By Jeffrey H. Brochin, J.D.
Rule compelling delivery of PHI to third parties regardless of the records’ format was arbitrary and capricious, and, the broadening of the Patient Rate was subject to notice and comment under the APA.
A federal district court in the District of Columbia has ruled that HHS’s 2013 rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format was arbitrary and capricious because it went beyond the statutory requirements set by Congress. Additionally, HHS’s broadening of the Patient Rate in 2016 was a legislative rule that the agency failed to subject to notice and comment in violation of the APA. However, as to their 2016 explanation concerning what labor costs could be recovered under the Patient Rate, that was an interpretative rule that HHS was not required to subject to notice and comment (Ciox Health, LLC v. Azar, January 27, 2020, Mehta, A.).
History of HIPAA and the Privacy Rule. In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to encourage the development of a health information system, and tasked HHS with providing Congress recommendations on standards with respect to PHI, including individuals’ rights to their PHI, the procedures for exercising such rights, and the authorized uses and disclosure of PHI. HHS timely made the required privacy recommendations to Congress, but Congress failed to enact legislation, thereby triggering HHS’s rulemaking authority under HIPAA. In 2000, HHS issued a final rule, known as the Privacy Rule.
The Privacy Rule covered both "covered entities" and "business associates" as defined in the rule, but for the purposes of the instant litigation, the court characterized the plaintiff, Ciox Health, LLC (Ciox) as a business associate, i.e. an entity that operates on behalf of a covered entity and creates, receives, maintains, or transmits PHI for a regulated function or activity.
Patient Rate fee for obtaining records. The Privacy Rule established an individual’s right to access PHI and the permissible fee that could be charged for such production, and when the rule was promulgated in 2000, HHS made it clear that the restricted rate was to ensure that individuals would not be deterred from seeking PHI due to its costs. For requests brought by an individual seeking her own PHI—known as a "personal use request"—the Privacy Rule permitted a covered entity to charge a reasonable, cost-based fee, which became known as the Patient Rate. The rule made an express distinction between patient-requested PHI and non-patient-requested PHI. The Patient Rate applied to the former but not the latter.
2009 HITECH Act. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in response to the growth of digital-record formats and storage systems. The HITECH Act created a simplified process for requesting delivery of certain PHI to third persons by doing away with restrictions on releasing PHI stored as electronic health records (EHRs); but the Act also set a statutory cap on the fee that a covered entity could charge a patient for delivering EHRs. The HITECH Act stated that notwithstanding the Patient Rate, any fee that the covered entity might impose for providing an individual with a copy of such information, if the copy was in electronic form, the fee could not be greater than the entity’s labor costs in responding to the request for the copy.
2016 Guidance changes. For years, the medical records industry understood that the limitations imposed by the Patient Rate applied only to requests for PHI made by the patient for use by the patient. For other types of requests, such as those made by commercial entities, like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the Patient Rate. That understanding changed, however, in 2016, when HHS issued a guidance document, which stated that the Patient Rate applied even to requests to deliver PHI to third parties. That change, according to Ciox, caused them and other medical records companies to lose millions of dollars in revenue, and Ciox challenged the 2016 expansion of the Patient Rate as violative of the procedural and substantive protections of the Administrative Procedure Act (APA). Ciox also challenged the three methods of calculating the Patient Rate. HHS moved to dismiss the case, and both parties filed motions for summary judgment.
The court’s rulings. Although the court found that HHS’s three methods for calculating the Patient Rate was not a reviewable final agency action, and dismissed that claim, the court further held that: (1) HHS’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format was arbitrary and capricious insofar as it went beyond the statutory requirements set by Congress; (2) HHS’s broadening of the Patient Rate in 2016 was a legislative rule that the agency failed to subject to notice and comment in violation of the APA; and; (3) HHS’s 2016 explanation concerning what labor costs could be recovered under the Patient Rate was an interpretative rule that HHS was not required to subject to notice and comment. Accordingly, the court declared unlawful and vacated the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format.
The case is No. 1:18-cv-00040-APM.
Attorneys: Jay Philip Lefkowitz (Kirkland & Ellis LLP) for Ciox Health, LLC. Vinita B. Andrapalliyal, U.S. Department of Justice, for United States Department of Health and Human Services and Alex M. Azar, II.
Companies: Ciox Health, LLC; United States Department of Health and Human Services
MainStory: TopStory CaseDecisions CMSNews EHRNews HITNews HIPAANews ProgramIntegrityNews DistrictofColumbiaNews
Interested in submitting an article?
Submit your information to us today!Learn More
Health Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on health legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.