Medical records company sues HHS over patient access fee schedule

January 12, 2018
Medicare Web

Georgia-based health IT and medical records company Ciox Health, LLC., filed a lawsuit against HHS over limits on the fees patients can be charged for copies of their own medical records. The company filed the suit on January 8 in U.S. District Court in the District of Columbia.

The lawsuit stems from guidance related to fees for copies of medical records. In 2016, HHS’ Office for Civil Rights (OCR) issued guidance to HIPAA covered entities (CE) and business associates (BA) regarding the fees they are permitted to charge patients for copies of their own protected health information (PHI). The fee may only include the cost of:

  • Labor required to create the copies
  • Supplies used to create the copies, such as paper or portable media (e.g., a USB drive)
  • Postage if the individuals asks for the copies to be mailed
  • Preparation of a summary or explanation of the PHI, if requested

The cost may be determined based on the actual cost for each request, or an organization may calculate the average cost and develop a fee schedule based on its average cost. CEs and BAs may also opt to charge a flat fee of $6.50 for electronic copies of electronic PHI. The OCR guidance points out that an organization’s actual or average costs could be higher or lower than $6.50, and that this is acceptable provided the organization followed OCR’s definitions of labor and supplies.

Ciox’s complaint alleges that the three acceptable fees defined by OCR are arbitrary and impose significant financial and administrative burdens on CEs and BAs.

The OCR guidance on these fees has previously generated confusion and controversy. Experts pointed out that although the guidance did not represent an actual change in OCR’s policies, some CEs and BAs had developed practices that were out of step with patient access requirements described in the HIPAA Privacy Rule. In addition, some CEs and BAs may have inadvertently created confusion regarding the difference between patient access requests and authorizations to release information to third parties. Some organizations used a single form for these two different types of releases, muddying the waters for patients, staff, and third parties. The American Health Information Management Association (AHIMA) attempted to address this problem by issuing a model patient access form in July 2017, a one-page form designed solely for patients requesting access to their own PHI.

However, Ciox has been hit with several lawsuits alleging it overcharged patients for access to their own records and violated the False Claims Act by submitting fraudulent Meaningful Use attestation data.

In August, Ciox reached a settlement to resolve a class action lawsuit that alleged the company charged some patients an excessive fee for copies of their PHI. Among those eligible to receive a portion of the settlement are certain patients of Florida-based physicians who requested copies of their PHI via a legal representative. Patients may request copies of their own PHI via a legal representative and these requests must be treated the same as a request made directly by the patient.

In November, a lawsuit brought against Ciox and 62 Indiana hospitals that used Ciox’s services by two Indiana malpractice attorneys was unsealed, the South Bend Tribune reported. The complaint alleged that the attorneys experienced repeated and unreasonable delays in obtaining PHI requested on behalf of their clients. Furthermore, the complaint alleges that Ciox and the hospitals inaccurately reported the results of these requests to obtain Meaningful Use payments to which they may not have been entitled. For example, in 2013, Memorial Hospital of South Bend reported that it received 16 requests for electronic PHI and fulfilled all 16 within three business days. However, the complainants alleged that they filed five requests for electronic PHI in 2013, none of which were fulfilled in three days and only one of which was fulfilled electronically.

The Indiana attorney general filed to dismiss the suit on January 4, saying that any money that might be recouped would not cover the court costs, the South Bend Tribune said.

Related Topics: 
Compliance, HIM/HIPAA