Skip to Main Content

The already beleaguered U.S. health care system is facing a new and costly threat that will affect patient care and ultimately may lead to hospital closures: paying for and processing a torrent of medical record requests.

While the news media in 2022 focused on hospitals’ billions of dollars of losses, negative operating margins, and other daunting post-pandemic challenges, a set of costly modifications to the HIPAA Privacy Rule proposed by the Department of Health and Human Services mostly flew under the radar.

These modifications were outlined in a “Notice of Proposed Rule Making” on Jan. 21, 2021. But it was not a priority until very recently, when HHS announced plans to finalize this rule in March 2023. Between January 2021 and now, HHS didn’t focus on the modifications, which had already sat for several years. If HHS can continuously shelve this issue while it focuses on other priorities, it begs the question “Why force it through now?”


HHS says the proposed rule change aims to improve the sharing of health information while easing unnecessary administrative burdens on health care providers and reducing costs for them. But as a health information management professional with three decades of experience, I’m certain this rule change will do the exact opposite.

HHS’s proposal calls for several changes to HIPAA, formally known as the Health Insurance Portability and Accountability Act of 1996, which aimed to standardize health care transactions to protect individual’s health information.


None of the changes would be as problematic as upending the operational and financial model for releasing patients’ medical information to third-party requestors such as law firms and insurance companies. These requests generally come at low or no cost to health care providers and patients, as they are essentially subsidized by the fees the requestors pay to access medical records for commercial purposes. But the provision would drastically lower the fees third parties pay to obtain these records.

Currently, almost 80% of hospitals and other providers outsource record requests to trained professionals who work for release of information to companies.

Unfettered by higher fees for accessing protected patient records, the new rule would dramatically empower commercial third-party requestors to ask for as many records as they wish. The proposed rule would also mean that hospitals and other health care providers would have to figure out how to make up for these lower fees to comply with federally mandated requirements. This unfunded mandate would also supersede state laws that regulate the fees that commercial third-party requestors must pay.

A study by Hemming Morse, a forensic and financial consulting firm, found that this would cost providers in excess of $1 billion annually. For most hospitals, especially community-based facilities in more rural areas, any incremental, unplanned expense could be catastrophic. Yet the reality is that most are largely unaware that the cost for this service is about to shift to their balance sheets because of the proposed change. I’m willing to bet the vast majority of hospital executives haven’t factored this expense into their 2023 budgets.

It’s also highly likely that record requests will increase because of the policy change. Increased requests lead to insurmountable challenges for already overworked health information management staff and longer processing times for everyone involved. In my experience working for a conglomerate of hospitals, I saw how a single audit by an insurance company can lead to thousands of record requests, temporarily overwhelming a hospital’s records department.

A hospital with thousands of beds could suddenly have hundreds of thousands of patient record requests that it will have to process and pay for, and those resources must come from somewhere. Hospitals may need to sacrifice patient care, curtailing community outreach programs or forgoing the purchase of lifesaving technology.

There is a level of specialized knowledge required to properly scrub a medical record for sensitive or irrelevant information before it is released to ensure HIPAA compliance.

When records are not properly scrubbed, hospitals and providers get reprimanded — or fined — by HHS’s Office of Civil Rights. An unmanageable demand for record releases, limited and untrained staff, and no planned budget is a recipe for mistakes and privacy horror stories, especially when sensitive information pertaining to sexual abuse, HIV status, substance use, or reproductive health is at stake.

Instead of improving access and protecting privacy, the proposed change will compromise patient privacy, creating a system whereby patient information becomes more easily accessible and vulnerable than ever before.

There is no plausible reason to finalize the draft regulation. Lawmakers must understand this policy change from the perspective of the hospital administrators and health information technology professionals working to process these requests and protect patient privacy.

The solution is simple: HHS must retract the Notice of Proposed Rule Making provision that would cause the catastrophic billion-dollar annual cost shift. It is a prime example of federal overreach that will foist an extremely unnecessary operational and financial crisis on already stressed hospitals and health care providers.

Let’s not create a crisis in patient access to — and privacy of — their protected health information. HHS has not offered an explanation as to how the change will actually help the industry or patients. In fact, if it fully understood the implications for our nation’s hospitals, I am confident it wouldn’t push this new rule forward as it’s currently written.

I encourage hospital administrators to act urgently to tell lawmakers the policy change is neither feasible nor beneficial for patients or the health care industry.

Angie Comfort is a health information management professional with more than 30 years of experience and a longtime member of the American Health Information Management Association and the Association of Clinical Documentation Integrity Specialists.

Create a display name to comment

This name will appear with your comment