The Complexity of Regulatory Pricing

By Leke Adesida, Chief Compliance Officer, Ciox Health

Easy release of information is a thing of the past.  With a dense web of state and federal laws governing medical-record disclosure, understanding laws can be tricky. Commercial requestors will often inundate their requests with confusing language, which makes a careful look at a request critical for accurate retrieval. Even determining an appropriate fee for reproducing a record has serious financial and legal implications.

Misunderstanding the law could result in financial penalties, sanctions or litigation from requestors. Meanwhile, failure to collect appropriate fees from requestors places the cost burden of health information management squarely on the provider. Grasping nuances in the web of laws governing fees takes serious time and effort, but companies like Ciox have the technology and resources to do it correctly. Ciox manages millions of information requests in partnership with providers from across the country, and its continued investment in digital connection with requestors supports managing these requests’ volume and complexity.

Navigating the system can be tricky for even experienced health information consumers. Generally speaking, HIPAA permits a reasonable, cost-based fee for the work involved in reproducing a medical record requested by a patient or their personal representative, but it is not always that straightforward. Recently, interpretations have seemingly allowed a patient to direct their record to a third party for the same reasonable, cost-based fee. These types of requests are for the purpose of the 3rd party to obtain a lower fee cost, but have caused major privacy concerns with the minimal requirements for a patient to complete a patient access request. You can guess what happens next: A growing number of third-party requestors are now using patient-directed requests to lower the fees to the financial detriment of medical information providers and additional privacy issues in regards to the patient truly understanding the full impact of directing their PHI to a 3rd party that are not regulated under HIPAA.

There’s also another layer of complexity in exactly which requests are subject to the patient rate. If a third party asks for the records directly with an accompanying valid HIPAA authorization from the patient, or some other legal authority, then state laws will generally dictate the fee for reproduction.  But those laws, which can already be very complex, may be scattered across various state statutes, regulations or administrative codes. Plus, many states have separate fee parameters for different kinds of requests.

As if determining the proper fee weren’t difficult enough, medical providers with facilities in multiple states face even more hurdles. That’s because being in multiple states requires a mastery of each state’s laws, since none are identical. While considering these complexities and risks can be difficult and time-consuming, the work is necessary to ensure HIM departments remain in compliance with the law. Ciox has a long history of dealing with complex information requests, and its deep experience makes it a leader in the sector. Ciox handles health information with the utmost integrity, because every record represents a real person.