Trial Magazine
Theme Article
Unlocking Low-Cost Medical Records
New regulations can be used to ensure your clients do not pay high fees to access their electronic health information.
February 2021
For over seven years,1 patients have enjoyed the right to obtain low-cost copies of their electronic medical records.2 This right to low-cost records was initially provided under the Health Information Technology for Economic and Clinical Health (HITECH) Act.3 In 2016, Congress reaffirmed this right, passing the 21st Century Cures Act (Cures Act) to make the flow of medical records among patients and health care providers, developers, exchanges, and networks simpler, cheaper, and faster.4
But access to low-cost records has recently come under attack in courts by businesses that, for years, have been reaping windfall profits by selling patients their own records. In Ciox Health LLC v. Azar, the District of D.C. vacated a HITECH regulation (45 C.F.R. §164.524(c)(4)) that allowed patients to receive low-cost medical records even when they designate another person to receive their records.5
Several months later, the Department of Health and Human Services, Office of the National Coordinator of Health Care Technology (ONC) finally issued regulations enforcing the Cures Act. These regulations provide that an individual or entity that interferes with patients’ access, exchange, or use of their electronic health information (EHI) will be subject to penalties for “information blocking.”6 They also reinstate the patient’s right to designate a third party to receive the records at no cost—essentially undoing the ruling in Ciox.
As the Cures Act regulations go into effect on April 5, 2021, here’s what you need to know to obtain no- or low-cost electronic medical records and to overcome defendants’ objections.
Accessing EHI
You now can offer clients several possible approaches for requesting their records.
Records request letters. Your clients can send a letter to health care providers requesting that their records be placed online in a patient portal—either their portal or a portal maintained for the client’s personal representative or another person designated to receive the records. The patient can specify who will have access to the portal (the patient, their attorneys, any other third party). Under HIPAA regulations, providers have 30 days to comply with requests, though some states have laws setting a shorter timeframe—for example, in Washington state the deadline is 15 working days.7
Many health care providers or their business associates—such as health care data management companies like Ciox—have been providing records by this method in recent years. You can expect the usual resistance from health care providers and other actors intent on profiting from medical records, but the ONC is more likely to levy civil money penalties for violations of the new Cures Act regulations.
The letter should be similar to a records request letter under HIPAA regulations; however, it should instruct the health care provider to provide the records through an online portal, and the record recipient’s address and email address should be included in the letter. After the records are uploaded, the patient can download them using a predetermined password.
Online apps. Your client also can order their EHI using an online app accessible by computer or smartphone. These “patient-facing”8 apps differ from an online portal because only the patient can receive the records, which he or she can forward to others using the app. The client must select and purchase an app9 and then request records by filling out and digitally signing a standard form. The app may incorporate a photograph of the client’s driver’s license as verification of identity. In some cases, the app may already be registered with health care providers. If not, the app usually will seek to add new providers to its service. The advantage of patient-facing apps is that patients have greater control over their health care records.
Combatting Information Blocking
Now that most health care providers have electronic records, there is no excuse for delaying delivery or limiting the types of records they will provide. There’s also no excuse for charging high prices for medical records or otherwise “blocking” patients from receiving their records. Under the Cures Act, these activities are called information blocking—defined as “a practice that . . . is likely to interfere with access, exchange, or use of electronic health information.”10 An actor—a health care provider, a health information network or exchange, or a health IT developer—that charges a fee for a patient, their representative, or their designee to access, exchange, or use the patient’s EHI will be inherently suspect if the fee is reviewed to determine whether it constitutes information blocking.11
If your client is charged a fee for accessing EHI, file a complaint with the ONC using the agency’s online form.12 The form lists detailed questions to answer and allows you to attach supporting documents. If you file a complaint, provide thorough documentation—the better your claim is supported by evidence, the more likely it is that the agency will act on it. Should the ONC find that fees were charged in violation of the Cures Act, monetary fines may be applicable.13
Overcoming Defenses
The Cures Act lists eight exceptions that are defenses to claims of high fees and information blocking.14 Four of these exceptions apply to procedures for fulfilling requests to access, exchange, or use EHI—and the two discussed below are the ones attorneys or their clients will most likely use to obtain records.15
The ‘fees’ exception. Most relevant to attorneys and their clients is the fees exception, which allows actors to charge fees that create a reasonable profit and do not implicate information blocking. The fees exception lists acts that, when violated, are subject to an information blocking complaint.16 First, the fees exception does not apply to a “fee prohibited by 45 C.F.R. §164.524(c)(4)”—the reasonable cost-based fee provision of the HIPAA regulations that has been in effect for electronic records since 2013.17 It’s important to remind defendants that the HIPAA rules have not been displaced by the Cures Act and that they are still active and enforceable.18 Under the Cures Act, the HIPAA regulations represent an upper limit to fees that can be charged for electronic records.19
Second, the fees exception does not apply to “a fee based in any part on the electronic access of an individual’s EHI by the individual, their personal representative, or another person or entity designated by the individual.”20 In other words, under the regulations adopted to enforce the Cures Act, no fee can be charged for a patient’s “electronic access” to EHI. This provision reinstates the third-party directive vacated in Ciox where the court found that the HIPAA third-party directive regulation was invalid because it was not submitted to a notice-and-comment period as required by the Administrative Procedures Act.21 The Cures Act regulations underwent a notice-and-comment period and now reinstate a third-party designee’s right to no-cost EHI.
The ‘content and manner’ exception. This defense to information blocking applies to a standard called the United States Core Data for Interoperability (USCDI), which covers health care information data.22 The USCDI lists classes of data that must be produced in response to a patient’s request, establishing a minimum requirement for EHI. It requires that EHI include clinical notes, laboratory notes and results, medications, and other types of data that can be viewed online.23
One class of data—“provenance” data—refers to metadata or information that can help answer questions such as who created the data and when. Provenance data includes information that is required to be contained in audit trails or audit logs—a typical audit log must include who made the record, when the service was provided, what was done, where the data was entered, and why the patient received the care. Reference this category in any complaint when the audit log or audit trail was not produced.24
Defining ‘electronic access.’ The term “electronic access”25 is defined as “an internet-based method that makes [EHI] available at the time the [EHI] is requested and where no manual effort is required to fulfill the request.”26 Electronic access begins “at the time the [EHI] is requested,” which is when patients or their designees download EHI from the health care provider’s or business associate’s online portal.
That download does not involve manual effort from the health care provider or business associate and therefore complies with the no-fee provisions of 45 C.F.R. §171.302(b)(2). This no-fee provision applies to online methods of supplying records, including smartphone apps, application programming interfaces, patient portals, or other internet means, such as email or cloud computing.27
The undefined terms in the definition of “electronic access” have been exploited by business associates. For example, in Ciox, the defendant challenged the no-fee provision of §171.302(b)(2) by focusing on the phrase “where no manual effort is required to fulfill the request.” In a letter explaining why the patient had to pay high costs for their records, the defendant concluded that the no-fee provision does not apply to requests that are fulfilled with any degree of manual labor.28 However, various health care provider or business associate actions—including verifying, retrieving, and searching records—are costs that cannot be charged to the patient under HIPAA or Cures Act regulations. Remind health care providers and their associates that these costs should not be considered in a patient’s request for EHI under the Cures Act because they do not meet the definition of electronic access.29
Anticipate the need to challenge any practices by defendants and third parties that interfere with the right to obtain no- or low-cost EHI. Though we won’t know the scope of Cures Act regulation enforcement until after April 5, 2021—when the ONC will be able to begin issuing decision letters in response to complaints—remember that filing a complaint benefits all patients who want a copy of their EHI. A regulation that is not enforced does not exist.
Roger J. Leslie is the founder of the Law Office of Roger J. Leslie in Seattle and can be reached at roger@cmglaw.com.
Notes
1. The compliance date for Health Insurance Portability and Accountability Act (HIPAA) regulations based on the Health Information Technology for Economic and Clinical Health (HITECH) Act was Sept. 23, 2013. See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566 (Jan. 25, 2013), https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
2. Electronic medical records are referred to as electronic health records (EHI) in the 21st Century Cures Act. EHI includes but is not limited to terms used in the HIPAA regulations. The HIPAA regulations use the term ePHI, which stands for electronic protected health information. The enthusiasm for low-cost access to these records is fueled by the broad adoption of electronic health records by health care providers. In 2017, 96% of acute care hospitals and 79.7% of office-based physicians in the United States possessed certified electronic health records. See Off. of the Nat’l Coordinator for Health Info. Tech. (ONC), Quick Stats, June 17, 2019, https://dashboard.healthit.gov/quickstats/quickstats.php; ONC, Office-based Physician Electronic Health Record Adoption, 2017, https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php.
3. The HITECH Act modified HIPAA regulations to provide for access to low-cost electronic medical records. See 42 U.S.C. §17935(e) (West 2020), 45 C.F.R. §164.524(c)(4) (2020).
4. 45 C.F.R. §§170, 171 (2020); see Jonathan H. Lomurro, Jennifer L. Keel, & Nursine Jackson, Cures for Barriers to Electronic Health Records, Trial, Apr. 2019, at 44. In fact, one often-repeated promise from the Office of the National Coordinator of Health Information Technology, the agency charged with enforcement of these Cures Act provisions, is that under the Cures Act, EHI belongs to patients. See Elec. Health Rep., CMS Administrator Seema Verma at HIMSS19: “The Data Belongs to the Patient,” Feb. 13, 2019, https://tinyurl.com/y78knpw5.
5. Ciox Health, LLC v. Azar, 435 F. Supp. 3d 30 (D.D.C. 2020); 42 U.S.C. §17935 (West 2020).
6. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25,642 (May 1, 2020); Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID–19 Public Health Emergency, 85 Fed. Reg. 70,064 (Nov. 4, 2020).
7. For the 30-day deadline under HIPAA, see 45 C.F.R. §164.524(b)(2) (2020); for Washington state’s 15-working-days deadline, see Wash. Rev. Code §70.02.080 (West 2020).
8. The ONC labels these applications as patient-facing apps or patient-facing application programming interfaces (API). See, e.g., 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25,642, at 25,644, 25,742, 25,764, 25,905.
9. Health app providers can be found online. Two examples are the Apple Health app (https://support.apple.com/en-us/HT208680) and the SyncMD app (https://syncmd.com/pro).
10. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25,642, 25,956 (May 1, 2020).
11. Id. at 25,792.
12. The ONC’s online complaint form can be accessed at https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6. A regulation enacted pursuant to the Cures Act, 45 C.F.R. §171.302(b)(2) (2020), makes charging any fee for electronic access suspect, at the least.
13. 42 U.S.C. §300jj-52(b)(2) (West 2020).
14. ONC, Cures Act Final Rule: Information Blocking Exceptions, https://www.healthit.gov/cures/sites/default/files/cures/2020-03/InformationBlockingExceptions.pdf.
15. 45 C.F.R. §171.302(b) includes four subsections: §§171.302(b)(1) and (2) are described in this article, while §§171.302(b)(3) and (4) prohibit charging a fee for exporting or converting electronic records that are certified.
16. 45 C.F.R. §171.302(b) lists conditions that are not defenses to information blocking.
17. 45 C.F.R. §171.302(b)(1).
18. Though the court in Ciox vacated HIPAA rules, it specifically indicated that it was not making a decision about the validity of the HITECH Act. See Ciox Health, LLC, 435 F. Supp. 3d at 67–68.
19. 45 C.F.R. §171.302(b)(1) prohibits violation of the HIPAA regulation that incorporates the HITECH Act’s reasonable cost-based fee requirement. As an upper limit, a patient cannot be charged more than the HIPAA regulations currently allow.
20. 45 C.F.R. §171.302(b)(2) (2020).
21. Ciox Health, LLC, 435 F. Supp. 3d 30.
22. 45 C.F.R. §171.301(a)(1) (2020).
23. See ONC, United States Core Data for Interoperability (USCDI), https://inquiry.healthit.gov/support/plugins/servlet/desk. The requirement to produce audit logs is included by reference in the Cures Act.
24. 45 C.F.R. §170.299 (2020); ASTM e2147-18; Lomurro, Keel, & Jackson, supra note 4.
25. See 45 C.F.R. §171.302(b)(2) (2020).
26. 45 C.F.R. §171.302(d) (2020).
27. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. at 25,886–25,887.
28. See Letter from Ciox Health, LLC, on fee provisions at 45 C.F.R. §171.302 (on file with author).
29. Id.