February 13, 2020

District Court Walks Back OCR Guidance On Provision Of Medical Records To Third Parties

On January 23, the U.S. District Court for the District of Columbia issued a ruling in Ciox Health, LLC v. Alex Azar, et al., invalidating portions of the Modifications to the HIPAA Privacy, Security and Enforcement Rules and the 2016 guidance issued by the HHS OCR addressing the assessment of fees for copies of electronic and paper health records provided to third parties. Under HIPAA’s Privacy Rule, providers generally must give a patient access to his or her own PHI and can charge a “reasonable, cost-based fee” for providing such copies. OCR guidance expanded this obligation, requiring providers to provide copies of patients’ medical records to third parties when requested by a patient while charging the same reasonable, cost-based fee. The court ruled that OCR overstepped its statutory authority by imposing the fee cap on records to be provided to third parties, even when requested by a patient; however, the court did not rule on what fee is permissible, leaving that issue for resolution through rulemaking comment and review.