT a HIPAA violation to view your own medical record.

What is the difference between a personal health record and a patient portal?

The Portal is controlled by the source system (EMR/EHR/Hospital). On the other hand, the Personal Health Record (PHR) is more patient centric, is controlled by a patient or family member, and may or may not be connected to a doctor or hospital (i.e. it may be tethered or untethered).Sep 6, 2012

What is a valid reason for denying an amendment request?

Reasons for Denial. The provider who received the amendment request had not created the original record. The record was created at another office. There is an exception if the creator is no longer available and the mistake in the record is apparent.

Why do patients not use patient portals?

The researchers found no demographic differences among nonusers who said that a technology hurdle, lack of internet access or no online medical record was the reason why they did not make use of a patient portal.May 14, 2019

What is a patient portal in healthcare?

A patient portal is a secure online website that gives patients convenient, 24-hour access to personal health information from anywhere with an Internet connection. Using a secure username and password, patients can view health information such as: Recent doctor visits. Discharge summaries. Medications.Sep 29, 2017

What are the disadvantages of patient portals?

Even though they should improve communication, there are also disadvantages to patient portals....Table of ContentsGetting Patients to Opt-In.Security Concerns.User Confusion.Alienation and Health Disparities.Extra Work for the Provider.Conclusion.Nov 11, 2021

Who has the right to access health records?

The Privacy Rule generally also gives the right to access the individual’s health records to a personal representative of the individual. Under the Rule, an individual’s personal representative is someone authorized under State or other applicable law to act on behalf of the individual in making health care related decisions. With respect to deceased individuals, the individual’s personal representative is an executor, administrator, or other person who has authority under State or other law to act on behalf of the deceased individual or the individual’s estate. Thus, whether a family member or other person is a personal representative of the individual, and therefore has a right to access the individual’s PHI under the Privacy Rule, generally depends on whether that person has authority under State law to act on behalf of the individual. See 45 CFR 164.502 (g) and 45 CFR 164.524.

Who has the right to access PHI?

An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request, consistent with the scope of such representation and the requirements discussed below. See 45 CFR 164.502 (g) and http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html for more information about the rights that can be exercised by personal representatives.

Why is it important to have access to health information?

Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, ...

What is the HIPAA Privacy Rule?

With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.

What does it mean when a lab report is complete?

For purposes of the HIPAA Privacy Rule, clinical laboratory test reports become part of the laboratory’s designated record set when they are “complete,” which means that all results associated with an ordered test are finalized and ready for release.

Can I send a copy of my PHI to a third party?

Yes, but only within specific limits. The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage:

Can a covered entity charge for access to a PHI?

Yes. When an individual requests access to her PHI and the covered entity intends to charge the individual the limited fee permitted by the HIPAA Privacy Rule for providing the individual with a copy of her PHI, the covered entity must inform the individual in advance of the approximate fee that may be charged for the copy. An individual has a right to receive a copy of her PHI in the form and format and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. Since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of her PHI. The failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access. Thus, this requirement is necessary for the right of access to operate consistent with the HIPAA Privacy Rule. Further, covered entities should post on their web sites or otherwise make available to individuals an approximate fee schedule for regular types of access requests. In addition, if an individual requests, covered entities should provide the individual with a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged. We note that this information would likely be requested in any action taken by OCR in enforcing the individual right of access, so entities will benefit from having this information readily available.

When will the Cures Act go into effect?

The portion of the law, which goes into effect on November 2, 2020, comes as a part of the final rules on information blocking released by the Office of the National Coordinator for Health IT in ...

Why is the 21st century cures act important?

This facet of the 21 st Century Cures Act is important because it includes not just patient data access—which in some cases could start and end with a copy of one’s health records —but also clinical notes.

What is patient centered healthcare?

Patient-centered healthcare initiatives are underway to enable patients to take more responsibility for their healthcare. To do so, patients must be able to access and share their health information. 1–3 Under the Health Insurance Portability and Accountability Act (HIPAA), patients have a right to see and obtain a copy of their medical records.

When did the HITECH Act become effective?

Under the HITECH Act, effective September 23, 2013, patients have the right to request their health information in electronic form. The act requires that any fee imposed to provide the electronic copy cannot exceed the labor and supply costs of responding to the request.

What is the healthcare industry?

The healthcare industry is at a crossroad of converging technology and regulations influencing patients’ access to their personal health information. This research revealed wide variation in contemporary practices affecting patient access.

What is the privacy rule?

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage:

What is actual cost?

Actual costs . A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity.

What is a covered entity?

A covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests (e.g. paper records, electronic records, mailed records, etc.) A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, ...

What is labor for copying?

Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.

Does HIPAA override state laws?

In contrast to State laws that authorize higher or different fees than are permitted under HIPAA, HIPAA does not override those State laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule does . See 45 CFR 160.202 and 160.203.

Can a covered entity charge for access to a PHI?

Yes. When an individual requests access to her PHI and the covered entity intends to charge the individual the limited fee permitted by the HIPAA Privacy Rule for providing the individual with a copy of her PHI, the covered entity must inform the individual in advance of the approximate fee that may be charged for the copy. An individual has a right to receive a copy of her PHI in the form and format and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. Since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of her PHI. The failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access. Thus, this requirement is necessary for the right of access to operate consistent with the HIPAA Privacy Rule. Further, covered entities should post on their web sites or otherwise make available to individuals an approximate fee schedule for regular types of access requests. In addition, if an individual requests, covered entities should provide the individual with a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged. We note that this information would likely be requested in any action taken by OCR in enforcing the individual right of access, so entities will benefit from having this information readily available.

What is EHR incentive?

The Medicare and Medicaid EHR Incentive Programs encourage patient involvement in their health care. Online access to health information allows patients to make informed decisions about their care and share their most recent clinical information with other health care providers and personal caregivers.

Does CMS require growth charts?

However, because this certification capability is not required, eligible professionals and hospitals do not need to generate and make growth charts available in order to meet the objective.

Can a patient opt out of health information?

A: A patient can choose not to access their health information, or “opt-out.” Patients cannot be removed from the denominator for opting out of receiving access. If a patient opts out, a provider may count them in the numerator if they have been given all the information necessary to opt back in without requiring any follow up action from the provider, including, but not limited to, a user ID and password, information on the patient website, and how to create an account.

Can a provider withhold information from a patient's website?

However, the provider may withhold any information from online disclosure if he or she believes that providing such information may result in significant harm.

When are clinical notes required to be shared?

Under this new rule, clinical notes must be shared by health systems by April 5, 2021, and shared with a patient’s 3rd party application (“app”) that may be downloaded to a smart phone or other device by the end of 2022. Highlighted Regulatory Dates – Information Blocking Provisions ( see full PDF ).

What is the prevent harm exception?

Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

What are clinical notes?

Clinical notes to which the rules do not apply: 1 Psychotherapy notes that are separated from the rest of the individual’s medical record and are recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. Note: All clinicians and organizations are required to share medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. 2 Information compiled in reasonable anticipation of, or use in a civil, criminal or administrative action or proceeding.

Fees That Can Be Charged to Individuals For Copies of Their Phi

• May a covered entity charge individuals a fee for providing the individuals with a copy of their P…
  Yes, but only within specific limits. The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may i…
• What labor costs may a covered entity include in the fee that may be charged to individuals to pr…
  A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to recei…

See more on hhs.gov

Right to Have Phi Sent Directly to A Designated Third Party

Scope of Information Covered by Access Right

timelines For Providing Access

Other Questions on Access Right

Other Access Topics

Abstract

• Patient-centered healthcare initiatives are underway to enable patients to take more responsibility for their healthcare. To do so, patients must be able to access, utilize, and share their health information. Access to health information through patient portals and other electronic means is increasing with the adoption of electronic health records (EHRs), but not all providers have EHR…

See more on perspectives.ahima.org

Introduction

Background

Methods

Results

Discussion

Conclusion

Acknowledgments

Notes