Hitech Means Low Costs
Total Page:16
File Type:pdf, Size:1020Kb
HITECH MEANS LOW COSTS
It seems, now more than ever, costs associated with files are on the rise – especially if you practice personal injury or another area of law where you need to obtain medical records and billing information for your clients or potential clients.
However, the Health Information Technology for Economic and Clinical Health
Act (“HITECH Act”) is a game changer and will substantially reduce costs for obtaining medical records and bills.
The HITECH Act encompasses a lot of different areas dealing with healthcare providers and health information technology. The intent of this article is not to discuss the whole Act, but instead highlight the important areas of the Act that will allow attorneys to access a client’s medical records and bills at a substantially lower rate, or even for free, as opposed to the rates in place in the Wisconsin Statutes.
Background
The HITECH Act was signed into law on February 17, 2009. The purpose of the
Act was to promote the adoption and meaningful use of health information technology in healthcare.1 The Act was part of the American Recovery and Reinvestment Act of 2009.
The Act included incentives for healthcare providers to accelerate the adoption of electronic health record (EHR) systems among providers. The Act anticipated that the incentives for healthcare providers would lead to a massive expansion in the exchange of electronic protected health information (ePHI), so the Act contains provisions that widen the scope of privacy and security protections available under HIPAA.
1 See generally HITECH ACT, 42 USC § 300jj-11. Importantly, the Act gave the government more bite in its ability to prosecute healthcare providers (“covered entities” and “business associates”) who violate the Act.
A “covered entity” includes health care providers, health plans, health clearinghouses and business associates.2 “Business associates” includes anyone who creates, receives, maintains or transmits protected health information (PHI) governed by HIPAA, or provides claims processing, data administration, or billing, or any subcontractor who conducts these functions for a business associate, which could include record copying service providers, software vendors and third party billing companies.3
The Office of Civil Rights (“OCR”) of the Department of Health and Human
Services (“DHHS”) can investigate complaints and levy fines for violations of the Act.4
If a healthcare provider is found to have “willfully neglected” a provision or provisions of the Act, the OCR will impose mandatory fines of up to $250,000 and up to $1.5 million for repeat or uncorrected violations.5 Obviously, if you are having trouble getting medical records and bills under the Act, the threat of, or a complaint to, the OCR can be a powerful tool.
There have been many times I have been told the records I am requesting are unavailable or are going to cost me thousands of dollars to obtain because of retrieval fees, copying costs of voluminous records and certification. After a letter explaining the
Act and consequences if the provider does not comply with the Act, the medical records magically appear a few days later – free of charge.
2 45 CFR § 160.103 3 45 CFR § 160.103 4 See generally 42 USC 1320d-5 5 See generally 42 USC 1320d-5 Health Record Access
Under the HITECH Act, an individual has a right to obtain their personal health information.6 Under the Act, a personal representative, if a patient is deceased or the representative under applicable law is the person who has the authority to act for the individual, is to be treated “as the individual” for purposes of making a records request for protected health information.7
Protected health information (PHI) means all information (e.g., records, bills, graphs) that is: (1) transmitted in electronic media; (2) maintained in electronic media; or
(3) transmitted or maintained in any other form or medium.8 That is an incredibly broad and incredibly powerful definition at your disposal.
The Act includes language that the individual making the request for PHI can designate a third-party to receive the information9 – i.e., an attorney. The Act only applies to first-party requests. A third-party request would still incur the fees under
Wisconsin Statute. It is common in my practice, whether it be for a potential client or our client, to have the individual sign a request letter with the only reference to a law firm being the designated third-party who should receive the information, and send that letter to the healthcare provider.
Significantly, aside for some exceptions,10 a covered entity must act on the request no later than 30 days from the receipt of the request11 by: (1) providing the requested
6 45 CFR § 164.524(a)(1) 7 45 CFR § 164.502(g)(1), (2); 45 CFR § 164.502(g)(4) 8 45 CFR § 160.103 9 42 USC § 17935(e)(1) 10 See 45 CFR 164.524(a)(2)(i-v) 11 45 CFR § 164.524(b)(2)(i) information,12 or (2) providing the individual with written denial of the information.13
(As a side note, by using the HITECH Act, I have had complete copies of records arrive within days of the request, as opposed to the old, make the request, wait for the pre-pay, pay the pre-pay, wait 45-90 days or more to receive the records only to find out the provider still did not send everything requested.)
If the covered entity is unable to either provide the requested information or provide a written denial no later than 30 days from receipt of the request, then the covered entity can extend the time by no more than 30 days,14 provided that: (1) within in the time limit in (b)(2)(i), provides individual with written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and (2) the covered entity may have only one such extension of time.15
The personal health information requested by an individual must be provided in the form requested by the individual, including in a readable electronic form if the covered entity uses electronic health records.16 This could be a .PDF, or as commented by DHHS, via unencrypted email if the individual is warned of the security risk associated with unencrypted email.17
This applies to all protected health information that is “maintained in one or more designated records sets electronically.”18 Further, DHHS has stated that any “images or
12 45 CFR § 164.524(b)(2)(i)(A) 13 45 CFR § 164.524(b)(2)(i)(B) 14 45 CFR § 164.524(b)(2)(ii) 15 45 CFR § 164.524(b)(2)(ii)(A), (B) 16 45 CFR § 164.524(c)(2)(i), (ii); 42 USC § 17935(e)(1), (2) 17 78 Fed. Reg. 5636, at p. 5634 (Jan. 25, 2013). 18 45 CFR § 164.52(c)(2)(ii) other data that is linked to the designated record set must also be included in the electronic copy provided to the individual.”19
Fees
Perhaps most importantly for an attorney, and possibly the client in the end, are the fees associated with requesting medical records and bills. The fees should be reasonable and cost-based.20 It is possible that what is “reasonable” and “cost-based” could be determined on a case-by-case basis if there is a dispute.21 Importantly though, the Act preempts state law.22
Under the Act, any fee that the covered entity may impose for providing an individual with a copy of electronic personal information shall not be greater than the entity’s labor costs in responding to the request for the copy.23
An entity’s labor costs for providing electronic records can only include: (1) labor for copying, whether in paper or electronic form, (2) supplies for creating the paper copy or electronic media, (3) postage if the individual has requested the information be mailed, and (4) if an individual has requested or agreed to a explanation or summary, the costs associated with preparing an explanation or summary of the PHI.24
Oddly, 42 U.S.C. § 17935(e)(2) dealing with fees under the Act only mentions requests for “an electronic form,” while 45 CFR § 164.524(c)(4)(i-iv), as mentioned above, discusses both paper and electronic records to be provided to an individual. It is
19 78 Fed. Reg. 5636, at p. 5633 (Jan. 25, 2013). 20 45 CFR § 164.524(c)(4) 21 See 78 Fed. Reg. 5636 (Jan. 25, 2013) 22 45 CFR § 160.203; 45 CFR § 160.202 23 42 USC § 17935(e)(2) 24 45 CFR § 164.524(c)(4)(i-iv) this author’s belief that it is immaterial whether paper copies or electronic copies are requested under the Act, as the individual is able to choose the method of production of
PHI under the Act,25 and the regulations state it can be in paper or electronic form.26
Conclusion
The HITECH Act is a powerful tool to use when requesting an individual’s medical records and bills. It directs covered entities to provide the requested information within in a short amount of time and at a reasonable, cost-based fee, or deal with mandatory fees from the OCR for non-compliance. This will allow attorney’s to obtain much needed information in a shorter time period and at a much lower cost than the state rate. Expect push back from covered entities and their business associates who want more money or are ignorant on the law. But, in my experience, a simple letter laying it all out to the entity will deliver the intended result.
25 45 CFR § 164.524(a)(1) 26 45 CFR § 164.524(c)(4)(i-iv)