February 18, 2020

February 17, 2020


HHS Addresses Federal Court Invalidation of Certain Provisions of the HIPAA Rule Relating to Third-Party Requests for Patient Records

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on the fees that can be charged to third parties for copies of PHI.

As originally promulgated, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, limit the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes, or attorneys and other third parties. For some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which entitled patients to direct the covered entity to send their PHI contained in an electronic health record to a third party “in an electronic format”[4] without the need for a valid authorization (the “third-party directive”).[5] HITECH also implemented a limitation on the fees that can be charged to patients, but not third parties, for the delivery of these requested records.[6]

Ciox Health’s challenge centered on later regulatory changes to HIPAA stemming from the 2013 Omnibus Rule and a 2016 guidance document issued by OCR (the “2016 Guidance”).

The 2013 Omnibus Rule expanded HITECH’s third-party directive beyond PHI contained in an electronic health record to cover PHI maintained in any format, and mandated that covered entities send the PHI in the format requested by the individual. Ciox Health challenged this change as a violation of the Administrative Procedure Act (“APA”) because it conflicts with the plain language of HITECH. The court agreed.

Ciox Health also brought an APA challenge against the 2016 Guidance. Although the Privacy Rule limits only the fees charged to an “individual” for a copy of their PHI,[7] the 2016 Guidance stated that the Patient Rate must also be charged to third parties. The APA requires that agency rules that would change the law or impose new obligations undergo a notice and comment period. HHS adopted the 2016 Guidance without notice and comment. The court found that applying the Patient Rate to third parties represented a change in the law, and that without notice and comment HHS had no authority to adopt the 2016 Guidance.[8]

This case is significant because, as Ciox Health noted in its arguments, the changes made by the 2013 Omnibus Rule and the 2016 Guidance were a glaring departure from the industry’s previous understanding of the law.[9] Prior to the court’s decision (and OCR’s change in policy), covered entities and the business associates acting on their behalf faced an increased burden: they had to collect patient PHI in any and all formats and transmit copies, in the requested format, to third parties for a limited fee, instead of the state-authorized or independently contracted rates that were charged before the 2016 Guidance.[10] The resulting financial losses were only exacerbated by a significant increase in third-party directive requests, as entities realized that the higher fees could be avoided through the use of third-party directives.[11]


[1] No. 18-cv-00040 (D.D.C. 2020).

[2] The Defendants maintained that the requirements at issue in this case are applicable to covered entities only, and that they have no enforcement activity with respect to business associates. Id.

[3] 45 C.F.R. § 164.524(c)(4).

[4] 42 U.S.C. § 17935(e)(1).

[5] 42 U.S.C. § 17935(e)(1).

[6] 42 U.S.C. § 17935(e)(3).

[7] 45 C.F.R. § 164.524(c)(4).

[8] However, the court ruled in favor of HHS with regard to Ciox Health’s challenge to the three methodologies for Patient Rate calculation included in the 2016 Guidance, on the basis that the relevant language did not impose a requirement on covered entities to adopt one of the methodologies. Ciox Health, LLC v. Azar, No. 18-cv-00040 (D.D.C. 2020).

[9] Id.

[10] Id.

[11] Id.

©2020 Epstein Becker & Green, P.C. All rights reserved.

About the Authors

Patricia M. Wagner
Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm’s Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

202-861-4182
Matthew H. Berger
Associate

MATTHEW H. BERGER* is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. A Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals, Mr. Berger has extensive experience in international data transfer standards and protocols, supply chain data vulnerabilities, and data breach management due to his work as a privacy professional supporting the U.S. Department of Energy’s Privacy Program and other federal agencies’ privacy programs and as a data privacy and security attorney.

Mr. Berger’s experience includes:

  • Counseling health care companies, private equity firms, hedge funds, and other private-sector and public-sector entities on matters involving cybersecurity, data privacy, data center consolidation, privacy compliance, high-capacity computing, and breach responses/wargames

  • Working with corporate or department leadership to build cross-vertical collaboration in cybersecurity matters

  • Providing advice to government contractors and to businesses with international clientele or Internet-based advertising or services on issues pertaining to U.S. federal privacy and transnational border data transfer protocols, the Health Insurance Portability and Accountability Act (HIPAA), and the new Office for Civil Rights “Audit Protocol”

  • Advising clients on compliance with HIPAA Privacy and Security Rules, and other relevant privacy laws, rules, and regulations regarding protected health information, during mergers, acquisitions, and divestitures

  • Drafting and reviewing vendor and data processor agreements for compliance with international data transfer standards, including General Data Protection Regulation (GDPR) model clauses, binding corporate rules (BCRs), and APEC Cross-Border Privacy Rules (CBPRs)

  • Counseling clients on emerging European Union data privacy issues, including “the right to be forgotten” and GDPR

Before joining Epstein Becker Green, Mr. Berger worked at several technology companies, where he was assigned to serve as the Team Lead and Highest-Level Privacy Advisor to the U.S. Department of Energy’s Chief Privacy Officer, as the Lead Data Privacy Incident Associate to the Federal Deposit Insurance Corporation’s Chief Information Officer Office, and as a Privacy Advisor to the National Nuclear Security Administration. Earlier in his career, he was a data privacy and security attorney at a national law firm.

*Admitted in Virginia; not admitted in the District of Columbia.

202-861-1829
Audrey Davis
Law Clerk

Audrey Davis* is a Law Clerk – Admission Pending – in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. She will be focusing her practice on food and drug law, fraud and abuse, health care compliance, and managed care issues. 

Ms. Davis received her Juris Doctor, cum laude, from Temple University, Beasley School of Law, where she served as a Staff Editor of the Temple Law Review and on the executive board of the school’s Health Law Society. During law school, she also interned with...

202-861-1830