Whose Charge is it Anyway?: Changes to Fees for Medical Records Requests Under HIPAA

By: Anahita Anvari

Changes are underway for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Following a recent court ruling in Ciox Health, LLC v. Alex Azar, et al. (the “Ciox Case”) and a subsequent Department of Health and Human Services (HHS) notice, the Patient Rate fee limitation no longer applies when patients request the delivery of their medical records to third parties.

This post provides an overview of the past and present legal framework and discusses how HIPAA covered entities and business associates should move forward.

Overview of the Pre-Ciox Case Legal Framework

HIPAA governs the privacy and security of protected health information (“PHI”). Specifically, the Privacy Rule establishes the patient’s right to access their PHI. Pursuant to the Privacy Rule, a covered entity may only charge a “reasonable, cost-based fee” (the “Patient Rate”) for providing a copy of PHI to a patient. The Privacy Rule defines what costs the Patient Rate may include and how it may be calculated.

It is necessary to understand the Patient Rate in three circumstances:

1 – When a patient requests PHI for their own use,

2 – When a patient requests the delivery of PHI to a third party, and

3 – When a third party requests PHI at the direction of the patient.

Originally, the Privacy Rule only applied the Patient Rate to PHI requested by the patient for their own use. A 2016 Guidance by HHS changed this rule to apply the Patient Rate to any patient request to deliver PHI. Therefore, the Patient Rate also applied where the patient requested the delivery of PHI to a third party. The Patient Rate did not apply where a third party directly requested the PHI at the direction of the patient.

For example, consider a situation where a law firm needs a patient’s medical records to represent the patient in a lawsuit. The fee for the request for PHI would be limited to the Patient Rate if the patient requested the PHI for their own use or for delivery to the law firm. The Patient Rate did not apply if the law firm itself requested the PHI at the patient’s direction.

The Ciox Case and the Patient Rate Rule

The Ciox Case challenged the legality of the Patient Rate.[1] Ciox Health LLC is a medical record company (a business associate) that contracts with health care providers (covered entities) to maintain and produce PHI. Ciox sued HHS after patients complained that Ciox was overcharging for PHI in light of the Patient Rate. Ciox argued that the Patient Rate fee limitation harmed business operations and caused the loss of millions of dollars in potential revenue.

The United States District Court for the District of Columbia sided with Ciox. The Court ruled that HHS overreached its authority regarding the extension of the Patient Rate, because this was essentially a legislative act that should have gone through notice and comment. After the ruling, HHS announced the Patient Rate will apply only to patient requests for medical records for their own use. The Patient Rate will not apply when a patient requests the delivery of PHI to a third party or when a third party requests PHI at the patient’s direction.

Consider again the law firm example. Under the new rules, a covered entity or business associate may charge a fee higher than the Patient Rate if the patient requests the records for delivery to the law firm or if the law firm requests the records at the direction of the patient. The Patient Rate will apply when the patient requests the records for their own use.

The chart below summarizes the past and present state of the Patient Rate rule:

Patient Rate Under HIPAA Privacy Rule: Patient Rate only applied to PHI requested by the patient for their own use.

Patient Rate Following the 2016 Guidance: Patient Rate applied to PHI requested by the patient for their own use and for delivery to a third party. The Patient Rate did not apply to requests for PHI made directly by a third party at the direction of the patient.

Patient Rate Following the Ciox Case: Patient Rate applies only to PHI requested for a patient’s own use. The Patient Rate does not apply when patients request delivery of PHI to a third party or where a third party directly requests PHI at the direction of the patient.

Next Steps for HIPAA Covered Entities and Business Associates

Covered entities and business associates should take steps to reevaluate their compliance with HIPAA following the Ciox Case. Click here to determine if your business qualifies as a covered entity or a business associate.

To reiterate, the Patient Rate fee limitations no longer apply when a patient requests the delivery of their medical records to a third party. Therefore, you should reexamine what fee you charge for these requests. Consult with an attorney to determine whether your state law imposes any fee limitations and assess whether you need to renegotiate any existing contracts to accommodate the change.

For more information about HIPAA in general, click here.

[1] This post does not address the portions of the Ciox Case concerning Third-Party Directives, what costs may be included in the Patient Rate or the possible methods for calculating the Patient Rate.

This post was originally posted here on February 9, 2020 and has been reprinted with the author’s permission.


Anahita (Ana) Anvari, at the time of this post, is a third-year law student at Penn State’s Dickinson Law. She is from Southern California and is interested in health care and business law. Ana founded the Health Law and Policy Society and is currently serving as a Senior Editor of the Dickinson Law Review.

 

Sources

45 C.F.R. § 164.524

HIPAA: Combined Regulation Text of All Rules

Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020)

Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524

Important Notice Regarding Individuals’ Right of Access to Health Records

How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?

Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.599 et seq.)

The Health Care Entrepreneur’s Quick Guide to Important Laws: Part 2

Gov: Covered Entities

Author: Prof Prince

Professor Samantha Prince is an Associate Professor of Lawyering Skills and Entrepreneurship at Penn State Dickinson Law. She has a Master of Laws in Taxation from Georgetown University Law Center, and was a partner in a regional law firm where she handled transactional matters that ranged from an initial public offering to regular representation of a publicly-traded company. Most of her clients were small to medium sized businesses and entrepreneurs, including start-ups. An expert in entrepreneurship law, she established the Penn State Dickinson Law entrepreneurship program, is an advisor for the Entrepreneurship Law Certificate that is available to students, and is the founder and moderator of the Inside Entrepreneurship Law blog.