Office for Civil Rights

The Report to Congressional Committees of the U.S. Government Accountability Office (“GAO Report”), required under the 21st Century Cures Act, came out about a month earlier than required, but this early bird failed to catch what continues to be a wriggling worm – what can a covered entity charge for copies of medical records?

As discussed in our February 2017 blog post, the Office for Civil Rights issued guidance (“OCR Guidance”) over 2 years ago attempting to clarify that HIPAA charge limits (to a “reasonable, cost-based fee”) apply when an individual (or a third party) requests access to the individual’s medical records. The HIPAA charge limits applicable to access requests apply even if state law permits higher charges for the copies. The OCR Guidance includes a table illustrating the differences between a HIPAA authorization and an access request and notes that the “primary difference” between the two is that one (the authorization) is a “permitted disclosure” and one (the access request) is a “required disclosure”.

In another of our posts on this topic (back in May of 2016), we highlighted the difficulty faced by a covered entity in knowing what amounts may be charged for medical records copies, particularly when a third party requests the copy. We noted HHS’s suggestion that the covered entity ask the individual “whether the request was a direction of the individual or a request from the third party.” The former would be an access request subject to charge limits and other HIPAA requirements, whereas the latter would be “merely a HIPAA authorization”. A wriggling worm, indeed.

The GAO Report attempts to pin down the worm. It describes three types of medical record requests:

* a patient request, whereby the patient or former patient requests access to or a copy of medical records

* a patient-directed request, whereby the patient or former patient requests that a copy of the patient’s medical records be sent directly to another person or entity (“For example, a patient might request that her medical records be forwarded to another provider because the patient is moving or wants a second opinion.”)

* a third-party request, whereby a third party, such as an attorney, obtains permission from the patient (via a HIPAA authorization) to access the patient’s medical records

An explanatory footnote suggests that the first two types of requests are access requests under HIPAA (meaning that charge limits and other HIPAA requirements apply), while the third type of request is an authorization under HIPAA (meaning that the provider is not required to disclose the records and the access request charge limits do not apply). Later, the GAO Report states: “In contrast with patient and patient-directed requests, the fees for third-party requests are not limited by HIPAA’s reasonable, cost-based standard for access requests and are instead governed by state laws.”

Unfortunately, this is where the worm has a chance to get away. First, the example used to describe a patient-directed request implies that a patient access request is required for the provider to forward the medical records to another treating provider. In fact, HIPAA permits disclosure of medical records for treatment purposes without the need for a HIPAA authorization or access request (see OCR Guidance language following table), and, thus, charging even a “reasonable, cost-based” fee for such disclosures may be frowned upon by OCR. Second, these three examples overlook the possibility that a patient-directed request may come from a third party. An access request must be in writing, be signed by the individual, and clearly identify where the medical record copies should be sent, but HIPAA does not prohibit the individual from directing that a third party (such as the individual’s attorney) transmit the individual’s access request to the provider.

Moreover, a recent court decision further muddies this issue. In a February 2018 U.S. district court decision from Alabama, Bocage v. Acton Corp., the court rejected plaintiffs’ claim that they were overcharged search and retrieval fees in violation of HIPAA. The plaintiffs’ attorneys had requested medical records by way of HIPAA authorizations, so the court determined that the fee limitations associated with individual access requests did not apply. Unfortunately, while the decision quotes the OCR Guidance (“The [access request] fee limits apply … regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual)… ”), the decision incorrectly suggests that the individual’s attorney cannot be the third party making an access request on behalf of and at the direction of the individual.

The short-term fix for patients hoping to avoid high fees when requesting medical records? Make sure the request is not identified as a HIPAA authorization and, if you are requesting the records in connection with litigation, consider sending it yourself rather than directing your attorney to send it.

Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared.  Proposed rules published by CMS in the December 8, 2014 Federal Register (the “Proposed Rules”) tweak the data sharing “opt-out” process slightly, but significantly.

Under the current MSSP regulations, a Medicare beneficiary that is a “preliminarily prospective assigned beneficiary” (meaning the beneficiary’s primary care provider participates in the ACO, but the beneficiary has not yet sought primary care services during the ACO performance year) may get a letter from his or her provider’s ACO informing the beneficiary that the ACO “may request [from Medicare] personal health information* about the beneficiary for purposes of its care coordination and quality improvement work… .”  The beneficiary has 30 days from the date the letter is sent “to decline having his/her claims information shared with the ACO.”

* Interestingly, the regulation references “personal health information”, rather than “protected health information”, the term used by the Office for Civil Rights (which, like CMS, resides in the Department of Health and Human Services) in the HIPAA regulations, but the widely-used PHI acronym works for both, so what the heck?  But I digress… .

The current regulation only allows the ACO to request “identifiable claims data” (aka “personal health information” /“claims information”) from this “preliminarily prospective assigned beneficiary” if the beneficiary does not decline the data sharing within 30 days after the ACO letter is sent.

Under the Proposed Rules, Medicare fee-for-service beneficiaries will be “notified about the opportunity to decline claims data sharing through materials such as the CMS Medicare & You Handbook and through the notifications” received at the point of care.  These notifications are deemed “received” by the Medicare beneficiary when posted as signs at the ACO provider’s facility or office (and, in settings in which primary care is provided, when given to the beneficiary in writing upon request).  The beneficiary can still opt-out, but the notice itself will make it clear that data sharing may have already occurred:  “The notifications … must state that the ACO may have requested beneficiary identifiable claims data about the beneficiary for purposes of its care coordination and quality improvement work… .”

Data sharing is a key aspect of any successful ACO and can certainly be achieved in a HIPAA-compliant manner.  Notably, as CMS explains in the preamble to the Proposed Rules, care coordination and quality improvement activities, when performed by an ACO that is a covered entity, or by an ACO that is a business associate on behalf of a covered entity, qualify as “health care operations” functions or activities under HIPAA.  The elimination of the ACO letters and 30-day opt-out period for “preliminarily prospective assigned beneficiaries” is likely to reduce beneficiary confusion and ACO administrative expense.

As noted in the preamble to the Proposed Rules, only 2% of beneficiaries have historically opted out of ACO claims data sharing, anyway.  Perhaps only 2% of Medicare beneficiaries care about claims data sharing.  If the Proposed Rules are adopted, hopefully the “preliminarily prospective assigned beneficiaries” in the (however small) pool of future opt-outs will find the “Medicare & You” website and the ACO information (currently located on page 138) buried deep within it.

On the twelfth day of breaches
my hacker sent to me:

Twelve Data Downloads

Eleven Plundered Patches

Ten Missed BA Contracts

Nine Malware Installs

Eight Mis-sent Faxes

Seven Stolen Laptops

Six Snooping Staffers

Five Old NPPs

Four Lost Thumbdrives

Three Re-sent Texts

Two Pop-up Links …

And a Bill for Compliance Auditing.

For a glimpse at what the U.S. Department of Health and Human Services, Office for Civil Rights (HHS) expects a HIPAA covered entity to do to remedy faulty Security Rule Policies and Procedures, see the “Corrective Action Obligations” listed in the Resolution Agreement between HHS and Anchorage Community Mental Health Services, Inc.

Happy Holidays to All!

Contributed by David Restaino, Esq.

Last month a posting was made on this blog series regarding action being taken by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) relating to the fact that government audits for HIPAA compliance with privacy and security standards are finally beginning.  In this regard, OCR recently released a “sample” letter (the “Sample Letter”) that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for audit in 2012.  As OCR noted in the Sample Letter, recipients of actual letters will find that the audit process will begin within 30 to 90 calendar days from the date of the letter.

OCR has hired KPMG LLP (“KPMG”), one of the “Big Four” certified public accounting firms, to conduct the audits in accordance with government auditing standards.  OCR’s release of the Sample Letter likely represents its way of communicating to all regulated facilities that KPMG’s actions will have the same force and effect as actions by OCR itself.  As a result, when KPMG requests detailed information at the beginning of and during the audit process, the covered entity under audit should assume that the KPMG request carries with it the full weight of the United States government.

Release of the Sample Letter can also be viewed as OCR’s effort to prepare the regulated community for the seriousness of the upcoming audits.  Perhaps more importantly, recipients of actual letters should use the 30 to 90 calendar day period to get prepared — although facilities would be well advised to take appropriate steps to ensure compliance now rather than risk the adverse results that can occur from last-minute efforts to organize for an audit.  Those facilities that are unprepared will have a difficult time getting ready if KPMG comes knocking.

(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)

Contributed by David Restaino, Esq.

Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year. This initiative may be a direct response to critics who said OCR was not doing sufficient monitoring of compliance with HIPAA/HITECH.

Preliminary Audit Procedures. Specifically, OCR awarded a contract worth over $9 million to KPMG, LLP for administration of the audits, which will begin shortly. The audits are required by the American Recovery and Reinvestment Act of 2009 (ARRA), which states at Section 13411, “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements … comply with such requirements.”  Details are sketchy regarding the process to identify the entities that will be audited. However, this much is known:

● The first step will be creation of audit protocols, followed by an undertaking of the actual audits.

● OCR will base its decision to audit upon risk.

● Audits will not be based upon complaints or actual reported privacy or security breaches.

● KPMG will assist OCR in establishing the program to audit covered entities and business associates, and their compliance with the privacy and security rules.

● HHS staff will guide KPMG’s conduct during the audits.

● The audits will include site visits, interviews with leadership, documentation, an examination of operations, and an assessment of the consistency with which process is married to policy.

● Each audit will be followed by a report that will, among other things, address compliance efforts and corrective actions taken.

Who Will Be Audited?  HHS reports that every covered entity and business associate is eligible to be audited. The initial round of recipients is expected to provide a broad assessment of a complex and diverse health care industry. Thus, the audit process is designed to have OCR audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered. OCR has also made it explicitly clear that covered entities must fully cooperate with the auditors – as obligated under the HIPAA “enforcement rule.” Finally, HHS reports that business associates will be included in future audits.

What can covered entities do now to be ready? For starters, they can make sure that all policies and procedures are in place now. For example, the HHS website states that covered entities will have only ten (10) days to produce documents; this is not much time if policies and procedures are not already in good order.

Based on the above, the best way to get prepared is to make sure that compliance protocols are in place, and being followed, today. Stated differently, all covered entities and business associates should assess their compliance efforts, ensure that timely corrective actions are taken when necessary, and remain on their guard.  Documentation of the proactive assessment and corrective measures should also assist in demonstrating that the compliance efforts are effective.