Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI? Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?
Must
a covered entity inform individuals in advance of any fees that may be
charged when the individuals request a copy of their PHI?
This
guidance remains in effect only to the extent that it is consistent
with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040
(D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Yes. When an individual requests access to her PHI and the covered
entity intends to charge the individual the limited fee permitted by the
HIPAA Privacy Rule for providing the individual with a copy of her PHI,
the covered entity must inform the individual in advance of the
approximate fee that may be charged for the copy. An individual has a
right to receive a copy of her PHI in the form and format and manner
requested, if readily producible in that way, or as otherwise agreed to
by the individual. Since the fee a covered entity is permitted to charge
will vary based on the form and format and manner of access requested
or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged,
inform the individual of any associated fees that may impact the form
and format and manner in which the individual requests or agrees to
receive a copy of her PHI. The failure to provide advance notice is an
unreasonable measure that may serve as a barrier to the right of access.
Thus, this requirement is necessary for the right of access to operate
consistent with the HIPAA Privacy Rule. Further, covered entities
should post on their web sites or otherwise make available to
individuals an approximate fee schedule for regular types of access
requests. In addition, if an individual requests, covered entities
should provide the individual with a breakdown of the charges for labor,
supplies, and postage, if applicable, that make up the total fee
charged. We note that this information would likely be requested in any
action taken by OCR in enforcing the individual right of access, so
entities will benefit from having this information readily available.
| TYLER, Texas — U.S. Attorney John M. Bales announced today that a former employee of an East Texas hospital has pleaded guilty to criminal HIPAA charges in the Eastern District of Texas. Joshua Hippler, 30, formerly of Longview, Texas, was indicted on March 26, 2014, on charges of Wrongful Disclosure of Individually Identifiable Health Information. Hippler pleaded guilty on August 28, 2014 during a hearing before United States Magistrate Judge John D. Love. The indictment alleged that from December 1, 2012, through January 14, 2013, Hippler, who was then an employee of a covered entity under HIPAA, obtained protected ...read more |
| TYLER, Texas — U.S. Attorney John M. Bales announced today that a former employee of an East Texas hospital has pleaded guilty to criminal HIPAA charges in the Eastern District of Texas. Joshua Hippler, 30, formerly of Longview, Texas, was indicted on March 26, 2014, on charges of Wrongful Disclosure of Individually Identifiable Health Information. Hippler pleaded guilty on August 28, 2014 during a hearing before United States Magistrate Judge John D. Love. The indictment alleged that from December 1, 2012, through January 14, 2013, Hippler, who was then an employee of a covered entity under HIPAA, obtained protected ...read more |
| § 164.314 Organizational requirements. (a) (1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (2) Implementation specifications (Required) - (i) Business associate contracts. The contract must provide that the business associate will - (A) Comply with the applicable requirements of this subpart; (B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of ...read more |
| Pharmacy Chain Revises Process for Disclosures to Law Enforcement Covered Entity: Pharmacies Issue: Impermissible Uses and Disclosures A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from ...read more |
|
July 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1) November 2022 (54)
Blog Labels
Covered Entity (40) HIPAA Enforcement (3) EHR Fraud (1) Data Breach (1) PPP Fraud (1) BAA (4) ePHI (2) Telehealth (1) HIPAA (2)
|