Judge Rules Against HHS Over HIPAA Right of Access Third-Party Fees

Ciox Health sued HHS in 2018 to stop what it called “irrational” enforcement of the HIPAA Right of Access rule around third parties; a federal judge ruled HHS overstepped on fee limitations.

By Jessica Davis

Washington, DC US District Court Judge Amit Mehta dealt a blow to the Department of Health and Human Services over its 2013 HIPAA Right of Access rule around third-party requests for patient records, finding that some sections of the rule are impermissible under the Administrative Procedure Act (APA).

HHS enacted regulatory changes to HIPAA in 2013 and 2016 that broadened the type of information that must be transmitted upon request, but limited the fees that could be charged. Specifically, the 2016 changes limited charges to a reasonable fee, or a flat fee of about $6.50.

Georgia-based Ciox Health filed suit against HHS in January 2018 to stop HHS enforcement of the HIPAA Right of Access Rule based on the 2016 changes, arguing that HHS admitted it pushed past the HITECH Act regulations to do so and calling those updates “irrational, arbitrary, capricious and absurd.”

“A $6.50 flat fee that was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests,” Ciox claimed.

On Tuesday evening, the court ruled that it would only partially dismiss the case and denied HHS’ other request to dismiss.

“The court holds that: HHS’s 2013 rule compelling delivery of patient health information to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress,” according to the ruling.

“HHS’s broadening of the Patient Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA,” it continued. “HHS’s 2016 explanation concerning what labor costs can be recovered under the Patient Rate is an interpretative rule that HHS was not required to subject to notice and comment.”

As a result, the court ruled that those portions of the rules are unlawful and vacated the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format.

The court also ruled that HHS’ three methods for calculating the patient rate were not a reviewable final agency action, and that challenge was dismissed.

The issue, according to the ruling, was that under HHS regulations a “business associate can provide health records services to a covered entity only pursuant to a formal contract… Ciox’s contracts require the company to produce PHI for covered entities” in accordance with HIPAA.

Before HIPAA, companies did so through patient authorizations to allow the release of PHI to third parties. Ciox and other third-party vendors understood that the HIPAA patient rate did not apply to those vendors and instead charged state-authorized or independently contracted rates, which often exceeded the limits of HHS’ rule changes by several hundred dollars for each request.

As a result, HHS’ rule changes were costing Ciox “well over $10 million per year,” according to the ruling.

“Although interesting, the parties’ debate is not one the court need resolve,” Judge Mehta wrote. “That is because, even if HHS cannot directly regulate business associates, Ciox’s financial injury is still traceable to agency action through the effect those actions have had on Ciox’s contracting partners, the covered entities.”

“Here, the regulatory scheme governing the medical records management industry, when combined with the evidence presented by Ciox, leaves ‘little doubt as to causation and the likelihood of redress,’” he continued. “HHS’s regulations all but ensure that business associates will limit the fees they charge in a manner consistent with HHS’s interpretation of the Patient Rate.”

Following the ruling, HHS released a notice stating that the federal court had vacated the third-party directive and explaining that, moving forward, the fee limitation will apply only to an individual’s request for access to their own records. It will not apply to an individual’s request to transmit records to a third party.

The Office for Civil Rights has ramped up its enforcement of the Right of Access rule over the past year, handing down two settlements and corrective action plans in 2019. OCR is attempting to enforce a patient’s right to prompt access to their records, given that Ciitizen found that more than half of providers fail to comply with the rule.