
The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to comply with security regulations, not necessarily to reduce security risk.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

The State Of Healthcare Cybersecurity (Part 1)

Posted on May 21, 2018 | Written By Anne Zieger

Healthcare data has never been under more outside threats than it is today. For a number of reasons, this data has become more attractive to cybercriminals and can be sold on the dark web for a pretty penny. Not only that, emerging threats like ransomware attacks are hitting home and wreaking havoc with the institutions they target.

Unfortunately, according to a new study by Black Book Market Research, healthcare organizations don’t seem to be adequately prepared for this onslaught.

The survey, which collected responses from 2,464 security pros working at 680 provider organizations, found that health IT leaders aren’t confident they can defend themselves against cyberattacks. In fact, 96% of IT professionals who responded said that the attackers are significantly ahead of them and could probably cut through the protection their organizations have in place.

Given that stat, it’s not surprising that over 90% of healthcare organizations have seen a data breach since Q3 2016. Worse, almost 50% reported that they had more than five data breaches during this period. Not only that, more than 180 million records have been stolen since 2015, a staggering haul which affects roughly one in every 12 healthcare consumers.

On the surface, it might seem surprising that healthcare organizations haven’t toughened their defenses given the number of threats they face. Actually, they are, but they’re being outgunned. It’s not that they’re not making cybersecurity investments, but both the level of investment and their strategy for deployment may be inadequate.

In a surprisingly frank set of disclosures, one-third of hospital executives that bought cybersecurity solutions between 2016 and 2018 said they did so blindly without much vision or understanding of what they were getting for their money. Respondents said that 92% of data security product and services buying decisions were made at the C-level, and the process didn’t include any users or affected department managers.

One reason that C-level executives with little relevant knowledge are making security investment decisions is that they don’t have anyone senior to consult – and the problem is extremely common.

The survey found that 84% of hospitals responding had no dedicated security executive in place. Most say that it’s difficult to recruit a qualified chief security officer, which is why they’re going bare on data security and stumbling through the buying process as best they can.

Some organizations are responding to the shortage of C-level tech talent by outsourcing the function. Twenty-one percent said they outsource security to partners, consultants or selected security-as-a-service options as a placeholder.

Given this interest in outsourcing, healthcare organizations are signing deals with security services and outsourcing companies five times more often than they’re buying cybersecurity products and software. Vendors, in turn, are responding by diversifying the portfolio of services they offer. Still, that’s unlikely to be enough over the long term.

All of this suggests that the healthcare industry is in a security crisis. I’ll offer more details on the situation in part two of this series.

Why You Shouldn’t Take Calculated Risks with Security

Posted on May 9, 2018 | Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

Calculated risks are often lauded in innovation.  However, with increasing security breaches in the tech industry, it is time to reassess the calculated risks companies take in healthcare.

Time and again, I have advised technology companies and medical practices to invest in security, and yet I am often met with resistance; a culture of calculated risk prevails.  To these companies and practices, the risk may make sense in the short term. Resources are often limited, so they believe they needn’t spend the time and money on security.  However, the notion that a company or a practice can take this chance is ill advised.

As a recent study conducted by HIMSS (and reviewed by Anne Zieger here) warns, “significant security incidents are projected to continue to grow in number, complexity and impact.” Thus, in taking the calculated risk not to invest in security, companies and practices are creating greater risk in the long run, one that comes with severe consequences.

As we have seen outside of healthcare, even “simple” breaches of user names and passwords, as happened to Under Armour’s MyFitnessPal app, become important use cases as examples of the impact a security breach can have. While healthcare companies typically think of this in terms of HIPAA compliance and oversight by the Office for Civil Rights (OCR), the consequences reach far wider.  Beyond the fines OCR can impose, or even the criminal penalties HIPAA carries, what these current breaches show us is how easy it is for the public to lose trust in an entity.  For a technology company, this means losing valuation, which could signal a death knell for a startup. For a practice, this may mean losing patients.  For any entity, it will likely result in substantial legal fees.

Why take the risk not to invest in security? A company may think they are saving time and money up front and the likelihood of a breach or security incident is low. But in the long run, the risk is too great – no company wants to end up with their name splashed across the headlines, spending more money on legal fees, scrambling to notify those whose information has been breached, and rebuilding lost trust.  The short term gain of saving resources is not worth this risk.

The best thing a company or practice can do to get started is to run a detailed risk assessment. This is already required under HIPAA but is not always made a priority.  As the HIMSS report also discussed, there is no one standard for risk assessment, and OCR is often flexible, knowing that entities may be of different sizes and have different resources. While encryption standards and network security should remain a high priority with constant monitoring, there are a few standard aspects of risk assessment, including:

  • Identifying information (in either physical or electronic format) that may be at risk including where it is and whether the entity created, received, and/or is storing it;
  • Categorizing the risk of each type of information in terms of high, medium, or low risk and the impact a breach would have on this information;
  • Identifying who has access to the information;
  • Developing backup systems in case information is lost, unavailable, or stolen; and
  • Assessing incident response plans.
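The five steps above are the skeleton of a risk register. The following is an added example, not code from the post or from any OCR guidance: it records each information asset with its format, location and provenance, classifies it high/medium/low, lists who has access, and checks backups and incident response, then multiplies impact by an exposure score to rank what to fix first. The sample assets, the weights and the access thresholds are assumptions chosen for illustration.

```python
"""Lightweight HIPAA-style risk register (added example, not from the post).

It works through the five assessment steps listed above: take stock of each
information asset and where it lives, classify its sensitivity, record who can
reach it, check for backups, and check whether the incident response plan has
been exercised. The assets, weights and thresholds below are assumptions made
for illustration, not values from the post or from any OCR guidance.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Impact weight per sensitivity class (assumed values).
IMPACT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    name: str
    fmt: str                 # "electronic" or "physical"
    location: str
    created: bool            # the entity created this data
    received: bool           # the data came from another party
    stored: bool             # the data is kept here
    sensitivity: str         # "high", "medium" or "low"
    access: Set[str]         # identities or roles that can read it
    encrypted: bool          # at rest; ignored for physical records
    backed_up: bool
    ir_plan_tested: bool     # incident response plan exercised for this asset


def findings(a: Asset) -> List[Tuple[str, int]]:
    """Control gaps for one asset, each with an assumed exposure weight."""
    gaps: List[Tuple[str, int]] = []
    if a.fmt == "electronic" and not a.encrypted:
        gaps.append(("unencrypted electronic PHI", 2))
    if not a.backed_up:
        gaps.append(("no backup; loss or ransomware means unavailability", 2))
    if not a.ir_plan_tested:
        gaps.append(("incident response plan not exercised for this asset", 1))
    if len(a.access) > 5:
        gaps.append((f"{len(a.access)} identities have access; review minimum necessary", 2))
    elif len(a.access) > 2:
        gaps.append((f"{len(a.access)} identities have access; confirm each is needed", 1))
    if a.received and not a.created:
        gaps.append(("received from a third party; confirm business associate terms", 1))
    return gaps


def exposure_score(a: Asset) -> int:
    """Likelihood proxy: the sum of the gap weights."""
    return sum(w for _, w in findings(a))


def risk_score(a: Asset) -> int:
    """Impact x exposure: the usual high/medium/low matrix made numeric."""
    return IMPACT[a.sensitivity] * exposure_score(a)


def prioritize(assets: List[Asset]) -> List[Tuple[str, int, List[str]]]:
    """Rank assets by risk score, highest first, with their open findings."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), [g for g, _ in findings(a)]) for a in ranked]


# Constructed sample inventory for a small practice (assumed, not real data).
SAMPLE_ASSETS = [
    Asset("EHR database", "electronic", "hosted EHR vendor", True, True, True,
          "high", {f"clinician{i}" for i in range(40)}, True, True, False),
    Asset("Billing file share", "electronic", "office NAS", True, False, True,
          "high", {f"staff{i}" for i in range(12)}, False, False, False),
    Asset("Paper charts", "physical", "archive room", True, False, True,
          "high", {"front desk", "records clerk", "office manager"}, False, False, False),
    Asset("Reference lab results", "electronic", "lab portal export", False, True, True,
          "medium", {"nurse lead", "physician"}, True, True, True),
]

if __name__ == "__main__":
    for name, score, gaps in prioritize(SAMPLE_ASSETS):
        print(f"{score:3d}  {name}")
        for g in gaps:
            print(f"       - {g}")
```

On the sample inventory the unencrypted, unbacked-up billing share outranks the hosted EHR even though both hold high-sensitivity data, which is the point of scoring exposure separately from impact: the register tells a resource-constrained practice where the first dollar goes, and re-running it after each fix is the "constant monitoring" the post asks for.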

Additionally, it is important to ensure proper training of all staff members on HIPAA policies and procedures including roles and responsibilities, which should be detailed and kept up to date in the office.

This is merely a start and should not be the end of the security measures companies and practices take to ensure they do not become the next use case. When discussing a recent $3.5 million settlement, OCR Director Roger Severino recently emphasized that, “there is no substitute for an enterprise-wide risk analysis for a covered entity.” Further, he stressed that “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Though this may seem rudimentary, healthcare companies and medical practices are still not following simple steps to address security and are taking the calculated risk not to – which will likely be at their own peril.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.

Barriers to Better Healthcare Cybersecurity

Posted on May 4, 2018 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We often say in healthcare that we need to learn from other industries. We try to do that as much as possible on this blog, and this is one of those cases. HIPAAEx recently shared this image, which illustrates many of the barriers that local governments face to better cybersecurity. Many of them are money issues, like paying high cybersecurity salaries and hiring and training cybersecurity staff, but the largest barrier is lack of support. See the details below:

Does this sound like some of the same issues that we have when it comes to barriers to effective cybersecurity in healthcare? It does to me.

While healthcare does deal with these same challenges, I have to admit how drastic the change has been when it comes to support for cybersecurity efforts from healthcare leaders. It used to not even be an afterthought. That’s still sadly true in many healthcare organizations. However, I’m seeing more and more healthcare organizations that treat cybersecurity as a strategic priority.

Healthcare organizations know the damage that’s caused when they have a massive breach occur that shouldn’t happen. They’re finally starting to wake up to this fact. Most are taking a two fold approach: how do I prevent a breach from occurring and what’s my process when a breach occurs?

The problem with cybersecurity is that it’s never done. You can’t look at cybersecurity as a project that’s complete and now you can move on to something else. Cybersecurity is always changing and has to become part of the culture of your organization if you want to have any hope of keeping up and avoiding any major cybersecurity disasters.

How does this chart stack up with your experience? What are your barriers to healthcare cybersecurity? Please share your thoughts and experiences in the comments and with us on social media @HealthcareScene.

Privacy Fears May Be Holding Back Digital Therapeutics Adoption

Posted on May 3, 2018 | Written By Anne Zieger

Consumers were already afraid that their providers might not be able to protect the privacy of their health data. Given the daily news coverage of large data breaches, and since the Facebook data scandal blew up, consumers may be even less likely to try out new digital health approaches.

For example, a new study by innovation consultancy Enspektos has concluded that patients may be afraid to adopt digital therapeutics options. Many fear that the data might be compromised or the technology may subject them to unwanted personal surveillance.

Without a doubt, digital therapeutics could have a great future. Possibilities include technologies such as prescription drugs with embedded sensors tracking medication compliance, as well as mobile apps that could potentially replace drugs. However, consumers’ appetite for such innovations may be diminishing as consumer fears over data privacy grow.

The research, which was done in collaboration with Savvy Cooperative, found that one-third of respondents fear that such devices will be used to track their behavior in invasive ways or that the data might be sold to a third party without their permission. As the research authors note, it’s hard to argue that the Facebook affair hasn’t ratcheted up these concerns.

Other research by Enspektos includes some related points:

  • Machine-aided diagnosis is growing as AI, wearables and data analytics are combined to predict and treat diseases
  • The deployment of end-to-end digital services is increasing as healthcare organizations work to create comprehensive platforms that embrace a wide range of conditions

It’s worth noting that it’s not just consumers who are worried about new forms of hacker intrusions. Industry CIOs have been fretting as it’s become more common for cybercriminals to attack healthcare organizations specifically. In fact, just last month Symantec identified a group known as Orangeworm that is breaking into X-ray, MRI and other medical equipment.

If groups like Orangeworm have begun to attack medical devices — something cybersecurity experts have predicted for years — we’re looking at a new phase in the battle to protect hospital devices and data. If one cybercriminal decides to focus on healthcare specifically, it’s likely that others will as well.

It’s bad enough that people are worried about the downsides of digital therapeutics. If they really knew how insecure their overall medical data could be going forward, they might be afraid to even sign in to their portal again.

Is Health Data Privacy On Its Way Out?

Posted on April 30, 2018 | Written By Anne Zieger

As healthcare providers gradually improve their HIPAA data security and privacy compliance, one might think that the odds of a breach occurring are getting lower. Maybe that’s true within the provider organizations themselves, but there are forces outside of healthcare which will make it impossible to protect personal data in the future, according to a post on Axoblog.

The piece argues that the notion of data privacy is dying. “To the extent that emails and other communications meant for designated recipients are analyzed, scraped, aggregated and stored, it is the opinion of this author that the protection of PHI is illusory,” the article says.

As the piece correctly notes, unscrupulous companies can learn a great deal about consumers by analyzing their Internet search history. And of course, there are social media stalkers like Facebook, which monitors Internet activity even when the subscriber is logged off. (It’s hard to believe that other Internet companies aren’t doing the same thing in a less public manner.)

By using a rich source like Facebook user data and aggregating it with information from other social media networks, outsiders can pull together a personal profile of users. This database could easily expose medical information that should be protected under HIPAA and HITECH.

And it’s not just Facebook data that is of concern. By buying available data from all the social media networks, then matching that data with commercial databases offering details such as address, phone number and location, it’s possible to develop an astonishingly detailed portrait of individuals.

So what should providers do in the age of minimum privacy? Be aware of emerging threats, the author suggests:

  • Be aware that social media outlets aren’t subject to the legal requirements providers are when compiling health information.
  • Keep your eye on data aggregators, which are selling data to everyone you can think of, plus others you wouldn’t even have considered, including marketers, advertisers and researchers.
  • The government has only now begun trying to understand how social media networks handle privacy and how well they explain their practices to consumers.
  • In the wake of the Facebook scandals, social media giants might develop protocols for managing sensitive data, but they may fail at doing this, in which case the government is likely to step in.
  • Though Facebook has been asked by regulators how the company manages and shares data, it seems that no one’s asking about the aggregation of data and how it is stored and protected.

Now, I’d like to think the article described above is a bit too pessimistic. If nothing else, I’m not sure that the aggregation of other forms of data means that medical privacy will become impossible to defend. Still, the piece makes it clear that we have a long way to go before we can be sure PHI is protected by companies like Facebook.

Should Apps with Personal Health Information Be Subject to HIPAA?

Posted on April 10, 2018 | Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

With news of Grindr’s sharing of users’ HIV status and location data, many wonder how such sensitive information could be so easily disclosed, and the answer is quite simply a lack of strong privacy and security standards for apps.  The question then becomes whether apps that store personal health information should be subject to HIPAA. Should apps like Grindr have to comply with the Privacy and Security Rules as doctors, insurance companies, and other covered entities already do?

A lot of people already think this information is protected by HIPAA, as they do not realize that HIPAA only applies to “covered entities” (health care providers, health plans, and health care clearinghouses) and “business associates” (companies that contract with covered entities).  Grindr is neither of these. Nor are most apps that address health issues – everything from apps with mental health tools to diet and exercise trackers. These apps can store all manner of information, ranging from simply a name and birthdate to sensitive information including diagnoses and treatments.

Grindr is particularly striking because under HIPAA and the state and federal laws that layer on top of it, there are extra protections for information including AIDS/HIV status, mental health diagnoses, genetics, and substance abuse history.  Normally, this information is highly protected, and rightly so given the potential for discrimination. The privacy laws surrounding this information were hard fought by patients and advocates who often experienced discrimination themselves.

However, there is another reason this is particularly important in Grindr’s case, and that’s the issue of public health.  Just a few days before it was revealed that the HIV status of users had been exposed, Grindr announced that it would push notifications through the app to remind users to get tested.  This was lauded as a positive move and added to the culture of openness created on this app. Already users disclose their HIV status, which is a benefit for public health and for reducing the spread of the disease. However, if users think that this information will be shared without explicit consent, they may be less likely to disclose their status. Thus, not having privacy and security standards for apps with sensitive personal health information means these companies can easily share this information and break the users’ trust, at the expense of public health.

Trust is one of the reasons HIPAA itself exists.  When implemented correctly, the Privacy and Security Rules lend themselves to creating an environment of safety where individuals can disclose information that they may not want others to know.  This then allows for discussion of mental health issues, sexually transmitted diseases, substance use issues, and other difficult topics, the consequences of which affect both the treatment plan for the individual and the health of the greater population.

It would be sensible to apply a framework like HIPAA to apps to ensure the privacy and security of user data, but certainly some would challenge the idea.  Some may make the excuse that is often already used in healthcare: that HIPAA stifles innovation and places an undue burden on their industry and on technology in general.  While untrue, this rhetoric holds sway with government entities that may oversee these companies.

To that end, there is the question of who would regulate such a framework. Would it fall to the Office for Civil Rights (OCR), where HIPAA regulation is already overseen? OCR itself is overburdened, taking months to assess even the smallest of HIPAA complaints.  Would the FDA regulate compliance as it looks to regulate more mobile apps that are tied to medical devices?  Would the FCC have a role?  The question of who would regulate apps would be a fight in itself.

And finally, would this really increase privacy and security? HIPAA has been in effect for over two decades and yet still many covered entities fail to implement proper privacy and security protocols.  This does not necessarily mean there shouldn’t be attempts to address these serious issues, but some might question whether the HIPAA framework would be the best model.  Perhaps a new model, with new standards and consequences for noncompliance should be considered.

Regardless, it is time to start really addressing the privacy and security of personal health information in apps. Last year, both Aetna and CVS Caremark violated patient privacy by sending mail to patients in which their HIV status could be seen through the envelope window. At present it seems these cases are under review with OCR. But OCR has been tough on these disclosures. In fact, in May 2017, St. Luke’s Roosevelt Hospital Center Inc. paid OCR $387,200 in a settlement for a breach of private information, including the HIV status of a patient. So the question is, if, as a society, we recognize the serious nature of such disclosures, should we not look to prevent them in all settings – whether the information comes from a healthcare entity or an app?

With intense scrutiny of privacy and security in the media for all aspects of technology, increased regulation may be around the corner and the framework HIPAA creates may be worth applying to apps that contain personal health information.


Cybersecurity Report Card:  Better Performance, But Not Great

Posted on March 29, 2018 | Written By Anne Zieger

A new research report from HIMSS has concluded that while healthcare organizations are improving their cybersecurity programs, there are still a number of things they could do better.

The study drew on responses from 239 health information security professionals. Their responses were gathered from December 2017 to January 2018. While respondents came from a number of settings, the largest number (31.5%) were with hospitals, multi-hospital systems or integrated delivery networks.

One key point made by the study was that significant security incidents are projected to continue to grow in number, complexity and impact. That’s reflected by responses from survey participants, 75.7% of whom said that their organizations experienced a significant security incident in the past 12 months.

The top threat actors attacking these organizations were online scam artists deploying phishing and spear phishing attacks (37.6%), followed by negligent insiders (20.8%) and hackers (20.1%). In many cases, the initial point of compromise was email. Time to discover the incident was less than 24 hours for 47.1% of respondents, one to two days for 13.2% and three to seven days for 7.4%.

Despite these risks, and the effort required to protect their data, healthcare organizations with cybersecurity programs are improving their performance. They’re devoting more resources to those programs (55.8% report a specific portion of their current IT budget allocated to cybersecurity), responding to problems identified by regular risk assessments (with 83.1% adopting new and improved security measures in the wake of those assessments) and regularly conducting penetration testing and security awareness training.

On the other hand, HIMSS found that most healthcare organizations’ cybersecurity programs still need improvement. For example, staffers face major obstacles in remediating and mitigating security incidents, particularly having too few cybersecurity personnel on board and a lack of financial resources. HIMSS also noted that educating and testing the “human components” for security vulnerabilities is critical, but may not be included in many efforts.

In some cases, organizations don’t have formal insider threat management programs. While many respondents (44.9%) said they do have insider threat management programs and policies in place, another 27% said those programs were informal. And 24.2% said their organization had no insider threat management program at all.

In addition, risk assessments vary widely across the industry. Popular sources used to gather cyber threat intelligence include US CERT alerts and bulletins (60%) and HIMSS resources (53.8%), but many others are used as well.

The net of all of this seems to be that while healthcare organizations have gotten smarter where cybersecurity is concerned, they need to invest more in specialized personnel, improve staff training, remediation and risk assessments and stay alert. As the number of attacks continues to grow, nothing else will get the job done.

Texting Patients Is OK Under HIPAA, as long as you…

Posted on March 6, 2018 | Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

OCR Director Severino Makes Policy from the Podium

Speaking at the HIMSS health IT conference in Las Vegas on Tuesday, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent.

In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate Electronic Protected Health Information (ePHI) with patients through unencrypted e-mail, if the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent.

A HIMSS audience member asked Severino why the OCR hasn’t issued similar guidance for text messaging with patients. “I don’t see a difference,” Severino said. “I think it’s empowering the patient, making sure that their data is as accessible as possible in the way they want to receive it, and that’s what we want to do.”

“Wow! That’s a big change,” said Tom Leary, Vice President of Government Relations for HIMSS. “That’s wonderful. Actually, the physician community has been clamoring for clarification on that for several years now. Our physician community will be very supportive of that.”

The 2013 OCR guidance for e-mails, and Severino’s announcement about text messages, apply only to communications with patients, where the patient has accepted the risk. They do not extend to exchanges between HIPAA Covered Entities and Business Associates, which are still expected to protect ePHI in transit when communicating with each other.

Messages sent through free e-mail services are not private. Google’s Gmail Terms of Service, allow Google to “use…reproduce…communicate, publish…publicly display and distribute” your e-mail messages. Health care providers must use encrypted e-mail or secure e-mail systems to communicate ePHI outside of their organizations.

In 2012, a small medical practice was penalized $100,000 for sharing patient information through free Internet services, including e-mail. According to the resolution agreement, Phoenix Cardiac Surgery “daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.”

While the OCR may be best known for its HIPAA enforcement, it has also pushed healthcare organizations to lower the barriers that have prevented patients from obtaining their medical records. The Omnibus Rule required health care providers to recover only their actual costs when providing patients with copies of their records.

In its 2016 guidance, the OCR set a $6.50 limit (inclusive of all labor, supplies, and postage) for health care providers “that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.”

The federal requirement to recover actual costs, or to charge a flat fee of $6.50, supersedes state laws that allow providers to charge for medical record searches and per-page fees. Maine, for example, caps the cost of a medical record at $250, far above the federal $6.50 flat fee.


Health IT and ROI (Release of Information) Vendor Sues HHS Over Patient Records Fees

Posted on January 19, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now here’s one for the ages – a vendor taking HHS head-on. The vendor, CIOX Health, has sued HHS in an effort to stop the agency from enforcing HIPAA rules that limit how much providers and business associates can charge for patient records. While the vendor may not get anywhere, the lawsuit raises the important question of what patient record retrieval should cost.

According to Becker’s Hospital Review, the suit focuses on changes to the privacy rules put into place in 2013 and 2016. The article notes that these modifications broadened the type of information providers and BAs must send while capping the fees they can charge for doing so. Specifically, the 2016 changes require that the costs associated with a record request be charged at a reasonable, cost-based rate or at a flat rate of about $6.50.

In its complaint, CIOX says the flat fee “was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.” It contends that the HIPAA provisions in question established the limits “unlawfully, unreasonably, arbitrarily and capriciously.”

It’s hard to tell whether CIOX will get anywhere (though my guess is “not very far”). Government agencies are all but immovable, and HHS particularly so. I appreciate the spunk involved in filing the suit, the premise of which actually sounds reasonable to me, but I think the company has about as much chance of prevailing as a gnat fighting a combine harvester.

That being said, I think this suit focuses on an important issue, which is that the fee limits imposed by states and the federal government for providing medical records are all over the map. While such limits may be necessary to protect consumers, it’s probably fair to say that they aren’t exactly based on actual estimates of provider and vendor costs.

The truth is, the healthcare industry hasn’t come to grips yet with the cost of delivering healthcare information to patients. After all, while basic information delivered by a portal may be good enough for patients, these aren’t real medical records and they can’t be used as a basis for care.  And delivering an entire medical record can be expensive.

Plus, this issue is really complicated by the number of records requests that healthcare organizations are receiving from parties other than the patient. The number of records requests from insurance companies, lawyers, and other third parties has increased dramatically, not to mention how much of the record these organizations want to get. If it were just patients requesting their records, this question would be much simpler.

I can only think of a few ways to handle this problem, none of which are really satisfactory. For example, HHS or the states could create some sort of system which permits different fees depending on the difficulty of retrieving the information. Providers and business associates could submit their fees to some kind of review board which would approve or reject the proposal. Or perhaps we could just allow vendors to charge whatever the market would bear. None of these sound great to me.

If we want patients to manage their health effectively, they need to be able to share their records, and they must be able to access those records without paying a fortune for the privilege. At the same time, we can’t ask providers and business associates to share records at their own expense. Given the importance of this problem, I think it’s high time that healthcare leaders look for solutions.