AHIOS Responds to the Court Ruling on Third-Party Directives
By the Association of Health Information Outsourcing Services
When the Health and Human Services (HHS) guidance came out in February 2016, provider organizations and HIM outsourcing companies were struck by a number of new components. Although HHS claimed this was just its interpretation of the law as it already existed, the requirement to apply patient rates to third-party directed requests, the pricing methodologies allowed, and the requirement to send paper records electronically when requested were among the surprises.
The lawsuit brought by Ciox Health targeted the fact that HHS had made substantive changes to existing legislation without following the appropriate legislative process. These changes had such a significant impact on the release of information (ROI) industry that it required a six-month period to address the changes needed to meet the guidance.
While the guidance was not promulgated to law, it was being used by attorneys and third-party record retrieval companies (RRCs) to pressure provider organizations to follow the 2016 guidance and allow them to receive information from the designated record set at the $6.50 safe-harbor rate. Several offices of the HHS Office for Civil Rights (OCR) treated the guidance as law by enforcing the rates.
The US Court Ruling
On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual ... in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records and does not apply to an individual’s request to transmit records to a third party.
On January 29, US District Court Judge Amit Mehta issued a ruling to HHS for its 2013 HIPAA Right of Access rule around the scope of information finding that some sections of its rule were impermissible under the Administrative Procedure Act. The scope of information subject to the Patient Rate limitations is now records stored in an EHR that are part of the Designated Record Set, rather than all records regardless of format.
The court ruling agreed with Ciox Health that HHS had overstepped when it issued its guidance in February 2016 and vacated certain elements of the guidance as being unlawful. With the ruling, the court affirmed that the guidance was never binding or lawful. This meant that requesters were improperly using guidance that was unlawful in the first place. As a result, when patients request copies of their own records that are stored in an EHR and that are part of the Designated Record Set, they can be charged only the rate as prescribed in the guidance. However, when a patient directs the copies to be sent to a third party such as an attorney or insurance company, the patient rates do not apply and instead are governed by state guidelines.
Effective immediately with the federal ruling and in support of OCR, the guidance can no longer be used by attorneys or RRCs to obtain medical records at the safe harbor rate that was designated for patient access. As Ciox Health claimed, “A $6.50 flat fee … was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.”
Impact on Provider Organizations
Prior to the ruling, attorneys and RRCs were shifting some of their cost of doing business to health care organizations. The ruling allows for a return to state rates so covered entities will now be fairly compensated for, and better able to control, their health record production costs.
The Association of Health Information Outsourcing Servicesrecommends that health care providers urge their patients to not sign “any and all” releases from their attorney or allow them to utilize a directive to get more records than are needed for the particular purpose. Patient privacy was significantly hindered when attorneys began using patient access letters that were not subject to the same privacy constraints as a HIPAA authorization. Requesters should go back to using a HIPAA authorization, which is the mechanism that protects patient privacy.
In addition, the ruling should curtail the ominous voicemails threatening to file complaints with the OCR regarding adherence to the 2016 guidance. While these complaints were often unfounded, they were upsetting nonetheless and required HIM and legal resources to investigate and address. Now providers can get back to taking care of patients instead of dealing with unwarranted complaints made by attorneys and RRCs to OCR.
Another consequence of the HHS guidance was that record request volumes soared due to the limitations on fees. This resulted in workload challenges for HIM staff and longer processing times for provider organizations and the HIM outsourcing companies that support about 80% of the industry. Staff also struggled with the added complexities that arose from the guidance, eg, determining what actually constitutes a patient-directed request.
Back to the Past for Third-Party Requestors
Attorneys and RRCs will also be impacted by the US court ruling, as they are now required to return to paying state rates for medical record copies. This is likely to result in fewer record requests and fewer pages when they do request records. It will also likely mean that state statutory rates will be questioned or attempts will be made to modify these rates in their favor.
This ruling will enable ROI companies to continue servicing the health care industry and medical record requesters and keep up to date with innovations and new technologies to provide records to medical record requesters on par with non–health care industries. It will shift the cost of the ROI process back on those who are requesting records for commercial purposes and off the health care industry.
The court ruling will also help put an end to the practice where attorneys and RRCs padded their bottom lines and misused patient-directed requests in a manner that sacrificed patient privacy safeguards.
Operationalizing the New Ruling: Best Practices for Providers
In response to this ruling, provider organizations should consider creating an action plan within their organization, or in conjunction with their ROI vendor. The plan should identify requestors that had previously taken advantage of the loophole in the guidance and proactively reach out to them to minimize confusion and/or future complaints.
For those providers who do their own ROI, switching back to state rates is much simpler than the switch was to meet the 2016 guidance. If they are working with an ROI service company, their service provider will be able to make the switch quickly and provide support if needed.
As the industry moves forward from this key court ruling, all stakeholders have a role to play to support patient access and privacy. It is important for providers to educate their patients on why they should be diligent about using a HIPAA authorization and how it protects their privacy. Patients should not have blind trust in the entities (eg, attorneys, RRCs, insurance companies) utilizing their protected health information, as their medical records are more valuable to data aggregators and on the black market than pretty much any other piece of information about them.
The Association of Health Information Outsourcing Services also have an important role to play in continuing to shine a light on legislation that may have unintended consequences for patients and providers—while also raising awareness for key rulings like this one by Judge Mehta that help strike the right balance between patient access and patient privacy.
— The Association of Health Information Outsourcing Services authors include Rita Bowen, vice president of privacy, compliance, and HIM policy at MRO; Ryan Hallman, director of operations at Diversified Medical Records Services, Inc; and Steve Socha, senior vice president of central operations at Sharecare Health Data Services, LLC.