Electronic Healthcare Records , Governance & Risk Management , HIPAA/HITECH

Court Invalidates Certain Patient Info Access Requirements

Ruling Affects Fees Charged for Records and Other Provisions
Court Invalidates Certain Patient Info Access Requirements

A federal court has invalidated certain HITECH Act provisions and Department of Health and Human Services guidance related to patient requests for copies of their health records, creating new requirements for compliance officers and others to follow.

See Also: OnDemand | Driving Security, Privacy, & Compliance Goals by Accelerating HITRUST Certification

Some regulatory experts say the ruling will create more confusion about compliance issues that already are complex.

In the Jan. 23 ruling in the 2018 lawsuit, Ciox Health vs. Alex Azar, secretary of HHS, a Washington court vacated a HIPAA Omnibus-related provision requiring third parties to transmit protected health information in any format requested by patients.

The court also invalidated portions of HHS Office for Civil Rights guidance issued in 2016 that set limits on the fees companies can charge in fulfilling patient requests for copies of their health records to be sent to third parties. But the ruling does not specify how much companies can charge.

The court left intact the right for patients to access their health information, and the calculation of fees – and fee limits - when individuals request those records be sent to them. But the court invalidated the “patient rate” limiting what companies can charge when patients request that their protected health information be delivered to third parties.

Lawsuit Allegations

In January 2018, Ciox Health, a Georgia-based medical records retrieval company, filed a lawsuit against HHS alleging that certain changes implemented by HIPAA Omnibus regulations in 2013 and modified by HHS guidance in 2016 “threaten[ed] to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss."

Ciox Health also alleged that the HHS regulatory changes unlawfully broadened the medical information that patients can request to be transmitted "from any form whatsoever - for example electronic health record or non-EHR - in any form whatsoever - for example, paper, electronic, radiologic film, etc. - to any third party, including profit-seeking commercial parties like insurers and lawyers."

In its 55-page ruling, the court agreed with those Ciox Health arguments.

“HHS’ 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress” in 2013 modifications to HIPAA under the HITECH Act, also known as the HIPAA Omnibus Rule, the court ruled.

”This opinion will certainly be disruptive of what is a very hot topic these days – the ability of patients to access their information in a meaningful and efficient way.”
—Kirk Nahra, WilmerHale

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, says that the ruling means “if the information is not part of the EHR, then a request by the individual to transmit the information to a third party, whether in electronic or hard copy form, appears to require a HIPAA-compliant authorization and is only subject to any state law limits on the permissible rate.”

In addition, HHS guidance in 2016 to limit the fees companies can charge for sending patients’ records to third parties, “is a legislative rule that the agency failed to subject to notice and comment in violation of the Administrative Procedure Act,” the court wrote.

”Accordingly, the court declares unlawful and vacates the 2016 patient rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format,” the ruling says.

In its lawsuit, Ciox Health alleged that a $6.50 flat fee referenced by HHS regulations for electronic copies of PHI is "irrational, arbitrary, capricious and absurd." The process of record retrieval is “time-consuming,” Ciox Health argued.

“Once PHI is located, it takes significant effort to fulfill a request for paper or electronic copies of patient medical records in a manner that complies with both federal law and the patchwork of applicable state privacy laws."

Creating More Confusion?

Some regulatory experts say the ruling could create new challenges for compliance officers and others involved in managing electronic patient records.

”This opinion will certainly be disruptive of what is a very hot topic these days – the ability of patients to access their information in a meaningful and efficient way,” says privacy attorney Kirk Nahra of the law firm WilmerHale.

”We already are having a substantial debate about the overall and potential inconsistencies between the HIPAA right to access and [HHS’ proposed] interoperability/information blocking rules - and a potential tension between the patient access right and appropriate protections of the data,” he notes (see: Deciphering HHS’ Proposed Information Blocking Rules).

”This decision will make that analysis much more complicated, by creating different financial rules depending on where the [records] requests are coming from. I suspect the short-term implication will be meaningful confusion - and potential high costs for access to records in certain situations.”

In a statement about the ruling, HHS OCR notes: “The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect. OCR will continue to enforce the right of access provisions … that are not restricted by the court order.”

Ciox Health, in a statement provided to Information Security Media Group, says the court “disallowed the patient rate for non-patients like insurance companies and lawyers. There has been no change to the patient rate. Ciox always has and continues to strongly support patients’ secure and unrestricted access to their medical records, including making the process easier. This ruling enables Ciox to continue helping providers achieve these objectives.”

Unlawful ‘Expansion’?

In its ruling, the court noted that Ciox handles tens of millions of records requests annually for its clients.

”For years, the medical records industry understood that the limitations imposed by the patient rate applied only to requests for PHI made by the patient for use by the patient. For other types of requests, such as those made by commercial entities, like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the patient rate,” the court noted.

”That understanding changed, however, in 2016, when HHS issued a guidance document, which stated that the patient rate applies even to requests to deliver PHI to third parties,” the ruling said. “This change, according to Ciox, caused Ciox and other medical records companies to lose millions of dollars in revenue.”

Ciox challenged the 2016 expansion of the patient rate as a violation of the procedural and substantive protections of the Administrative Procedure Act.

Good News, Bad News

Commenting on the “noteworthy” case, independent HIPAA attorney Paul Hales says: “The good news from Ciox v. Azar is that fees for a patient’s right of access are undisturbed. However, the court put some limits on patient access to records in electronic form.”

Hale notes that HHS OCR in May 2019 issued updated guidance that appeared to be in response to the Ciox Health lawsuit, acknowledging that HHS lacked the authority to enforce “reasonable, cost-based fee limitations” against business associates, such as Ciox Health.

The 2019 guidance noted, however, that “a covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.”

Healthcare providers must furnish patients with copies of their medical records at the patient rate even if the provider uses a vendor to maintain and retrieve the records,” Hales notes. “Apparently, OCR intends to require providers to pay the vendor for record retrieval and absorb the difference between that fee and the patient rate.”

The case is a victory for Ciox and a loss for lawyers seeking records at the patient rate, Hale says. “Citing the 2016 HHS guidance, some lawyers insisted they were required only to pay the minimal patient rate to obtain client medical records,” he notes.

”Ciox v. Azar is about more than patient rights and record retrieval fees. It turns on important legal questions involving the Administrative Procedure Act. I expect the legal issues will be appealed to the D.C. Circuit Court of Appeals. HHS may also respond by beginning a rule-making process to address the decision. But that is a lengthy process.”


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.