New Ruling Requires Healthcare Organizations to Rethink Charges for Providing Records to Third Parties

Wes Morris, Managing Principal Consultant
Dawn Morgenstern, Senior Principal Consultant 

On January 23, 2020, the U.S. District Court for the District of Columbia ruled in Ciox Health v. Azar, et al. that certain elements of guidance for Individual Access requests related to patients’ designated record sets were unlawful. In doing so, the court vacated two elements that have an immediate impact on covered entities and the businesses that support them. Specifically, at issue is providing copies of records to third parties such as attorneys and life insurance companies. The elements vacated are: (1) a mandate from the Omnibus Rule of 2013 broadening protected health information (PHI) delivery to third parties, regardless of format; and (2) the 2016 Patient Rate Expansion that was included in Individual Right of Access guidance issued by Health and Human Services.

For the healthcare industry, the changes should immediately result in (1) reviewing the fee structure established based on the 2016 guidance to determine if changes should be made; and (2) reviewing policies and procedures for receiving and acting upon individual copy requests to adjust practices as needed.

To understand the impact of this ruling, it’s helpful to examine the original intent of the Access to PHI requirement contained in the HIPAA Privacy Rule and how the intent was expanded over time.

Third Party Directive

Prior to the Privacy Rule compliance date in April 2003, patients were occasionally refused access to their health records, under the premise that the record was the property of the care provider. The provision for access to PHI was written to ensure that individuals have a right to review and/or request copies of all PHI contained in providers’ designated record sets. The provider was allowed to charge a reasonable fee for providing the copies to the individual.

In 2013, the Omnibus Rule modified provisions of the Privacy Rule and the HITECH Act to broaden the third-party directive to allow an individual to direct their electronic copies to a third party in the electronic form and format requested by the individual, if it is readily producible.

The court ruling will directly impact covered entities’ and business associates’ policies and procedures for responding to requests by individuals to have their records sent directly to a third party. Those policies and procedures will need to differentiate between an individual’s right to request access to their own PHI and an authorized disclosure of their PHI to a third party.

Patient Rate Expansion

At the time of publication of the Privacy Rule, many providers were still primarily maintaining records on paper. Significant use of electronic records systems did not occur until the advent of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.

HITECH was written, in part, to move the healthcare industry toward electronic records, and ultimately to promote effective interchange of electronic health records between providers. As we moved into electronic records, an understanding developed that access “should” be easier to provide from electronic records, in an electronic format if requested, and limited the costs that could be charged to the individual. However, when implemented, there was wild variance in the fees charged, depending on state rules and provider understanding of the fees allowed. The failure to understand the right of access continued for some providers, and formed the basis of what was, for several years, the highest penalty seen for a violation of the Privacy Rule. [i]

In 2013, the Omnibus Rule modified provisions of the Privacy Rule and the HITECH Act to amend a portion of the Privacy Rule that specifies the costs that are recoverable for copies of records under the Patient Rate.

HHS issued extensive guidance in 2016 [ii] addressing a number of issues surrounding the Individual’s Right of Access, including fees that could be charged for copies of records provided under the Right of Access requirement.

The guidance instructed that there were 3 methods for determining fees: (1) by calculating actual allowable costs to fulfill each request; (2) by using a schedule of costs based on average allowable labor costs to fulfill standard requests; or (3) a flat fee not to exceed $6.50.

At the heart of the matter are these statements excerpted from the 2016 guidance. For brevity, only the reference to a flat fee is provided here, as it is most pertinent to Ciox Health’s argument.

  • Flat fee for electronic copies of PHI maintained electronically. A covered entity may charge individuals a flat fee for all requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage. Charging a flat fee not to exceed $6.50 is therefore an option for entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.
  • The fee limits apply when an individual directs a covered entity to send the PHI to the third party.  Under the HIPAA Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply, and postage costs that may apply in fulfilling the request.  See 45 CFR 164.524(c)(4).  This limitation applies regardless of whether the individual has requested that the copy of PHI be sent to herself or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).
  • The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations (emphasis added), prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity.

Court Ruling

According to the court documents, the problem the Omnibus Rule and subsequent guidance created was that third parties began to use this arrangement to side-step the higher fee allowances that occurred when an individual submitted an Authorization to Disclose PHI. Ciox Health claimed a nearly 700 percent increase in requests that were intended for third parties after this guidance was published.

HHS has updated its web page for the 2016 guidance; the update consists of this statement:

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at More information about the order is available at Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

The issues are complex, and guidance has changed significantly over time. The update does not provide a great deal of immediate clarity, leaving the reader to be responsible for sorting through both the 2016 guidance, and the elements that were vacated by the order. Perhaps, in time, HHS will update the 2016 guidance to reflect the effect of the order, rather than requiring readers to investigate the order to understand the changes. Regardless, covered entities and their affected business associates should review their own policies and fee structures based on this order now, rather than awaiting updated guidance.

[i] Cignet Health Fined a $4.3M Civil Money Penalty for HIPAA Privacy Rule Violations
[ii] Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524

