January 29, 2020 Publications
The DC Federal District Court issued an opinion in Ciox Health, LLC v. Azar, et al., Case No. 18-CV-00040 (D.D.C. January 23, 2020) that reverses portions of guidance issued by the Office for Civil Rights (“OCR”) in 2016 related to the fees that a healthcare provider may charge for medical records that are requested by a patient and directed to a third party. The original HIPAA Privacy Rule included provisions that a “covered entity” (1) must provide patients the right to access his or her protected health information (“PHI”) within a designated record set and (2) could only charge a reasonable cost-based fee for such access. In 2009, the HITECH Act amended HIPAA to provide that a patient could request that the patient’s access to PHI maintained in an electronic health record (“EHR”) be directed to a third party. In 2013, the Omnibus Rule further broadened the third party directive and allowed patients to make this third party directive for access to PHI contained in any format. Lastly, in 2016, OCR issued guidance that applied the fee limitation from the original HIPAA Privacy Rule to situations in which the patient directs the PHI to a third party.
Following the OCR Guidance, healthcare providers received a significant increase in medical record requests from attorneys, insurance companies, and other third parties framed as requests for patient access directed to a third party. The requesters frequently took the position that these requests were subject to the fee limitations and many filed complaints with OCR if the provider charged more than the cost-based fees. As a result, healthcare providers and their copy services who followed the OCR guidance received significantly reduced payments for providing these records, leading to this case.
In its opinion, the Court held:
- The fee limitations under HIPAA for provision of access to PHI in a designated record set continues to apply to requests for access by the patient and provided to the patient.
- The fee limitation does not apply to a patient’s directive of access to a third party.
- Patients may request access to PHI contained in an electronic format be directed to third parties, but this third party directive does not apply to patient records maintained in other formats.
Healthcare providers and other covered entities who implemented policies and procedures that incorporate the 2016 OCR guidance should revisit those policies to realign the provision of patient directives for access by third parties and the associated fees with the court’s findings.