On January 28, 2020, the US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued an important notice regarding individuals’ right of access to their health records.
The notice came after a decision was issued by the US District Court for the District of Columbia in Ciox Health, LLC v. Alex Azar, et al. opining on the legality of certain rules and guidance from the HHS regarding fees and delivery of an individual’s protected health information (PHI). Although an individual’s right to access their own PHI and the fees that apply remain undisturbed, the court’s decision in Ciox Health rolls back rules and guidance issued by the HHS. These rules include extending the third-party directive to PHI contained in formats other than electronic health records (EHRs) and guidance extending the patient rate to third-party directives, rather than only personal use requests for PHI.
Statutory and Regulatory Background
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to improve the health care system’s efficiency and effectiveness.[1]
Pursuant to this authority, the HHS later issued the HIPAA Privacy Rule that, among other topics, established an individual’s right to access PHI as well as the fee that can be charged for the information’s production.[2] Under the HIPAA Privacy Rule, covered entities may charge a reasonable, cost-based fee (the “patient rate”) for a “personal use request,” which is a request brought by an individual seeking their own PHI. This reasonable, cost-based fee can encompass costs such as:
- The cost of copying the PHI, including supplies and labor
- Postage, when the individual has requested the PHI to be mailed
- Preparing an explanation or summary of the PHI, if needed
Certain costs, however, were excluded from the patient rate, including common costs associated with maintaining and producing PHI such as data storage and document retrieval, among others.
In 2009, the health care industry saw the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was intended to promote the adoption and meaningful use of health information technology in the United States, including EHRs.[3] Among other provisions, the HITECH Act included two key provisions: (1) the “third-party directive,” which provided a simplified process for requesting delivery of certain PHI to third persons when the PHI was contained in an EHR, and (2) a statutory cap on the fee that a covered entity may charge an individual for delivery of EHRs.[4]
Change came for providers yet again when the HHS amended the HIPAA Privacy Rule in 2013 with a set of rules commonly known as the Omnibus Rule.[5] Importantly, the Omnibus Rule broadened the third-party directive found in the HITECH Act, allowing it to reach requests for PHI in any format instead of only PHI found in an EHR.[6] Specifically, the Omnibus Rule required information to be provided “in the form and format requested by the individual, if it is readily producible in such form and format” and required covered entities to deliver PHI to third parties regardless of whether the information is contained in an EHR. Additionally, the Omnibus Rule amended the portion of the HIPAA Privacy Rule specifying the costs recoverable under the patient rate, providing that the cost of labor for copying PHI (both paper and electronic) could include time spent by skilled technical staff to create and copy an electronic file, but excluded “actual labor costs associated with the retrieval of electronic information” as well as costs associated with system maintenance.[7]
The HHS turned the health care industry upside down in 2016 when it released the guidance document “Individuals’ Right Under HIPAA to Access Their Health Information 45 C.F.R. § 164.524,” otherwise known as the “Privacy Rule Guidance.” Along with providing direction on determining the patient rate, the HHS did an about-face regarding the implementation of the patient rate, announcing that the rate applied not only when an individual sought to access their own PHI, but also when an individual directs a covered entity to send their PHI to a third party and when a third party forwards an individual’s request for PHI to the covered entity, with the PHI to be sent to the third party.
Ciox Health, LLC v. Alex Azar, et al.
The changes to the patient rate and third-party directive found in the Omnibus Rule and Privacy Rule Guidance prompted plaintiff Ciox Health, LLC—a specialized medical records provider that enters into contracts nationwide with health care providers to maintain, retrieve, and produce PHI—to file suit.[8] Ciox Health challenged a variety of the rules and guidance promulgated by the HHS, including the application of the patient rate to third-party directives and the costs included in the patient rate.[9]
Ciox Health challenged, among other things, the 2013 Omnibus Rule’s expansion of the third-party directive to include the delivery of PHI to third parties regardless of whether the PHI is contained in an EHR, as well as the rule’s requirement that PHI be made available in any format requested by the individual. Ciox Health argued these provisions violated the federal Administrative Procedure Act (APA) because they conflicted with the HITECH Act’s plain language and exceeded the HHS’ lawful authority. The court agreed, holding that the HHS lacked the authority to extend the third-party directive to reach PHI not contained in an EHR: the HITECH Act is limited to EHRs, and nothing in the statute indicates that Congress intended to allow the HHS to further interpret or define the third-party directive. In an attempt to save the Omnibus Rule’s expansion of the third-party directive, the HHS pointed to HIPAA Section 264(c) as giving it the authority to enact the rule. Noting it was unclear whether the general rulemaking authority the HHS pointed to was still in effect, the court concluded it did not need to decide that question, because general rulemaking authority granted by Congress to an agency cannot be used to expand a restriction Congress itself imposed.
Ciox Health also challenged the 2016 Privacy Rule Guidance’s application of the patient rate to third-party directives, arguing it was a legislative rule and, therefore, was invalid due to the HHS’ failure to use the notice and comment period requirements under the federal APA. The court agreed, holding it was, in fact, a legislative rule requiring notice and comment. The court, however, declined to opine on Ciox Health’s substantive argument on the rule—that the rule was invalid for being in conflict with the HITECH Act’s plain language.
As such, the court vacated the 2013 Omnibus Rule to the extent it expanded the HITECH Act’s third-party directive beyond requests for a copy of an EHR in an electronic format and vacated the 2016 Privacy Rule Guidance to the extent it extended the patient rate to third-party directives without first going through notice and comment as required by the APA.
Ciox Health’s Impact on Providers
Due to the court’s decision and the HHS OCR notice, providers that qualify as covered entities will see the following changes to the rate and format requirements for PHI:
- The original HITECH Act third-party directive regarding the electronic format of PHI is back in effect. As such, the third-party directive applies only to PHI in EHRs, rather than PHI found in any format.
- The patient rate no longer reaches third-party directives; instead, it applies only to personal use requests for PHI.
An individual’s right to access their own records and the fee limitations applying to an individual exercising these rights remain unchanged. Additionally, whether the HHS maintains the authority to enact rules under HIPAA Section 264(c) and whether the patient rate’s applicability to third-party directives will withstand a challenge on its merits both remain to be seen.
[1] Pub. L. 104-191, Title II, §§ 261, 264(a)-(b), 110 Stat. 1936, 2021, 2033 (1996).
[2] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.500 et seq.).
[3] Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 126 (2009).
[4] 42 U.S.C. § 17935(e)(1), (3).
[5] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,556 (Jan. 25, 2013).
[6] 45 C.F.R. § 164.524(c)(2)(i)-(ii), (3)(ii).
[7] 45 C.F.R. § 164.524(c)(4)(i).
[8] Note the plaintiff in this case was a business associate, not a covered entity. However, in a portion of the court’s decision not addressed here, the court concluded Ciox Health had standing to challenge the rules and guidance.
[9] Notably, the court considered a variety of issues not addressed in this legal alert, including jurisdictional issues, the HHS’ exclusion of labor costs from the patient rate, and the three methods for determining payment under the 2016 Privacy Rule Guidance.
If you have any questions regarding the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com or another member of the firm’s Health Care & Health and Human Services Practice Area.