Fee Limitations on Requests to Send Patient Records to Third Parties Lifted

Following a ruling in a federal court that went against the U.S. Department of Health and Human Services, the cap on fees that can be charged by HIPAA-covered entities and business associates for providing copies of medical records and other health data to third parties such as lawyers and health insurance companies has been removed.

The HIPAA Privacy Rule placed a cap on the fees that can be charged by HIPAA-covered entities for providing patients with a copy of their medical records. In 2013, the HIPAA Omnibus Rule took effect, which modified the HIPAA Privacy Rule and expanded this requirement to cover copies of records sent to third parties, known as the third-party directive. This was confirmed in 2016 guidance issued by the HHS’ Office for Civil Rights (OCR). OCR explained that when an individual directs a covered entity to send PHI to a third party, the fee limitation or Patient Rate applies. The 2013 rule also compelled covered entities and business associates to send PHI to third parties regardless of the record format.

CIOX Health, a medical record provider, took legal action in 2018 against the HHS challenging the changes. CIOX Health processes millions of requests for access to patient records every year. Those requests include access by healthcare providers for treatment purposes, requests from patients for copies of their own records for their own use, and requests to send medical records to third parties. The expansion of the Patient Rate to third-party requests caused CIOX and other medical records companies to lose millions in revenue each year.

On January 23, 2019, U.S. District Court Judge Amit Mehta issued a Memorandum Opinion in which the 2013 provisions were vacated and the expansion of the Patient Rate to cover PHI sent to third parties was determined to be unlawful.

“The court holds that: HHS’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress.” Judge Mehta also ruled that the broadening of the Patient Rate in 2016 constituted a legislative rule and OCR failed to subject the change to notice and comment. “Accordingly, the court declares unlawful and vacates the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format.”

CIOX Health also challenged the methods that can be used for calculating fees, but that claim was dismissed. Moving forward, the Patient Rate will still apply when patients are requesting copies of their medical records for their own use but not for requests to send copies of medical records to third parties.



“The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect. OCR will continue to enforce the right of access provisions that are not restricted by the court order,” explained OCR.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/