Tech

An Open Letter to the People Who Brought Us HIPAA

flying cadeuciiOver the last five years, the United States has undergone more significant changes to its health care system perhaps since Medicare and Medicaid were introduced in the 1960s. The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Patient Protection and Affordable Care Act of 2010 have paved the way for tremendous changes to our system’s information backbone and aim to provide more Americans access to health care.

But one often-overlooked segment of our health care system has been letting us down. Patients’ access to their own medical information remains limited. The HIPAA Privacy Rule grants individuals the right to copies of their own medical records, but it comes at a noteworthy cost—health care providers are allowed to charge patients a fee for each record request. As explained on the Department of Health and Human Services’ website, “the Privacy Rule permits the covered entity to impose reasonable, cost-based fees.”

HIPAA is a federal regulation, so the states have each imposed guidelines outlining their own interpretations of “reasonable.” Ideally, the price of a record request would remain relatively constant—after all, the cost of producing these records does not differ significantly from state to state. But in reality, the cost of requesting one’s medical record is not only unreasonably expensive; it is also inconsistent, costing dramatically different amounts based on local regulation.The Law Offices of Thomas Lamb provide a conveniently organized list of each state’s regulation online, offering an easy mechanism for comparing the expected cost of requesting medical records. Most regulations take the form of a maximum dollar amount per page, in addition to labor, search, or postage fees. But a number of the provisions are simply absurd. Wisconsin has four price levels: for the first 25 pages of your record, you pay $1.00 per page; for the next 25 pages, you pay $0.75 per page; for the next 50 pages, you pay $0.50 per page; and for any additional pages, you pay $0.30 per page. The first 10 pages in Ohio cost $2.50 each. And Michigan charges $20 upfront for any request. On the other hand, Vermont actually imposes a price ceiling of $5.00 on all requests. While some states refuse to offer strict bounds on the price: Arizona, Hawaii, Utah, and Wyoming simply have variations of “reasonable without being in excess of the actual costs” as their description.

These price discrepancies are represented in the graph below, which shows aggregate statistics for record requests of different lengths—20, 50, 100, 150, and 200 pages.

Screen Shot 2015-01-14 at 12.36.23 PM

As you can see, the average price across states for requesting a relatively modest, 50-page medical record would be $41.26 plus the cost of postage. The actual disparity from state-to-state is also notable—from an expected $76.10 in Pennsylvania to just $5.00 in Vermont. It is arguable whether these high prices are “reasonable,” but it seems ridiculous to suggest they are in fact “cost-based.” Is it possible that there is this much variation in the cost incurred by a doctor’s office in releasing a patient’s record from state to state?

But the unfairness of these state regulations goes far beyond their inconsistency. The amount patients are required to pay for the service is proportional to the length of their medical records. Yet the length depends on a patient’s age and health—the younger and healthier you are, the shorter your medical record tends to be—but also on the doctor’s workflow and whether the office uses an electronic medical record system. These variables are almost entirely out of the patient’s control, and the result is a market that saddles some Americans with high barriers of access to information they have a legal right to obtain.

The second stage of Meaningful Use, the Department of Health and Human Service’s three-part subsidy program for incentivizing providers to adopt and utilize electronic medical record systems, focuses almost solely on the sharing of health encouraging interoperability and cooperation. It has been repeatedly shown that better information saves money and lives—medical errors currently contribute to over 200,000 (yes, thousand) deaths each year in the United States, and a dearth of information sharing is one cause of this tragedy. Policymakers realize this problem, and Meaningful Use and other programs have been tasked with kick-starting serious health information exchange (HIE) initiatives.

Meaningful Use has been integral in steering the previously paper-heavy health care system towards a digital future. Electronic medical record systems have been a polarizing topic in health care, but they offer yet another dimension to the debate surrounding the HIPAA Privacy Rule. In a system primarily run on paper, the cost to store and release a medical record depended largely on the length of that record—the number of pages one had to handle. In a digital system, the number of pages becomes an irrelevant and useless metric. Records are copied and released with a series of clicks, not page-by-page. If nothing else changes about the way medical records are made accessible to patients, policymakers should at least adapt regulation to more adequately fit the system’s current (and future) self.

But we can do better. Patients can be an important player in facilitating the exchange of health information, but the system inhibits access to their most basic health information. And for patients who stand to benefit most from increased data mobility, the barrier of entry is even higher—a relatively healthy individual might have a 50-page health record, but someone in need of lots of care or with a chronic condition will have a health record spanning hundreds of pages. Given the price dynamics of the record request market, these high-utilizers stand to be charged hundreds of dollars each time they request information from their providers. And that fee is for a single record request. We might say that patients have a right to their health information, but reality seems to offer a different impression.

I challenge policymakers to reconsider this aspect of the HIPAA Privacy Rule. Patient engagement with their medical information has incredible potential, and the first step to making that a reality is increasing the ease of access. Drop the fees—an exclusionary health care landscape doesn’t lead to better care. Better access to information might, though.

Paul Fletcher-Hill is a student at Yale.  He is the CEO and co-founder of PatientBank.

Livongo’s Post Ad Banner 728*90

10
Leave a Reply

7 Comment threads
3 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
10 Comment authors
MaryLauJennifer CPCOMeg Grimaldipfhlawyerdoctor Recent comment authors
newest oldest most voted
MaryLau
Guest

This is a very great article, thanks so much.

Jennifer CPCO
Guest
Jennifer CPCO

I appreciate the article and while I agree with you in theory, I am really getting tired of everyone blaming doctors for what we all hate about healthcare. As a practice manager with over 15 years of experience, your assertion that records can be released with just a few clicks is not accurate – at least not with the several electronic health records (EHR) I have worked with. In our current EHR, it is an all or nothing approach. You either get to export the entire record, or none of it. Many of our patients request specific visits or documents… Read more »

lawyerdoctor
Guest

Mr. Hill, Your bio did not specify if you were a med student, undergrad, etc., so my apologies. However, since your proposal to require/provide (presumably at the behest of the government) free access to medical records by patients would seemingly only benefit plaintiff lawyers, I would have to guess you are a pre-law student. No patient is capable of organizing, or even comprehending, the hundreds or thousands of pages of medical records associated with even ONE moderate to significant hospitalization, much less for their lifetime. They obviously can’t do it from their “smartphone” or “Ipad,” since we doctors don’t even… Read more »

pfh
Guest

Thanks for your response. I’m actually a senior at Yale, studying Computer Science and Economics, while also working on PatientBank (http://www.patientbank.us). PatientBank is a personal health record service to help individuals take control of their health information. The problem of understanding their own records is a challenging one, and it is definitely something we have thought a lot about. Medical records can be incredibly complex or poorly formatted, and one of the benefits of PatientBank is that it can simplify the information for patients. It also offers the system a location to store patient records that is not tied to… Read more »

civisisus
Guest
civisisus

Terrific work, Paul. And welcome to the peculiar world of the US health (not even remotely a) ‘system’. The good news is that, with regard to finding things in need of remedy, there is plenty of low-hanging fruit. The bad news is so very much of that fruit is over-ripe & does not handle well.

But you’ve made a great start!

bev M.D.
Guest
bev M.D.

That’s not even the worst of it. HIPAA actually impedes transfer of health information between entities or to family and can cause actual patient harm. Last month my elderly mother was taken to the ER where she was kept overnight, after a visit from me. The next morning I called for her status and was told, since I didn’t have a mysterious “PIN” number (which they had entirely forgotten to mention to me the previous day), I could be told nothing at all about her. But of course when I walked in later claiming to be her daughter, they accepted… Read more »

Meg Grimaldi
Guest
Meg Grimaldi

Dr. Bev,

HIPAA doesn’t impede that type of sharing of information at all for family members nor for other physicians/entities involved in the patient’s care. I think you are rather more correct about the interpretation and implementation of HIPAA at that specific facility. More often than not, it is that hospital personnel, and sometimes those who give them guidance, don’t really understand HIPAA so they restrict everything even when there is no legal or regulatory basis for doing so.

Matthew C
Guest

Dr. Palmer, I hope you and other physicians don’t give up on interoperability. Banks solved this same problem in the 60’s and 70’s. Why do you feel the transition in healthcare has been so much more painful than in banking? Banks and credit card companies get hacked but no one has seriously entertained going back to a paper based system. I guess the real question is: does an integrated, interoperable healthcare system improve patient outcomes? I would say yes but I’m not a physician trying to treat patients. It sounds like these systems are making good outcomes more difficult for… Read more »

William Palmer MD
Guest
William Palmer MD

I dont know. We may have to give up on some of this digitization. We love computers and they are so useful but the whole digital technology may be too leaky and insecure. It is not going to be much more–like CentCom’s hack–before people refuse to have their sensitive data entered. We may well end up with a two tier system, with the really private stuff in some non-TCP/IP, non-internet, encrypted local area network. We may have to give up on interoperability. I hope bureaucratic inertia doesnt keep forcing us further into the compleat EHR until we nail down its… Read more »

Kingdon
Guest
Kingdon

I understand it’s only an example that you are giving, but the CentCom hack was of their Twitter and YouTube accounts. There are no medical records on Twitter or YouTube (let’s hope not) and while it is embarrassing to CentCom that this happened, one has to question why they need Twitter and YouTube accounts to begin with. If there was any classified information in there at all, it’s already a big FAIL from day 0, before the hack even took place.