Federal Court Invalidates Key Aspects of Individual’s HIPAA Right to Direct PHI to Third Parties

In a challenge brought by a medical records provider, a federal court has invalidated significant aspects of HHS guidance interpreting the HIPAA individual access right. As background, since its adoption in 2000, the HIPAA privacy rule generally has given individuals the right to access their own protected health information (PHI) and limited fees that can be charged to individuals exercising that right. The HITECH Act expanded the right—entitling individuals to obtain an electronic copy of PHI maintained in an electronic health record (EHR) and to direct a covered entity to transmit the electronic EHR to a third party designated by the individual. (EHR refers to a specific type of clinical health records and is a subset of records maintained in electronic form.) The HITECH Act requirements were broadened beyond EHRs by the 2013 omnibus rule—allowing individuals to designate third-party recipients for most PHI, and requiring covered entities to provide most electronic PHI to individuals or the designated third party in the electronic format requested by the individual, if readily producible in that format (see our Checkpoint article). Then, in 2016 guidance, OCR determined that HIPAA’s fee limitations apply when individuals direct covered entities to disclose PHI to third parties, and strictly limited recoverable costs (see our Checkpoint article). The records provider, a HIPAA business associate, contended that these and other interpretations of the individual access right exceeded the agency’s authority, violating the federal law governing administrative actions by federal agencies.

The court ruled that neither the text nor the structure of the HITECH Act supported the omnibus rule’s requirement that covered entities deliver an individual’s PHI to third parties regardless of whether the PHI is contained in an EHR. The court rejected HHS’s attempt to use its discretionary rulemaking authority under HIPAA to expand the scope of the individual access right, noting uncertainty regarding the continued validity of that authority (enacted in 1996) and the circumscribed language used by Congress in the HITECH Act. As a result, the court invalidated the omnibus rule to the extent it requires covered entities to comply with individuals’ instructions to disclose their PHI to third parties beyond requests for EHRs in an electronic format. The court also concluded that HHS violated federal administrative law when it extended the fee limitations to individual-directed disclosures to third parties through its 2016 guidance rather than through formal rulemaking. Therefore, the court invalidated this aspect of the 2016 guidance—but left open the possibility that HHS could adopt a similar requirement through the formal rulemaking process. The court upheld provisions of the 2016 guidance setting forth three permissible ways for covered entities to calculate recoverable costs and limiting recoverable costs, including the prohibition on recouping expenses incurred to identify, locate, and retrieve PHI.

EBIA Comment: Before the 2016 guidance, the typical third-party request for an individual’s PHI was made pursuant to the individual’s authorization and was not subject to HIPAA’s fee limitations. By combining the omnibus rule with the 2016 guidance, HHS intentionally created a way for individuals to invoke HIPAA’s fee limitations when directing covered entities to transmit their PHI directly to third parties. While this approach benefited individuals, it shifted costs to covered entities (and their business associates) and generated litigation (for example, see our Checkpoint article) and enforcement actions (see our Checkpoint article). Although this decision affects individual-directed disclosures to third parties, it does not change the rules governing individuals’ access to their own PHI, including the associated fee restrictions. Covered entities and business associates seeking to recover the costs of providing copies of PHI should discuss the HIPAA requirements—and the implications of this decision—with legal counsel. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).

Contributing Editors: EBIA Staff.