On January 23, 2020, the US District Court for the District of Columbia issued a well-reasoned 55-page decision concluding that, among other things, it was improper for the Department of Health and Human Services (HHS) to pronounce in guidance that only limited fees could be charged for sending medical records to third parties at the patient’s direction. The plaintiff in the lawsuit, Ciox Health, LLC, a company that manages medical records requests for many covered entities, alleged that it lost millions of dollars in fees due to HHS’s guidance.
After considering Ciox’s claims, the court held that HHS exceeded its authority in issuing guidance that stretched beyond the bounds of the applicable statutes and regulations. The court noted that if HHS wished to implement its third-party directive rule, it needed to use the notice and comment process for creating a regulation and not simply announce the rule in the form of guidance.
To fully appreciate the Ciox decision, it is important to understand the background on reasonable cost-based fees and the 2016 HHS guidance. Health Insurance Portability and Accountability Act (HIPAA) regulations direct that “if the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee . . .” 45 CFR § 164.524(b)(4). The regulation explains that a reasonable, cost-based fee may include only the cost of: (1) labor for copying the medical records requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the medical records, if agreed to by the individual. Id.
In 2016, HHS issued guidance that further clarified that the reasonable, cost-based fee may not include costs associated with reviewing the request for access, verifying the request, searching for and retrieving the medical records, storage costs, or other costs not specifically listed in the regulation. Additionally, HHS provided acceptable methods for calculating and documenting a reasonable, cost-based fee and created a special flat-fee option for electronic copies. For an electronic copy, a covered entity or business associate may charge a flat-fee of $6.50 instead of calculating a reasonable, cost-based fee. The court in Ciox found that HHS’s guidance on reasonable, cost-based fees was consistent with the regulatory language.
In addition to clarifying the contours of the reasonable, cost-based fee rule, HHS’s 2016 guidance also provided clear direction on when that limited fee must be used. HHS declared that the reasonable, cost-based fee “applies regardless of whether the individual has requested that the copy of the medical records be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).” The court in Ciox found that this declaration “cannot be sourced to either the HITECH Act or the 2013 Omnibus Rule” and that “[n]either the legislation nor the regulations makes the [reasonable, cost-based fee] applicable to third-party directives.” As a result, the third-party directive portion of the 2016 guidance is no longer effective.
The practical implication of this decision is that, for a request to send records to third parties even when the patient initiates the request, covered entities and their business associates do not need to charge only the more limited “reasonable, cost-based” fee. Instead, when handling a directive to send records to a third party, covered entities and business associates may return to the practice of charging a fee that complies with state law (most states have a per page maximum fee for health records) or, if there is no such state law, a fee that the covered entity or business associate deems appropriate for the service.
From a legal perspective, the Ciox decision is important for a few reasons. First, HHS has stepped up its enforcement of right of access claims over the past year and this decision will curtail any such enforcement based on HHS’s third-party directive rule in its 2016 guidance. Second, the decision highlights the fact that federal agencies’ rulemaking authority and ability to interpret their regulations are not limitless. Finally, the Ciox decision reminds us all of the importance of challenging agency action when that action exceeds the scope of the agency’s authority.
In addition to the third-party directive claim, Ciox also alleged that: (1) HHS’s 2013 omnibus rule compelling delivery of records to third parties regardless of the records’ format exceeded statutory limits; and (2) HHS’s 2016 guidance on the reasonable, cost-based fee amounted to a rule that required notice and comment. The court found that HHS’s 2013 rule improperly exceeded limitations set by Congress in the HITECH Act, which limits the right to direct the transmission to information in an electronic health record and not in any format as the regulation requires. As for the reasonable, cost-based fee guidance, as noted above, the court held that such guidance was not improper.
Notably, the court devoted much of its opinion to a discussion of Ciox’s ability to pursue its claims as a business associate and not a regulated covered entity. Prior to reaching a decision on all three claims and after a detailed Article III standing analysis, the court found that Ciox in fact had standing to pursue its claims.