District Court Limits HIPAA Right of Access

The District Court for the District of Columbia recently invalidated certain Department of Health and Human Services (“HHS”) rules regarding an individual’s access to their protected health information (“PHI”). The Court held that: (1) individuals can only direct their electronic PHI to third parties (and not hard copy PHI); and (2) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Omnibus Rule provisions regarding the caps on fees that HIPAA-covered entities may charge for such requests did not follow relevant administrative law procedures.

Under the HIPAA Privacy Rule, individuals may request that covered entities provide them access to their PHI, but they may also direct the covered entities to provide such PHI directly to a third party, such as an electronic medical record service. The Health Information Technology for Economic and Clinical Health Act of 2009 provided a statutory cap of $6.50 that covered entities could charge for such an access request, but that rate was interpreted to only apply to requests for access to PHI by individuals. Covered entities and their service providers typically charged higher rates, such as $20-$30, for access requests made by companies on behalf of the patient. In 2016, HHS guidance stated that the $6.50 rate applied to all requests for access to PHI, whether they came from the patient or third parties.

In its ruling, the court held that HHS’s actions were “arbitrary and capricious” and “did not follow the requisite notice and comment procedure.”

The case may mark a blow to HHS’s Right of Access initiative. As we’ve noted, the U.S. Department of Health and Human Services’ Office for Civil Rights has engaged in two separate actions that address patients’ rights to access their PHI.
