D.C. Court Throws Out Portion of HIPAA Regulations and Guidance: HHS Position Reversed Regarding Access and Copy Fees for Third Party Requests for Medical Records

Footnotes for this alert are available for download in the formatted PDF at the end of this page.

The U.S. District Court for the District of Columbia has vacated controversial portions of the U.S. Department of Health and Human Services’ (“HHS”) regulations and guidance regarding access and copy fees for third party requests for protected health information (“PHI”), colloquially, medical records. With this decision, covered entities and their business associates receive much-needed relief from the significant financial burden of producing copies of voluminous medical records to third parties, such as lawyers and insurance companies.

Specifically, the Court vacated HHS’s 2013 rule compelling delivery of medical records to third parties regardless of the records’ format (instead dialing it back to align with the statutory scope of the HITECH Act, which is limited to electronic health records), and also vacated the 2016 guidance which applied strict HIPAA fee limits to records delivered to third parties pursuant to a patient directed request. Via its Privacy and Security Listservs on January 28, 2020, HHS announced the reversal of its position on these two key points.


The implementing regulations for the Health Insurance Portability and Accountability Act of 1996 (collectively, “HIPAA”) at 45 C.F.R. 164.524 establish an individual’s right to access PHI and set requirements for the permissible fee that can be charged for such production. Following the enactment of the HITECH Act in 2009, HHS revised these regulations in 2013. One aspect of these revisions was the promulgation of 45 C.F.R. 164.524(c)(3)(ii), which required that a covered entity must provide a copy of PHI directly to a third party designated by the individual (i.e., a “third-party directive”). Although HHS promulgated this regulation pursuant to the HITECH Act, which limited third-party directives to PHI in electronic health records (“EHRs”), HHS’s regulations did not include that important limit, instead applying third-party directive requirements to access requests for all PHI in any format.

In 2016, HHS issued extensive guidance on the patient right of access provisions, including third party directives. In the guidance, HHS issued three instructions that are relevant here. Specifically, HHS:

  1. Applied the HIPAA fee limits at 45 C.F.R. 164.524(c)(4) to third-party directives.
  2. Laid out three methods for calculating the fees that may be charged.
  3. Limited what activities may be included as “labor costs” in calculating the fees.

Following this regulation and guidance, third-party directives mushroomed, driven largely by requests from plaintiffs’ attorneys. This, in turn, resulted in a significant increase in costs for covered entities and their business associates engaged in producing copies of patient records. Ciox Health, LLC (“Ciox”), a release of information (“ROI”) vendor that contracts with hospitals and other healthcare providers to fulfill requests for copies of medical records, filed suit against HHS in the U.S. District Court for the District of Columbia on January 8, 2018 (docket number 1:18-cv-00040; for further discussion of the case, see our previous article here). In its suit, Ciox challenged the regulation and guidance cited above. More than two years later, the case has concluded, and the Court has addressed each of Ciox’s challenges.

Key Takeaways from Ciox Opinion

  1. Third-Party Directives Apply to PHI in Electronic Health Records Only. Going forward, third-party directives are scaled back to only apply to requests for electronic copies of PHI maintained in EHRs, in alignment with the scope of the HITECH Act, which provides at 42 U.S.C. § 17935(e)(1):
    • [I]n the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual . . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.
  2. Fee Limits Apply to Direct Patient Requests Only. HIPAA’s fee limits for copies now apply only to an individual’s request for access to his or her own records and do not apply to requests to transmit records to a third party. Note, however, that state or other law may impose limits and should be read alongside HIPAA to determine the appropriate fees to charge, both for direct patient requests and third-party requests.
  3. Methods of Calculating Fees and Limits on Labor Activities are Unchanged. The Court left intact HHS’s guidance on the three methods HHS discusses as options by which fees may be calculated when responding to a patient’s request for records (i.e., actual cost, average cost, and optional flat fee for electronic copies of electronic records), as well as what activities may be included in labor cost calculations. (For a more detailed discussion of these methods and limits, see our previous article here).

Practical Application

So what does this mean as a practical matter for covered entities and business associates responding to requests for medical records?

  1. Responding to Direct Patient Request. Covered entities and business associates must still follow the HIPAA regulations and HHS guidance regarding responding to a patient’s request for copies of his or her own records (e.g., covered entities must respond to a patient’s request within 30 days and, when providing copies, must limit the fee charged to the individual to a “reasonable, cost-based fee,” among other requirements).
  2. Responding to Third-Party Directive for Electronic Records. If a patient directs a covered entity to send electronic copies of PHI maintained in EHRs directly to a third party, the covered entity must comply. However, HIPAA no longer imposes fee limits for such transmission (though state or other law could apply).
  3. Responding to All Other Requests. As the industry adjusts to the revised requirements for third-party directives, covered entities and business associates may still receive third-party directives for copies of paper records. If a patient directs a covered entity to send paper records directly to a third party, the covered entity should inform the individual of the need to receive a valid authorization or comply with an applicable exception under HIPAA (e.g., providing records to another health care provider for treatment) before releasing the records. Similarly, for all requests that originate from a third party (i.e., not at the patient’s direction), the covered entity also must receive a valid authorization or comply with an applicable exception under HIPAA before releasing the records.

Additional Observations

  1. Right of Access Initiative and Enforcement Actions. Via a September 9, 2019 press release, OCR quietly announced its “HIPAA Right of Access Initiative” concurrently with its first Resolution Agreement under the new initiative, an $85,000 settlement and corrective action plan with Bayfront Health St. Petersburg. (For further discussion, see our previous article here). On December 11, 2019, OCR followed with another $85,000 settlement and corrective action plan under this initiative with Korunda Medical, LLC. In its press releases, OCR promised to “vigorously enforce the right of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice,” and OCR Director Roger Severino was quoted as saying, “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.” OCR again emphasized its focus on patient access rights in its January 28, 2020 announcement following the Ciox decision, saying, “The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect. OCR will continue to enforce the right of access provisions in 45 C.F.R. § 164.524 that are not restricted by the court order.” This, in combination with the HIPAA Right of Access Initiative and swift enforcement actions pursuant to it, should remind covered entities and business associates of the importance of complying with the remaining provisions related to patient access rights.
  2. Business Associate Fact Sheet and Enforcement. This case raised interesting issues of standing for a business associate to challenge HHS’s regulations and guidance, as only limited portions of such are directly applicable to business associates. The Court ultimately found standing for Ciox, a business associate, to bring the case. However, on May 24, 2019, HHS issued a Business Associate Fact Sheet (which, based on the Court’s commentary in the opinion, now seems to have been largely a strategic move by HHS to undermine Ciox’s standing argument). The fact sheet compiles all provisions through which a business associate may be held directly liable under the HIPAA Rules. OCR emphasized that it “has authority to take enforcement action against business associates only for those requirements and prohibitions [on the list]” (emphasis in original). Notably, the fact sheet expressly states HHS’s position that the HHS Office for Civil Rights (“OCR,” the HIPAA enforcement body) “lacks the authority to enforce the ‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates. . . . If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.” Ciox argued the opposite, i.e., that HHS does in fact have direct authority over business associates as it relates to such fees. While the Court did not resolve the argument and found standing on other grounds, this may open the door to more aggressive enforcement against business associates by OCR.
  3. Outdated Materials and Arguments. As of January 30, 2020, HHS has not yet revised its website that includes the now-vacated guidance. In addition, the HIPAA regulations likely will require agency action to revise. Accordingly, covered entities and business associates should be cautious when consulting HHS materials on this topic unless and until the agency revises them to reflect current law. Further, covered entities and business associates should likely expect some confusion in what requirements apply to which types of requests. Savvy third parties increasingly had been utilizing the third-party directive avenue for requesting copies of records. In the wake of this opinion, they may continue to try to do so until the industry again adjusts to this new position.
  4. Future Rulemaking and Guidance. The Court declined to resolve the substantive challenge to the extension of the patient rate to third-party directives, and thus the opinion does not preclude HHS from engaging in notice and comment rulemaking on that point in the future. Although HHS cannot, without an action by Congress to change the underlying law, expand the types of records that individuals have a right to direct to third parties, HHS may, in the future, propose regulations that apply fee limits to the permitted third-party directives (i.e., electronic copies of PHI in EHRs). Similarly, we expect that HHS will revise its published guidance to the extent it is inconsistent with the Court’s ruling and HHS’s announcement of its revised position. Thus, we will continue to monitor for further developments in this area.

For questions or assistance in evaluating how the Ciox opinion applies to specific record requests, please contact Madison M. Pool.