With the backlash against HITECH following Ciox v. Azar, the issue is how individuals actually enforce their rights under HITECH when a medical provider or its business associate fails to comply. There is no private cause of action under Federal Law for individuals to pursue against these non-compliant entities. However, under section 13410(e) of the still enforceable HITECH Act of 2009, each State Attorney General is granted the authority to bring civil actions on behalf of residents who suffer violations of HIPAA. With these civil actions, the AG can obtain damages on behalf of the residents affected by these violations. HIPAA is enforced by the Office for Civil Rights (OCR); however, the AG cases are separate from the OCR enforcement and include causes of action for State Law violations, which means these cases can result in several fines and penalties for the HIPAA and State Law violations. The State Attorney General’s Office is required to provide notice to the OCR prior to bringing action and to include a copy of the complaint.
Typically, the Business Associate of a medical provider is the culprit in violating several patients’ rights at any given time. These Business Associates are the vendors that contract with the providers to handle the Release of Information. They typically make money from selling these records to the patients, the patients’ attorneys, insurance companies, etc. So, if you have a slew of patients whose records are being held hostage pending payment of an excessive, illegal fee for said records, check your state laws. Many states limit the cost of copies of records, and most of the state laws specifically give the Federal HIPAA law the authority on fees for electronic records. What this means is that the medical provider or its business associate is likely in violation of state and federal law if the fee is outside these statutory limits.
In addition, if a medical provider or its business associate is refusing to release records for any reason that is not a valid exception to the Patient Right of Access laws, whether it is withholding them pending payment, is simply non-responsive, or is creating unreasonable barriers to access to these records, the entity is in violation of both state and federal law. Almost every state has legislation requiring the release of records within a certain time frame, whether the entity received payment for a copy of those records or not. Again, this gives the state AG the means to enforce patient rights in a state action, and the OCR the means to enforce HIPAA separately and assess fines and penalties.
Several state AGs have already successfully taken action through Section 13410(e), going back to 2010, recovering damages and prompting OCR investigations and penalties. Connecticut, the first, obtained a settlement on behalf of 1.5 million people in the state against Health Net. In 2011, Vermont brought suit against Health Net, representing another 1.5 million impacted by HIPAA and State Law violations. In addition, cases have been brought in Indiana, Massachusetts (against Beth Israel, Boston Children’s, UMass, McLean), Minnesota, New York (against Rochester Medical Center, Aetna, Emblem Health), New Jersey, California (against Kaiser, Cottage Health System, Aetna, Anthem), Oregon and Utah (against Avalon Healthcare), Ohio, Pennsylvania, and Colorado.
Law firms and companies like ChartSquad are positioned to assist in seeking redress for these individuals impacted by this type of illegal activity. It is my goal to encourage patients to stand up for their federal and state civil rights and take a stand against these crimes. Access to health information is imperative for one’s health care. When medical providers and their vendors stand between an individual and access to their health information, the damage is to their health. As I sit here writing this article while infected with a vicious strain of COVID-19, I can tell you firsthand that without our health, we are not living, we are surviving. We all have the right to live.
Melanie Carpenter, ESQ
Special Counsel for ChartSquad