arrow button to first section

Issue Alerts

Go To Homepage Print Friendly Page Email Page Download PDF

District Court Strikes Down Office for Civil Rights 2016 HIPAA Right to Access Guidance Application to Third Parties

February 4, 2020

By: Brooke Bennett Aziere and Amanda M. Wilwert

On January 23, 2020, the United States District Court for the District of Columbia (“D.C. District Court”) entered an order invalidating provisions of the Modification to the HIPAA Privacy, Security, and Enforcement Rules (“2013 Omnibus Rule”) and the United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) subsequent 2016 Guidance related to the assessment of fees for copies of paper and electronic protected health information (“PHI”). Five days later, on January 28, 2020, consistent with the D.C. District Court’s Order, HHS OCR released an important notice explaining the right to access fee limitation will apply only to an individual’s request for access to his/her own records. It will not apply to an individual’s request to transmit records to a third party.

Under the HIPAA Privacy Rule, healthcare providers must provide an individual the right to access his/her PHI (subject to limited exceptions). Healthcare providers are permitted to charge a “reasonable, cost-based fee” for providing copies. In 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) amended this right to access rule by creating the “third-party directive”—which permits an individual to direct copies of PHI (maintained in an electronic format only) to a third party. The 2013 Omnibus Rule expanded the third-party directive to include individual requests for copies of PHI stored in any format. Finally, in 2016, HHS OCR published guidance which states the “reasonable, cost-based fee” limitation applies to an individual’s request to direct PHI to a third party. Our previous issue alert on HHS OCR’s 2016 Guidance can be found at: https://www.foulston.com/uploads/New-HIPAA-Guidance-Removes-Roadblocks-to-Patient-Access-But-at-What-Cost-to-Providers.pdf.

Georgia-based Ciox Health, a medical record retrieval company, filed suit against HHS alleging portions of the 2013 Omnibus Rule and 2016 Guidance “unlawfully, unreasonably, arbitrarily, and capriciously” sought to restrict the fees that can be charged by healthcare providers and their business associates for providing copies of PHI and violated the Federal Administrative Procedures Act (“APA”).

The D.C. District Court found HHS’ expansion of the third-party directive in the 2013 Omnibus Rule requiring the delivery of PHI to third parties regardless of the records’ format arbitrary and capricious because it went beyond the statutory requirements set by Congress in the HITECH Act. The D.C. District Court held that the 2016 Guidance broadening the “reasonable, cost-based fee” limitation to third-party directives was effectively a legislative rule the Agency failed to subject to the notice and comment periods in violation of the Federal APA.

The D.C. District Court’s Order effectively now closes the loophole attorneys, insurance companies, and other third parties have been exploiting to obtain copies of PHI under the HIPAA fee limitations. There are two important takeaways for healthcare providers and their business associates:

  • The “reasonable, cost-based fee” limitation only applies to requests for access made by an individual (or his/her personal representative) and the PHI must be provided to the individual (or his/her personal representative). The fee limitation does not apply to an individual’s request for the healthcare provider or business associate to direct copies of PHI be sent to a third party. This means healthcare providers may charge their standard medical record fee charges in accordance with state law to third parties receiving copies of PHI (e.g., attorney, insurance companies), even if the request appears on its face to be sent by the individual.

  • Individuals may request PHI contained in an electronic format be directed to third parties, but the third-party directive does not apply to records maintained in other formats. This means healthcare providers are not obligated to scan paper records to an electronic format in order to send to a third party.

This news came amid OCR’s ramped up enforcement efforts of the right to access rule in the past year with two settlements and corrective action plans in 2019. Healthcare providers should revisit their right to access policies and procedures to ensure compliance with the HIPAA Privacy Rule and the D.C. District Court’s findings.

A copy of the D.C. District Court order can be found at: https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51

HHS OCR’s notice regarding the Right to Access and D.C. District Court order can be found at: https://www.hhs.gov/hipaa/court-order-right-of-access/index.html

For More Information

If you have questions or want more information regarding these changes, contact your legal counsel. If you do not have regular counsel for such matters, Foulston Siefkin LLP would welcome the opportunity to work with you to meet your specific business needs. Foulston's healthcare lawyers maintain a high level of expertise regarding federal and state regulations affecting the healthcare industry. The firm devotes significant resources to ensure our attorneys remain up-to-date on developments. At the same time, our healthcare practice group's relationship with Foulston's other practice groups, including the taxation, general business, labor and employment, and commercial litigation groups, enhances our ability to consider all of the legal ramifications of any situation or strategy. For more information about this update, contact Brooke Bennett Aziere at 316.291.9768 or baziere@foulston.com or Amanda M. Wilwert at 913.253.2181 or awilwert@foulston.com. For more information on the firm, please visit our website at www.foulston.com.

Established in 1919, Foulston Siefkin is the largest law firm in Kansas. With offices in Wichita, Kansas City, and Topeka, Foulston provides a full range of legal services to clients in the areas of administrative & regulatory; antitrust & trade regulation; appellate law; banking & financial services; business & corporate; construction; creditors’ rights & bankruptcy; e-commerce; education & public entity; elder law; emerging small business; employee benefits & ERISA; employment & labor; energy; environmental; ERISA litigation; estate planning & probate; family business enterprise; franchise & distribution; government investigations & white collar defense; governmental liability; government relations & public policy; healthcare; immigration; insurance regulatory; intellectual property; litigation & disputes; mediation/dispute resolution; mergers & acquisitions; Native American law; oil, gas & minerals; OSHA; privacy & data security; private equity & venture capital; product liability; professional malpractice; real estate; securities & corporate finance; senior housing & care; supply chain management; tax exempt organizations; taxation; trade secret & noncompete litigation; water rights; and wind & solar energy.

Health Law Resources

Sign up to receive these issue alerts straight to your inbox here.


This update has been prepared by Foulston Siefkin LLP for informational purposes only. It is not a legal opinion; it does not provide legal advice for any purpose; and it neither creates nor constitutes evidence of an attorney-client relationship.