Following a ruling in a federal court that went against the U.S. Department of Health and Human Services, the cap on fees that can be charged by HIPAA-covered entities and business associates for providing copies of medical records and other health data to third parties such as lawyers and health insurance companies has been removed.
The HIPAA Privacy Rule placed a cap on the fees that can be charged by HIPAA covered entities for providing patients with a copy of their medical records. In 2013, the HIPAA Omnibus Rule took effect which modified the HIPAA Privacy Rule and expanded this requirement to cover copies of records sent to third parties, known as the third-party directive. This was confirmed in 2016 guidance issued by the HHS’ Office for Civil Rights (OCR). OCR explained that when an individual directs a covered entity to send PHI to a third party, the feel limitation or Patient Rate applies. The 2013 rule also compelled covered entities and business associates to send PHI to third parties regardless of the record format.
CIOX Health, a medical record provider, took legal action in 2018 against the HHS challenging the changes. CIOX Health processes millions of requests for access to patient records every year. Those requests include access by healthcare providers for treatment purposes, requests from patients for copies of their own records for their own use, and requests to send medical records to third parties. The expansion of the Patient Rate to third party requests caused CIOX and other medical records companies to lose millions in revenue each year.
On January 23, 2019, U.S. District Court Judge Amit Mehta issued a Memorandum Opinion in which the 2013 provisions were vacated and the expansion of the Patient Rate to cover PHI sent to third parties was determined to be unlawful.
“The court holds that: HHS’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress.” Judge Mehta also ruled that the broadening of the Patient Rate in 2016 constituted a legislative rule and OCR failed to subject the change to notice and comment. “Accordingly, the court declares unlawful and vacates the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format.”
CIOX Health also challenged the methods that can be used for calculating fees, but that claim was dismissed. Moving forward, the Patient Rate will still apply when patients are requesting copies of their medical records for their own use but not for requests to send copies of medical records to third parties.
“The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect. OCR will continue to enforce the right of access provisions that are not restricted by the court order,” explained OCR.