Court vacates ‘third-party directive’ within individual right of access
The United States District Court for the District of Columbia has voided certain HIPAA health record access requirements, according to the Department of Health and Human Services’ Office for Civil Rights.
In Ciox Health vs. Alex Azar, the federal court last week vacated specific provisions in a 2013 rule modifying the HIPAA privacy, security and enforcement rules under the Health Information Technology for Economic and Clinical Health Act and Genetic Information Nondiscrimination Act.
“A portion of that rule was challenged in federal court, specifically provisions within 45 C.F.R. §164.524, that cover an individual’s access to protected health information,” according to an OCR announcement.
HHS adopted the 2013 rule to limit what companies may charge for delivering protected health information (PHI)—restrictions known as the Patient Rate. And, in 2016, the agency issued further guidance which mandated that the Patient Rate applies even to requests to deliver PHI to third parties.
However, U.S. District Court Judge Amit Mehta, in his January 23 decision, declared unlawful and vacated the 2013 Omnibus Rule “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of “an [EHR] with respect to [PHI] of an individual ... in an electronic format.”
In addition, Mehta declared unlawful and vacated the 2016 guidance “insofar as it, without going through notice and comment, extends the Patient Rate to reach third-party directives.”
The plaintiff in the court case was Ciox Health, a Georgia-based company that manages health data requests, including maintaining, retrieving and producing individuals’ PHI. In particular, Ciox challenged the 2016 expansion of the Patient Rate as “violative of the procedural and substantive protections of the Administrative Procedure Act,” according to the court.
“Before the 2016 guidance, the industry understood that the Patient Rate applied only to personal use requests for PHI and not to third-party directives under the HITECH Act, and it structured its contracts and pricing models accordingly,” observed the court. “The 2016 guidance, however, upended that understanding, as it declared that the Patient Rate applied to all requests for PHI initiated by an individual, even if such information was requested for use by a third party, like an insurance company or a law firm.”
While the court declared unlawful and vacated the 2016 Patient Rate expansion and the 2013 mandate broadening PHI delivery to third parties regardless of format, OCR issued a statement reaffirming that “the right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect."