On January 23, 2020, the United States District Court for the District of Columbia declared sections of the 2013 Omnibus Rule unlawful. The Court found that the Department of Health and Human Services (HHS) impermissibly expanded provisions of the HITECH Act by removing authorization requirements for the transmission of protected health information (PHI) from sources other than an electronic health record (EHR). Additionally, the Court declared that HHS's 2016 Guidance was unlawful insofar as it commands that the Patient Rate limitations apply to all third-party directives.
In Ciox Health, LLC v. Alex Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020), a medical records company that contracts with health care suppliers to maintain, retrieve, and produce individuals' medical records challenged legal restrictions and conditions placed on the production of PHI. Ciox Health argued that HHS lacked authority to expand the HITECH Act's third-party directive in the 2013 Omnibus Rule and that the 2016 expansion of the Patient Rate violated the procedural and substantive protections of the Administrative Procedure Act.
The Court examined the requirements of the 2013 Omnibus Rule as they pertain to third-party directive requests. Prior to enactment of the HITECH Act, a covered entity could not release PHI stored in any format to a third party without a valid authorization that included: a description of the information sought; the purposes for disclosure; the authorization's expiration date/event; and statements adequate to place the individual on notice of his or her rights. In 2009, Congress passed the HITECH Act, which changed the law to permit patients to direct a facility to transmit PHI from an EHR to a third party without the burden of completing an authorization. The 2013 Omnibus Rule expanded this relief from the authorization requirement to include PHI contained in any format, not just PHI in EHRs. The Court held that in making this expansion, HHS impermissibly exceeded its general rulemaking authority to expand a congressionally imposed restriction. Thus, based on the Court's ruling, an authorization will once again be required before a patient may direct a facility to release PHI that is not found in an EHR to a third party.
Additionally, the Court examined the application of the Patient Rate to third-party directives. To ensure that patient access to PHI is not prevented by excessive fees, HHS adopted rules that limit what companies may charge for delivering PHI. These restrictions are known as the "Patient Rate." Prior to the HHS guidance on patient access rights that was promulgated in 2016 (the 2016 Guidance), it was understood that limitations imposed by the Patient Rate applied only to requests for PHI made by the patient for use by the patient. Requests by insurance agencies and attorneys were not restricted by the Patient Rate. However, in its 2016 Guidance, HHS expanded the Patient Rate to an individual's request to deliver PHI to third parties.
Under the 2016 Guidance, the Patient Rate applied regardless of whether the access request was submitted by an individual directly or forwarded by a third party on behalf and at the direction of an individual. The Court held that HHS exceeded its authority in extending the Patient Rate to third-party directives. However, the Court declined to enter judgment on the merits of the substantive challenge. Instead, the Court held that HHS failed to put this legislative rule through notice and comment, leaving open the opportunity for HHS to do just that in the future.
In light of the Court's decision, HIPAA covered entities and vendors who fulfill records requests on their behalf should review and update their policies and procedures on fee limitations and patient access.