Changes to Individuals’ Right of Access to Health Records Announced

The Department of Health and Human Services’ Office for Civil Rights made an announcement regarding the reversal of the following legislative modifications made to the HIPAA Omnibus Final Rule of 2013:

  • Changes to the Genetic Information Nondiscrimination Act
  • Changes to the HIPAA Security, Privacy, and Enforcement Rules based on the Health Information Technology for Economic and Clinical Health Act
  • Other changes to the HIPAA Rules

The reversal applies to two things. The first is the part of the rule that broadened the third-party directive in the individual right of access (45 C.F.R. § 164.524) beyond a person’s request for a copy of his electronic health record in a digital format. The second is the guidance given in 2016 stating that the fee restrictions for sending a copy of a person’s PHI (45 C.F.R. § 164.524(c)(4)) likewise apply to a person’s request to send healthcare records to a third party for commercial or legal purposes. Those fee restrictions have been reversed and will now apply only to a person’s request to get access to their own information, not to a request for a copy of their PHI to be sent to a third party such as an insurance provider or lawyer.

The reversal followed the outcome of the legal case brought by the healthcare records provider Ciox Health, which challenged the legislative modifications. Ciox Health provides healthcare companies with services for maintaining, retrieving and generating the PHI of individuals. Ciox Health handles requests from healthcare companies to provide people’s PHI for treatment reasons, requests from patients exercising their rights under the HIPAA individual right of access, and requests for PHI to be sent to business and legal entities. Ciox Health manages tens of millions of PHI requests every year.

Ciox Health believes that the fee restrictions applied only to people’s requests to access their own PHI, and not to requests to send their PHI to legal and business entities. But, in 2016, the Department of Health and Human Services (HHS) issued a guidance document that clarified that the fee restrictions now include PHI requests from legal and business entities. According to the lawsuit, that change led to the loss of millions in revenue by Ciox Health and other healthcare records companies. The change was challenged as violating the Administrative Procedure Act’s procedural and substantive protections.

Ciox additionally questioned the types of labor costs that are recoverable under the fee restriction, the three techniques for computing fees for giving access to records, and the 2013 change requiring healthcare records firms to send PHI to third parties irrespective of the format of the PHI and the format stated by the patient. The HHS submitted a motion to dismiss, and a federal court ruled on the cross-motions for summary judgment.

The court granted the HHS motion to dismiss in part and denied it in part. The same is true for the cross-motions. In all cases, the HHS motions to dismiss were denied except with respect to the three ways of computing fees.

The court decided that the rule requiring PHI to be sent to third parties irrespective of the format of the records was ‘arbitrary and capricious’ because it went beyond the specifications of the HITECH Act. The court also decided in favor of the plaintiff on the 2016 expansion of fee restrictions, since this was a legislative modification and the HHS did not subject the change to notice and feedback, violating the ACA. The 2016 explanation of what labor costs could be recovered was found to be an interpretive rule and was consequently not subject to notice and feedback.

The court declared the changes unlawful and reversed the 2016 expansion of fee restrictions and the 2013 mandate expanding PHI delivery to third parties regardless of format. The Ciox Health, LLC v. Azar, et al. court order is found on this link.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations.