HITECH ACT Violation - Filing a complaint to DHHS-OCR
What to do if the medical provider violates your HITECH Request
It is very common to receive an invoice after a HITECH medical records request that does not properly reflect the HITECH rates. Medical providers and third-party companies that produce medical records have a financial incentive to take advantage of patients and their attorneys by attempting to overcharge for medical record production. Ciox Health, one of the third-party medical records vendors, felt so strongly that they should be able to charge as they please that they initiated a federal lawsuit attempting to stop enforcement of federal law! That case, Ciox Health, LLC v. Hargan, can be found HERE. Below is a non-compliant invoice that this firm recently received.
If you are unable to obtain the records that you have requested, you should first contact the health care provider and/or their records vendor. Perhaps after an informal conversation the covered entity will take the necessary steps to bring themselves into compliance with the HITECH ACT. Once properly adjusted and compliant with the HITECH ACT, the medical record invoice should look something like this:
The Most Common HITECH ACT Violations related to producing medical records are:
Overcharging/Charging on a per page basis
Requiring a 3rd Party HIPAA Authorization
Not providing an itemized invoice reflecting HITECH rate or actual cost of production
Charging additional fees, for example retrieval fees, access fees, inventory fees, etc.
Violating the 30-day deadline for producing records
Claiming request sent by attorney and not patient
Demanding additional paperwork or to use their own authorization
Limited production such as only one “low-cost” request allowed per year
Claiming that only paper records are maintained but not including a certification stating so
FIRST STEP: SENDING A COMPLAINT LETTER TO HEALTH CARE PROVIDER
Often a phone call or simple letter advising the medical provider that they are in violation of HITECH will make the provider adjust their medical record charges.
If the medical provider fails to respond to the violation letter or refuses to adjust the medical records invoice to properly reflect HITECH rates, then you will have to escalate the matter and file a complaint with your local Department of Health and Human Services Office of Civil Rights (“DHHS-OCR”) office.
NEXT STEP: FILING A COMPLAINT TO DHHS-OCR
FILING A COMPLAINT
You should always notify the health care provider first, regardless of who is answering your client’s request. The health care provider (a “covered entity”) and the records vendor (a “business associate”) are bound by law and contract to comply with HIPAA and HITECH amendments. The health care provider is also vicariously liable by agency law for the violations of its records contractors. See 45 C.F.R. §§ 160.402(c) and 164.504(e)(1).
A health care provider must take action to enforce compliance by their records vendors. Once made aware of a HITECH violation, a health care provider must take “reasonable steps to…end the violation.” See id. If they are unsuccessful, they are expected to terminate the contract or agreement with the contractor. Id.
OCR INVESTIGATIONS CAN TAKE TIME TO COMPLETE AND RENDER A DECISION
In some regions, DHHS can act within three to six months. In other regions, DHHS may take up to eighteen months. However, DHHS often takes action to enforce compliance before the investigation is complete and a final decision is reached.
WHY FILING A COMPLAINT IS WORTH YOUR TIME
You are vindicating your client’s rights under HIPAA and HITECH
DHHS often intervenes with health care providers and health systems to encourage compliance in advance of investigatory outcomes. This can include sending staff to implement compliance policies at records contractors and with in-house records custodians.
Puts health care providers on notice that they must take action to comply with your client’s request.
WHERE AND HOW TO FILE YOUR COMPLAINT
For additional reference: http://www.hhs.gov/ocr/privacy/hipaa/complaints/
REQUIREMENTS – Your complaint must:
2. Name the covered entity or business associate and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules; and
3. Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause."
1. By mail (or fax):
Southeast Region - Atlanta (AL, FL, GA, KY, MS, NC, SC, and TN) Office for Civil Rights
U.S. Department of Health and Human Services
Sam Nunn Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Customer Response Center: (800) 368-1019
Fax: (202) 619-3818
TDD: (800) 537-7697
Note: Using this option allows you to include any correspondence with the health care provider or records contractor.
2. Online Form: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Select “Privacy or Security of Health Information (HIPAA)”
3. Plain Paper (Letter, Email, Fax):
You do not need to use one of the official complaint forms (online or in print) to file a complaint on your client’s behalf. You have the option of submitting a complaint in any format you choose.
Note: if you choose this option, you should reference the information requested on the paper form or the online complaint portal, which includes:
Name and contact information
Name of client on whose behalf you are filing
Name and address of health care provider or business associate violating the HITECH Act.
Brief description of what happened (previous correspondence should suffice)
Any other relevant information