Court Vacates Portions of HIPAA Regulations & Guidance Related to Individual Right of Access



March 6, 2020

On January 23, 2020, in Ciox Health, LLC v. Azar, et al., a federal district court vacated portions of the HIPAA Omnibus Final Rule of 2013 (the “2013 Omnibus Rule”) related to an individual’s right of access to their health records. Specifically, the court order vacated the “third-party directive” within the individual right of access provisions because it went beyond the scope of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) by expanding the type of protected health information (PHI) that must be provided to a third party without valid written authorization. The court also found that in guidance issued in 2016 (the “2016 Guidance”), HHS inappropriately implemented fee limitations on requests to transmit PHI to a third party.


Under the 2000 HIPAA Privacy Rule (“Privacy Rule”), individuals have the right to request their own medical records/PHI. This is often referred to as an individual’s right of access. The Privacy Rule generally permitted a covered entity to charge “a reasonable, cost-based fee,” known as the Patient Rate, to cover the cost of procuring the requested records. The Privacy Rule was clear: the Patient Rate applied only to requests made by individuals for their own records and not to requests made by other entities.

When HITECH was passed in 2010, it contained a provision that made it easier to deliver PHI in electronic format to third parties, instead of just to the individual making the request. Under this “third-party directive,” individuals could request that their electronic PHI be disclosed to a third party without executing a written authorization for the release. HITECH also placed a cap on the fee a covered entity could charge a patient for access to records, although it was not clear whether this cap extended to third-party directives.

The 2013 Omnibus Rule expanded HITECH’s third-party directive to apply to requests for PHI contained in any format, not just electronically. Therefore, if an individual requested that a covered entity transmit a copy of PHI directly to a third party, the covered entity would have to provide the PHI “in the form and format requested by the individual, if [the PHI] is readily producible in such form and format.”

In the 2016 Guidance, Individuals’ Right Under HIPAA to Access Their Health Information, HHS indicated that the Patient Rate applied when an individual directed a covered entity to send PHI to a third party. In other words, if an individual requested that their PHI be sent to a third party, the costs the entity could charge for complying with the request would be limited. The 2016 Guidance also significantly limited the scope of the Patient Rate to labor costs incurred after the PHI was retrieved and ready to be copied. The guidance set forth potential methodologies for calculating the fee for fulfilling a patient-initiated PHI request or imposing a maximum flat fee of $6.50.


Together, the 2013 Omnibus Rule and the 2016 Guidance effectively expanded the scope of the third-party directive under HITECH and increased costs related to such requests. As a result, HHS was sued by Ciox Health, LLC (“Ciox Health”), a company that manages health record requests. Ciox Health argued that the allowable labor costs and fee methodologies outlined in the 2016 Guidance were arbitrary and did not bear any relation to the actual cost of retrieving records in response to an individual’s request. Moreover, Ciox Health argued that increased scope for third-party directives in the 2013 Omnibus Rule, along with the fee limitations that applied to such requests in the 2016 Guidance, did not go through proper rulemaking channels and were therefore a violation of the Administrative Procedures Act, the result of which caused Ciox Health to lose millions of dollars in revenue.  

In response, the court vacated the portion of the 2013 Omnibus Rule that expanded third-party directives to records in any format as arbitrary and capricious “insofar as it goes beyond the statutory requirements set by Congress.” The court also vacated the 2016 Guidance “insofar as it…extends the Patient Rate to reach third-party directives,” reasoning that HHS had no authority to adopt the guidance without proper notice and comment under the Administrative Procedures Act. Therefore, moving forward, the third-party directive under HITECH applies only to records in electronic format, and the Patient Rate will apply only to an individual’s request for access to their own records—not to a request to transmit records to a third party. However, the court ruled that the 2016 Guidance regarding labor costs and fee methodologies was an interpretative rule that HHS was not required to subject to notice and comment.

The full text of the court’s opinion may be found here:


First and foremost, it is important for employers sponsoring group health plans to remember that nothing in this court ruling changes an individual’s fundamental right of access under HIPAA. Individuals still have the right to request copies of their PHI, and covered entities (and business associates, when directed by the terms of their Business Associate Agreement) must respond to individual access requests within the required time frame under HIPAA (generally 30 days). The Office of Civil Rights (OCR) takes an individual’s right of access very seriously—in fact, just last year, OCR announced its “Right of Access” initiative to ensure that individuals receive their PHI in a timely manner and without excess charge. When an individual requests PHI for themselves, responding entities remain bound by the Patient Rate. However, when an individual requests that records be sent to a third party in electronic format, entities may charge more than the Patient Rate. Moreover, if an individual requests that a covered entity send paper copies of PHI to a third party, or when a third party initiates a request for an individual’s PHI, the covered entity must obtain valid written authorization (unless some other exception under HIPAA applies). Second, keep in mind that most individual access requests will be handled by a carrier or a third-party administrator, so from a purely practical standpoint, employers as plan sponsors may not notice much of a difference at all with this ruling.

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.