    Insight Article
    Shelby A. Dodd, DBA, CPC, FACMPE

    Medical practice executives have many responsibilities within a medical group, sometimes including management of the release of a patient’s protected health information (PHI) to the patient, to other healthcare entities, or to outside parties such as attorney offices.

    This work is commonly referred to as release of information (ROI), and failure to handle it appropriately can be costly. Even if the medical practice executive does not hold the ROI role directly, protection of a patient’s PHI is ultimately the responsibility of the medical group, and by default of the medical practice executive.1 Understanding the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as the 21st Century Cures Act (Cures Act), is crucial to knowing which information can and cannot be released in response to an ROI request and the time limits for fulfilling it. The penalties for failing to comply with these standards and requirements can be financially damaging to a medical practice.

    Privacy Rule

    The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E), the regulations promulgated to implement HIPAA.2 The Privacy Rule governs how a medical practice, i.e. the “covered entity,” uses and discloses a patient’s PHI, and it gives patients enforceable rights to control how their health information is used, including a right of access to their own records. The Privacy Rule also sets the time frame within which a medical group must fulfill an ROI request from the patient. The fines for violating these rules can be significant.

    Whether a penalty is civil or criminal depends on the nature of the violation: civil penalties cover violations that result from oversight or negligence, while criminal penalties apply when a person knowingly obtains or discloses individually identifiable health information in violation of HIPAA. The civil monetary penalty that can be assessed against a covered entity, i.e. a medical practice, is $100 per failure to comply, and OCR caps the penalty for repeated violations of the same requirement at $25,000 per calendar year, provided the violation was not the result of willful neglect.3 (The HITECH Act of 2009 added a tiered civil penalty structure with substantially higher per-violation amounts and annual caps for violations involving reasonable cause or willful neglect, so these figures should be treated as a floor, not a ceiling.) Criminal penalties are far more significant and scale with the level of deceit and the use made of the patient’s PHI. They start at a $50,000 fine and up to one year in prison for a knowing violation, rise to $100,000 and up to five years when the offense is committed under false pretenses, and reach a $250,000 fine and up to 10 years in prison when it is committed “with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.”

    An example of a non-negligent oversight is a medical group that has no process in place to release a patient’s PHI within the required time frame: under 45 C.F.R. § 164.524 the group must act on an access request within 30 days of receipt, with one extension of up to 30 days permitted if the patient is given written notice of the reason for the delay. The Privacy Rule also gives the patient the right to request their designated record set (DRS), which for a medical group includes both the medical and the billing records. If a patient requests their DRS but the medical group does not fulfill the request until after the deadline has passed and omits the billing statement, the medical group could be cited for two separate violations. If multiple dates of service (DOS) are requested, the penalty is multiplied by each DOS not fulfilled, subject to the $25,000 annual cap for violations of the same requirement. The patient has the right to file a complaint with OCR, which subjects the medical group to an investigation and potential fines. OCR reviews every complaint it receives and tracks how many complaints have been filed against each medical group.

    A scenario that could expose the medical group to criminal sanctions under HIPAA is a medical practice executive or other individual in the medical group providing a list of patients, with demographic data and diagnoses, to a vendor in exchange for a fee or a price break for the practice. Vendors and other parties know that medical groups hold a wealth of information; patient lists give them contacts for marketing new products, services or pharmaceuticals. Even if the medical group has a business associate agreement (BAA) in place with the vendor, PHI cannot be sold or used for marketing in this manner without specific written authorization from the patient.4 This would be a severe breach of patient PHI, and criminal penalties could be assessed.

    Cures Act – penalties enforced as of Sept. 1, 2023

    The 21st Century Cures Act, or simply the Cures Act, has many components, but the one that can affect a medical group financially is information blocking.5 Information blocking is a practice by an “actor” (a healthcare provider, a developer of certified health IT, or a health information exchange or network) that is likely to interfere with the access, exchange or use of electronic health information and that does not fall under one of the regulatory exceptions. Failing to provide a patient’s PHI in the form and format the patient requests, such as printed or faxed records, records compiled on a flash drive or burned to a CD, or records shared through an electronic health record (EHR) portal, can fall into this category. Unlike the Privacy Rule, which allows a medical group to charge a reasonable, cost-based fee for producing copies of records, the information blocking rule’s fees exception does not cover fees for a patient’s electronic access to their own records (for example through a portal or an API), so that access must be provided at no cost to the patient. Other requesters, such as attorneys obtaining records under a patient’s authorization, can be charged a fee; the HIPAA Privacy Rule’s cost-based fee limit applies to the patient’s own access requests, while other requests are governed by applicable state law.

    Enforcement of the Cures Act penalties began on Sept. 1, 2023. The penalty is exceptionally high, $1 million per violation, and for now is limited to developers of certified health IT, entities offering certified health IT, health information exchanges (HIEs) and health information networks (HINs). Healthcare provider penalties, referred to as “disincentives,” are being established separately, and HHS has released a proposed rule for public comment. The proposed rule establishes disincentives for healthcare providers that are found to have committed information blocking. There are three components to the proposed rule6:

    • Medicare Promoting Interoperability Program — Eligible hospitals, including critical access hospitals (CAHs), would not be considered meaningful users of certified electronic health record (EHR) technology in the applicable reporting period. Hospitals would lose 75% of the annual market basket increase, while CAHs would be paid 100% of reasonable costs instead of 101%. Initial calculations put the median loss for hospitals at approximately $394,353.7
    • Merit-based Incentive Payment System (MIPS) — Eligible physicians or groups of physicians would not be considered meaningful users of certified EHR technology in a performance period and would receive a score of zero in the Promoting Interoperability performance category. Initial calculations show the median disincentive for an individual physician would be $686, with a potential range for a group of physicians of $1,372 to $165,326.7
    • Medicare Shared Savings Program (MSSP) — A provider that participates in an accountable care organization (ACO) would be ineligible to participate in the program for at least one year, losing a year of revenue from the ACO.

    Most medical groups will fall under the healthcare provider penalties, and it is imperative that medical practice executives monitor the final rules issued by HHS to financially protect their practices. Even though healthcare providers are not subject to the $1-million-per-violation penalty, a vendor the medical group works with could be, which makes it crucial to ensure that any vendor the medical group engages also has processes and standards that comply with the Cures Act.

    A tool to avoid penalties

    Figure 1. Example of patient information forms

    One way to ensure that your medical group releases patient information in accordance with the Privacy Rule and the Cures Act is to use an appropriate ROI Request Form. The form must capture specific information so that the medical group releases only the minimum necessary PHI to satisfy the request, which is itself a Privacy Rule requirement for most disclosures. Note that the minimum necessary standard does not apply to disclosures to the patient or to disclosures made under the patient’s written authorization, so the form should record who is requesting the records and under what authority. The form also helps processing staff determine whether the request falls under the Privacy Rule, and therefore can be billed, or under the Cures Act, in which case the patient cannot be billed for producing the requested information.


    Medical practice executives already have exceptionally demanding jobs, but it is important that they understand the Privacy Rule and the Cures Act. Having the right tools, such as an appropriate ROI Request Form, helps the medical group adhere to the requirements. Not having tools and processes in place to process ROI appropriately can result in significant cost to the medical group.


    1. HHS. “Individuals’ Right under HIPAA to Access their Health Information 45 CFR§ 164.524.” Available from:
    2. HHS. “How OCR Enforces the HIPAA Privacy & Security Rules.” Available from:
    3. HHS. “Summary of the HIPAA Privacy Rule.” Available from:
    4. HHS. “Your Rights Under HIPAA.” Available from:
    5. ONC. “Information Blocking.” Available from:
    6. HHS. “HHS Proposes Rule to Establish Disincentives for Health Care Providers that have Committed Information Blocking.” Oct. 30, 2023. Available from:
    7. Tripathi M, Blum J. “Consequences for Information Blocking: New Proposals to Establish Disincentives for Health Care Providers.” Health IT Buzz. Oct. 30, 2023. Available from:
    Written By

    Shelby A. Dodd, DBA, CPC, FACMPE, Director, Health Information Management, Northeast Georgia Health System, can be reached at
