MEDICAL PROVIDERS AND THE COMMON ROADBLOCKS, DELAY TACTICS, AND EXCUSES AND HOW TO RESPOND
Melanie Carpenter, ESQ
Special Counsel, ChartSqad
September 28, 2023
It is so fun being a plaintiff's attorney, isn't it? When I say fun, I mean, you like having 3 battles at once right? Battling the defense counsel, the judge, and the medical providers (let's be honest, you can probably add your client on this list as well). Now, why are we fighting our client's medical providers? We need those medical records and bills, and they love to make it as difficult as possible.
The case is at a standstill until you have enough medical information to know the potential value of the case and move forward in settlement discussions. Even more so, if you are going to trial, you need ALL of the medical information. A significant amount of time is spent simply requesting records, following up on those requests, and dealing with the excuses, delay tactics, and road blocks the medical providers (or their Release of Information (ROI) vendor) creates.
I have spent years analyzing the ROI industry as a whole and uncovering the secrets, tricks, and tactics used by medical providers to avoid releasing a patient's records, or to earn a profit on the release of those records. Here I will expose the unreasonable tactics used that suck up your time and resources and provide the tips and tricks to winning the battle against the medical providers/ROI
Problem: Provider Sent Incomplete Records
You received records from a provider with specific treatment or dates of service you know must exist, or even better, you have a preoperative and post operative report but nothing on the actual operation. Or perhaps you have billing showing a slew of charges with no records to match that treatment or procedure. Retracting pages, reports, or specific treatment is common practice: intentional and unintentional. Providers will practice defensive medicine and remove any content they believe to be harmful. This is a blatant violation of HIPAA Patient Access Rights. The patient is entitled to a complete copy of the Designated Record Set which is defined in 45 CFR § 164.524(a).
Solutions
- When you request records, be sure to state that the ENTIRE Designated Record Set, not the "Legal Health Record" Is requested. The Legal Health Record is not a defined term in actual legislation; however, it is industry understood to exclude any personal health record (PHR) that is patient controlled, managed, and reported. Provider's ROI departments notoriously create their own definition or Interpretation of a rumored definition to create policies regarding the Legal Health Record. Avoid the confusion or procedural tactics and make sure your request is CLEAR you want the Entire Designated Record Set.
- Request an Audit Trail. Patients have a right to request an audit trail of their records. The audit trail will tell you every single person who touched the Electronic Medical Record System (EMR) and what action they took. The audit trail will show if pages were removed, or information was redacted. Now you have evidence to go back to the provider and show the records released were Incomplete. The documented history of the EMR also provides information as to who you may want to depose in connection with those records.
Problem: Unreasonable Measures
HIPAA provides a defined list of what Is considered an "unreasonable measure" In connection with releasing the patient's records. It is important to note the provider may require a written request from the patient and is permitted to verify the identity of the patient. 45 CFR 164.514(h). For example, the provider may require a driver's license or call the patient to validate the request that came from that patient. The provider cannot require verification of a patient's Identity in a manner that causes unreasonable barriers or delay in the release of records. So, the provider does have some discretion here as there is no rule on the type of verification permitted. The law does provide guidance on what is considered unreasonable.
Solutions
A provider may NOT Impose unreasonable measures on an Individual that serve as barriers to or unreasonably delay the individual from obtaining access to records. For example, a provider may NOT:
- Require a patient to physically come into the doctor's office to request access. It is unreasonable to require any person to physically present themselves in person to access their records. The provider also cannot require a patient to hire a copy service to come copy the records.
- Require a patient to provide proof of Identity In person. Similar to 1 above, a provider cannot require a patient to physically present themselves to prove their identity. There are a million reasons a person may not be able to actually go to the doctor's office.
- Require a patient to use a specific web portal to request records. Many providers have a web portal they offer to patients to make appointments, see limited records, and access lab results etcetera. These portals almost never have the full Designated Record Set. In addition, not every person Is tech savvy enough to be able to navigate a web portal. Further, under the 21st Century Cures Act, the patient has a right to choose their own Personal Health Record Portal and utilize one site to collect, review, share, or transfer their records. This right is not extinguished just because the provider prefers a certain web portal.
- Require that a request is mailed as opposed to electronically sent to the provider or mail records when the patient requests and electronic copy. The provider is bound to respond in the form and format the patient requests. So, if a patient asks for records to be emailed, the provider must email the records. I hear this excuse everyday: we are unable to send records via email. Whether they cannot attach a file that large or argue email is not a secure means of sending personal health information, they are wrong and it's time to educate. First, a zip folder solves your size Issues. Otherwise, there are several ways a provider can send a secure link to records stored in an EMR or portal. Second, email is far more secure than paper mail. With paper mail, the file can get lost by the courier, there is an unreasonable delay in the time it takes to get to the requestor, and several humans touch that personal health Information before It even lands in the hands of the recipient, which is a risk of exposure. With email, the worst-case scenario is the file is sent to spam. The likelihood of being hacked for medical records is quite laughable. In fact, the department of health and
human services have clarified that even If there Is a risk, the patient assumes the risk and waives It If they want those records via email. There is literally no excuse here.
Problem: Invalid Certificate of No Records
This is the most common delay tactic out there. You send a request for records, provide all the necessary information, and the provider responds with a letter stating no records exist. They do this because by law, they must respond in some manner so technically compliant. However, it's a flat out lie and extremely frustrating!
Solution
Start with your intake procedures. Ask your client for any documentation, text message, email, appointment confirmation, business card, anything showing they were at that facility. Your best weapon Is the medical record number. Often the billing department will send billing over, but the medical records department sends a CNR. If there are bills, there are records. I handle this by providing detailed information such as account numbers, doctors names and dates of service. If this does not yield results, encourage your client to call themselves. There is nothing more powerful than the patient calling to say I demand access to my records It Is my civil right under Federal Law.
In any situation where a provider is violating HIPAA and the Patient Right to Access records, you do have the option to report the violation to the Office for Civil Rights, the agency that regulates HIPAA. Keep In mind however, the patient has rights, the law firm does not. The patient needs to be actively involved in the complaint process for this to work. If your firm Is requesting records on behalf of the patient, it Is a third-party request. Any complaints in connection with total lack of response or flat refusal to send records are a violation of HIPAA and should absolutely be reported.
In closing, there are many barriers to obtaining the records you need. The more aware you are of these barriers, the better prepared you are to fight through them or remove them altogether. Without records, you have no case. It's one of the greatest pain points to any civil practice, so learning how the other side plays will be instrumental In Improving results and getting your hands on those much-needed records as soon as possible.