In what is being seen as a strong rebuke to years of regulatory overreach, the United States District Court for the District of Columbia entered an order on January 23, 2020 that invalidates provisions of the 2013 Omnibus Rule to the Health Information Portability and Accessibility Act (“HIPAA”) and 2016 guidance issued by United States Department of Health and Human Services Office (“HHS”) on the fees that may be assessed to patients for copies of medical records.

In 2017, CIOX Health, a provider of release of information and disclosure management services, filed suit against HHS alleging that portions of the 2013 Omnibus Rule and related guidance “unlawfully, unreasonably, arbitrarily, and capriciously” sought to restrict the fees that can be charged by healthcare providers and their business associates for providing copies of medical records, and violated the Administrative Procedure Act (“APA”).

Background

The rules and guidance at issue in the lawsuit expanded upon the provisions in the HIPAA Privacy Rule related to the fees that can be charged to patients who request copies of their medical records for their own personal use. Under the HIPAA Privacy Rule, healthcare providers are permitted to assess a “reasonable, cost-based fee” for copying a patient’s medical records, limited to just “the labor and supply costs of copying” those records and postage for mailing those records (if mailing was requested by the patient). Under the Privacy Rule, healthcare providers are prohibited  from passing on to patients any other costs associated with processing patient requests for copies of medical records. The Privacy Rule did not explicitly address the calculation of fees that could be assessed when copies of medical records are requested by third-parties, such as a patient’s attorney in a medical malpractice claim.

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). The HITECH Act created a mechanism for what became known as a “third-party directive”.  A third-party directive is a request made by a patient to a healthcare provider for electronic copies of the patient’s medical records stored in an electronic health record system (“EHR”), copies of which are to be sent to a third-party recipient, without having to complete and sign a HIPAA-compliant authorization form. Prior to the enactment of the HITECH ACT, such a disclosure without a HIPAA-compliant authorization form would be prohibited, except in limited circumstances. In addition to creating the third-party directive, the HITECH ACT explicitly limited the fees that could be assessed to patients for fulfilling a third-party directive request to no more than the healthcare provider’s labor costs in responding to and fulfilling the request.  As the Privacy Rule had allowed for labor and supply costs, the fee structure for third-party directive requests was more limited.

Four years later, HHS promulgated the 2013 Omnibus Rule (the “Omnibus Rule”), which amended the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. The Omnibus Rule expanded the third-party directive to include patient requests for copies of medical records stored both in EHRs and on paper. The Omnibus Rule also amended the HIPAA Privacy Rule provision on the “reasonable, cost-based fee” that healthcare providers could assess to patients requesting copies of their medical records. Specifically, the Omnibus Rule stated that healthcare providers could include the labor costs associated with copying medical records electronically or in paper format in the “reasonable, cost-based fee” assessed to patients but could not include the “actual labor costs associated with the retrieval of electronic information,” nor the costs “associated with maintaining systems and recouping capital for data access, storage and infrastructure.” 78 Fed. Reg. at 5,636.

In 2016, HHS published guidance on the patient right of access under HIPAA, which included new guidance on fees assessable to patients for medical record requests. The guidance stated that the “reasonable, cost-based fee” defined by the Omnibus Rule also applies regardless of whether the request was submitted by the patient or by a third party. In addition, the guidance stated the “reasonable, cost-based fee” can only include the labor costs incurred after the requested information has been compiled and is ready to be copied. This meant that the labor costs associated with searching for and retrieving the requested paper medical records could not be included in the “reasonable, cost-based fee.” The guidance went on to state that the “reasonable, cost-based fee” could be determined on a per-request basis or using a fee schedule based on average allowable labor costs, or healthcare providers could simply charge a flat-fee of $6.50 (including labor, postage, and supplies).

Shortly after its publication, HHS began investigating covered entities and their business associates for alleged violations of the 2016 guidance.

Impact of Omnibus Rule and 2016 HHS Guidance on Fees for Copies of Medical Records

As detailed in CIOX Health’s complaint, the Omnibus Rule and the 2016 HHS Guidance created tremendous financial burdens on healthcare providers. Prior to the enactment of the Omnibus Rule and 2016 HHS Guidance, third parties not involved in patient care, such as personal injury attorneys, copy services, data analytics companies, and life insurance companies paid fees for copies of medical records as promulgated by applicable state law. Providing third parties with copies of medical records at the state-established regulatory rates gave healthcare providers the ability to recoup their production costs, and in turn provide copies of medical records to patients at well below cost. The application of the “reasonable, cost-based fees” to almost all requests for copies of medical records shifted millions of dollars per year for the past 4 years onto healthcare providers. The 2016 HHS Guidance also decreased the use of HIPAA-compliant authorization forms for requesting copies of medical records, which disadvantaged patients, as the requests that they signed did not provide them with information regarding their rights under HIPAA that authorization forms do.

The Court’s Decision and Its Significance

The United States District Court for the District of Columbia found that the Omnibus Rule’s expansion of the third-party directives to electronic and paper records, to be arbitrary and capricious. In addition, the court held that HHS’s 2016 Guidance that applying the “reasonable, cost-based” fee to third-party directives violated the APA. The court did not, however, invalidate the 2016 HHS Guidance on what labor costs can be recovered under the “reasonable, cost-based fee.”

The decision also closes the loop hole that third parties not involved in patient care were able to exploit to obtain copies of medical records without valid HIPAA authorizations for fees that were only intended to be assessed to patients requesting copies of their own medical records. The court’s decision is being interpreted as a cautionary tale for other government agencies that seek to bypass the administrative rulemaking process. In addition, the decision will effectively stop HHS from investigating alleged violations of the 2016 HHS Guidance.