
Lawsuit: Hospitals Lied About Providing Quick Records Access

Complaint Alleges Dozens of Hospitals Falsely Attested to Meeting HITECH Act Requirements

Two Indiana attorneys, frustrated by delays in obtaining patient records on behalf of clients, have filed a lawsuit against 60 hospitals in the state seeking more than $1 billion in damages. The suit alleges the hospitals that received HITECH Act electronic health record incentive payments failed to live up to the program's initial requirements for providing prompt access to records.


The lawsuit alleges the hospitals are guilty of submitting fraudulent attestations that they met the HITECH Act electronic health record incentive program's original requirement that they could provide patients or their agents electronic copies of their data within three business days upon request at least 50 percent of the time.

The complaint, filed in 2016 in a U.S. district court in Indiana, was recently unsealed.

In addition to meeting the three-day turnaround deadline for patient requests of health records, the HITECH Act mandated "that charges by hospitals for the provision of this electronic health record 'shall not be greater than the entity's labor costs' in responding to a patient's request," the lawsuit states.

'Repeated Frustrations'

The complaint notes that the two attorneys filing the lawsuit - Michael Misch and Bradley Colborn of the South Bend, Indiana-based law firm Anderson, Agostino & Keller, P.C. - regularly handle personal injury and medical malpractice cases. "As a natural requirement of this work, the firm, its attorneys and its clients make routine requests for medical records from medical providers."

The attorneys allege that "as a result of repeated frustrations and delays in obtaining fast, inexpensive access to electronic medical records," Misch and Colborn began to research and investigate how to improve their own attempts to assist clients in getting electronic medical records.

"The original goal of this investigation was merely to streamline and minimize the time, difficulty and costs utilized in obtaining patient records, as these costs were ultimately passed on to patients," court documents note.

During their investigation, the lawsuit says, the attorneys found that numerous hospitals that had received HITECH Act funding did not meet the records access requirements.

Also named as a defendant in the lawsuit is CIOX Health, formerly Healthport Technologies of Alpharetta, Georgia, which allegedly handles processes such as billing for the medical records of patients and release of information for several of the hospitals named in the complaint.

CIOX Health did not immediately respond to an Information Security Media Group request for comment.

The defendant hospitals were paid $324.4 million in HITECH Act grant funding, the complaint alleges. In turn, part of their obligation was to provide patients "with fast, cheap, easy access to their electronic health records, and these hospitals have failed to keep that promise," the complaint alleges.

In addition to allegations of fraudulently obtaining HITECH Act funding, the lawsuit alleges violations of the False Claims Act and Anti-Kickback Statute as well as violations of various Indiana statutes.

Neither Misch nor Colborn immediately responded to an ISMG request for comment on the lawsuit.

A statement provided by their law firm says the lawsuit "alleges that hospitals have falsely reported compliance with certain federally funded programs to gain access to millions in public funding, and it seeks to hold the hospitals responsible for the promises they made to the American taxpayer."

Additionally, the statement says: "The complaint also alleges that there are companies and subcontractors who may have profited from or otherwise gave information to the hospitals which resulted in the reporting of false program compliance. However, we wish to be clear that this case does not involve allegations of individual wrongdoing by hospital administrators, or that local hospital administrators are personally benefiting from any noncompliance."

High Expectations

Attorney Carolyn Metnick of the law firm Akerman LLP, who is not involved in the case, notes that HITECH Act requirements for hospitals in Stage 1 of the incentive program, which lasted three years, were measured by more than 50 percent of all patients receiving a copy of their information within three business days. Later, HHS replaced this objective with one requiring that patients could view, download and transmit health information online within 36 hours of hospital discharge, she notes.

"This is how patient portals are used to great effect for accomplishing this," says Joe Gillespie, senior privacy and security consultant at consultancy tw-Security.

David Holtzman, vice president of compliance at security consultancy CynergisTek, says the meaningful use requirements of the HITECH Act are tighter in terms of the timeline for fulfilling patient requests for obtaining their health information than HIPAA's provisions for patient access.

"The HIPAA Privacy Rule, with limited exceptions, requires covered entities and their business associates to provide an individual an electronic or paper copy of their protected health information within 30 calendar days from receipt of the request," Holtzman notes. "Some states and territories - for example California and Puerto Rico - have established shorter time periods to provide patients their records."

Holtzman also notes other important differences between the HIPAA provisions and the HITECH Act meaningful use requirements for allowing patients' access to their health information. For example, in Stage 2 requirements of HITECH, "the clinical summaries or emergency room encounter report is very limited in scope to the information about the patient and the care provided in that encounter. [But] the right of access under the HIPAA privacy rule is very broad in scope...it includes all PHI within the designated record set."

And many healthcare providers appear to have difficulty meeting HIPAA's requirements, let alone the shorter deadlines set by the HITECH Act for providing patients with their health records in a timely manner, whether it be through electronic copies or other access.

"Healthcare providers make several common mistakes when dealing with access requests," Metnick says. That includes charging unreasonable fees for production and copying and creating inflexible procedural barriers, she notes.

"A healthcare entity may deny a patient's request for records because the patient has not paid for healthcare services rendered. This is not allowed under the law," Gillespie says.

In addition, "the healthcare entity may charge unreasonably high fees for fulfilling requests. HIPAA allows only 'reasonable, cost-based fees' and provides some clarity on how those are to be determined. Many states have now enacted fee schedules that lock down what the entities may charge," Gillespie notes.

"Healthcare organizations face challenges when they create bureaucratic barriers to obtaining access to their PHI," Holtzman says. Those barriers include "requiring the use of a facility-created form that can only be obtained or submitted in person" by the patients requesting their records, he says.

Other barriers and problems arise from "not providing patients the choice of obtaining their PHI as an electronic copy when it is maintained in an electronic format by the healthcare organization, and not adequately monitoring the processes and performance of third-party vendors contracted to fulfill patient requests for copies of their PHI," he notes.

Metnick adds: "Providing individuals with easy access to their health information is an important right. It has also been a focus point of the recent OCR phase 2 [HIPAA compliance] desk audits of covered entities."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



