Now here’s one for the ages – a vendor taking HHS head-on. The vendor, CIOX Health, has sued HHS in an effort to stop the agency from enforcing HIPAA rules limiting how much providers and business associates can charge patient records. While the vendor may not get anywhere, the lawsuit raises the important question of what patient record retrieval should cost.
According to Becker’s Hospital Review, the suit focuses on changes to the privacy law put into place in 2013 and 2016. The article notes that these modifications broadened the type of information providers and BAs must send while capping the fees vendors could charge for doing so. Specifically, the changes made in 2016 require that vendors that the costs associated with record requests for a reasonable or flat rate of about $6.50.
In its complaint, CIOX says the flat fee “was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.” It contends that the HIPAA provisions in question established the limits “unlawfully, unreasonably, arbitrarily and capriciously.”
It’s hard to tell whether CIOX will get anywhere (though my guess is “not very far”). Government agencies are all but immovable, and HHS particularly so. I appreciate the spunk involved in filing the suit, the premise of which actually sounds reasonable to me, but I think the company has about as much chance of prevailing as a gnat fighting a combine harvester.
That being said, I think this suit focuses on an important issue, which is that the fee limits imposed by states and the federal government for providing medical records are all over the map. While such limits may be necessary to protect consumers, it’s probably fair to say that they aren’t exactly based on actual estimates of provider and vendor costs.
The truth is, the healthcare industry hasn’t come to grips yet with the cost of delivering healthcare information to patients. After all, while basic information delivered by a portal may be good enough for patients, these aren’t real medical records and they can’t be used as a basis for care. And delivering an entire medical record can be expensive.
Plus, this issue is really complicated by the number of records requests that healthcare organizations are receiving from parties other than the patient. The number of records request from insurance companies, lawyers, and other third parties has increased dramatically. Not to mention how much of the record these organizations want to get. If it were just patients requesting their records, this question would be much simpler.
I can only think of a few ways to handle this problem, none of which are really satisfactory. For example, HHS or the states could create some sort of system which permits different fees depending on the difficulty of retrieving the information. Providers and business associates could submit their fees to some kind of review board which would approve or reject the proposal. Or perhaps we could just allow vendors to charge whatever the market would bear. None of these sound great to me.
If we want patients to manage their health effectively, they need to be able to share their records, and they must be able to access those records without paying a fortune for the privilege. At the same time, we can’t ask providers and business associates to share records at their own expense. Given the importance of this problem, I think it’s high time that healthcare leaders look for solutions.