Lawsuit: HHS' Patient Record Access Regulations 'Unlawful'
Case Spotlights Confusion, Hurdles in Providing PHI to Patients
A federal lawsuit alleges that Department of Health and Human Services regulations "unlawfully ... and capriciously" restrict the fees healthcare providers and their medical record vendors can charge for gathering and disseminating a variety of health information upon patients' requests.
The case also spotlights some of the hurdles and confusion that healthcare entities often face in providing patients with secure access to their health information.
The lawsuit was filed on Jan. 8 in the Washington, D.C. circuit court by medical record retrieval firm CIOX Health against Eric Hargan in his official capacity as acting HHS secretary.
In court documents, CIOX alleges that changes implemented by the HIPAA Omnibus regulations in 2013 and modified in 2016 "threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively - and quite deliberately - mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss."
CIOX Health alleges that the regulatory changes broadened the medical information that patients can request be transmitted "from any form whatsoever - for example, electronic health record or non-EHR - in any form whatsoever - for example, paper, electronic, radiologic film, etc. - to any third party including profit-seeking commercial parties like insurers and lawyers." At the same time, CIOX argues, HHS regulations limit the fees that providers can charge to fulfill a patient's record request.
"Producing such information in accordance with these laws is both complex and costly," CIOX says in its complaint. "The costs required to fulfill each request for a patient's PHI include not only the supplies and technology used to produce PHI to the requesting party, but also the extensive labor costs associated with receiving, compiling, verifying and processing such requests. ... In many cases, these materials are located in multiple physical and virtual locations, which requires staff to be dispatched to physically obtain or retrieve records from an array of sources," the suit says.
"This process is time-consuming ... Once responsive PHI is located, it takes significant effort to fulfill a request for paper or electronic copies of patient medical records in a manner that complies with both federal law and the patchwork of applicable state privacy laws."
Maximum Fee, or Not?
The suit further alleges that a $6.50 flat fee referenced by HHS regulations for electronic copies of PHI is "irrational, arbitrary, capricious and absurd."
HHS on its website says "a covered entity may charge individuals a flat fee for all requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage. Charging a flat fee not to exceed $6.50 is therefore an option for entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically."
However, in "clarification" guidance issued in May 2016, HHS noted that "$6.50 is not the maximum amount that can be charged for all individual requests for a copy of PHI under the right of access."
HHS in its clarification guidance adds, "charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating the actual or average costs for requests for electronic copies of PHI maintained electronically as permitted by the Privacy Rule."
Privacy attorney David Holtzman, vice president of compliance at security consultancy Cynergistek, says HHS used "government prescribed processes" to estimate the costs of compliance on healthcare organizations. "With the support of Congress and past administrations, HHS leveled the playing field for consumers who were blocked from exercising their HIPAA rights because of their inability to pay photocopying and service fees imposed by for-profit third-party vendors hired by healthcare organizations to manage healthcare records," he notes.
CIOX in a statement to Information Security Media Group says, "the long-term viability of the medical-records industry is critical to the delivery of high-quality, error-free and cost-effective healthcare services to patients by ensuring that healthcare providers have timely access to individual medical records."
HHS' Office for Civil Rights, which enforces HIPAA, declined to comment on the CIOX Health lawsuit, saying the agency does not comment on pending litigation.
CIOX is also the co-defendant in a separate lawsuit filed in 2016 by a pair of attorneys who, among other claims, allege that CIOX and more than 60 hospitals in Indiana failed to meet a three-day turnaround deadline for patient requests for health records, as mandated by early requirements of the HITECH Act incentive program (see Lawsuit: Hospitals Lied About Providing Quick Records Access).
Obstacles and Confusion
Some experts say the CIOX Health lawsuit against HHS puts a spotlight on some of the confusion and obstacles that the healthcare sector faces in complying with HIPAA's regulations around patients' right of access.
That includes an HHS provision that entities provide patients electronic access to their health records in the manner requested by the individual, "if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format."
For instance, that includes requests by individuals that their PHI be electronically transmitted, including via unsecured email, as long as patients are made aware of the risks associated with unencrypted email.
In other cases, complying promptly with patient record requests is complicated by the diverse array of systems that store pieces of the patient's information, with records often maintained in a combination of paper-based and electronic systems, says Joe Gillespie, senior privacy and security consultant at the consultancy tw-Security.
"Typically, it is the staff within the health information management, or HIM, department that responds to requests from patients for their PHI," Gillespie says.
"The problem I've always had with the [HIPAA] term of 'designated record set' is that it may include PHI in systems that HIM staff may not have access to where some limited PHI may exist, such as cost-accounting systems, lab information systems and analyzers, radiology systems ... and pharmacy systems, etc.," he says.
"And if the facility outsources this disclosure function, that company will likely have even less access. So, if a facility is asked to provide the entire 'designated record set,' the HIM staff would have to coordinate that with many other departments and that takes much more time," Gillespie says.
"If electronic, depending upon the electronic medical record vendor used, these requests can be much easier to fulfill than with paper records or hybrid paper/electronic records," he notes.
The evolution of web-based patient portals is helping to make it more convenient for patients to securely access their digital health information in a timely manner, Gillespie notes. However, there are limitations with portals as well.
"Portals have most certainly been successful in allowing access and engaging patients with their own care," he says. However, portals - while usually offering secure means to communicate directly with clinicians - typically only provide a subset of a patient's 'designated record set,' such as immunizations, lab results, medical problem list, and medications, Gillespie notes.
Also, "the security of any portal has to be balanced with the ease of use," he says. "If the security is too tight - such as frequent password changes, really strong/complex password rules, etc. - patients will stop using the portal. If the rules are too weak, the portal is more vulnerable to hacking. It's a difficult balancing act."
Holtzman notes that healthcare organizations, when fulfilling patient requests for records, must have policies and processes in place to verify the identity of the person, the PHI, as well as the individual's authority to act as a personal representative. "Organizations have flexibility to use in-person identity checking or technologies that allow for identity proofing. Recently, the National Institute of Standards and Technology's SP 800-63 publication provided an updated set of digital identity guidelines to help health care organizations standardize secure identity proofing safeguards."
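The portal trade-off Gillespie describes (rules so tight that patients abandon the portal, versus rules so weak that accounts are easy to take over) is exactly what the NIST SP 800-63 guidelines Holtzman mentions address in their memorized-secret section (SP 800-63B). The following Python is an added example, not code from the article or from any portal vendor named in it: it places a legacy "complexity and rotation" policy beside an SP 800-63B-aligned check that relies on length, a compromised-password blocklist and context checks instead of composition rules and scheduled resets. The breached-password list, the sample usernames and passwords, and the 128-character ceiling are constructed for the example.

```python
"""Constructed example: two password-acceptance policies for a patient portal.

check_legacy_policy  - the 'too tight' style: composition rules and a short cap.
check_nist_policy    - aligned with NIST SP 800-63B memorized-secret guidance:
                       at least 8 characters, allow long passphrases, no
                       composition rules, screen against known-compromised
                       values and context-specific words.
rotation_required    - SP 800-63B: no periodic forced change; change only on
                       evidence of compromise.
"""
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a compromised-credential corpus. A real portal would
# query a breach list (ideally by hashed prefix) rather than embed one.
CONSTRUCTED_BREACHED = {"password", "password1", "password1!", "letmein",
                        "welcome1", "patient123", "winter2018!"}

# Constructed: maximum length this portal accepts. SP 800-63B says verifiers
# should allow at least 64 characters, so the cap is set well above that.
MAX_LEN = 128


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def normalize(secret: str) -> str:
    """SP 800-63B recommends Unicode NFKC normalization before length checks so
    the same passphrase typed on different devices compares consistently."""
    return unicodedata.normalize("NFKC", secret)


def check_legacy_policy(secret: str) -> Verdict:
    """Legacy composition policy: every rule here pushes users toward short,
    predictable patterns (capital first, digit and symbol last)."""
    reasons = []
    if len(secret) < 8:
        reasons.append("shorter than 8")
    if not any(c.isupper() for c in secret):
        reasons.append("no uppercase letter")
    if not any(c.isdigit() for c in secret):
        reasons.append("no digit")
    if not any(not c.isalnum() for c in secret):
        reasons.append("no symbol")
    if len(secret) > 16:
        reasons.append("longer than 16")
    return Verdict(not reasons, reasons)


def check_nist_policy(secret: str, username: str = "",
                      breached=CONSTRUCTED_BREACHED) -> Verdict:
    """SP 800-63B-aligned check: length floor, generous ceiling, blocklist and
    context words; spaces and any printable characters are allowed."""
    s = normalize(secret)
    reasons = []
    if len(s) < 8:
        reasons.append("shorter than 8 characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than the {MAX_LEN} characters this portal accepts")
    lowered = s.lower()
    if lowered in breached:
        reasons.append("appears in a compromised-password list")
    # Context-specific words: the account name and the service name itself.
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if "constructedportal" in lowered:  # constructed service name
        reasons.append("contains the portal name")
    # Single repeated character (e.g. 'aaaaaaaa') is called out by SP 800-63B.
    if len(set(lowered)) == 1:
        reasons.append("a single repeated character")
    return Verdict(not reasons, reasons)


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """SP 800-63B: do not force periodic changes; require one only when there
    is evidence the secret was compromised. Age alone is never a reason."""
    return compromise_suspected


if __name__ == "__main__":
    for pw in ["Password1!", "correct horse battery staple lab results"]:
        print(pw, "legacy:", check_legacy_policy(pw), "nist:", check_nist_policy(pw))
```

Run as a script, the two sample passwords show the inversion that matters for portal adoption: "Password1!" satisfies every legacy rule but is rejected by the blocklist, while a long passphrase fails the legacy policy on three counts and passes the SP 800-63B check.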