Federal court says HHS can't limit fees for 3rd-party access to patient records

cybersecurity
Despite a recent court ruling, the issue of what fees can be charged for delivering patient records has not been put to rest, healthcare lawyers say. (turk_stock_photographer/Getty Images)

Providers and companies will no longer be limited to the fees they are allowed to charge when a patient requests to send their health data to a third party after HHS changed its policy last week.

HHS eliminated the cap on third-party fees for access to patient records following a federal judge's ruling.

U.S. District Court Judge Amit Mehta issued a Memorandum Opinion (PDF) on January 23 that vacates specific provisions in a 2013 rule which modified the Health Insurance Portability and Accessibility Act (HIPAA).

Matthew Fisher, chair of Health Law Group and partner for Mirick O’Connell, told FierceHealthcare the court's ruling could result in fees being indirectly imposed on patients again. 

"While the ruling states that the limitation on fees is only applicable to direct patient requests, when some entities request on behalf of the patient, then the fees will necessarily be charged back," he said.

HHS adopted the 2013 rule to rein in what companies can charge for delivering protected health information (PHI)—restrictions known as the Patient Rate.

RELATED: OCR settles 2nd HIPAA right of access case with Florida primary care practice

HHS then issued guidance in 2016 stating that the Patient Rate applies “when an individual directs a covered entity to send the PHI to a third party" and limited charges to a reasonable fee, or a flat fee of about $6.50.

Prior to that 2016 guidance, the allowable fee electronic health records (EHR) vendors could charge for delivering PHI to a third party like a law firm or insurance company was not restricted by the Patient Rate. 

The change caused Ciox and other medical records companies to lose millions of dollars in revenue, according to the ruling. 

In his decision, Mehta partially dismissed Ciox Health's case but denied HHS' other requests to dismiss.

"The court holds that: HHS’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress," according to the ruling.

Mehta also ruled that HHS’s broadening of the Patient Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment and that the agency's.

"Accordingly, the court declares unlawful and vacates the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format," the ruling said.

Upon the ruling, HHS' Office for Civil Rights issued a notice on January 28 announcing that a federal court vacated the “third-party directive” within the individual right of access.

Moving forward, the fee limitation will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party, OCR said in the notice.

RELATED: HHS Office for Civil Rights unveils new guidance on patient rights to data under HIPAA

"The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect. OCR will continue to enforce the right of access provisions that are not restricted by the court order," the agency said.

The background

Georgia-based Ciox Health filed a lawsuit against HHS in January 2018 to stop HHS enforcement of the HIPAA Right of Access Rule based on the 2016 changes. The case concerned what a company like Ciox can charge for searching for, retrieving, and delivering PHI.

Ciox Health challenged the 2016 expansion of the Patient Rate as violative of the procedural and substantive protections of the Administrative Procedure Act (ACA).

The ruling doesn't necessarily mean that all guardrails have come off in terms of the fee that can be charged, Fisher said. Many states have laws that set maximum fees that can be charged, for example.

"While those fees may be more than what HHS set as the maximum, it still means that there are limits even if those limits will be different across the states," he said.

The fee issue hasn't been put to rest, Fisher said, and how HHS and OCR respond will be an interesting development to watch.

"While the court found that some of the fee limitations arguably went beyond the scope of HIPAA and/or HITECH, what if a full regulatory process is followed instead of just guidance?  Also, there could be some impact from new regulations coming under the 21st Century Cures Act and other sources that end up impacting the fee issue too," he said.

Suggested Articles

Silicon Valley giants are building software and technology tools to serve as trusted healthcare resources in the ongoing COVID-19 outbreak.

More and more hospital systems are developing their own tests to screen patients for COVID-19, but the supply needed may be running out.

An advisory group to ONC is standing up a coronavirus task force to tackle privacy and interoperability issues impeding frontline clinicians.