Bocage v. Acton Corp., 2018 WL 905351 (N.D. Ala. 2018)
A federal trial court has ruled that the HIPAA privacy rule’s limitations on the fees that may be charged for medical records requested by individuals or their personal representatives do not apply to requests by individuals’ attorneys pursuant to an authorization. The individuals in the case claimed they were improperly charged search and retrieval fees after their attorneys requested copies of medical records on their behalf. (Although HIPAA allows covered entities to recover reasonable, cost-based fees from individuals requesting copies of their own protected health information (PHI) or personal representatives requesting PHI on behalf of another person, it does not permit recovery of costs associated with reviewing the request for access; searching for and retrieving the PHI; locating and reviewing PHI in medical or other records; or segregating, compiling, or otherwise preparing responsive PHI.)
The court focused on whether a medical records request by an individual’s attorney is subject to the restrictions, noting that the HIPAA omnibus rule (see our Checkpoint article) empowers individuals to direct a covered entity to transmit copies of their PHI to designated third parties and, when they do so, the requests are subject to the restrictions on recoverable charges. However, the court observed that the overarching requirement for applicability of the restrictions is that individuals must request their own PHI, or their personal representatives must request it on their behalf. Referring to OCR’s guidance on recoverable costs (see our Checkpoint article), which concluded that the fee limits do not apply when a third party requests PHI on its own behalf pursuant to an individual’s authorization, the court held that the fee limitations do not apply to an attorney who requests an individual’s PHI while acting as the individual’s legal representative (rather than as their personal representative).
EBIA Comment: This case raises nuanced but important issues under HIPAA’s privacy rule. First, while a personal representative “stands in the shoes” of an individual with respect to the individual’s rights under the privacy rule, HIPAA defines a personal representative as someone authorized by applicable state law to make health care decisions for the individual. The attorney/client relationship does not typically include this power. Second, when individuals instruct a covered entity to disclose their PHI to a designated third party, they are entitled to certain rights and protections under the privacy rule. In contrast, those rights and protections do not extend to a third-party requestor relying on an authorization. The OCR guidance cited by the court describes these differences in detail and includes a helpful table comparing disclosures under a HIPAA authorization with those under the individual access right. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVII.B (“Right to Access PHI in Designated Record Set”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded 1/17/18).
Contributing Editors: EBIA Staff.