A Federal District Court decision in Washington, D.C last week is gathering headlines about portions of HIPAA being thrown out by the decision. As sometimes happens, the decision splits the baby, with something for the plaintiff (a company that makes copies of medical records available to patients, insurance companies, attorneys, etc.) and the defendant (the Health and Human Services Department – HHS). HIPAA compliance, of course, means much more!
Ciox Health, LLC, vs. Alex Azar, et al (HHS)
This case stems from a lawsuit filed by Ciox Health against HHS after HHS issued Guidance in 2016 on changes to HIPAA resulting from the HITECH Act and the implementing regulations of 2013.
Ciox objected to parts of the Guidance covering the format in which Protected Health Information (PHI) must be produced, and how much covered entities could charge for producing such PHI.
In the Guidance, HHS specified that PHI must be provided to a patient requesting it in an electronic format – regardless of the existing format of the PHI. The HITECH Act and the subsequent HHS 2013 Omnibus Rule required covered entities to provide a copy of PHI to patients maintained in an EHR system in an electronic format. The Court agreed that this portion of the expansion of HIPAA regulations could not stand.
Charging for Copies of Medical Records
A second major issue – the one of great import to Coix Health – was the change in the Guidance concerning what and how covered entities can charge patients for producing copies of records.
The original HIPAA regulations allowed covered entities to charge patients for furnishing copies of PHI at rates that did not exceed the cost to copy records. With the advent of EHR systems, the rule was updated to allow for actual costs of providing records, average costs of providing records, or a flat fee of $6.50 – when furnished to an individual. This was called the Patient Rate. The Patient Rate did not include the labor costs of identifying, retrieving, collecting, compiling and/or collating the PHI. The Court held that the Guidance of 2016 was consistent with the 2013 Omnibus Rule on methods allowable for calculating the cost of furnishing PHI, and that portion of the HIPAA regulations, as interpreted in the Guidance, could stand.
Covered entities, and their business associate vendors who actually retrieved and made copies of medical records, could charge other amounts when the records were requested by a third party, e.g., an insurance company or law firm. The Guidance of 2016 provided that if a request by an individual was transmitted via a third party, the Patient Rate would apply to those requests, too. The Court found that HHS could not impose such a requirement without a formal notice and comment period of a change in regulations.
The Effect of this District Court Decision on HIPAA
How does this ruling affect covered entities and business associates? Some covered entities or business associates may be considering changing their practices with respect to charging for the costs of furnishing medical records after a request by a third party. They would be well-advised to check with Legal Counsel, first. There is no indication if either party will appeal the ruling, or if a stay of the ruling may be issued pending an appeal. So nothing may change in the short term, but covered entities should be on the lookout for further action that keeps the current situation intact.
A District Court decision on HIPAA can be an important inflection point. The consequences of this decision are very important to the companies that dig out and furnish medical records to individuals and third parties. It remains to be seen how they affect all covered entities and other business associates.