An Open Letter to the People Who Brought Us HIPAA (thehealthcareblog.com)
21 points by pfletcherhill on Jan 14, 2015 | 8 comments



Worth pointing out that HIPAA/HITECH[1] explicitly states that the fee can only include:

  Page 107: "covered entity may impose a reasonable, cost-based fee"

 - the cost of labor of copying (*not* the time spent gathering the record)
 - cost of materials used (paper, toner, CDs)
 - postage (if requested to be mailed)
 - preparation of a summary (if requested by the patient)

Section 2i (effective as of Sept 2013) of that same page says an institution must provide the record in an electronic format specified by the patient if it is readily reproducible. That's part of what we are banking on with Prime[2].

It seems many hospitals and clinics are overcharging in the former case and most have not yet had a lot of exposure to the latter. (Which should necessarily reduce cost, because time and media costs are lower with digital.)

[1] PDF: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined...

[2] https://stayinyourprime.com


So, if I understand Section 2i correctly, combined with your quoting of Page 107, the cost of retrieving one's medical record data from the electronic system is legally set to exactly $0.00, and this article has completely missed the boat?


Definitely not a lawyer but it seems that way to me.

Also a lot of the state laws seem to "allow" fees that are blatantly disallowed. (Alabama, search fee of $5; Arkansas, Retrieval fee for offsite records; California, clerical costs in locating...)

Page 14 of HITECH outlines precedence over state laws. It usually sides with the individual (it defers to state law when state law gives more privacy/access rights). On fees, the Q&A period that preceded the finalization of HITECH explicitly disallows retrieval fees and has more explanation on what constitutes "reasonable fees".

The "RFC" [1] says on pages 70-71 of the PDF:

"With respect to providing a copy (or summary or explanation) of protected health information from an EHR in electronic form, however, section 13405(e)(2) of the HITECH Act provides that a covered entity may not charge more than its labor costs in responding to the request for the copy."

And (emphasis mine):

"While we did not propose more detailed considerations for this factor within the regulatory text, we retained all prior interpretations of labor with respect to paper copies—that is, that the labor cost of copying may not include the costs associated with searching for and retrieving the requested information. With respect to electronic copies, we asserted that a reasonable cost-based fee includes costs attributable to the labor involved to review the access request and to produce the electronic copy, which we expected would be negligible."

And in response to comments (re: Electronic):

"We clarify that labor costs included in a reasonable cost-based fee could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media, and distributing the media."

Also:

"...in this final rule we clarify that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs). This interpretation will ensure that the fee requirements for electronic access are consistent with the requirements for hard copies, which do not allow retrieval fees for locating the data."

Finally, delineating costs when state law has something to say:

"When a State law provides a limit on the fee that a covered entity may charge for a copy of protected health information, this is relevant in determining whether a covered entity's fee is "reasonable" under § 164.524(c)(4). A covered entity's fee must be both reasonable and cost-based. For example, if a State permits a charge of 25 cents per page, but a covered entity is able to provide an electronic copy at a cost of five cents per page, then the covered entity may not charge more than five cents per page (since that is the reasonable and cost-based amount). Similarly, if a covered entity's cost is 30 cents per page but the State law limits the covered entity's charge to 25 cents per page, then the covered entity may not charge more than 25 cents per page (since charging 30 cents per page would be the cost-based amount, but would not be reasonable in light of the State law)."

All that together implies to me that HITECH would overrule all allowances for search/retrieval/other fees specified by state laws to zero.

[1] https://www.federalregister.gov/articles/2013/01/25/2013-010...


I don't see any details about security on your app's homepage [1]. Not even the word 'security' exists. Just a privacy policy.

[1] stayinyourprime.com


Link is under "Menu" -> "Security & Privacy" https://stayinyourprime.com/security

Brief technical outline (not on that page, as most people don't "care"):

 - SSL for all API endpoints
 - No data stored on the phone (unless you send to Health)
 - No credentials stored on server (without special case explicit permission)
 - Data at rest stored encrypted - but we have the keys
 - Automatic security updates nightly, faster for events such as Heartbleed: https://twitter.com/stayinyourprime/status/45370574409788211...
 - Threat monitoring software on all production servers and periodic vulnerability scans.


My notes on the sad state of healthcare data integration[1]. This issue of patient access to their own records in electronic format kind of falls in the general category of electronic data access and data integration. In short, you'd be lucky to get your provider to print your records, let alone save them as PDF, let alone export them in a machine-readable fashion. The only change I see on the horizon is entirely consumer driven, with the advent of better and more interesting consumer-focused health/lifestyle devices and apps. Once the consumer becomes savvy, industry EMR providers will follow.

[1] http://siculars.posthaven.com/health-data-integration-regula...


I was wondering what happens to your medical records if your doctor dies. It turns out there are no hard-set rules--that I was able to find. Yes--you have a trail of prescriptions, and if you paid with insurance I guess you can prove you took/need certain medications? The problem arises if you see a doctor and pay cash. It looks like the only way to gain access to your records is going through probate court. Even then, the executor is not required to look for your records. Who knows where the medical records end up; I imagine most times they end up in the garbage? Am I right? If I got this wrong, please correct me.


A dead doctor (or lawyer) doesn't mean that his/her practice is dead. That legal entity carries on. The local medical board will have rules regarding the disposition of patient records. In all likelihood the dead doctor's practice will be taken over and/or merged into an existing practice. In a worst-case scenario (solo doc, no staff, small town) the records would probably be returned to patients.

Any responsible doctor/practice/hospital will have life insurance to cover expenses resulting from the death of a senior employee such as a doctor. It may even be bundled into the doc's malpractice insurance.

Executors execute wills. They are responsible for the disposition of the dead's assets, not the continued care of patients.

You don't need to prove that you "need" any prescription. If your doc dies, your current prescription is still in effect. When it comes time to renew you need to find another doctor. You don't get to carry on with a prescription forever without medical supervision just because the original doc is dead. It is not up to the patient to decide what they "need" when it comes to prescriptions. Input yes, but the decision as to need is the responsibility of the doctor.



