Laura F. Fryan (lfryan@brouse.com) is a Partner and Nicole Thorn (nthorn@brouse.com) is an attorney in the Akron, Ohio, office of Brouse McDowell.
In January 2020, the United States District Court for the District of Columbia handed down a ruling that completely changed the way healthcare providers could charge for medical records in certain instances, overruling longstanding guidance from the U.S. Department of Health & Human Services (HHS). Shortly afterward, the pandemic rocked the United States, and the impact of Ciox Health, LLC, v. Alex Azar[1] garnered very little attention. In reality, Ciox makes a substantial difference for healthcare providers and third-party record fulfillment vendors. It also highlights the nuances of state law in making decisions regarding how much to charge for medical record requests.
Ciox Health LLC is a national medical records provider that maintains, retrieves, and produces individuals’ protected health information (PHI). In March 2017, HHS notified CHI Health St. Francis of a patient complaint alleging that Ciox had charged an excessive fee for forwarding her electronic medical records to a law firm. HHS warned St. Francis that, as a result of Ciox’s actions, St. Francis may have violated the Privacy Rule, but the agency took no further action. On November 16, 2018, HHS advised Ciox that it had received another complaint. HHS demanded Ciox produce records to aid in HHS’s investigation. HHS later rescinded its record request, but Ciox filed suit against HHS claiming that it did not have the authority to expand what is known as the patient rate and its scope under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Omnibus Rule, and guidance from HHS in 2016.
Background
The patient rate was instituted in 2000 when the HIPAA Privacy Rule established an individual’s right to access PHI and the permissible fee that can be charged for such production.[2] For requests brought by an individual seeking their own records, the Privacy Rule permits a covered entity to “charge a reasonable, cost-based fee” (the patient rate), which allows charging the following: (1) the cost of copying, including the costs of supplies and labor for copying the PHI; (2) postage, when the individual has requested the records or summary be mailed; and (3) any actual preparation, if any, of an explanation or summary of the PHI. Notably, the patient rate excludes other common costs generally associated with maintaining and producing PHI, such as costs of data storage data infrastructure and document retrieval.
However, when the cost of obtaining and transmitting PHI was to be borne by someone other than the patient, HHS did not limit the charge amount to the patient rate: “We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes” (emphasis added).
For years, the medical record industry and healthcare providers understood the limitations that the patient rate imposed on their businesses, as this only applied to requests for PHI made by the patient for the use by the patient. For other types of requests, such as those made by commercial entities, such as insurance agencies and law firms, the records industry understood that the allowable fee was not restricted by the patient rate. However, that changed in 2016, as described below.
In 2009, the HITECH Act[3] introduced another layer to the question of what an entity could charge for providing medical records to a patient. For PHI requested by an individual electronic form the cost could be “[no] greater than the entity’s labor costs in responding to the request for the copy.” Additionally, the HITECH Act explicitly stated that no authorization was required for a patient to direct a copy of their records to a third party. This is called the third-party directive.
Then came the Omnibus Rule in 2013.[4] This rule broadened the third-party directive created by the HITECH Act to reach requests for PHI contained in any format, and not just an electronic medical record system. It also amended that portion of the Privacy Rule that specifies the costs recoverable under the patient rate. HHS clarified, as part of the reasonable cost-based fee, the cost of labor for copying PHI, whether in electronic or paper format. Such costs “could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media, and distributing the media.” Ciox saw a modest increase in third-party directives. Ciox still continued to receive most third-party requests through third-party authorizations, and thus persisted in charging the patient rate for such requests.
As an attempt at further clarification, HHS issued a guidance document in 2016 titled “Individuals’ Right Under HIPAA to Access their Health Information 45 CFR § 164.524 .”[5] HHS declared that the patient rate would apply to the following scenarios: (1) when an individual “directs a covered entity to send the PHI to a third party” and (2) “regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual.” HHS claimed that the patient rate does not apply when “the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization.” The patient rate does however apply where the third-party forwards, on behalf of and at the direction of the individual, the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third party. This change, according to Ciox, caused Ciox and other medical record providers and healthcare providers to lose millions of dollars in revenue.
The 2016 guidance also provided direction with respect to determining the patient rate. First, it reached only those labor costs incurred after the responsive PHI “has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.” Expressly, it does not include the labor for “searching for, retrieving, and otherwise preparing the responsive information for copying.” Second, the it set forth three alternatives for calculating the reasonable, cost-based fee: “(1) by calculating actual allowable costs to fulfill each request;…(2) by using a schedule of costs based on average allowable labor costs to fulfill standard requests”; or (3) alternatively, in the case of requests for an electronic copy of records, by charging a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage). The 2016 guidance notes that “charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The Privacy Rule also permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of: “(1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.…The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by state law.”
