Health plans and their health plan records providers and other business associates should review and update their existing policies and practices concerning providing and charging individuals for access to protected health information in response to modifications in the Department of Health & Human Service (“HHS”) Office of Civil Rights (“OCR”) rules implementing the Health Insurance Portability & Accountability Act (“HIPAA”) requirements regarding patient’s rights to access their protected health information (“PHI”) from health plans, health care providers, health care clearinghouses (“”Covered Entities”) and their business associates (“HIPAA entities”) to comply with a January 23, 2020 court order (the “Coix Order”) in Coix Health, LLC v. Azar, et al, No 18 –CV-0040 (D>D.C. January 23, 2020).  Utilizing the flexibility resulting from the Coix Order could help reduce health plan costs of compliance with the HIPAA right of access rule by allowing the health plan and its records providers more freedom to determine the charges and format for delivering PHI in response to records requests received from other insurers, lawyers and other third parties.

Coix Order  Invalidates Pieces of OCR HIPAA Rules On PHI Record  Rules

The new flexibility is the result of the Coix Order entered by a Federal District Court in response to a lawsuit brought by Coix Health, LLC (“”Coix”).  Coix brought the lawsuit challenging the “Patient Rate” restrictions on the amounts that HIPAA entities can charge for providing records containing PHI the “third party directive” requirements in the rules implementing HIPAA’s right of access requirements under 45 C.F.R. §164.524 as adopted by OCR as part of its final rule entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  (The “2013 Omnibus Rule”) on January 25, 2013.   In particular, the 2013 Omnibus Rule includes a “Patient Rate” rule that limits the charges that Covered Entities can make for delivering PHI requested by patients and third parties to prevent patient access to PHI from being thwarted by excessive fees.  As part of the Patient Rate rule, OCR restricted what Covered Entities and their records providers can charge to provide copies of protected health information.  The Patient Rate rule restricts charges that can be imposed to provide protected health information, restricts the methods for calculating these charges and limits the type and amount of labor costs that can be included when calculating the Patient Rate. The Patient Rate rule in the 201 Omnibus Rule also requires that Covered Entities and their records companies provide the requested PHI directly to the patient or to a third party designed by the patient and in the format requested by the patient regardless of the format in which the Covered Entity or its medical provider maintains the PHI within its record.

When originally implemented, the medical records industry generally understood that the Patient Rate limitations applied only to requests for PHI made by the patient for use by the patient.  Before 2016, however, Covered Entities and their medical records providers generally understood that this Patient Rate rule did not apply to or limit fees that Covered Entities or their medical records providers could charge commercial entities or other third parties like insurance companies and law firms to fill requests for PHI.  That understanding changed, in 2016, however, when HHS issued guidance that stated that the Patient Rate applies even to requests to deliver PHI to third parties.

A specialized medical-records provider that contracts with healthcare suppliers nationwide to maintain, retrieve, and produce individuals’ PHI, Cox handles tens of millions of requests for records containing PHI annually including demands by healthcare providers for treatment purposes, patients asking for their own PHI, and third parties, such as life insurance companies and law firms, seeking a patient’s PHI for commercial or legal reasons.  According to Cox, OCR’s interpretation of the Patient Rate rule as applicable to third party requests as well as direct patient requests cost it and other medical records companies millions of dollars in revenue. Accordingly, Coix filed the Coix Health, LLC v. Azar, et al lawsuit challenging OCR’s 2016 application of the Patient Rate to third party requests as violating the procedural and substantive protections of the Administrative Procedure Act (“APA”). In addition to this challenge to the scope of the Patient Rate, Coix also contested OCR pronouncements in the 2016 guidance document on (1) the types of labor costs that are recoverable under the Patient Rate; and (2) the three alternative methods identified for calculating the Patient Rate as violating the APA’s procedural and substantive provisions. Finally, Coix also challenged the requirement in the Patient Rate rule that records companies to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient. According to Coix, Congress required only that certain types of electronic health records be delivered to third parties, not all records regardless of their format, as HHS’s regulations now command.

In its January 23, 2020 ruling on HHS’s motion to dismiss and the parties’ cross-motions for summary judgment, the D.C. District Court agreed with OCR that OCR’s rule requiring the use of one of three methods for calculating the Patient Rate was unreviewable as a final agency action and dismissed Coix’ challenge to that requirement. Concerning Coax’s other challenges, the Court sided with Coix.  It ruled that:

• OCR’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress;
• OCR’s broadening of the Patient 3 Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA; and
• OCR’s 2016 explanation concerning what labor costs can be recovered under the Patient Rate is an interpretative rule that OCR was not required to subject to notice and comment.

Accordingly, District Court in the Coix Order declares unlawful and vacates (1) the 2016 Patient Rate expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format within the individual right of access” set forth in the provisions of 45 C.F.R. §164.524 of the 2013 Omnibus Rule insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to protected health information of an individual in an electronic format.” Additionally, the federal court ordered that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) only apply to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.

As a result of the Coix Order, Covered Entities and their medical records providers still must calculate the Patient Rate in accordance with one of the three allowed methodologies when providing a patient with records containing PHI in response to a patient request.  However, Covered Entities and their medical records provider now may exercise greater flexibility when determining the format and charges when responding to requests from third parties other than the patient for records containing PHI.  Before doing so, however, most Covered Entities and business associates will want to update their HIPAA policies and procedures to reflect the new practices consistent with the new HIPAA and other relevant requirements.  Updating the policies first is important because the 2013 Omnibus Rule states Covered Entities violate HIPAA by failing to follow their own HIPAA privacy and security policies when those practices are more restrictive than those mandated by OCR’s 2013 Omnibus Rule.  Consequently however, Covered Entities and their medical records companies desiring to exercise this newly available flexibility should revise their existing policies and procedures to authorize their exercise of this new flexibility consistent with the Coix Order and associated OCR guidance.

OCR Plans To Comply With Coix Order In Applying Patient Record Rule

In an “Important Notice Regarding Individuals’ Right of Access to Health Records” released January 28, 2020, OCR announced that that it will comply with the Coix Order vacating the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual  . . . in an electronic format.” Additionally, OCR stated that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and not apply to an individual’s request to transmit records to a third party.   However, OCR also added that the right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect.  OCR will continue to enforce the right of access provisions in 45 C.F.R. § 164.524 that are not restricted by the court order.

More Information

We hope this update is helpful. For more information about the Coix Order or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

• 2/28 New Comment Deadline For NLRB Proposal To Exclude College Work Study Student Workers From NLRA Coverage
• Don’t Get Stuck Paying Another Employer’s Overtime Or Other Backpay

• 2019 OCR Enforcement Shows Getting Defensibly HIPAA Compliant Necessary In 2020!
• DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk
• OSHA Seeks Small Business Volunteers For Tree Care Safety Panel
• NLRB Restores Pre-Obama Era Union Dues Checkoff Rule
• $1.6M HIPAA Penalty Largely Caused By Inadequate Security Assessments & Oversight

• 10 Former NFL Payers Charged With Defrauding NFL Retiree Health Fund
• NLRB Order Directs Settlement Of McDonald’s Unfair Labor Practice Complaints Including Joint Employer Liability Charges Against McDonald’s USA
• 2018 US National Health Expenditures Grew Again
• ONC Patient Matching for Prescription Drug Monitoring Program Slides Available
• SBA Hosts Employee Benefits Roundtable 11/21

• College Pays $54,000 To Settle DOJ ADA Lawsuit For Paramedic Program’s Termination of TA With MS
• Business Leaders Serve Jail Time For Employment Tax Crimes
• New $2.15M OCR Penalty Shows Health Plans Risks Of HIPAA Violations
• Proposed NLRB Employee Definition To Exclude College Study Workers
• DOL Proposing To Allow Default Website ERISA Retirement Plan Disclosures

• Salary Threshold Increases Require Employer Review Of Salaried Worker FLSA Exemption Qualification

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2020 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

This entry was posted on Tuesday, January 28th, 2020 at 11:58 PM and is filed under 21st Century Cures Act, Academic Medicine, Association Health Plan, Corporate Compliance, Data Breach, Data Security, health benefit, health Care, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, HIPAA, Protected Health Information. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.