HIPAA Court Case: Right of Access Rule Guidance Struck Down by Court

The typical HIPAA court cases are those brought by individuals, alleging their HIPAA or state-law equivalent privacy or data security rights were violated. In these cases, the court or the jury determines who wins, applying HIPAA law to the facts. Less typically, HIPAA court cases that challenge the law itself are brought. Recently, a covered entity, Ciox Health, sued the Department of Health and Human Services (HHS) in federal court, arguing that HHS overstepped its authority when it issued guidance about medical copy fees.

What are the Facts of the HIPAA Court Case?

In 2013, Congress amended the HITECH Act. As amended, that law states that a covered entity may only charge an individual a reasonable, cost-based fee when an individual requests copies of his or her medical records in electronic form.

The regulations issued by HHS mirror this HITECH Act provision. The Privacy Rule provision at 45 C.F.R. § 164.524 provides that if an individual (a patient) requests a copy of PHI for his or her own use, a covered entity may impose a reasonable, cost-based fee for electronic records, which may include only the costs of labor, supplies, and postage, and no more.

This provision is known as the “patient rate rule.” Under the patient rate rule, patients can only be charged a reasonable, cost-based fee when the patient makes the request for records, for the patient’s own use. 

Neither HITECH nor HHS regulations address whether the patient rate applies to a request made by an individual (who provides a written authorization) to deliver the records to a third party, such as a law firm or an insurance company.

In 2016, HHS issued guidance addressing whether the “patient rate” rule applies to this situation. The 2016 guidance concluded that the patient rate should not apply to requests being made by a third party pursuant to a HIPAA authorization signed by the patient. The guidance, however, also concluded that covered entities were bound by the patient rate in cases where an individual requested access to the PHI by requesting the records be directed to a third party.

Ciox Health was one of thousands of entities that changed its fee rate in response to the guidance. Before the guidance, Ciox was charging patients a higher rate when those patients requested PHI be directed to a third party, as opposed to when they requested it for their own use. When the guidance was issued, Ciox began following it, applying the patient rate for individual requests to direct PHI to a third party. Ciox soon realized that it was losing millions of dollars by applying the patient rate instead of the higher rate it charged before the guidance.

Ciox therefore decided to sue HHS in federal court. Ciox’s argument was that the new guidance amounted to a change in the regulations, and that, since an agency must provide the public with notice of a change in the regulations and an opportunity to comment before the changes are made, the “new” regulation requiring the lower rate was null and void.  

What Was the Outcome of the HIPAA Court Case?

The court agreed with Ciox. The court held that expanding the patient rate to situations where an individual directed that PHI be sent to a third party amounted to a change in the law. The court stated that a new law is created whenever an agency goes beyond “clarifying” existing law, or when an agency creates a new burden on an entity it regulates. The court found that the guidance didn’t interpret the law; it instead actually modified it. The court also found that the guidance created a new burden on covered entities by requiring them to charge lower fees in response to patients directing covered entities to send PHI to third parties.

The court found that since HHS had changed the regulation, the change could be valid only if HHS first gave the public notice of its intent to change the rules and an opportunity to comment on the change. Since HHS failed to provide notice and an opportunity to comment, the court declared the guidance invalid.

What Has HHS Done in Response to the HIPAA Court Case Ruling?

HHS has announced that it will comply with the court’s decision in the HIPAA court case. As OCR explained in its recent Notice, as a result of the Court’s ruling, the patient rate rule fee limitation will apply only to an individual’s request for access to their own records, and will not apply to an individual’s request to transmit records to a third party. OCR cautioned, however, that the right of individuals to access their own records for their own use is unchanged by the court decision, and that the patient rate rule will still apply to such requests.