Late Breaking: On Heels Of Major Court Defeat, Ocr Issues Notice Regarding Individuals’ Right Of Access To Health Records
Late evening on January 28, 2020, the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) issued an Important Notice Regarding Individuals’ Right of Access to Health Records (“Notice”). The Notice came just five days after a federal court issued a crushing blow to HHS in a seminal case regarding a patient’s right to direct records to a third party (referred to as the “third-party directive”) and the fees that may be charged to such third parties. Ciox Health, LLC v. Azar, et al., NO. 18-cv-0040 (D.D.C. January 23, 2020).
Ciox sued HHS after several of its customers received technical assistance letters from OCR indicating that it might be in violation of HIPAA based on the fees that were being charged to third parties for record requests and the initiation of an OCR investigation of Ciox directly for that same practice.
The lawsuit centered around three main issues: (1) whether the provision of the Omnibus Rule that applied the third-party directive to any type of record, not just the electronic records in an electronic health record, exceeded HHS’s statutory authority; (2) whether HHS’s policy as expressed in Guidance released in 2016 regarding the fees that may be charged under the third-party directive violated the Administrative Procedures Act in that it was essentially new law that did not go through proper rulemaking; and (3) whether HHS’s policy regarding what can be recovered as labor costs was rulemaking subject to notice and comment.
In a 55 page opinion, the court sided heavily with Ciox on the first two elements and readily dismissed the arguments of HHS. HHS prevailed on the third element. The litigation lasted over two years and took many unique twists and turns on some complicated procedural issues, such as whether Ciox, as a business associate (now doing business as MRO), had standing to challenge the provisions of the Omnibus Rule at issue. The Court found they did.
What does this all mean?
Third-Party Directive. Under the HITECH Act, individuals are allowed to obtain an electronic copy of information maintained in an electronic health record and direct the covered entity to transmit such copy to a third party designated by the individual. In the Omnibus Rule, HHS had extended this right to all electronic records and paper records. After the Ciox decision and the Notice from OCR, this right to direct records to third parties now applies onlyto an electronic copy of information maintained in an electronic health record.
While this sounds like a victory, and in many ways it is, covered entities must be prepared for the new wave of requests. “Electronic health record” is defined in the HITECH Act as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” Practically speaking, and more importantly, from an OCR enforcement perspective, what does that mean? This definition has not been incorporated into any final rules, nor has there been guidance about how that term will be interpreted.
In the 2011 Proposed Rule implementing HITECH’s requirement to account for all disclosures through an “electronic health record,” HHS proposed to expand the accounting requirement to disclosures of any electronic record in a designated record set. No help there. In footnotes, the court distinguished EHRs from records that merely exist in electronic form. Citing documents filed by the Ciox parties, the court notes, “[e]lectronic record systems include many ‘legacy systems’ that existed prior to EHRs and are ‘incapable of producing reports in easily readable formats that can be transmitted electronically.’”
While the Court appears to be adopting the current working understanding of an electronic health record used by health care providers to treat the patient, an understanding of how OCR will interpret this is still to come. The distinction will be important because individuals who direct a covered entity to transmit a copy of an electronic record from an EHR to a third party cannot be asked to complete an authorization.
Patient Rate Fee Limitations. The court found that the 2016 Guidance that detailed what fees could be charged to third parties for records directed by individuals to third parties was essentially a “rule” that had not previously existed. The court concluded that prior to the 2016 Guidance, the limitations on what fees could be charged to patients applied only to records given to a patient for their own use.
While we believe the status of this patient rate was not as clear as the court describes particularly with respect to the “patient’s own use” portion, the court concluded that HHS’s position that covered entities could not charge more than the patient rate for records provided to a third party at the direction of the individual constituted a rule and should have been subject to notice and comment.
Is the door closed for HHS on this issue? No. The industry has been expecting the publication of rules that are anticipated to revise other portions of HIPAA and this fee limitation issue could certainly make its way into that rule. It would be limited by the scope of records that are subject to the third party directive, but it could be re-introduced in a proposed rule nonetheless.
Ciox noted in its briefing to the court that requests for records under the third party directive increased “by nearly 700 percent” following the 2016 Guidance. It attributes this increase to for-profit entities, such as insurance companies, and law firms identifying a way to use the third party directive to avoid paying above the patient rate. Ciox reports this has cost the company more than $35 million in responding in 2017 and 2018.
While the court’s decision is a big victory for Ciox and other health care providers responding to high volume record requests, we suspect the issue is not entirely over. We anticipate alternative types of requests will emerge for individuals to obtain copies of their electronic health record in an electronic form that is easily transmitted by the individual to third parties, and we suspect OCR will clarify in rulemaking that an individual obtaining their records directly from the covered entity (or its business associate) even for the purpose of subsequently giving them to insurance companies or law firms still requires the patient rate. For now, the patient rate applies only to records provided directly to patients and not to third parties.
 OCR never finalized this 2011 Proposed Rule later discussed the withdrawal of the Proposed Rule in its Request for Information published in late 2018.