On January 28, 2020, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a notice (the OCR Notice) regarding individuals’ right of access to health records in response to a January 23, 2020 court ruling in Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. Jan. 23, 2020). OCR noted that, despite the modifications contained in the 2013 Omnibus Rule issued on January 25, 2013, the fee limitation set forth in the HIPAA Privacy Rule (i.e., reasonable, cost-based fee) (the Patient Rate) applies only when an individual requests access to his/her own records and does not apply when the individual directs his/her records to be sent to a third party.

In the Ciox Health case, Ciox Health, a medical record retrieval company, challenged: (1) the 2013 Omnibus Rule requiring the production of “protected health information” (PHI) contained in formats other than in an electronic health record (EHR) and in any format requested by the requester; and (2) OCR’s 2016 guidance entitled “Individuals’ Right Under HIPAA to Access Their Health Information 45 C.F.R. § 164.521” (the 2016 Guidance), which expanded the Patient Rate to situations in which an individual directs his/her records to be sent to a third party such as a law firm or insurance company (Third-Party Directive(s)), specified three methods by which to calculate the disclosure fees, and excluded the cost to search and retrieve the requested records. Ciox asserted that OCR’s actions were beyond its legal power and authority and created legislative rules without public notice and comment as required under law.

The court agreed with Ciox and held that: (1) because the HITECH Act does not address the right to transmit PHI contained in any format other than an EHR, the 2013 Omnibus Rule’s expansion of the Third-Party Directive (i.e., requiring that if PHI is maintained in any electronic format (not just an EHR), the covered entity must provide the information in the electronic form and format requested by the individual if readily producible in such form and format) was arbitrary and capricious; and (2) the 2016 Guidance included an “unequivocal command” that the Patient Rate applied to requests by individuals directing their records to be sent to a third party, and legal and practical consequences resulted for business associates like Ciox, causing the 2016 Guidance to qualify as a “final agency action”.

The court reasoned that the agency’s position was “fundamentally at odds” with the position it took in the Privacy Rule when the Patient Rate was first adopted, in which it provided that the fee limitation was intended to apply only to individual requests and was not intended to affect the fees that covered entities charged for providing PHI to persons other than the individual (the purpose being to ensure individuals were not deterred from requesting access because of cost), and that it was in contrast to the plain text of the HITECH Act. The court held that the broadening of the Patient Rate to Third-Party Directive(s) by OCR was a final agency action that required comment and review before implementation. In other words, the 2016 Guidance was a modification to the law that OCR had no authority to adopt without first going through the notice and comment process.

However, the court held that the exclusion of the labor costs for searching and retrieving the requested records from the Patient Rate was merely a clarification of an ambiguity, which did not require notice and comment. Further, the court ruled in favor of OCR and dismissed Ciox Health’s claim that the three methods for calculating the Patient Rate in the 2016 Guidance (i.e., actual costs; average costs; flat $6.50 rate) were final agency actions that required public notice and comment because the methods included in the guidance were permissive and not mandatory in nature.

The court declined to enter judgment on Ciox Health’s substantive claims because it feared that it would potentially foreclose OCR from revisiting its original articulation of the scope of the Patient Rate, which upon re-evaluation the court noted would be better undertaken through a notice-and-comment process.

The Ciox Health case and the limitation of the applicability of the Patient Rate to Third-Party Directive(s) could potentially affect OCR’s initiative, announced in 2019, to focus its enforcement efforts on patients’ rights to access their records (e.g., Bayfront Hospital September 9, 2019 settlement). For example, OCR may need to re-evaluate and shift its enforcement priorities in light of the recent ruling to the extent that any of its investigations or enforcement action priorities include potential allegations of violations of patient access rights related to Third-Party Directives (versus individual requests for access to their own records) and fees charged for such access.

In light of the recent ruling, business associates and covered entities should:

  • Review and revise, as appropriate, existing contracts/fee schedules related to medical record retrieval that may contain fee limitations that no longer apply;
  • Update their existing patient forms and HIPAA policies and procedures regarding medical record retrieval costs;
  • Re-train and educate workforce members on the revised policies and procedures; and
  • Monitor updates by OCR on potential proposed rulemaking regarding Third-Party Directives and related issues.