Recently, the United States District Court for the District of Columbia vacated certain rules and regulatory guidance set forth by the U.S. Department of Health and Human Services (“HHS”) regarding access and copying fees for third-party requests for medical records under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the implementing HIPAA Privacy Rule. In light of the District Court’s decision in Ciox Health, LLC v Alex Azar, et al, HIPAA covered entities and business associates that fulfill release of information requests on behalf of covered entities should review their current policies and procedures with respect to fulfilling patient requests for copies of medical records to ensure compliance with the District Court’s decision.

Health care providers and other HIPAA covered entities (and business associates acting on their behalf to create, receive, maintain or transmit protected health information or “PHI”) are required to provide individuals with access to their own PHI upon request. Under the Privacy Rule, they are permitted to charge certain fees for the copied records. To ensure that patient access is not thwarted by excessive fees, HHS regulates the amount that covered entities and business associates are entitled to charge for copies of patient medical records and other PHI.

Under the Privacy Rule, covered entities are permitted to charge a “reasonable, cost-based fee.” This reasonable cost-based fee (referred to in the Ciox Memorandum Opinion as the “Patient Rate”) can include the cost of copying (including the cost of supplies and labor), postage (when an individual requests their PHI to be mailed), and preparing the explanation or summary of the requested PHI. Initially, it was understood that only requests brought by an individual seeking his or her own PHI (referred to in the Ciox opinion as “Personal Use Requests”) were subject to the Patient Rate. Thus, while covered entities and business associates are required to comply with third-party directives, or patient requests that their electronic PHI be delivered to third parties, these requests were not subject to the same fee restrictions. However, since the promulgation of the Privacy Rule nearly twenty years ago, HHS has issued additional rules and guidance, further restricting the fees that covered entities are permitted to charge for producing copies of medical records and subjecting the medical records industry to significant financial burdens.

In 2013, HHS issued the HIPAA/HITECH Omnibus Final Rule, expanding the scope of third-party directives beyond the statutory limitations of the HITECH Act, which applied only to electronic PHI, and compelling delivery of third-party requests for patient PHI regardless of the form of the record. Further, in 2016, HHS issued a guidance document titled “Individuals’ Right Under HIPAA to Access their Health Information 45 C.F.R. § 164.524” that expanded the scope of the Patient Rate beyond just Personal Use Requests, providing an unequivocal command that the Patient Rate would also apply to third-party directive requests. In the 2016 Guidance, HHS also set forth three options for calculating allowable costs under the Patient Rate. According to the Guidance, a holder of PHI may determine the fee by calculating actual allowable costs to fulfill each request; or by using a schedule of costs based on average allowable labor costs to fulfill standard requests. Alternatively, in the case of requests for an electronic copy of PHI, the covered entity could charge a flat fee not to exceed $6.50.

The regulatory changes in 2013 and 2016 represented a seismic shift in the agency’s previous articulation of the Privacy Rule, and led to significant increases in the volume of third party directive requests for PHI, often including demands that the requests be fulfilled for a maximum of $6.50, or a complaint to HHS/OCR would follow. Many holders of PHI also experienced significant losses in revenue. After suffering $35 million in lost revenue following the issuance of the 2016 guidance, Ciox Health LLC, a specialized medical records company, filed suit against HHS to stop enforcement of these controversial regulatory changes, arguing that the Omnibus Rule expansion of the scope of third-party directives to all forms of PHI was arbitrary, capricious and not in accordance with the law, and further, that the 2016 Guidance was a legislative rule that should have gone through the notice and comment process under the federal Administrative Procedure Act before it was issued.

After two years of litigation, the District Court agreed with Ciox and vacated HHS’s 2016 Guidance as to the expansion of the Patient Rate to reach third-party directives, thus limiting the scope of copying restrictions to Personal Use Requests. The court also vacated HHS’s expansion of the third-party directive via the Omnibus Rules, thus limiting the scope of third party medical records requests to PHI contained electronically. The litigation also led HHS to clarify that the $6.50 Flat Rate is not a cap on fees for providing copies of PHI.

Covered entities and business associates tasked with processing requests for access to PHI on behalf of covered entities may have policies and procedures in place that reflect the now invalid requirements under the 2013 Omnibus Rule and 2016 Guidance. These entities may want to seek counsel to determine whether revisions to policies, practices and service agreements are necessary.