ONC Proposes New Rule to Advance Care Through Technology and Interoperability

The HHS’ Office of the National Coordinator of Health IT has proposed a new rule that is intended to advance care through technology and interoperability. The new rule – Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI) – implements certain provisions of the 21st Century Cures Act and makes enhancements to the ONC Health IT Certification Program.

The aim of the new rule, which runs to 556 pages, is to advance interoperability, improve transparency, and support the access, exchange, and use of electronic health information which will help to promote innovation and improve data security. The updates cover the movement of health information, introduce new data standards, improve electronic case reporting to support the response to a public health emergency, ensure greater transparency of artificial intelligence algorithms, and changes to improve patient privacy.

Implementing the Electronic Health Record Reporting Program

The new rule implements the 21st Century Cures Act requirement to establish an EHR Reporting Program condition and maintenance of certification under the ONC Health IT Certification Program. ONC proposes the adoption of nine reporting measures for developers of certified health IT, which initially focus on interoperability and emphasize individuals’ access to electronic health information, public health information exchange, clinical care information exchange, and standards adoption and conformance. Other categories specified in the 21st Century Cures Act will be addressed in future years, namely security, usability, and user-centered design, conformance to certification testing, and other categories to measure the performance of EHR technology.

New Data Standards to Encourage and Improve Data Sharing

The rule will establish a new baseline version of the United States Core Data for Interoperability (USCDI v3) to promote the establishment and use of interoperable data sets of electronic health information for interoperable health data exchange, ensuring that data that enters and leaves a system can be understood. The rule proposes USCDI v1 will expire on January 1, 2025.

USCDI v3 will increase the amount and types of data that can be used and exchanged through health IT to capture more comprehensive and complete patient characteristics reflective of patient diversity, which will help to address disparities in health outcomes and help providers identify gaps in care. The new version also supports the concept of health equity by design.

USCDI v3 will also help with the gathering, use, and sharing of data in public health emergencies and emergency response. The new rule also adopts health IT standards for certified Health IT Modules to support electronic case reporting.

Improved Transparency of Artificial Intelligence for Clinical Decision Support

Artificial intelligence algorithms could help to improve care delivery, cut costs, and improve patient outcomes, especially in areas such as clinical decision support. AI algorithms are trained on very large datasets to recognize patterns and then make recommendations. For example, they can be trained using medical images to look for signs of cancer and to identify potential adverse medication interactions. The new rule will provide greater transparency about AI algorithms that interface with certified health IT used for patient care and make that information available to providers through EHRs.

The new rule aims to improve the transparency and trustworthiness of clinical decision support tools. Under the new rule there will be a different certification class for clinical decision support algorithms and certified EHRs that enable or interface with the software will allow users to review information about additional source attributes. Developers of health IT modules would also be required to undergo risk management practices for all decision support interventions they interface with, just as healthcare providers are required to conduct regular risk analyses under the HIPAA Security Rule.

Application Programming Interface Improvements

The proposed rule updates the application programming Interface (API) Conditions of Maintenance and Certification to further ONC’s efforts to standardize APIs and help providers and patients to securely access their electronic health information through the broader adoption of standardized APIs. The rule will also foster competition by advancing foundational standards for certified API technology to improve legally permissible EHI sharing among clinicians and help individuals connect with their healthcare information through a new ecosystem of health applications.

Improvements to Respect Patient Privacy

Patients may request restrictions on certain uses and disclosures of PHI under HIPAA, such as reproductive health information and substance use information. The new rule adds new ways that developers of health IT can honor patient requests to restrict uses and disclosures, such as introducing new implementation alternatives for flagged data in health IT applications to prevent it from being added to a patient’s summary of care record, which may be viewable through patient portals or shared via an application programming interface.

New Information Blocking Provisions

The proposed rule makes several information blocking enhancements to advance interoperability, improve transparency, and support the access, exchange, and use of electronic health information. These enhancements include a definition of what it means to offer health information technology or offer health IT for purposes of the information blocking regulations, which narrows the applicability of the health IT developer of certified health IT definition. The health IT developer of certified health IT definition has been updated to make it clear that healthcare providers who self-develop certified health IT would continue to be excluded from this definition.

Organizations that participate in the voluntary Trusted Exchange Framework and Common Agreement will be provided with new information blocking flexibilities. The new condition means that if a TEFCA participant offers to fulfill a data sharing request from another TEFCA participant through the framework, they would not be required to offer the data in any other way.

The Infeasibility Exception has been revised to include two new conditions and one revision to clarify when an actor’s practice of not fulfilling a request for access, exchange, or use of EHI meets the uncontrollable events condition, and the two new conditions cover the denial of a third party’s request to enable the use of EHI in order to modify EHI, and when an actor has exhausted the manner exception.

Request for Public Comment

The proposed rule will be available for public inspection on April 18, 2023, and ONC is requesting public comment by June 20, 2023.

“In addition to fulfilling important statutory obligations of the 21st Century Cures Act, implementing these provisions is critical to advancing interoperability, promoting health equity, and supporting expansion of appropriate access, exchange, and use of electronic health information,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “We look forward to reviewing public comments on ONC’s proposed rule.”

The post ONC Proposes New Rule to Advance Care Through Technology and Interoperability appeared first on HIPAA Journal.

OCR to Produce Video Presentation on HITECH Act Recognized Security Practices

The HHS’ Office for Civil Rights (OCR) is producing a video presentation to help HIPAA-regulated entities implement “Recognized Security Practices.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act was recently amended (Public Law 116-321) to require OCR to consider recognized security practices that have been in place for at least 12 months prior to certain Security Rule enforcement and audit activities. OCR previously issued a Request for Information regarding the HITECH Act recognized security practices, the comment period for which ended last week.

There has been confusion about what constitutes recognized security practices and how it is possible to demonstrate to OCR that recognized security practices have been adopted and have been continuous for the 12 months prior to a data breach or OCR investigation.

In the video presentation, Nicholas Heesters, Senior Advisor for Cybersecurity at OCR will explain the 2021 HITECH Act amendment regarding recognized security practices, provide guidance on demonstrating security practices have been in place, how evidence of those security practices will be requested by OCR, and how to find out more information on the best security practices to implement.

Ahead of the publication of the video, OCR has requested questions from HIPAA-regulated entities to ensure they are addressed in the presentation. The deadline for submitting questions is June 17, 2022. Questions should be sent to: OCRPresents@hhs.gov

OCR will be releasing the presentation this summer and will make an announcement about how the presentation can be viewed at a later date.

The post OCR to Produce Video Presentation on HITECH Act Recognized Security Practices appeared first on HIPAA Journal.

HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation

The U.S Department of Health and Human Services’ has increased the civil monetary penalties for HIPAA violations to take inflation into account, in accordance with the Inflation Adjustment Act.

The final rule was issued and took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2019. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier Level of Culpability Minimum Penalty per Violation

(2018 » 2019)

Maximum Penalty per Violation

(2018 » 2019)

New Maximum Annual Penalty

(2018 » 2019)*

1 No Knowledge $114.29 » $117 $57,051 » $58,490 $1,711,533 » $1,754,698
2 Reasonable Cause $1,141 » $1,170 $57,051 » $58,490 $1,711,533 » $1,754,698
3 Willful Neglect – Corrective Action Taken $11,410 » $11,698 $57,051 » $58,490 $1,711,533 » $1,754,698
4 Willful Neglect – No Corrective Action Taken $57,051 » $58,490 $1,711,533 » $1,754,698 $1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2019 have increased to $159 per violation, with an annual cap of $39,936 per violation category.

Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $10,252.20 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.

Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).

The post HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation appeared first on HIPAA Journal.

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are required to protect against cyberattacks.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliancy experts will walk you through the inns and outs of the regulations and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.


Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration

The post Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance appeared first on HIPAA Journal.

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation that demonstrated risk analyses had been performed and had personally conducted some basic tests on network security and made an alarming discovery: The health system shared a firewall with Coffey County municipalities. That security failure allowed anyone to login to its system and see patient records from locations protected by the same firewall, including schools and libraries, by using its IP address and logging in. Any attempt to do so required no username or password – A major security failure and violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

The post Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts appeared first on HIPAA Journal.

HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability


The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITCH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECT ACT’s Penalties for HIPAA Violations

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Old Maximum Annual Penalty New Maximum Annual Penalty
1 No Knowledge $100 $50,000 $1,500,000 $25,000
2 Reasonable Cause $1,000 $50,000 $1,500,000 $100,000
3 Willful Neglect – Corrective Action Taken $10,000 $50,000 $1,500,000 $250,000
4 Willful Neglect – No Corrective Action Taken $50,000 $50,000 $1,500,000 $1,500,000


The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.

The post HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability appeared first on HIPAA Journal.

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.


Penalty Structure for HIPAA Violations

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

The post OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center appeared first on HIPAA Journal.

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also confirmed that most data transmission service providers are also classed as business associates.

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule is detailed in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule allows HIPAA-covered entities to use certain vendors without having to enter into a business associate agreement. The HIPAA Conduit Exception Rule is narrow and excludes an extremely limited group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of data. They simply act as conduits through which PHI flows.

HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and certain other private couriers such as Fed-Ex, UPS, and DHL as well as their electronic equivalents. Companies that simply provide data transmission services, such as internet Service Providers (ISPs), are considered conduits.

The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is stored by a conduit, the storage must be transient in nature, and not persistent.

It does not matter if the service provider says they do not access transmitted information. To be considered a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and should not have a key to unlock encrypted data.

Vendors that are often misclassified as conduits are email service providers, fax service providers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits and all must enter into a business associate agreement with a covered entity prior to the service being used in conjunction with any PHI.

Some service providers claim that they are conduits when they are not, in order to avoid having to sign a business associate agreement. Certain fax service providers have claimed they are conduits, and while they appear at face value to be an electronic equivalent to an organization such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply send documents from the sender to the recipient. Faxes are stored, and the storage is not considered transient.

Penalties for Misclassifying a Business Associate as a Conduit

Any vendor that has routine access to PHI is considered a business associate (We have covered the definition of a HIPAA business associate on this page). All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.

Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.

The Department of Health and Human Services’ Office for Civil Rights has financially penalized many covered entities that have been discovered to have disclosed PHI to a vendor without obtaining a BAA.

In 2017, the Center for Children’s Digestive Health settled with OCR for $31,000 to resolve business associate agreement failures. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota paid $1,550,000 and Oregon Health & Science University settled for $2,700,000.

The post The HIPAA Conduit Exception Rule and Transmission of PHI appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.