As you may know, a patient has the right to access his/her medical records pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). Providers can charge for providing copies of those records but are limited in what fees can be charged when the request comes from a patient. Because these requests create additional administrative burdens on providers, many contract with third parties (a "business associate" under HIPAA) to handle the requests.
A recent case brought by one such business associate successfully challenged the United States Department of Health & Human Services ("HHS") rules and guidance related to production of medical records. The medical record provider successfully argued that these rules resulted in significant financial harm for which they were entitled to relief.
In a January 27 decision by the U.S. District Court for the District of Columbia, the court determined that HHS had overreached and acted arbitrarily and capriciously when promulgating rules and issuing guidance related to the right to access Protected Health Information ("PHI") by individuals. The outcome results in a change in what providers can charge for requests from third parties acting on behalf of patients.
In 2000, HHS promulgated the "Privacy Rule" as part of its rule-making authority related to HIPAA. The Privacy Rule allows individuals to request access to their own medical records and outlines a permissible fee that can be charged for copies of those records. For an individual seeking her own records, the fee has to be a "reasonable, cost-based fee," which the court defined as the "Patient Rate." This fee includes costs of copying and costs of preparation of a summary of the records, if requested. The Patient Rate prohibits charges for data storage and retrieval. The court noted that back in 2000 HHS made it clear that the Patient Rate only applied to requests by the patient.
Along comes the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in 2009, and eliminated the requirement that the patient provide a specific patient authorization, commonly known as a HIPAA authorization, for release of records to a third party. The court referred to these types of requests as "third-party directive" requests. However, HITECH only applied to an electronic health record "EHR." It also imposed a statutory cap on the fee that a covered entity could charge a patient for providing a copy of the EHR, a fee not to exceed the provider's "labor costs."
Then in 2013, another set of regulations was issued that further amended HIPAA and the HITECH Act. These regulations expanded HITECH's allowance for release of records without an authorization not only to EHR but to all requests for PHI (hard copy or electronic). In amending the Privacy Rule, the 2013 Omnibus rule stated that labor costs for copying PHI in paper or electronic format could include "skilled technical staff time spent to create and copy the electronic file" but prohibits costs associated with retrieval.
Three years after the Omnibus rule (2016), HHS issued guidance related to an individual's right to access his PHI. The guidance stated that the Patient Rate applied to a request by an individual to send the PHI to a third-party. The request could come directly from the third party, albeit at the request or direction of the individual. Prior to this pronouncement, the industry had only applied the Patient Rate to requests directly from the individual for his information to be sent to the individual. In cases where a law firm or insurance company requested the records on behalf of the individual, providers were not limited to the Patient Rate, and in Alabama, most providers charged the allowable costs provided under state statute (Ala. Code § 12-21-6.1).
The 2016 guidance also clarified that labor costs were only those incurred after the records were ready to be copied. Searching or retrieving was not an allowable cost for the Patient Rate. HHS gave three examples of how to calculate these labor costs - (1) actual allowable costs; (2) an average of actual costs and (3) for electronic copies, a flat fee not to exceed $6.50, inclusive of labor, supplies and storage.
The Court Case
Ciox challenged three aspects of HHS's implementation of the HIPAA Privacy Rule and HITECH Act. First, Ciox contended that expansion of HITECH to all third-party directives was arbitrary and capricious. Second, HHS's application of the Patient Rate to third party requests was improperly implemented, and lastly, HHS's 2016 direction on calculating labor costs was improper as well.
The federal court agreed that HHS exceeded its authority in expanding HITECH to all record requests regardless of format. Additionally, the court found that HHS failed to follow proper procedures implementing a rule that applied the Patient Rate to third-party directive requests. However, the court's opinion left open the possibility that HHS could apply the Patient Rate to third-party directives if it followed the proper procedures in publishing the guidance for notice and comment. On the last issue raised regarding labor costs, the court sided with HHS and found that the guidance on labor costs was a proper explanation allowed under HHS's authority. The court noted that the three examples were not an exhaustive list of how to determine "reasonable costs." This appears to leave open the possibility of establishing a reasonable charge by alternative means.
What the decisions means to providers
Bottom line, if your practice receives a request for medical records from a third party acting on behalf of a patient, you are not limited to charging the Patient Rate. It is permissible, based on the court's decision, to charge the statutory amount allowed by Alabama law - $1.00 per page for the first 25 pages, $0.50 for each page thereafter. However, you are not allowed to charge the search/retrieval fee of $5.00.
Angie Smith is a partner at Burr & Forman LLP practicing in the firm's healthcare practice group. For more information, please contact firstname.lastname@example.org or 205-458-5209.