The HIPAA Privacy Rule’s “Reasonable, Cost-Based” Data Problem
This is a re-print of a blog post I wrote for the Health Care Blog on Jan 13, 2015. The original piece can be found here.
Over the last five years, the United States has undergone more significant changes to its health care system perhaps since Medicare and Medicaid were introduced in the 1960s. The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Patient Protection and Affordable Care Act of 2010 have paved the way for tremendous changes to our system’s information backbone and aim to provide more Americans access to health care.
But one often-overlooked segment of our health care system has been letting us down. Patients’ access to their own medical information remains limited. The HIPAA Privacy Rule grants individuals the right to copies of their own medical records, but it comes at a noteworthy cost — health care providers are allowed to charge patients a fee for each record request. As explained on the Department of Health and Human Services’ website, “the Privacy Rule permits the covered entity to impose reasonable, cost-based fees.”
HIPAA is a federal regulation, so the states have each imposed guidelines outlining their own interpretations of “reasonable.” Ideally, the price of a record request would remain relatively constant — after all, the cost of producing these records does not differ significantly from state to state. But in reality, the cost of requesting one’s medical record is not only unreasonably expensive; it is also inconsistent, costing dramatically different amounts based on local regulation. The Law Offices of Thomas Lamb provide a conveniently organized list of each state’s regulation online, offering an easy mechanism for comparing the expected cost of requesting medical records. Most regulations take the form of a maximum dollar amount per page, in addition to labor, search, or postage fees. But a number of the provisions are simply absurd. Wisconsin has four price levels: for the first 25 pages of your record, you pay $1.00 per page; for the next 25 pages, you pay $0.75 per page; for the next 50 pages, you pay $0.50 per page; and for any additional pages, you pay $0.30 per page. The first 10 pages in Ohio cost $2.50 each. And Michigan charges $20 upfront for any request. On the other hand, Vermont actually imposes a price ceiling of $5.00 on all requests. While some states refuse to offer strict bounds on the price: Arizona, Hawaii, Utah, and Wyoming simply have variations of “reasonable without being in excess of the actual costs” as their description.
These price discrepancies are represented in the graph below, which shows aggregate statistics for record requests of different lengths — 20, 50, 100, 150, and 200 pages.
As you can see, the average price across states for requesting a relatively modest, 50-page medical record would be $41.26 plus the cost of postage. The actual disparity from state-to-state is also notable — from an expected $76.10 in Pennsylvania to just $5.00 in Vermont. It is arguable whether these high prices are “reasonable,” but it seems ridiculous to suggest they are in fact “cost-based.” Is it possible that there is this much variation in the cost incurred by a doctor’s office in releasing a patient’s record from state to state?
But the unfairness of these state regulations goes far beyond their inconsistency. The amount patients are required to pay for the service is proportional to the length of their medical records. Yet the length depends on a patient’s age and health — the younger and healthier you are, the shorter your medical record tends to be — but also on the doctor’s workflow and whether the office uses an electronic medical record system. These variables are almost entirely out of the patient’s control, and the result is a market that saddles some Americans with high barriers of access to information they have a legal right to obtain.
The second stage of Meaningful Use, the Department of Health and Human Service’s three-part subsidy program for incentivizing providers to adopt and utilize electronic medical record systems, focuses almost solely on the sharing of health encouraging interoperability and cooperation. It has been repeatedly shown that better information saves money and lives — medical errors currently contribute to over 200,000 (yes, thousand) deaths each year in the United States, and a dearth of information sharing is one cause of this tragedy. Policymakers realize this problem, and Meaningful Use and other programs have been tasked with kick-starting serious health information exchange (HIE) initiatives.
Meaningful Use has been integral in steering the previously paper-heavy health care system towards a digital future. Electronic medical record systems have been a polarizing topic in health care, but they offer yet another dimension to the debate surrounding the HIPAA Privacy Rule. In a system primarily run on paper, the cost to store and release a medical record depended largely on the length of that record — the number of pages one had to handle. In a digital system, the number of pages becomes an irrelevant and useless metric. Records are copied and released with a series of clicks, not page-by-page. If nothing else changes about the way medical records are made accessible to patients, policymakers should at least adapt regulation to more adequately fit the system’s current (and future) self.
But we can do better. Patients can be an important player in facilitating the exchange of health information, but the system inhibits access to their most basic health information. And for patients who stand to benefit most from increased data mobility, the barrier of entry is even higher — a relatively healthy individual might have a 50-page health record, but someone in need of lots of care or with a chronic condition will have a health record spanning hundreds of pages. Given the price dynamics of the record request market, these high-utilizers stand to be charged hundreds of dollars each time they request information from their providers. And that fee is for a single record request. We might say that patients have a right to their health information, but reality seems to offer a different impression.
I challenge policymakers to reconsider this aspect of the HIPAA Privacy Rule. Patient engagement with their medical information has incredible potential, and the first step to making that a reality is increasing the ease of access. Drop the fees — an exclusionary health care landscape doesn’t lead to better care. Better access to information might, though.
