Thanks to a federal judge, the Office for Civil Rights has modified its rules for sending records to third parties. Covered entities are no longer required by HIPAA to send non-electronic protected health information (“PHI”) to a third party at the patient’s request. In addition, covered entities are no longer limited to charging a reasonable cost-based fee when sending records to a third party.

The Third-Party Directive. In 2009, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified HIPAA to simplify the process for producing ePHI:

In the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual … the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.

(42 U.S.C. §17935(e)(1)).

In the 2013 HIPAA Omnibus Rule, HHS extended this “Third Party Directive” beyond ePHI to PHI maintained in any format that the individual might want disclosed to a third party:

If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.

(45 C.F.R. § 164.524(c)(3)(ii)).

In 2016, the OCR issued its informal guidance, Individuals’ Right Under HIPAA to Access Their Health Information (the “2016 Guidance”), in which the OCR pushed the envelope even further and declared that regulatory limits that apply to a patient’s request to access records under § 164.524 also apply to the patient’s request to produce records to a third party, including the regulations that limit the amount that a covered entity may charge patients to respond to such requests (“the Patient Rate”):

The right of an individual to have PHI sent directly to a third party is an extension of the individual’s right of access; consequently, all of the provisions that apply when an individual obtains access to her PHI apply when she directs a covered entity to send the PHI to a third party. As a result:

  • This right applies to PHI in a designated record set;
  • Covered entities must take action within 30 days of the request;
  • Covered entities must provide the PHI in the form and format and manner of access requested by the individual if it is “readily producible” in that manner; and
  • The individual may be charged only a reasonable, cost-based fee that complies with 45 CFR 164.524(c)(4).

(2016 Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html). Together, the 2013 Omnibus Rule and the 2016 Guidance saddled covered entities with additional obligations and costs that were not required by the HITECH Act, much to the chagrin of medical records departments and document production companies.

The Ciox Health Decision. In 2018, Ciox Health sued HHS, arguing that the Third Party Directive and Patient Rate limitation exceeded HHS authority. (Ciox Health, LLC v. Azar, Case No. 18-cv-00040 (APM) (D.D.C. 2018)). On January 23, 2020, the federal D.C. District Court agreed:

the court (1) declares unlawful and vacates the 2013 Omnibus Rule insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of “an [EHR] with respect to [PHI] of an individual … in an electronic format,” … and (2) declares unlawful and vacates the 2016 Guidance insofar as it … extends the Patient Rate to reach third-party directives.

(Memorandum Opinion at p. 55). On January 28, 2020, the OCR issued a notice acknowledging the Ciox Health decision and confirming its responsibility to comply, but also confirming that it would “continue to enforce the right of access provisions in 45 C.F.R. § 164.524 that are not restricted by the court order.” (Available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html)

The Net Effect. Here is the net of the Ciox Health decision and the remaining HIPAA rules:

  1. Patient Requests to Transmit ePHI. The Third Party Directive established by the HITECH Act remains in effect as to ePHI: if a covered entity maintains an individual’s health information in electronic format, the individual may “direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous and specific.” (42 U.S.C. § 17935(e)(1); see also 45 C.F.R. § 164.524(c)(3)(ii)). According to HHS, “[t]he individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.” (45 C.F.R. § 164.524(c)(3)(ii)). In responding to such requests, the covered entity is not bound by the Patient Rate, i.e., the covered entity may charge more than the “reasonable cost-based fee” that would apply if the covered entity were producing the records to the individual. (See id. at § 164.524(c)(4)). Note, however, that excessive fees may violate HIPAA’s prohibition on selling PHI. (Id. at § 164.502(a)(5)(ii); 2016 Guidance).
  2. Patient Requests to Transmit non-ePHI. Under HIPAA, covered entities are not obligated to comply with an individual’s request to transmit to third parties PHI that is not in electronic format. Covered entities may, if they so choose, transmit the PHI at the individual’s request pursuant to (1) a valid HIPAA authorization per 45 C.F.R. § 164.508; (2) the patient’s informal consent per § 164.510(b), if the disclosure is to a person involved in the patient’s health, health care or payment for care, in which case the covered entity would normally want to document the patient’s request; or (3) another HIPAA exception if one applies. Again, the Patient Rate does not apply to requests to transmit non-ePHI to third parties: under HIPAA, the covered entity may charge more than a “reasonable cost-based fee” so long as the fees are not so excessive as to constitute the “sale of PHI.” Alternatively, the covered entity may simply provide the requested information directly to the patient who is making the request. Patients retain the right to access or obtain copies of their own PHI maintained in a designated record set pursuant to § 164.524. The Patient Rate would apply to disclosures directly to the patient, i.e., the covered entity may only charge the patient a reasonable cost-based fee as described in the regulations and explained in the 2016 Guidance.
  3. Beware State Laws. The foregoing changes do not affect more restrictive state laws or regulations. For example, some states require covered entities to transmit medical records or other PHI at the request of the patient regardless of format. (See, e.g., IDAPA 22.01.01.101.03(g)). Additionally, state laws may limit the fees that a covered entity may impose for records. (See, e.g., IDAPA 16.03.14.220.14(a)). To the extent those laws or regulations are more restrictive than HIPAA, covered entities must continue to comply with those state laws or regulations.

Next Steps. Covered entities and business associates should review and, as appropriate, modify their existing policies, privacy notices, and fee schedules. They should also train their staff concerning the new rules. They should also watch for additional rulemaking or guidance from OCR concerning the changes.