
Important Notice Regarding Individuals' Right of Access to Health Records

February 28, 2020
Compliance By Rodney Farley, Director

According to the press release, a recent federal court decision (Ciox Health, LLC v. Azar, et al., No. 18-cv-0040) vacated portions of the 2013 Omnibus Rule, specifically provisions within 45 CFR §164.524, that cover an individual’s access to protected health information.


The case centered on numerous legal restrictions and conditions placed on covered entities (CE) when producing protected health information (PHI). Of most significance is what a company can charge for searching for, retrieving, and delivering PHI. The United States Department of Health and Human Services (HHS) has adopted rules that limit what companies may charge for delivering PHI. These restrictions are known as the Patient Rate.

For years, the medical records industry understood that the limitations imposed by the Patient Rate applied only to requests for PHI made by the patient and for use by the patient. For other types of requests, such as those made by commercial entities like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the Patient Rate. That understanding changed, however, in 2016 when HHS issued a guidance document which stated that the Patient Rate applies even to requests to deliver PHI to third parties.

The 2016 expansion of the Patient Rate was challenged as a violation of the procedural and substantive protections of the Administrative Procedure Act (APA). In addition, two further pronouncements made by HHS in the 2016 guidance document were contested. The first addresses the types of labor costs that are recoverable under the Patient Rate. The second concerns three alternative methods identified for calculating the Patient Rate.

As a result, the court rejected the agency’s grounds for dismissal in all respects except one: the court found that the agency’s three methods for calculating the Patient Rate were not a reviewable final agency action. That claim was thus dismissed.

Regarding the cross-motions, the court held that: (1) HHS’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format was arbitrary and capricious as it goes beyond the statutory requirements set by Congress; (2) HHS’s broadening of the Patient Rate in 2016 was a legislative rule that the agency failed to subject to notice and comment in violation of the APA. Accordingly, the court declared unlawful and vacated (1) the 2016 Patient Rate expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format.

Key Takeaways:

  • The fee limitation set forth at 45 CFR § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.
  • Only certain types of electronic health records are to be delivered to third parties, not all records regardless of their format.
  • The right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect.  OCR will continue to enforce the right of access provisions in 45 CFR § 164.524 that are not restricted by the court order. 
