New Lawsuits and Legal Issues in Health IT Related to Patient Data

Legal Issues

There are an increasing number of lawsuits and legal issues impacting the health information technology marketplace. Here are highlights on just a few related to the storage of and/or access to patient data:


Limiting the Chargeable Amount for Copying/Transferring Medical Records

Ciox Health, a healthcare technology company that assists providers with medical records requests, filed a lawsuit against the Department of Health and Human Services (HHS) to prevent the agency from enforcing portions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that limit the amount providers can charge for copying and transmitting electronic patient records. This lawsuit is focused peripherally on the EHR Access Rule, 42 C.F.R. § 164.524.

There are many nuances to this suit, but the bottom line is that Ciox Health claims there are unfair regulations on the amount allowed to charge when copying and transferring electronic protected health information (ePHI) to third-party commercial businesses like law firms or life insurance companies. The HHS guidance from 2016 requires a limit on the charges to a “reasonable cost-based fee.” HHS outlined three ways covered entities could charge a fee: actual labor costs, average labor costs, or a flat fee of $6.50. Ciox Health says the fee schedule isn’t based at all on the actual costs of the work involved.


More False Claim Lawsuits Against EHR Vendors?

In other legal news, the HHS Office of the Inspector General (OIG) also has scheduled a new audit of Medicare EHR incentive payments after identifying $729 million in inappropriate payments made through the program over the last 6 years. The focus is to investigate EHR vendors that are skirting meaningful use requirements to obtain Medicare incentive payments. OIG senior counsel said the agency will “vigilantly” investigate EHR vendors that compromise patient safety or trigger false claims through the EHR incentive program.

This audit comes on the heels of news that software company eClinicalWorks paid $155 million to resolve allegations from the Justice Department that it falsely certified its EHR software.


The GDPR Goes into Effect in Europe on 05/25/18

Meanwhile in Europe, the General Data Protection Regulation (GDPR) is planned to go into effect on May 25, 2018. GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The new program can impose fines up to four percent of global annual profits, or $23.5 million, whichever is greater, to all organizations that collect, store and transmit the following types of data: name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

The GDPR stretches globally as it applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. This new program is interesting as it applies to all industries, while to date data privacy laws within the United States are sector specific.


There are undoubtedly many legal issues to consider and monitor in the data management space. At Harmony Healthcare IT, we keep up to date on these issues. We’re in the business of helping healthcare providers shore up disparate data sources and put a strong legacy data management strategy into place. We often see healthcare providers with 30-40+ outdated legacy systems that are cumbersome at best, and at worst, are sitting ducks for legal or technical problems, including cyberattack.

Is your organization doing everything necessary to safeguard ePHI, HR and ERP data? Are you plagued by a multitude of legacy data applications in various states of use and usefulness?

We can help.

Click here to download our legal focus white paper. It covers specific information about:

  • Mitigating Legal Risks – Being prepared for litigation and audit eDiscovery.
  • Retaining Data and Replacing Systems – What to save and the issues that may arise.
  • Governing Data with Technology – Creating a plan with a cross-functional team and technology.

Better yet, reach out to our team to start a conversation about your organization’s specific needs.

As we are seeing time and time again — it is better to be proactive than reactive.

Feb 02 2018
