The answer to this question has changed yet again. I’ve blogged on this topic several times in the past (see here, here and here), and described the question as a wriggling worm. Plaintiff Ciox Health, LLC has finally managed to catch that worm and share its bounty among those looking to charge third-party requestors more than the limited “reasonable, cost-based fee” that may be charged to individuals.

On January 23, 2020, a federal court found in favor of plaintiff Ciox, a specialized medical records processing vendor, on its challenge to 2016 Guidance issued by the U.S. Department of Health and Human Services. The 2016 Guidance provided, among other things, that when either an individual request copies of his or her medical records or a third party requests copies on behalf of the individual, the amount that can be charged is limited to a “reasonable, cost-based” fee. According to Ciox’s President of Life Sciences (and as noted in the court’s decision), the effect of the 2016 Guidance was to cause law firms and other third parties to use the individual access request, with its “reasonable, cost-based fee” limitation, as the means to request patient records, rather than having individuals sign HIPAA authorizations which implicate only state law fee caps (if any). The frequency of records requests made by third parties on behalf of individuals (“third-party directives”) increased by nearly 700 percent following the issuance of the 2016 Guidance.

HHS published an “Important Notice Regarding Individuals’ Right of Access to Health Records” on January 28, 2020, noting the Ciox decision and the fact that the “reasonable, cost-based fee” limitation no longer applies to third party directives. In addition, the records are not required to be produced in electronic format in response to a third-party directive.

What does this mean for covered entities and business associates trying to figure out how to respond to a HIPAA authorization, an individual access request, or a third-party directive?

Consider who is making the records request and where the records are to be sent. If the individual who is the subject of the records wants copies transmitted electronically to the individual, treat the request as an access request. If a third party seeks the records, it is likely sufficient to provide the third party with HIPAA authorization form and treat the request as a third-party directive. However, if the individual initiates the request and wants the records sent to a third party, it may be prudent to treat the request as an access request, limiting fees and endeavoring to comply with requests to transmit records in electronic format.  Don’t dangle the Ciox worm in front of individuals seeking their own medical records.