CLIENT ALERT: Changes to HIPAA Rules on Charging for Patient Records

Published On: March 2, 2020

Covered entities are no longer required to limit the fees they charge when sending records to a third party, according to a recent decision by the U.S. District Court for the District of Columbia.  The decision declared that portions of regulations and guidance documents issued by the Office for Civil Rights (OCR), the agency responsible for issuing and enforcing the HIPAA Rules, were unlawful in that they required covered entities to charge the same limited, cost-based fee whether a patient requested their records for their own use or directed the covered entity to send their records to a third party.  Depending upon the fees permitted under state law, a covered entity may now be permitted to charge per-page fees and/or record search fees when a patient requests that their records be sent to their lawyer, life insurance company or other third party.

To help health centers understand how the recent decision could affect their record release practices, we provide a brief background on the relevant HIPAA regulations and guidance at issue, a summary of the court’s findings and suggested next steps.

Patient Record Requests under HIPAA

At issue in the case were the HIPAA regulations and a guidance document on patients’ right to access their medical records.  Below is a brief summary of the relevant regulations, laws and guidance documents:

2000: The HIPAA Privacy Rule established an individual’s right to access protected health information (PHI) maintained in a covered entity’s designated record set.[1] The HIPAA Privacy Rule established the fees covered entities could charge for providing patients with their records, as well as the process for patients to request records, as described below:

  • When a patient requested a copy of their record, covered entities were limited to charging only a reasonable, cost-based fee (referred to as the “Patient Rate” in the recent court decision and in this posting). Covered entities could require patients to request their records in writing, if the covered entity informed patients of the requirement.
  • When a patient requested a copy of their records be sent to a third party (referred to as a “third party directive”), covered entities were not limited in the fees they could charge. Patients were required to complete a valid HIPAA authorization to release their records to a third party.[2]

2009: In the Health Information Technology for Economic and Clinical Health (HITECH) Act, Congress provided that patients had a right to obtain their electronic health records and to direct a covered entity to transmit their electronic health records to a third party without the need for a valid HIPAA authorization.  The HITECH Act also limited the fee a covered entity could charge for delivering electronic health records.

2013: In the Omnibus Rule[3], OCR expanded the third party directive established by the HITECH Act to include requests for records in any format, not just electronic health records.  The Omnibus Rule also amended the reasonable, cost-based fee permitted under the Patient Rate.

2016: In Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (hereinafter the “2016 Guidance”), OCR stated that covered entities were required to limit charges for third party directives to the Patient Rate.

Challenges to the Omnibus Rule and the 2016 Guidance

Ciox Health, a medical records retrieval company, built its business model upon an industry understanding that the Privacy Rule permitted covered entities (and their business associates) to charge more than the Patient Rate when releasing records to third parties.  The changes to the fees and format for record releases under the Omnibus Rule and the 2016 Guidance caused Ciox Health and other medical records companies to lose millions of dollars in revenue.

In 2018, Ciox Health filed suit against OCR.  Ciox Health challenged the portions of the Omnibus Rule in which OCR required covered entities to disclose records to third parties in any format, instead of limiting the requirement to electronic health records only, as established by the HITECH Act.  Ciox Health also challenged OCR’s application of the Patient Rate to third party directives in the 2016 Guidance.[4]

In Ciox Health, LLC v. Azar, et al., the court found that OCR exceeded its authority in requiring providers to deliver an individual’s PHI to third parties regardless of whether the information is in an electronic health record.  The court also found that OCR inappropriately expanded the Patient Rate by applying it to third party directives.  According to the court, such changes should go through a notice and comment period.  The court declared unlawful and vacated: (1) the requirement under the Omnibus Rule that covered entities deliver PHI to third parties regardless of format and (2) the expansion of the Patient Rate under the 2016 Guidance.

Following the decision, OCR posted a notice about the decision.  OCR also updated several pages on its website with a heading about the decision; however, OCR has not indicated whether it intends to propose new regulations, revise the 2016 Guidance, or create additional guidance documents.

Next Steps for Health Centers

Health centers responding to patient record requests internally or contracting with a medical records vendor to respond to patient record requests should consider the following steps to ensure compliance with HIPAA’s right of access provisions:

  1. Review your health center’s policies and procedures related to patients’ right to request access to their PHI, as well as your health center’s Notice of Privacy Practices. These documents may need to be updated to distinguish the process for a patient to request a copy of their records versus requesting their records to be sent to a third party.  If your health center uses a medical records vendor, provide your vendor with a copy of your health center’s updated policy and procedure and/or request a copy of their updated policy and procedure.
  2. Review your state laws and regulations related to permitted fees for record requests. While some states allow per-page charges and search fees, which may now be applied to third party directives, other states prohibit such charges.  If your health center changes the fees it charges for third party requests, ensure that the updated fee schedules are available to patients.
  3. Expect an increase in patients requesting their records. Patients may recognize (or be advised) that, in order to avoid higher fees charged for third party requests, they should request a copy of their record themselves and then deliver it to the third party.  As such, health centers may see an increase in patients requesting their records.  Health centers should ensure they meet the timeline requirements in responding to such requests under 45 CFR § 164.524(b)(2).
  4. Keep an eye out for additional action and updates from OCR. As next steps, OCR could issue revised guidance or regulations on patient access, either as separate actions or as part of the upcoming changes to the HIPAA Privacy and Enforcement Rules.[5]

Questions? If you have questions about this Client Alert or other matters, please contact Dianne Pledgie, or call FTLF at (202) 466-8960.


[1] There are certain exceptions to a patient’s right to access PHI, described in detail at 45 CFR § 164.524(a).

[2] The requirements for a valid authorization are described at 45 CFR § 164.508(b).

[3] The full name of the 2013 Omnibus Rule is “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”

[4] Ciox Health also challenged the types of labor costs included in the Patient Rate and the alternative methods for calculating the Patient Rate. The court found that the explanation of labor costs included in the Patient Rate, as detailed in the 2016 Guidance, is an interpretative rule that is not subject to notice and comment.  The court also found that the alternative methods for calculating the Patient Rate are not reviewable final agency action.

[5] For information on the Notice of Proposed Rule Making on HIPAA Privacy: Changes To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, see: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=0945-AA00.  For information on the Notice of Proposed Rule Making on HIPAA Enforcement Rule: Annual Penalty Limits and Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, see https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201910&RIN=0945-AA04.