Health Information Compliance Alert

Published on Wed Feb 12, 2020 PDF

Hint: Rule updates don’t always make HIPAA compliance easier.

HIPAA updates are usually implemented to clarify the rules and streamline procedures. But sometimes the feds’ tinkering leads to more problems, and some in the industry take advantage of the legislative shortcomings.

Details: There are many reasons that Ciox Health LLC filed a case against the Department of Health & Human Services (HHS) over the 2013 HIPAA Omnibus Rule and 2016 Guidance that further explained the “Patient Rate.” However, to really understand the medical records provider’s qualms, you’ve got to go back to the beginning.

Consider History of 2013 Omnibus Rule, 2016 Guidance

“Before the 2013 Omnibus update, individuals had access rights to their information in the Designated Record Set,” says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. Back then, people would request data for specific reasons and hoped they wouldn’t be overcharged for the information.

“If other parties wanted copies of records, such as an individual’s lawyer, they would ask under a [HIPAA] Authorization and had to pay whatever rate the market would bear. Copies to other parties, like providers, were shared as necessary for treatment, generally, except where providers did not want to share information for competitive advantage, but should have done so,” points out Sheldon-Dean.

Rule updates: These issues caused HHS to instigate the 2013 Omnibus Rule followed later by the 2016 Guidance on individual access of protected health information (PHI). “HHS also added language to allow individuals to direct the delivery of their records to a third party, and in the form or format requested, if reasonably possible, still following the same rules for calculating fees as for an individual request,” Sheldon-Dean explains.

The changes were meant to ensure easy and affordable access while allowing individuals to utilize third-party delivery at a reasonable rate — but things didn’t go exactly as the HHS Office for Civil Rights (OCR) planned from implementing these updates.

As a result of the 2013 and 2016 regulatory reforms, two things happened, Sheldon-Dean says.

First, third-party records providers charged the nonpatient requesters whatever their business models would let them get away with and on top of that, lawyers abused the individual rates to stockpile records, indicates Sheldon-Dean.

Second, “healthcare providers want[ed] to see more records from more providers about their patients,” causing more friction when there should have been less because of the advent of “electronic systems, as called for under the 21st Century Cures Act and the proposed data blocking rules,” Sheldon-Dean says. “Providers didn’t necessarily get any special dispensation on fees for requests they made, so more requests were made using individual access.”

Resources: Read the 2013 Omnibus Rule at www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html and the 2016 Guidance at www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.