In 2003, a federal law called the Health Insurance Portability and Accountability Act (HIPAA) was passed, creating national standards for protecting sensitive patient health information. Among other things, HIPAA set rules and limits on who can look at or receive an individual’s health records. This was followed up in 2009 with the Health Information Technology for Economic and Clinical Health Act (HITECH), which encouraged the use of technology with health information and medical records. HITECH also allowed for stiff penalties to be assessed for HIPAA violations. Anyone who has ever had the need to request their health records be sent from one medical provider to another has done so under the guidance of HIPAA law.
The management of releasing medical records has proven to be quite a challenge as there is little to no interoperability between various Electronic Medical Record (EMR) systems. The answer for many healthcare organizations was to hire third-party medical records management companies, like ScanSTAT Technologies, to facilitate the exchange of information between providers, payers, individuals, and other entities such as law firms. ScanSTAT and other companies in the medical information management realm are regulated by HIPAA and specific state laws that ensure patient confidentiality is protected, and also that requested information is exchanged promptly. The fees that health information management providers can charge a commercial entity that is seeking medical records are highly regulated by state laws.
To put this issue into perspective, a large hospital typically receives hundreds of medical record release requests each day. Of those requests, a very small percentage are usually originated by an individual looking for their medical record to be sent to a specialist or other medical provider. Most of the requests are from other providers that need the information to treat a patient in their office or facility. Another 15% of the requests are generated by the Social Security Administration, while 20% are typically from insurance companies. The bulk of the remaining requests are made by law firms engaged in some form of legal issue.
In 2016, Health and Human Services (HHS) published guidance on their website regarding patients requesting their medical records and the fees associated with that process. This guidance basically conflicted with the actual law or regulations that were already part of the HITECH Act. The guidance provided specific instructions on amounts and directions regarding requests for medical information from third parties. As part of the HITECH Act, individuals who were initiating a request for their own health records were to be charged a cost-based fee that would be capped under HIPAA. In place of a provider trying to determine their specific costs, HHS stated that the fee could not exceed $6.50. Unfortunately, as is often the case, the information published by HHS created confusion and unintended consequences. It also opened the door for opportunistic third parties, who began to manipulate the system by trying to force providers into providing the health records at this flat rate that was intended for individuals.
Specifically, law firms, previously charged for medical record releases according to state pricing guidelines, began to submit the requests as if they were an individual, instead of a commercial entity. Companies like ScanSTAT and their provider-customers began to receive records requests that appeared to be from an individual, and that the requesters expected to be charged at the cost-based rate cited in the HHS guidance. In many cases, these release requests came in on law firm letterhead. They were a blatant attempt to manipulate the intentions of the HHS guidelines. ScanSTAT always interpreted the provisions of the HITECH Act as applying to an individual requesting their medical information and did not dignify these attempts by law firms exploiting the patient request language.
Law firms and other third parties that were manipulating the spirit of this guidance were creating a serious conflict within the medical records management industry. Vendors, like ScanSTAT, typically deliver their services to providers at little to no cost because of the fees they can charge commercial entities. Individuals and other healthcare providers had always received their medical records at very low or no cost. Now, with the unscrupulous tactics being utilized by law firms, the entire medical records management business model was in jeopardy. As more law firms began manipulating the requests, they began using bullying tactics to force the records management providers to invoice them at the $6.50 rate.
Some companies, like ScanSTAT, pushed back and invoiced the law firms at the state-authorized commercial levels. Then, the law firms began refusing to pay the invoices and started filing complaints with the Office for Civil Rights (OCR) of HHS. If these tactics were allowed to continue, hospital systems and other medical providers would no longer be receiving the records management services at such a favorable ROI, leading them to manage the information release process on their own. Managing this process is a challenge for providers, and one they are ill-equipped to handle. Patients, insurance companies, medical providers, and even the law firms creating the issue would be negatively impacted if the release requests were no longer being handled efficiently or accurately.
Fortunately, in 2018, one of the largest health information management providers, Ciox Health, filed a lawsuit against the Office for Civil Rights of HHS. The suit claimed that the cost-based guidance provided by HHS was illegal, and further argued against other hardships incurred by the HHS guidance. On January 23, 2020, a District Court Judge declared the HHS guidance unlawful and vacated the expansion of the HITECH Act that was being taken advantage of by law firms and other third-party entities.
The court ruling is a win for health information management providers and is beneficial to every patient, healthcare provider, or any other business entity that routinely utilizes patient health information.