On December 11, 2019, I joined my colleague Danielle Wesley, Esq., Vice President and General Counsel, to present the fourth and final installment of MRO’s PHI Disclosure Management Webinar Series. In this webinar titled “Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope,” we reviewed trends and national efforts underway, discussed how the health system is impacted and formulated tactics to combat the confusion.

Patient-Directed Request Trends

The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding more clarification for healthcare provider organizations, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in mounting challenges for healthcare providers. Recently, we have begun to see the following trends:

• Attorneys and other third parties have increased the number of “patient-directed” requests and are using the records for their own for-profit activities—such as litigation or data sharing/selling.
• Such requests demand that records be sent directly to the third party but be billed at the patient rate under the HITECH Act.
• Use of the phrase “any and all” has led to a rise in page count per request. This phrase is used as an attempt to receive all PHI regarding a patient, not just the specific encounters or visits that are relevant to the litigation.
• An increase in the submission of meritless complaints to release of information companies such as MRO, their clients, and the OCR has resulted in more time and effort to respond to baseless complaints, which ultimately generates greater operational costs.

These trends are concerning for release of information companies and their clients because attorneys and record retrieval companies are able to obtain large volumes of essentially unrestricted, unregulated PHI at lower fees by using generic, template forms. Furthermore, patients are unaware of the risks associated with the documents they are signing and are not actually providing “informed consent.” Such risks include:

• No acknowledgement of HIPAA rights
• No expiration date, allowing third parties to copy and use the “patient-directed” request letter indefinitely
• No restriction on sensitive information regarding HIV, sexually transmitted diseases, psychotherapy notes, substance abuse and more

Health System Impacts

As the misuse of patient-directed requests grows, so does the impact across health system departments. Not only does this issue directly affect the Health Information Management (HIM) department, it also affects the Compliance and Legal/Risk Management departments.

HIM departments must mitigate patient privacy risks while managing an increase in volume, workload, costs and staffing.

Compliance departments are concerned about OCR incrimination, which results in knee-jerk responses versus well-informed actions. There is also a lack of time and resources to appropriately push back on meritless attorney complaints and threats.

Legal and Risk Management departments face OCR complaints and outside attorney pressure, and lack understanding of the steps and costs required to fulfill requests for medical records. For all parties involved, proper training is needed to mitigate risk and take appropriate action in response to attorney requests and patient-directed requests.

PHI Disclosure Management: Recommendations for Organizations

All health systems and organizations should have a plan in place to combat attorney misuse of patient-directed requests. Here are four simple, yet effective tactics:

• Provide HIPAA training and education throughout your organization, particularly focused on patient access and patient privacy. Include departments such as HIM, Legal, Compliance, Risk Management, Finance, etc.
• Recognize this as a long-term problem that cannot be resolved effectively by short-term solutions. Consistency is essential, begin by understanding your responsibilities set forth in your organization’s HIPAA compliant Notice of Privacy Practices.
• Don’t be afraid to push back. Engage with the OCR whenever possible since it is critical that they hear from your organization directly. MRO’s most successful clients have taken a strong stance for their patients and against third parties misusing patient access.
• Contact your representatives and senators to share your concerns regarding misuse and abuse of patient-directed requests from attorneys, record retrieval companies and other third parties. Specifically, contact members of the Health, Education, Labor and Pensions (HELP) Committee.

Continuing Education for the Misuse of Patient-Directed Requests

As we begin the New Year, Danielle and I will continue to educate our client base by hosting webinars, publishing additional content and visiting Capitol Hill alongside other industry experts. Stay connected and view the latest updates by following us on our social media platforms.

To learn more about the misuse of patient-directed record requests, fill out the form below to receive a copy of this webinar.