On January 23, 2020, the Federal District Court of the District of Columbia issued a decision in Ciox Health, LLC v. Azar, et al., which has implications for the type of protected health information that must be transmitted to third parties and the fees that can be charged for the transmission.

Ciox Health, LLC, a national medical records provider, filed a lawsuit against the Department of Health and Human Services (HHS) in January 2018 concerning various legal restrictions and conditions placed on the transmission of protected health information (PHI) to third parties.  Most significantly, the case concerns what a company like Ciox can charge for responding to a patient’s request to send PHI to a third party.

To ensure that patients have ready access to their medical records, HHS adopted rules limiting what companies can charge for delivering PHI. These restrictions are known as the “Patient Rate.” For years, it has been understood that the Patient Rate limitations only applied to a patient’s request to access their own PHI, and not to a patient’s request to send PHI to third parties such as insurance companies and law firms. However, that understanding changed in 2016 when HHS published guidance stating that the Patient Rate applies even to requests to send PHI to third parties. According to Ciox, this change caused Ciox and other medical records companies to lose millions of dollars in revenue.

In its lawsuit, Ciox challenged the 2016 guidance and its expansion of the Patient Rate to non-patients as violative of the procedural and substantive protections of the Administrative Procedure Act. Ciox also challenged a regulation adopted in 2013, which requires medical records companies to send PHI to third parties regardless of the format in which the PHI is contained, and in the format specified by the patient. Ciox argued that Congress only required that certain types of electronic health records be delivered to third parties, not all records regardless of their format, as the 2013 rule requires.

On January 23, 2020, the District Court for the District of Columbia issued an opinion[1] holding that “HHS’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress” and that “HHS’s broadening of the Patient Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA.”

Accordingly, the District Court declared unlawful and vacated the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format.

Following the Ciox decision, HHS released a notice[2] stating that the federal court had vacated the third party directive to the extent that it requires the transmission of PHI to third parties in any format, and explained that the Patient Rate will only apply to an individual’s request for access to their own records—not to an individual’s request to transmit records to a third party. The notice further states that “OCR will continue to enforce the right of access provisions in 45 C.F.R. § 164.524 that are not restricted by the court order.”

Although the decision provides some relief to companies like Ciox, it is important to remember that covered entities and business associates must still comply with state laws which may provide individuals and third parties with more rights to access PHI.

It should also be noted that OCR has recently increased its efforts to enforce the Right of Access Rule and launched an initiative early last year to ensure that individuals receive their records in a timely manner and without being overcharged. OCR has already fined two covered entities – a hospital and a primary care and interventional pain management services provider – $85,000 each under this initiative.

The Ciox decision and OCR’s Right of Access Initiative are important for healthcare providers who process patients’ requests for medical records, as well as those who outsource that function to business associates.

Tips for healthcare providers and business associates post-Ciox decision

  • Providers and business associates must train staff to properly identify and timely respond to patient access requests. In light of the Ciox decision, staff should be trained to differentiate between patient requests to access their own records and patient requests to transmit their records to third parties. Policies and procedures should be revised to clarify this distinction along with the corresponding HIPAA and state obligations in responding to these requests.
  • Providers and business associates must also remember that the limitation on fees still applies to patient requests to access their own records. Under HIPAA, an individual who has requested a copy of their records may not be charged more than a reasonable, cost-based fee that is limited to certain labor, supply, and postage costs.
  • Providers who contract with business associates for Health Information Management services must also ensure that the business associates are in alignment with and trained to adhere to the providers’ policies and procedures. The underlying services agreement may address potential liability and/or indemnification in the event the business associate fails to comply with its contractual or HIPAA obligations.

Tache, Bronis, Christianson and Descalzo, P. A.
150 S.E. 2nd Avenue, Suite 600, Miami, FL  33131

305-537-9565