An Open Letter to the People Who Brought Us HIPAA

Over the last five years, the United States has undergone perhaps its most significant changes to its health care system since Medicare and Medicaid were introduced in the 1960s. The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Patient Protection and Affordable Care Act of 2010 have paved the way for tremendous changes to our system’s information backbone and aim to provide more Americans access to health care.

But one often-overlooked segment of our health care system has been letting us down. Patients’ access to their own medical information remains limited. The HIPAA Privacy Rule grants individuals the right to copies of their own medical records, but it comes at a noteworthy cost—health care providers are allowed to charge patients a fee for each record request. As explained on the Department of Health and Human Services’ website, “the Privacy Rule permits the covered entity to impose reasonable, cost-based fees.”

HIPAA is a federal regulation, so the states have each imposed guidelines outlining their own interpretations of “reasonable.” Ideally, the price of a record request would remain relatively constant—after all, the cost of producing these records does not differ significantly from state to state. But in reality, the cost of requesting one’s medical record is not only unreasonably expensive; it is also inconsistent, costing dramatically different amounts based on local regulation. The Law Offices of Thomas Lamb provide a conveniently organized list of each state’s regulation online, offering an easy mechanism for comparing the expected cost of requesting medical records. Most regulations take the form of a maximum dollar amount per page, in addition to labor, search, or postage fees. But a number of the provisions are simply absurd. Wisconsin has four price levels: for the first 25 pages of your record, you pay $1.00 per page; for the next 25 pages, you pay $0.75 per page; for the next 50 pages, you pay $0.50 per page; and for any additional pages, you pay $0.30 per page. The first 10 pages in Ohio cost $2.50 each. And Michigan charges $20 upfront for any request. On the other hand, Vermont actually imposes a price ceiling of $5.00 on all requests. Some states decline to set strict bounds on the price at all: Arizona, Hawaii, Utah, and Wyoming simply use variations of “reasonable without being in excess of the actual costs” as their description.

These price discrepancies are represented in the graph below, which shows aggregate statistics for record requests of different lengths—20, 50, 100, 150, and 200 pages.

[Graph: expected cost of a medical record request by state for 20-, 50-, 100-, 150-, and 200-page records]

As you can see, the average price across states for requesting a relatively modest, 50-page medical record would be $41.26 plus the cost of postage. The actual disparity from state to state is also notable—from an expected $76.10 in Pennsylvania to just $5.00 in Vermont. It is arguable whether these high prices are “reasonable,” but it seems ridiculous to suggest they are in fact “cost-based.” Is it possible that there is this much variation, from state to state, in the cost a doctor’s office incurs in releasing a patient’s record?

But the unfairness of these state regulations goes far beyond their inconsistency. The amount patients are required to pay for the service is proportional to the length of their medical records. Yet the length depends on a patient’s age and health—the younger and healthier you are, the shorter your medical record tends to be—but also on the doctor’s workflow and whether the office uses an electronic medical record system. These variables are almost entirely out of the patient’s control, and the result is a market that saddles some Americans with high barriers of access to information they have a legal right to obtain.

The second stage of Meaningful Use, the Department of Health and Human Services’ three-part subsidy program for incentivizing providers to adopt and utilize electronic medical record systems, focuses almost solely on the sharing of health information, encouraging interoperability and cooperation. It has been repeatedly shown that better information saves money and lives—medical errors currently contribute to over 200,000 (yes, thousand) deaths each year in the United States, and a dearth of information sharing is one cause of this tragedy. Policymakers realize this problem, and Meaningful Use and other programs have been tasked with kick-starting serious health information exchange (HIE) initiatives.

Meaningful Use has been integral in steering the previously paper-heavy health care system towards a digital future. Electronic medical record systems have been a polarizing topic in health care, but they offer yet another dimension to the debate surrounding the HIPAA Privacy Rule. In a system primarily run on paper, the cost to store and release a medical record depended largely on the length of that record—the number of pages one had to handle. In a digital system, the number of pages becomes an irrelevant and useless metric. Records are copied and released with a series of clicks, not page-by-page. If nothing else changes about the way medical records are made accessible to patients, policymakers should at least adapt regulation to more adequately fit the system’s current (and future) self.

But we can do better. Patients can be an important player in facilitating the exchange of health information, but the system inhibits access to their most basic health information. And for patients who stand to benefit most from increased data mobility, the barrier of entry is even higher—a relatively healthy individual might have a 50-page health record, but someone in need of lots of care or with a chronic condition will have a health record spanning hundreds of pages. Given the price dynamics of the record request market, these high-utilizers stand to be charged hundreds of dollars each time they request information from their providers. And that fee is for a single record request. We might say that patients have a right to their health information, but reality seems to offer a different impression.

I challenge policymakers to reconsider this aspect of the HIPAA Privacy Rule. Patient engagement with their medical information has incredible potential, and the first step to making that a reality is increasing the ease of access. Drop the fees—an exclusionary health care landscape doesn’t lead to better care. Better access to information might, though.

Paul Fletcher-Hill is a student at Yale.  He is the CEO and co-founder of PatientBank.

10 replies

  1. I appreciate the article and while I agree with you in theory, I am really getting tired of everyone blaming doctors for what we all hate about healthcare.

    As a practice manager with over 15 years of experience, your assertion that records can be released with just a few clicks is not accurate – at least not with the several electronic health records (EHR) I have worked with.

    In our current EHR, it is an all or nothing approach. You either get to export the entire record, or none of it. Many of our patients request specific visits or documents over a specified time frame. Even subpoena requests ask for specific information, not the entire record. To accommodate these requests, my staff literally has to go through a patient’s electronic chart, visit by visit, document by document, print those pages to PDF, save them in a folder until all of the documents have been converted, then load them all onto a CD or flash drive, then encrypt/password protect the flash drive (separate software). Let’s not even talk about the patients who have listed restrictions on their requests that then require a clinical staff member to literally read every page and redact the restricted information.

    It takes on average 15 to 30 minutes depending on the number of documents needed to be converted and upwards of 2 to 4 hours if patient records must be reviewed and redacted. Given the number of requests for medical records we receive, we have a staff member dedicated to this task. How am I supposed to pay my staff’s wages if we are not allowed to charge for the time and material expense involved in releasing patient records? This is not the same as simply faxing a copy of the last visit note to the patient’s referring physician, which is allowed under HIPAA and we do not typically charge for.

    While I agree in theory with your position, how about we require all electronic health record vendors to include the ability to export patient records with just a few clicks in their EHR products. Or better yet, require the software to send all patient documents to an HIE or online patient portal account (not just a limited clinical data set) automatically without requiring any effort from the physician’s staff. You would also need to give the healthcare community immunity when the patient misinterprets their own health records (since most patients are not MDs and this is an issue as previously pointed out in an earlier post) or when unauthorized access occurs because the patient fails to follow basic online/security protocols, such as don’t share your username and password. What you are proposing sounds great in theory and most physician practices that I have worked with would love to eliminate the burden that processing medical record requests has become, but there is a lot more that needs to happen to achieve what you are proposing.

    We can have a separate debate for the patients who refuse to create an online portal account, share their information with an HIE, and do not want their information stored in any type of electronic format. Now, we are back to the old copy everything on paper.

  2. Dr. Bev,

    HIPAA doesn’t impede that type of sharing of information at all for family members nor for other physicians/entities involved in the patient’s care. I think you are rather more correct about the interpretation and implementation of HIPAA at that specific facility. More often than not, it is that hospital personnel, and sometimes those who give them guidance, don’t really understand HIPAA so they restrict everything even when there is no legal or regulatory basis for doing so.

  3. Thanks for your response. I’m actually a senior at Yale, studying Computer Science and Economics, while also working on PatientBank (http://www.patientbank.us). PatientBank is a personal health record service to help individuals take control of their health information.

    The problem of understanding their own records is a challenging one, and it is definitely something we have thought a lot about. Medical records can be incredibly complex or poorly formatted, and one of the benefits of PatientBank is that it can simplify the information for patients. It also offers the system a location to store patient records that is not tied to a specific hospital or provider.

    I’d be happy to meet with your connection at Yale—please feel free to reach out at paul@patientbank.us.

  4. Mr. Hill,

    Your bio did not specify if you were a med student, undergrad, etc., so my apologies. However, since your proposal to require/provide (presumably at the behest of the government) free access to medical records by patients would seemingly only benefit plaintiff lawyers, I would have to guess you are a pre-law student.

    No patient is capable of organizing, or even comprehending, the hundreds or thousands of pages of medical records associated with even ONE moderate to significant hospitalization, much less for their lifetime. They obviously can’t do it from their “smartphone” or “iPad,” since we doctors don’t even have the time or inclination to sort out all the few scattered bits of important information from the “spam” of the EMR. Med administration and nursing notes run hundreds of pages alone. If you really want to know what’s going on, maybe you will get lucky and someone (WITH AN ACTUAL MD degree) will have dictated a decent discharge summary. Most likely it will be done by the mid-level who simply will ultrasummarize the hospitalization to “patient was sick, seen in ED, admitted to ICU, got better, went home. F/u with PCP.” – Great, thanks!

    The “spamming” of the medical record is not really the fault of HIPAA. HIPAA has lots of faults (see Dr. Bev’s note above), but the widespread adoption of crummy EMRs is the main culprit. I’ll give you an example: I used to have some patients who received some of their care at the local VA hospital. When I would obtain their past records for my charts, they would literally have to be delivered by 18-wheeler. A 50 y/o pt with DM, HTN, stable coronary dz, and of course PTSD would have a chart that would fill 6-8 BOXES of print paper (you know, the boxes that hold 10 reams of 500 sheets of printer paper?).

    The best medical record was the old timey, paper chart maintained by the patient’s actual primary physician. A couple of pages would tell you literally volumes about that patient. Now you can spend hours perusing thousands of pages and find out nothing.

    I was not able to google your company, but if it is a repository for keeping CONCISE and UPDATED items of medical information so that it is readily accessible to the patient’s physicians (especially the ER, where I work now), then I think that’s awesome, and I’ll be glad to help you. My son’s friend is also a 4th year student at Yale and I’ll bet we can get you guys together, if you like!

  5. Terrific work, Paul. And welcome to the peculiar world of the US health (not even remotely a) ‘system’. The good news is that, with regard to finding things in need of remedy, there is plenty of low-hanging fruit. The bad news is so very much of that fruit is over-ripe & does not handle well.

    But you’ve made a great start!

  6. That’s not even the worst of it. HIPAA actually impedes transfer of health information between entities or to family and can cause actual patient harm. Last month my elderly mother was taken to the ER where she was kept overnight, after a visit from me. The next morning I called for her status and was told, since I didn’t have a mysterious “PIN” number (which they had entirely forgotten to mention to me the previous day), I could be told nothing at all about her. But of course when I walked in later claiming to be her daughter, they accepted that with no ID request. The interpretation and implementation of HIPAA by hospital lawyers is utterly insane.

  7. I understand it’s only an example that you are giving, but the CentCom hack was of their Twitter and YouTube accounts. There are no medical records on Twitter or YouTube (let’s hope not) and while it is embarrassing to CentCom that this happened, one has to question why they need Twitter and YouTube accounts to begin with. If there was any classified information in there at all, it’s already a big FAIL from day 0, before the hack even took place.

  8. Dr. Palmer, I hope you and other physicians don’t give up on interoperability. Banks solved this same problem in the 60’s and 70’s. Why do you feel the transition in healthcare has been so much more painful than in banking? Banks and credit card companies get hacked but no one has seriously entertained going back to a paper based system.

    I guess the real question is: does an integrated, interoperable healthcare system improve patient outcomes? I would say yes but I’m not a physician trying to treat patients. It sounds like these systems are making good outcomes more difficult for you.

  9. I don’t know. We may have to give up on some of this digitization. We love computers and they are so useful but the whole digital technology may be too leaky and insecure. It is not going to be much more–like CentCom’s hack–before people refuse to have their sensitive data entered. We may well end up with a two tier system, with the really private stuff in some non-TCP/IP, non-internet, encrypted local area network. We may have to give up on interoperability. I hope bureaucratic inertia doesn’t keep forcing us further into the compleat EHR until we nail down its security aspects.