Healthcare Information Security

HIPAA and Compliance News

Alleged HIPAA Violations in Lawsuit Against D.C. Hospitals

A class-action lawsuit has been filed against MedStar Georgetown University Hospital and George Washington University Hospital for potential HIPAA violations related to patients being able to receive copies of their medical records.

Two hospitals accused of HIPAA violations in recent class action lawsuit

Four individuals claim they were asked to pay hundreds of dollars to get electronic copies of their records, which their lawsuit claims is a violation of Washington D.C. law and federal law. Both state that a “reasonable fee” may be charged for patients obtaining copies of their medical records.

“Defendants maintain patient medical records in electronic format, but they charge far more for copies that is allowed by law,” the lawsuit stated. “In response to Plaintiffs’ requests for their electronic records, Defendants billed them per-page rates and processing fees that are far in excess of the labor and supply costs of providing the copies.”

A third-party contractor, HealthPort, reportedly responded to the requests for medical record copies with invoices of $1,168 for one request and $1,558 for the other. The charges were for per-page copying fees, according to the lawsuit, as well as a “basic fee” of $22.88, and a shipping-and-handling fee of $16.38.

Specifically, HIPAA regulations state that “covered entities may impose reasonable, cost-based fees for the cost of copying and postage,” and that both individuals and their personal representatives are able to request patient right of access.

“The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed,” HHS states on its website. “If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information.”

According to the lawsuit, the “delivery fees” are not allowable charges. Specifically, “storing” electronic medical records are not considered “labor.” Therefore, there should not be per-copy page fees when there is in fact no labor required to copy each page.

“It does not require twice as much labor to provide a 100-page record as it does to provide a 50-page record, whether it is electronic or paper,” the lawsuit states. “It also does not require more labor to provide copies or online access to an individual’s attorney than to provide the same access to the individual.”

The move to electronic medical records has dramatically reduced the time and labor necessary to transfer records and give them to patients, the lawsuit added.

Patient PHI access, and the fees that typically come with it, has been an issue in other states recently as well. In August, HealthITSecurity.com reported on a proposed New Jersey bill that sought to make it easier for patients to gain access to their medical records.

Introduced on June 25, A-4611 would require that the maximum fee for producing a paper copy of a patient’s record would be $100, or a copying fee of no more than $0.50 per page plus an administrative fee of no more than $15, whichever is less. For an electronic copy, the bill proposes that the maximum fee would be $50 or the actual cost of reproducing the record, whichever is less.

Copies of medical records can become costly very quickly, and often times these are the patients that are already feeling the squeeze from mounting healthcare costs," stated Assemblyman Bob Andrzejczak, who introduced the legislation. "For patients that move or need to switch doctors, requesting copies of medical records can pose an unwanted burden. This change would give New Jersey patients some of the lowest medical record fees in the country."

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks