Owning and operating a healthcare-related company can be difficult, especially when you are trying to comply with all of the laws, rules, and regulations. One issue that often comes up relates to HIPAA compliance. Do your company’s policies comply with state and HIPAA medical records laws?
While much of the healthcare sector focuses on the COVID-19 pandemic, big changes to federal law impact healthcare billing rates. A recent ruling in January 2020 changes the way companies can charge for delivering protected health information.
What Is Protected Health Information?
Federal law protects a set of information arising out of the provision of medical services known as protected health information (more commonly “PHI”).¹ Because the rules surrounding who can request and look at PHI are highly complex, companies have sprung up that specialize in retrieving and holding onto PHI for healthcare suppliers.
What Restrictions Exist for PHI?
To ensure that those companies don’t gouge exorbitant fees out of their clients for their services, the United States Department of Health and Human Services (“HHS”) adopted restrictions limiting how much they can charge for delivering PHI. The collective body of restrictions is known in healthcare law as the ‘Patient Rate.’
Does the Patient Rule Apply?
The medical industry’s longstanding interpretation of the Patient Rate was that the restrictions limited costs when a request was made by a patient. On the other hand, requests by businesses for PHI, such as requests by an insurance company, were not limited by the Patient Rate.
In 2016, HHS issued new guidance that applied the Patient Rate to all requests, even those by third parties.² This included a flat maximum fee of $6.50 per-patient records. Not surprisingly, healthcare information companies like Ciox Health were furious. Ciox claimed the change cost the company millions in lost revenue, and it sued HHS to undo the damage caused by the new guidance.
In Ciox Health v. Azar, Judge Amit Mehta has declared much of the 2016 guidance unlawful. Requests for PHI by third parties are no longer subject to the Patient Rate.³ There is one exception: Judge Mehta maintained the Patient Rate’s limitations on third-party requests for electronic health records of an individual’s PHI. So, when dealing with healthcare data management companies like Ciox, the Patient Rate won’t limit most of their charges.
Make sure your PHI charges comply with the law. Contact Counxel Legal Firm to review your HIPAA compliance policies today.
Contact Counxel Legal Firm
If you have a healthcare-related business, then you need to make sure you are compliant with the complex laws, rules, and regulations. We are here to simplify your legal experience! Let us help you take care of your business’s legal needs. Give us a call at 480-536-6122 or email us at intake@wordpress-457010-3165254.cloudwaysapps.com to see how we can help you.
This article is intended for informational purposes only and does not constitute legal advice for your specific situation. Use of and access to this article does not create an attorney-client relationship between you and Counxel Legal Firm. Please contact intake@wordpress-457010-3165254.cloudwaysapps.com or 480-536-6122 to request specific information for your situation. All legal matters must be reviewed for conflict checks.
*Conveniently located off the 101 Freeway and the US 60 in the middle of Phoenix, Scottsdale, Tempe, Chandler, Gilbert, Mesa, and Queen Creek!
¹ Some states have passed medical-record fee statutes as well, which constrain the rate at which companies are allowed to bill. When federal and state laws concerning PHI charges for a patient conflict, the general rule of thumb has been to follow the law that mandates the lower billing rate for the patient. However, it’s not so simple for charges applied to third-party requests, and careful analysis of relevant state and federal laws may be required.
² See HHS, “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524”, Compl. Ex. A, ECF 1-1 at 16-17 (2016).
³ No. 18-cv-0040 (D.D.C. Jan. 23, 2020).
