Tip: Check your state rules on data sharing. If you feel like the feds are sending mixed messages on the intersection between HIPAA and data blocking, you’re not alone. The latest change from the HHS Office for Civil Rights (OCR) backpedals a part of the HIPAA Omnibus Rule of 2013 as well as 2016 Guidance — and brings more questions to the conversation on patients’ rights to their medical records than answers. Context: On Jan. 23, Amit Mehta, Washington D.C. federal district court judge, issued a 55-page ruling related to a 2018 case Ciox Health LLC brought against the Department of Health & Human Services (HHS) that deals with the transmittal of patients’ protected health information (PHI) as well as the cost of transferring the data. Ciox Health, a Georgia-based medical records provider that works with clinicians to disperse PHI, filed against HHS because it felt particular sections of the 2013 Omnibus Rule concerning charges for records delivery were unfair and were also costing the company millions. The organization also had a beef about OCR’s 2016 Guidance that limited patient fees for medical records requests to around a $6.50 flat rate — commonly referred to as the “Patient Rate” — and whether it should be applied to third parties delivering excessive amounts of PHI. “This change, according to Ciox, caused Ciox and other medical records companies to lose millions of dollars in revenue,” explain the court documents. And for this reason, “Ciox challenges the 2016 expansion of the Patient Rate as violative of the procedural and substantive protections of the Administrative Procedure Act (APA),” the court continues. Labor costs: In addition to these two points, Ciox addressed other OCR guidance concerns related to labor and formatting. “The 2016 Guidance also described the types of labor costs that are recoverable, and identified methods for calculating the Patient Rate,” notes Boston-based partner attorney Melissa (Lisa) Thompson with Robinson & Cole LLP in its Health Law Diagnosis Blog. “The case additionally challenged a regulation in the 2013 Omnibus Rule that required PHI sent to third parties to be provided in the form and format requested by the patient, if readily producible in that form and format,” Thompson adds. Court Sides With Third Party Records’ Providers Unfortunately, many of the OCR’s changes negatively impacted companies like Ciox, who were losing millions as the middleman. Plus, the company argued that the laws weren’t implemented correctly, and it was suffering because of this. Judge Mehta agreed with Ciox on two points and HHS on one. Here’s a breakdown of the ruling: 1. 2013 Omnibus Rule: The court maintained that the feds’ 2013 rule on PHI delivery to third parties no matter the format was “arbitrary and capricious” and outside the bounds of Congress. 2. Patient Rate: The 2016 Patient Rate update wasn’t properly vetted with notices and comments, and therefore, violated the APA. 3. Labor costs: Labor cost recoveries under the Patient Rate are open to interpretation; thus, “HHS was not required to subject to notice and comment,” according to the court. Federal input: OCR responded to the ruling with a notice on Jan. 28, mentioning Ciox’s challenge to “provisions within 45 C.F.R. §164.524, that cover an individual’s access to protected health information [PHI].” Providers should be aware of the court’s decision to vacate the “third-party directive,” and going forward fee limits “will apply only to an individual’s request for access to their own records,” and will not impact “an individual’s request to transmit records to a third party,” the OCR stresses. How Will This Impact the Healthcare Industry? The court’s ruling creates a little bit of a pickle in the healthcare industry. One reason pertains to two recent settlements OCR made under its “Right of Access Initiative.” In September 2019, Bayfront Health-St. Petersburg agreed to pay OCR $85,000 to remedy a violation of a patient’s right to access records. Bayfront failed to get a pregnant mother medical records pertaining to her unborn child in a timely manner. The organization also entered into a year-long corrective action plan (CAP), too (see Health Information Compliance Alert, Vol. 19, No. 9). Then the OCR struck again in December 2019, with another $85,000 settlement with Korunda Medical, LLC to clear up potential violations. The Florida-based firm didn’t pass on a patient’s medical information in a timely manner, nor did they forward the records electronically to a third party. The organization also charged more for the records than permitted under HIPAA. See the Korunda details at www.hhs.gov/about/news/2019/12/12/ocr-settles-second-case-in-hipaa-right-of-access-initiative.html. Plus: These OCR Right of Access Initiative targets align with other federal measures and proposals designed to eradicate patient blocking, promote interoperability, and meet 21st Century Cures Act requirements (see Health Information Compliance Alert, Vol. 19, No. 2). “I think the progress that’s been made by the two recent enforcement actions in making providers aware of their responsibilities to individuals will be undercut by this decision, even though it does not pertain to those enforcement cases,” warns HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Confusion among providers and lack of compliance will probably increase.” Sheldon-Dean also advises covered entities (CEs) to review their state laws as many of those are more stringent than HIPAA. “Most state laws do limit fees for copies of medical records, and there is nothing in this recent decision that would change that,” he reminds. “Make sure you know what your state laws are as well as HIPAA rules [because] whichever gives the individual greater rights, and a better deal as a consumer, prevails.” Bottom line: This ruling puts the kibosh on OCR’s use of HIPAA to reduce data blocking, “except in individual access cases like those enforced recently,” suggests Sheldon-Dean. In the long run, the ruling may push the feds to move more quickly on their pro-patient IT policies. “This situation could result in greater calls for the data blocking rules to be implemented, to counter the effect of the ruling,” Sheldon-Dean cautions. Stay tuned as Health Information Compliance Alert continues to monitor right of access issues and regulatory reform. Review the notice with a link to Judge Mehta’s ruling at www.hhs.gov/hipaa/court-order-right-of-access/index.html.