Rios v. Partners in Primary Care, P.A., 2019 WL 668509 (W.D. Tex. 2019)
A federal trial court has allowed patients to pursue claims against health care providers (and their recordkeepers) who allegedly charged impermissible fees for access to the patients’ own medical records. As background, the HIPAA privacy rule requires covered entities (including health plans and most health care providers) to provide individuals, upon request, access to protected health information (PHI) about them in designated record sets maintained by or for the covered entity. This includes the right to inspect and obtain a copy of the PHI, and to direct the covered entity to transmit a copy to a person or entity designated by the individual. HHS has issued guidance explaining the access right (see our Checkpoint article), as well as fee limitations and the right to send PHI to third parties (see our Checkpoint article).
In this case, the patients’ attorneys sent requests for the patients’ records to the providers, enclosing copies of HIPAA-compliant authorizations and letters signed by the patients directing the providers to send their records to the attorneys. The providers (or their recordkeepers) attempted to charge amounts exceeding the permissible fees for individual access requests under HIPAA, which the patients refused to pay. The patients then sued under state consumer-protection laws—no private right of action exists under HIPAA. The providers asked the court to dismiss the claims.
The court rejected the providers’ request and allowed the state-law claims to proceed. Citing HHS’s access guidance, the court noted that requests by individuals to have a copy of their PHI sent to a third party are subject to the same fee limitations that apply to requests by individuals to have their PHI sent to themselves. Moreover, these limitations apply regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party (in this case, the attorneys) at the direction of the individual. The court distinguished the situation in a recent case (see our Checkpoint article) where the attorney requested PHI without submitting a written request signed by the client, stating that the fee limitations would not apply under those circumstances. The court also rejected the contention that the patients’ state-law claims were precluded by the lack of a private right of action under HIPAA, observing that the relevant state laws required the court to examine the lawfulness of the fees charged by the providers, which in turn required analysis of HIPAA.
EBIA Comment: This case is at an early stage, and the patients still must prove their claims under the applicable state laws and demonstrate that the fees in fact violated HIPAA’s limitations. Still, the case provides an important reminder of the downside of charging individuals for access to their own PHI. Covered entities wishing to impose access fees should review the HHS guidance carefully. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.