How much should access to a medical record cost? It is a thorny and complicated question since access comes in many forms. For instance, is an individual requesting a copy of their record for personal use, or to send to another provider for continuity of care purposes, or are the records going to an attorney for potential litigation? Each of those scenarios often results in a different charge being imposed for a copy of the medical record. The evolving state of regulations and guidance concerning access or copy costs is now the subject of a lawsuit.
Before diving into the lawsuit, it is helpful to dive into the background on access issues. Under the HIPAA Privacy Rule, an individual has the right to request access to their record or to have a copy made (42 C.F.R. § 164.524) (the Access Rule). Under the most recent iteration of the Access Rule, access must be provided in the form and format requested by the individual, if the information is readily producible in such form and format. Additionally, the entity holding the record is authorized to impose a reasonable, cost-based fee, which fee can only include: (i) the labor for copying the record, (ii) supplies for creating the copy, (iii) postage if physically mailed, and (iv) preparing an explanation or summary of the record if agreed to by the requesting individual. The Access Rule only describes the fee that can be charged to the individual requesting. Lastly, the Access Rule requires an entity to transmit a copy of the record where directed by the individual, which means the individual can require direct transmittal to a third party.
Adding a layer of nuance onto HIPAA, many state laws impact the privacy of records and may also address fees that can be charged. Looking at privacy requirements first, state law will often impose stricter privacy restrictions than HIPAA. As such, state law may require segregation of certain information or explicit consent for release. Imposing stricter privacy obligations does not create a conflict with HIPAA, which makes such requirements permissible. The more complicated aspect of state law is when state law covers what fee can be charged for providing a copy of a medical record. If the state law operates within the outer bounds established by HIPAA, then the fee will be ok, but more often state law seems to permit a fee more generous than allowed under HIPAA. In those instances, state law must bow to HIPAA and should not be followed.
With a brief background established, the lawsuit filed by CIOX Health against the Department of Health and Human Services can be examined. The lawsuit focuses on the fee that can be charged to entities requesting a copy of a record. While the lawsuit goes through all aspects of the Access Rule, no challenge is made to limiting the amount that can or should be charged to an individual. The acknowledgment that individuals should be able to receive a copy of their record for little or no fee is a bit of a relief and suspect an aspect that was masked by many other headlines about this case.
While an individual’s ability to get a record for little or no fee is not questioned, the lawsuit strongly goes against the practical establishment of a similar “right” for third parties requesting a record about an individual. In particular, the lawsuit centers its attention on requests by life insurance companies, lawyers, or other entities in similar positions. According to CIOX, the initial version of the Privacy Rule recognized that no limitation should be imposed on fees that can be charged to third-party entities. According to the complaint filed by CIOX, this set of circumstances up until the 2013 HIPAA Omnibus Rule was promulgated and became effective.
Per CIOX, the 2013 Omnibus Rule began altering the playing field by requiring providers to grant access in the form requested. The lawsuit then points to guidance issued by the Office for Civil Rights in 2016 as “eviscerating” the fee structure when it comes to access requests. Under the 2016 guidance, the amount that could be charged to third parties was curtailed because entities were directed to charge the direct individual rate when a provider is directed to send their medical record to a third party. Per the guidance, this would occur when an individual initiates the request and the request identifies that the record should be sent to another person.
The lawsuit is premised upon fine distinctions, but a prime factor in the lawsuit is money. CIOX argues that charging third parties such as life insurance companies or lawyers more than any other requesting group helps to subsidize the losses incurred when responding to requests by individuals or between providers. CIOX alleges that it is impossible to even break even in those instances, which makes it important to recoup some of the loss in other instances. As indicated, that is the basic message behind the lawsuit, which is framed in quite strong and inflammatory language.
While the lawsuit will play out in the courts, the question that many following the case will ask is how accurate are the allegations and what does it all mean? Like any dispute, the statements contained in CIOX’s complaint are slanted to one particular position and may not necessarily full account for all of the different facts and circumstances. For instance, it is accurate that the 2016 guidance tries to impose new limits on what access fees can be charged, but the guidance does not state that third parties can never be charged a higher fee. If a request still comes directly from the third party, then the individual rate does not apply. That is acknowledged to be a fine hair to split, but it is a real one and likely one that results in actual distinctions between requests.
The fight over what fee can, should or ought to be charged ties to some deeper and more fundamental issues within the healthcare systems. Namely, the fragmentation of medical records and the remaining inability for a unified record to be created. These issues are referenced in the CIOX complaint because CIOX uses these factors as justifications and reasons for needing to charge a higher fee when comprehensive requests are submitted by third-party entities. CIOX fairly accurately describes the multitude of systems that need to be navigated the mix of paper, semi-digital and fully digital records among other issues that must be navigated and reconciled when responding to an access request. If the lawsuit can be another means of focusing attention on these fundamental issues, then optimistically the lawsuit can provide a larger benefit. That is a pretty far-reaching hope though because it would be highly unlikely that any resolution from the lawsuit can or should touch upon such issues. Addressing interoperability and fragmentation will be left to the industry, individuals, government, and others to work on.
If CIOX succeeds with its lawsuit, there will be some immediate changes. The relief sought in the lawsuit is a rolling back of the 2016 guidance and portions of the 2013 Omnibus Rule impacting the Access Rule. Arguably those changes would not have that large of an impact, but any regulatory impact often has ripple effects. The preferable outcome, as suggested above, would be a more interoperable system that meets the needs of all involved. Hope can spring eternal.
Hopefully the optimism is not misplaced and the lawsuit brought by CIOX is a public spur to change.
This article was originally published on Mirick O’Connell’s Health Law Blog.