On January 23, 2020, the Federal District Court of the District of Columbia issued a 55-page decision (the Ciox Health decision) (i) invalidating a provision in the 2013 HIPAA Omnibus Rule regarding the format for the transmittal of protected health information (PHI) to third parties as requested by a patient and (ii) declaring unlawful HHS’ 2016 guidance (the 2016 Guidance) which extended to third parties, such as insurers and law firms, the limits on charges for copies of PHI that apply to medical record requests made by a patient for use by the patient.
Ciox health decision
The case was brought by a medical-records vendor that contracts with health care suppliers nationwide to maintain, retrieve, and produce individuals’ PHI. The vendor challenged the 2016 Guidance, which stated that the medical record copy rate applicable to patients (Patient Rate) also applied to patient requests to deliver PHI to third parties, arguing it violated the procedural and substantive protections of the Administrative Procedure Act (APA). The vendor also challenged two additional aspects of the 2016 Guidance: (i) the types of labor costs that are recoverable under the rates charged to patients and (ii) the inclusion of the three alternative methods identified in the 2016 Guidance for calculating the patient rate.
The court found that HHS exceeded its authority in the 2013 HIPAA Omnibus Rule to the extent it modified the HIPAA Privacy Rule to (i) require providers to deliver an individual’s PHI to third parties regardless of whether the information is contained in an EHR and (ii) obligate providers to make PHI available in “the format requested by the individual.”
With regard to extending the Patient Rate to third parties, the Court determined that the 2016 Guidance acted as a legislative rule, and, therefore, such guidance could not be adopted without a notice and comment period. Consequently, the court determined HHS could not require covered entities and business associates to limit the charges for copies of PHI to third parties when requested by a patient.
With regard to the challenge to the allowable labor costs, the District Court stated, “To be sure, HHS bears responsibility for any industry uncertainty as to what precise actions qualify as “[l]abor for copying” PHI that can be charged under the Patient Rate. In 2013, the agency wrote that “labor costs included in [the Patient Rate] could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning, and burning [PHI] to media.” 78 Fed. Reg. at 5,636 (emphasis added). But in 2016, the agency stated that the Patient Rate “does not include labor costs associated with . . . segregat[ing], collect[ing], compil[ing], and otherwise prepar[ing] the responsive information for copying.” Nonetheless, the Court concluded that the 2016 Guidance’s instructions concerning the component costs of the Patient Rate … do not qualify as a legislative rule and therefore, HHS has not exceeded its regulatory authority.
In response to the Ciox Health decision, OCR issued a notice on January 28, 2020, addressing individuals’ right of access to health records. The notice states, in part: “a federal court vacated the ‘third-party directive’ within the individual right of access ‘insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.’ Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records and does not apply to an individual’s request to transmit records to a third party. The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect.”
We also note that OCR issued a new fact sheet in May 2019 to provide a “clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of [HIPAA].” Direct liabilities for business associates included HIPAA violations such as the failure to disclose a copy of ePHI to either a covered entity or an individual in order to satisfy a covered entity’s obligations regarding the form and format and time and manner of access under HIPAA. OCR updated this fact sheet to notify business associates that the “guidance remains in effect only to the extent that it is consistent with the court’s order” in the [Ciox Health decision]. OCR additionally provided that “any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.” OCR may, perhaps in the near future, update and/or further clarify the list of HIPAA violations that a business associate may be directly liable for in response to the Ciox Health decision.<
Impact on existing state medical record laws/regulations
Regardless of the district court decision, it is important to remember that more proscriptive state laws addressing the charge limits for copies of medical records to third-party requestors continue to apply.
For example, Illinois law permits clinicians and health care facilities (collectively, Providers) to charge third parties requesting medical records the reasonable expenses incurred in connection with copying the records, not to exceed a $29.09 handling charge for processing the request, as well as the actual postage or shipping cost (if applicable). The Providers also may charge a copying fee for paper copies of $1.09 per page for the first through twenty-fifth pages, $0.73 per page for the twenty-sixth through fiftieth pages, and $0.36 per page for all pages in excess of fifty. Charges for copies made from microfiche or microfilm shall not exceed $1.82 per page. Providers are permitted to charge half of the rates specified here applicable to paper copies for electronic records, which includes the cost of a CD, DVD, or other storage media. Illinois law permits Providers to charge the reasonable cost of duplicating “information that cannot routinely be copied or duplicated on a standard commercial photocopy machine,” including x-rays or pictures. 735 ILCS 5/8-2001(d).
Similarly, under New York law, Providers are required to provide access to medical records and copies of records, if requested, to “qualified persons.” “Qualified persons” include the patient or an incapacitated adult patient’s legal guardian. A parent or legal guardian of a minor may access the minor’s records when the parent or guardian consented to the care and treatment described in the record or when the care was provided without consent in an emergency resulting from an accidental injury or the unexpected onset of serious illness. “Qualified persons” also include the executors and administrators of estates of deceased patients and, if there is no will, the distributees of the estate. An attorney representing a “qualified person” is also a “qualified person,” provided that the attorney has a signed power of attorney authorizing the attorney to request medical records. Health care providers, insurance companies, other corporate entities, and attorneys lacking a power of attorney are not qualified persons. Providers are permitted to charge reasonable fees to recover costs for inspections and copying. With certain exceptions, Providers may impose a reasonable charge, not exceeding the costs incurred, provided, however, the reasonable charge for paper copies shall not exceed $0.75 per page. Furthermore, a qualified person cannot be denied access to information solely because of inability to pay.
While the Ciox Health decision did deliver some relief to business associates and covered entities regarding providing access to PHI in form or formats requested by individuals and fee limitations for requests for access to PHI, business associates and covered entities are still required to comply with any state law that provides individuals and third parties more rights to PHI access as noted above.
Notably, early last year, OCR announced its “Right of Access Initiative” to ensure that individuals receive copies of their medical records in a timely manner and without being overcharged. Under this initiative, OCR has already fined two covered entities $85,000 each for actions such as failing to timely provide medical records and/or failing to provide medical records in a requested format with reasonably cost-based fees. It remains to be seen what impact the Ciox Health decision will have on the Right of Access Initiative and whether HHS will work with Congress to reexamine individuals’ right of access to their PHI, especially as it relates to hardcopy medical records, that were hindered by the Ciox Health decision.
- Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).
[Back to reference]
- Specifically, the exclusion of labor costs associated with accessing, searching for, and compiling PHI.
[Back to reference]
- HHS OCR, New HHS Fact Sheet On Direct Liability of Business Associates under HIPAA.
[Back to reference]
- HHS OCR, Direct Liability of Business Associates.
[Back to reference]
- Note that clinicians and facilities are not permitted to collect the handling fee when a patient’s representative requests records for a deceased patient. 735 ILCS 5/8-2001(d-5). In addition, clinicians and facilities must provide a copy of the patient’s records without charge for indigent homeless veterans for the purpose of supporting a claim for veterans’ disability benefits. 735 ILCS 5/8-2001(h).
[Back to reference]
- A qualified person shall not be denied access to patient information solely because of inability to pay. No charge may be imposed under this section for providing, releasing, or delivering patient information or copies of patient information when requested for the purpose of supporting an application, claim, or appeal for any government benefit or program, provided that, where a provider maintains patient information in electronic form, it shall provide the copy in either electronic or paper form, as required by the government benefit or program, or at the patient's request.
[Back to reference]