In January 2020, the United States District Court for the District of Columbia handed down a ruling that completely changed the way healthcare providers could charge for medical records in certain instances, overruling longstanding guidance from the U.S. Department of Health & Human Services (HHS). Shortly afterward, the pandemic rocked the United States, and the impact of Ciox Health, LLC, v. Alex Azar garnered very little attention. In reality, Ciox makes a substantial difference for healthcare providers and third-party record fulfillment vendors. It also highlights the nuances of state law in making decisions regarding how much to charge for medical record requests.
Ciox Health LLC is a national medical records provider that maintains, retrieves, and produces individuals’ protected health information (PHI). In March 2017, HHS notified CHI Health St. Francis of a patient complaint alleging that Ciox had charged an excessive fee for forwarding her electronic medical records to a law firm. HHS warned St. Francis that, as a result of Ciox’s actions, St. Francis may have violated the Privacy Rule, but the agency took no further action. On November 16, 2018, HHS advised Ciox that it had received another complaint. HHS demanded Ciox produce records to aid in HHS’s investigation. HHS later rescinded its record request, but Ciox filed suit against HHS claiming that it did not have the authority to expand what is known as the patient rate and its scope under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Omnibus Rule, and guidance from HHS in 2016.
The patient rate was instituted in 2000 when the HIPAA Privacy Rule established an individual’s right to access PHI and the permissible fee that can be charged for such production. For requests brought by an individual seeking their own records, the Privacy Rule permits a covered entity to “charge a reasonable, cost-based fee” (the patient rate), which allows charging the following: (1) the cost of copying, including the costs of supplies and labor for copying the PHI; (2) postage, when the individual has requested the records or summary be mailed; and (3) any actual preparation, if any, of an explanation or summary of the PHI. Notably, the patient rate excludes other common costs generally associated with maintaining and producing PHI, such as costs of data storage, data infrastructure, and document retrieval.
However, when the cost of obtaining and transmitting PHI was to be borne by someone other than the patient, HHS did not limit the charge amount to the patient rate: “We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes” (emphasis added).
For years, the medical record industry and healthcare providers understood the limitations that the patient rate imposed on their businesses: it applied only to requests for PHI made by the patient for the patient’s own use. For other types of requests, such as those made by commercial entities like insurance agencies and law firms, the records industry understood that the allowable fee was not restricted by the patient rate. However, that changed in 2016, as described below.
In 2009, the HITECH Act introduced another layer to the question of what an entity could charge for providing medical records to a patient. For PHI requested by an individual in electronic form, the cost could be “[no] greater than the entity’s labor costs in responding to the request for the copy.” Additionally, the HITECH Act explicitly stated that no authorization was required for a patient to direct a copy of their records to a third party. This is called the third-party directive.
Then came the Omnibus Rule in 2013. This rule broadened the third-party directive created by the HITECH Act to reach requests for PHI contained in any format, and not just an electronic medical record system. It also amended that portion of the Privacy Rule that specifies the costs recoverable under the patient rate. HHS clarified, as part of the reasonable cost-based fee, the cost of labor for copying PHI, whether in electronic or paper format. Such costs “could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media, and distributing the media.” Ciox saw a modest increase in third-party directives. Ciox still continued to receive most third-party requests through third-party authorizations, and thus persisted in charging the patient rate for such requests.
As an attempt at further clarification, HHS issued a guidance document in 2016 titled “Individuals’ Right Under HIPAA to Access their Health Information.” HHS declared that the patient rate would apply to the following scenarios: (1) when an individual “directs a covered entity to send the PHI to a third party” and (2) “regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual.” HHS claimed that the patient rate does not apply when “the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization.” The patient rate does, however, apply where the third party forwards, on behalf of and at the direction of the individual, the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third party. This change, according to Ciox, caused Ciox and other medical record providers and healthcare providers to lose millions of dollars in revenue.
The 2016 guidance also provided direction with respect to determining the patient rate. First, it reached only those labor costs incurred after the responsive PHI “has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.” Expressly, it does not include the labor for “searching for, retrieving, and otherwise preparing the responsive information for copying.” Second, it set forth three alternatives for calculating the reasonable, cost-based fee: “(1) by calculating actual allowable costs to fulfill each request;…(2) by using a schedule of costs based on average allowable labor costs to fulfill standard requests”; or (3) alternatively, in the case of requests for an electronic copy of records, by charging a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage). The 2016 guidance notes that “charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The Privacy Rule also permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information).
The fee may include only the cost of: “(1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.…The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by state law.”
The Ciox ruling
In Ciox, the court struck down the 2013 Omnibus Rule expansion of the third-party directive for requests for PHI contained in any format, and not just in an electronic medical records system, and also struck down part of the 2016 HHS guidance by clarifying that the patient rate does not apply to third-party directives. The court upheld the 2016 HHS guidance on calculating the patient rate, such that fees are only restricted to the patient rate when a patient (or personal representative) requests their medical records to be sent to themselves. The impact of this ruling is that healthcare providers can set their own charges for requests made by: (1) a patient, when the patient directs the records to be sent to a third party, or (2) third parties (with valid authorization).
Many states have medical record fee statutes. So how do you know whether you should follow your state law or federal law? In general, the more stringent law—whichever law provides for the cheaper rate for the patient—prevails. However, one must look more closely at state law when considering records requests from a third party.
Another important regulation to mention is the Office of the National Coordinator for Health Information Technology’s final rule in 2020 that implemented certain provisions of the 21st Century Cures Act. In an effort to reduce the administrative burdens, like medical records copying fees, on the healthcare industry, Congress has called for standardized application programming interfaces that will help allow individuals to securely and easily access structured electronic health information using smartphone applications and other technology platforms. The goal is for patients to access their electronic medical record at no additional cost and for providers to choose the technology that allows them to provide the best care for patients, without excessive costs or technical barriers. It also prohibits information blocking—anything that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.
This final rule essentially reiterates the requirement for healthcare providers to comply with a patient’s request to access their PHI electronically unless the healthcare provider can affirmatively meet an exception. Notably, the exceptions include a healthcare provider’s fees for medical records, including fees that result in a reasonable profit margin, for accessing, exchanging, or using electronic health information. It is important to understand that while fees are explicitly excepted, a healthcare provider could be charged with information blocking if the provider’s fees do not comply with applicable law, including liability for funds received through government programs and penalties under the False Claims Act.
The Ciox case quietly changed the way healthcare providers can charge for medical record requests from third parties. For third-party vendors like Ciox, this case was a large victory after challenging multiple layers of rulemaking and legislative actions. Healthcare providers should revisit their medical record fees and processing of medical record requests in light of the Ciox case while considering any applicable state law.
Create or revisit existing policies regarding your healthcare entities’ response to medical record requests.
Consult both HIPAA and your state medical records laws when reviewing your policy.
Between HIPAA and your state medical records laws, typically the more stringent rule is applicable.
Map out your existing medical records requests to determine whether your practice can comply with the new information-blocking rules.
Closely review records requests from attorneys and others who submit patient authorization forms with the request to determine whether this is a third-party or patient-directed request.