On January 28, 2020, the Department of Health and Human Services (“HHS”) issued an announcement of financial importance to covered entities and business associates that produce copies of medical records to patients and third parties. HHS announced that it would not enforce the fee limitation described in HHS’s 2016 regulation at 45 C.F.R. § 164.524(c)(4) that applied to individuals’ requests for transmission of their Protected Health Information (“PHI”) to third parties. HHS also reported that a federal court vacated the expanded “Third-Party Directive” described in HHS’s 2013 final rule, called “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” 78 Fed. Reg. 5,566 (Jan. 25, 2013) (“Omnibus Rule”).
The HIPAA Privacy Rule is designed not only to protect patient privacy rights, but also to ensure that patients have ready access to their medical records. To promote ready access, HHS adopted, among other guidelines, limitations on what companies may charge for delivering PHI, called the “Patient Rate.” 45 C.F.R. § 164.524(c)(4). For years, these limitations applied only to patient requests for PHI and not to requests from commercial entities like insurance companies and law firms. However, in 2016, HHS issued guidance stating that the Patient Rate limitations applied to third party requests. This change caused medical records companies to lose millions of dollars in revenue. One of these companies, Ciox Health, LLC, challenged the 2016 expansion of the Patient Rate in federal court. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020), (“Ciox Lawsuit”). The outcome of this suit, discussed below, led to the HHS announcement that the fee limitations no longer apply to requests for copies of records to be sent to third parties.
The Ciox decision also modifies HHS’s directive in the Omnibus Rule that covered entities and their business associates must share PHI in all forms with third parties without formal authorizations. The court vacated this portion of the Omnibus Rule on the ground that it conflicted with HITECH, which only addressed the authorization requirement for electronic health records (“EHRs”).
A survey of the history of these statutes and requirements helps explain the Ciox decision.
Application Of The “Patient Rate” And Third-Party Access Under The Privacy Rule As Originally Enacted
As originally enacted, the Privacy Rule limited permissible charges for copies of PHI to: (1) the cost of “[c]opying, including the costs of supplies for and labor for copying, the [PHI]”; (2) “[p]ostage, when the individual has requested the copy, or the summary or explanation, be mailed”; and (3) “[p]reparing an explanation or summary of the [PHI].” Id. § 164.524(c)(4)(i)–(iii) (2012). Other common costs associated with maintaining and producing PHI, such as costs of data storage, infrastructure, and document retrieval could not be included. See 65 Fed. Reg. at 82,557. These “Patient Rate” limitations on chargeable fees served HHS’s purpose of ensuring that individuals would not be deterred from seeking PHI because of the costs. However, the limitations did not apply to productions made to third parties. Id. at 82,754. Indeed, the Final Rule expressly distinguished between patient-requested PHI and PHI requested for third parties.
An impediment to accessing PHI was the prohibition against releasing PHI to a third party without a valid authorization. 45 C.F.R. § 164.502(a)(1)(iv) (2008). The required authorizations had to include certain “[c]ore elements,” including: (1) a description of the information sought; (2) the purposes for its disclosure; (3) the authorization’s expiration date or event; and (4) “statements adequate to place the individual on notice” of his or her rights. Id. § 164.508(c)(1)–(2) (2008). Obtaining such authorizations was administratively burdensome, leading to some relaxation in the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of 2009.
Fees And Third-Party Access To PHI Under HITECH
HITECH was enacted in response to the development of distinct digital-record formats and storage systems, and specifically, the use of EHRs. Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 226 (2009); 42 U.S.C. §§ 17935(e), 17921(5). Under HITECH, covered entities and their business associates may impose fees for producing copies of EHRs if the fees are no greater “than the entity’s labor costs in responding to the request for the copy.” 42 U.S.C. § 17935(e)(3). This fee cap applied on its face to personal-use requests, but whether it extended to third-party requests was unclear.
HITECH made it easier for patients and third parties to obtain copies of PHI contained in EHRs. HITECH does not require formal authorizations for production of EHRs. Instead, patients may direct by “clear, conspicuous, and specific” instruction that copies of their EHRs be provided directly to designated entities or persons. Id. § 17935(e)(1). This is called the “Third-Party Directive.” This Third-Party Directive applied only to EHRs, not other forms of PHI – until 2013.
Fees And Third-Party Access Under the 2013 Omnibus Rule
The Omnibus Rule broadened the Third-Party Directive created by HITECH to include requests for PHI contained not only in EHRs but in all formats. Thus, covered entities and their business associates were required to send PHI in all forms to third parties based only on “clear, conspicuous, and specific” patient instructions. See 45 C.F.R. § 164.524(c)(3)(ii). Additionally, the Omnibus Rule required that the PHI be provided “in the form and format requested by the individual, including in electronic form, if it is readily producible in such form and format.” Id. §§ 164.524(c)(2)(i), 164.524(c)(2)(ii).
HHS acknowledged that this expanded the Third-Party Directive beyond the text of the HITECH Act. 78 Fed. Reg. at 5,631. But HHS concluded it could do this under the general rulemaking power granted to it under section 264(c) of HIPAA. That provision, HHS said, allowed it to ensure that access was provided more uniformly to all PHI maintained in various types of designated record sets and to avoid a complex set of disparate requirements. Id.
In the Omnibus Rule, HHS also modified the Patient Rate under the Privacy Rule, breaking out the cost of labor for copying PHI, whether in paper or electronic format. See id. at 5,635–36; 45 C.F.R. § 164.524(c)(4)(i). HHS announced that such cost “could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media, and distributing the media.” 78 Fed. Reg. at 5,636. However, HHS instructed that actual labor costs associated with the retrieval of electronic information would not be recoverable under the Patient Rate. Id. HHS further stated that “[f]ees associated with maintaining systems and recouping capital for data access, storage and infrastructure” would not be “considered reasonable, cost-based fees.” Id.
2016 Privacy Rule Guidance
Three years after adopting the Omnibus Rule, HHS issued a guidance document titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524.” This guidance made two pronouncements that gave rise to Ciox Health, LLC v. Azar, et al. First, HHS instructed that the Patient Rate applied whether individuals requested PHI for themselves or requested that copies be sent to designated third parties. The medical records industry viewed this as a “seismic shift” from the directives on which it had structured contracts and pricing models. Further complicating the operational changes, HHS emphasized that the Patient Rate did not apply when third parties forward individuals’ requests that PHI be sent to those third parties. That is, although all requests for copies had to be based on patient requests, higher fees could be charged when third parties transmitted the requests.
Second, HHS further limited what could be included in the “Patient Rate.” HHS instructed that only those labor costs incurred after the responsive PHI is identified, retrieved or collected, compiled and/or collated, and is ready to be copied could be included. HHS also offered three alternatives for calculating the “reasonable, cost-based fee”: (1) the actual allowable costs to fulfill each request; (2) a schedule of costs based on average allowable labor costs to fulfill standard requests; or (3) in the case of requests for an electronic copy of PHI maintained electronically, a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage).
The Ciox Lawsuit
On November 16, 2018, HHS advised Ciox that it had received a complaint asserting that when individuals make requests through Ciox for their medical records to be directed to law firms and other third parties, Ciox routinely charges fees in excess of the Patient Rate. After some investigation, HHS announced that it did not have jurisdiction to enforce the Privacy Rule against business associates like Ciox. (This itself is significant for reasons beyond the scope of this alert.)
Ciox nonetheless filed a lawsuit in the federal court for the District of Columbia. Ciox challenged (1) the types of labor costs that are recoverable under the Patient Rate; (2) the three alternative methods identified for calculating the Patient Rate; and (3) the requirement that copies of PHI in all forms must be provided to third parties without formal authorizations. Ciox alleged that these requirements violate the procedural and substantive provisions of the Administrative Procedure Act (“APA”). Ciox added that the third requirement violated HITECH, which required only that certain types of electronic health records be delivered to third parties, not all records regardless of their format.
The court first considered Ciox’s standing given that HHS cannot directly regulate business associates. The court found Ciox could pursue the action because Ciox suffered a redressable financial injury traceable to agency actions affecting Ciox’s contracting partners, the covered entities. Business associates may provide health records services only through formal contracts known as Business Associate Agreements. See 45 C.F.R. § 164.502(e)(2) (providing that a covered entity’s relationship with a business associate “must be documented through a written contract or other written agreement or arrangement”); id. § 164.504(e) (requirements of business associate contracts).
On the merits, the court held that (1) the portion of the 2013 Omnibus Rule compelling delivery of PHI in any form to third parties goes beyond HITECH and is therefore arbitrary and capricious; and (2) HHS’s broadening of the Patient Rate in 2016 violated the APA. Accordingly, the court held that the “third-party directive” and HITECH requirements regarding production of PHI only apply to EHRs, and vacated the fee limitation set forth at 45 C.F.R. § 164.524(c)(4). In response, HHS agreed to comply with this ruling, announcing in its notice of the decision that “the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.”
For covered entities and their medical record business associates, the Ciox Lawsuit and HHS’s January 28, 2020 announcement about it require changes to their operations. First, such entities should change their fee policies. When individuals request that EHRs be transmitted to third parties, charges may be higher than the Patient Rate. This means that fees need not be limited to costs incurred after the responsive PHI is identified, retrieved or collected, compiled and/or collated, and is ready to be copied. Fees may include “skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [the EHRs] to media, and distributing the media.” 78 Fed. Reg. at 5,636. As always, labor costs associated with EHR retrieval, fees associated with maintaining systems, and capital for data access, storage, and infrastructure may not be charged. Id.
Second, although not noted in HHS’s announcement, covered entities and their business associates should create policies, procedures, and training to advise their staff that they may only release PHI contained in EHRs to third parties – not other forms of PHI – unless they have a compliant patient authorization in hand or the disclosure is otherwise required or permitted. (This may include regulations relating to subpoenas, which will be discussed in our upcoming webinar on HIPAA compliant responses to medical records subpoenas).