Industry Insight: ROI Vendors Face Confusion Over Fees
By Shannon B. Hartsfield
For The Record
Vol. 30 No. 5 P. 10
A case currently in litigation highlights ongoing confusion regarding fees that may be charged by release of information (ROI) vendors associated with providing access to protected health information (PHI).
In January, Ciox Health filed a complaint for declaratory and injunctive relief in the US District Court for the District of Columbia (case number 1:18-cv-00040-APM) against Eric Hargan, JD, who at the time was acting secretary of Health and Human Services (HHS).
In its complaint, Ciox requests declaratory and injunctive relief to keep HHS from enforcing its rules restricting what ROI vendors may charge for providing copies of records containing PHI, particularly when the records are going to for-profit law firms and other third parties rather than to individual patients.
Ciox states, in part, that "HHS's unlawful rules are forcing health care providers to bear costs Congress never contemplated and threaten to bankrupt the dedicated medical records providers who service the health care industry by effectively—and quite deliberately—mandating that they fulfill a rapidly growing percentage of requests for PHI at a net loss."
HIPAA and many state laws give patients the right to access certain PHI held by covered entities. The HITECH Act of 2009 gave individuals new rights regarding PHI access. Specifically, federal law provides that covered entities that use or maintain PHI electronically must be able to provide individuals with an electronic copy of that PHI. The fee the covered entity may charge to provide an electronic copy "shall not be greater than the entity's labor costs in responding to the request for the copy." Additionally, the HITECH Act gives individuals the right to direct the covered entity to transmit the copy of the electronic PHI to an entity or other person the individual designates, so long as that choice is "clear, conspicuous, and specific."
In 2013, HHS issued final omnibus rules implementing portions of the HITECH Act, including its provisions regarding records access. HHS indicated that no authorization form is needed if the individual is requesting records access and asking that the copy be provided to a third party. In addition, per Federal Register, volume 78, page 5634, HHS expanded the provision about directing copies to third parties so that it applies to both paper and electronic records.
The omnibus rules provide details regarding the labor costs that could be considered in setting a fee for providing access. HHS notes that labor costs could include the time of skilled technical staff who create and copy the file. If the individual requests that the electronic copy be provided on portable media, the entity could also charge for the relevant supplies such as a flash drive or CD. The covered entity may not, however, charge a fee to retrieve the PHI.
The omnibus rules also contain provisions dealing with the sale of PHI. If the patient is not requesting access but a third party is requesting PHI pursuant to a patient authorization, the covered entity or business associate can charge only "a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law."
HHS indicates that this fee may include both direct and indirect costs, including the cost of retrieving the PHI, but "fees charged to incur a profit from the disclosure of protected health information are not allowed."
Business Associates and HIPAA Liability
In the preamble to the omnibus rules, HHS provides a list of HIPAA provisions with which a business associate must comply where failure to do so could create direct regulatory liability for the business associate. Per Federal Register, volume 78, pages 5598–5599, these provisions include the following:
• using and disclosing PHI impermissibly;
• failing to notify the covered entity of a breach;
• failing to provide individuals (or their designees) or the covered entity with access to PHI as specified in the business associate agreement;
• failing to disclose PHI to HHS in connection with a compliance investigation;
• failing to properly account for disclosures; and
• failing to comply with the HIPAA Security Rule requirements.
HHS notes that business associates would also be contractually liable for other provisions of the business associate agreement. HHS states that for business associates "direct liability under the HIPAA Rules would attach regardless of whether the contractor and subcontractors have entered into the required business associate agreements."
Guidance Regarding Records Access
The Office for Civil Rights (OCR), which enforces HIPAA, has detailed guidance on its website regarding permissible charges for copies of PHI. OCR's guidance states that while individuals may be charged for copies of their PHI, the fee may include only the costs of postage, supplies, and certain labor costs. Costs associated with reviewing the request, retrieving and locating the PHI, and preparing the PHI for copying may not be included.
The only permissible labor costs are those for "creating and delivering the electronic or paper copy in the form and format requested by the individual." Fees charged to individuals to access their own PHI may not include administrative and other costs relating to outsourcing the function to a third party.
OCR provides detailed guidance regarding how to calculate permissible fees. The guidance creates a kind of safe harbor by indicating that the covered entity may choose to charge a flat fee that does not exceed $6.50 if the covered entity does not want to go through the process of calculating the average or actual allowable costs. OCR has made it clear, however, that $6.50 is not the maximum amount that may be charged.
The Ciox Case
Even though HHS previously indicated that business associates could be found to be directly liable for using and disclosing PHI impermissibly and failing to provide access as specified in the business associate agreement, recent HHS statements in connection with litigation have raised questions regarding the extent of business associate liability and HHS's enforcement authority regarding business associates.
Ciox's complaint alleges that the "vast majority" of US hospitals contract with ROI vendors, and, due to the complexity of providing PHI access and the costs involved, HHS's actions "threaten to disrupt the American health care system and increase health care costs for patients, with dire consequences for millions of Americans."
Alex Azar, JD, the secretary of HHS, filed a motion to dismiss on April 2. HHS argues that Ciox "is not a covered entity that is subject to the rule and guidance that it challenges." HHS notes that Ciox and the covered entities it serves may negotiate the payments that Ciox receives from the covered entity. HHS states that it is not imposing obligations on business associates when it restricts what covered entities may charge individuals.
HHS also states that the guidance on OCR's website regarding charges for records access is "not binding on any covered entity," but "HHS continues to hold this view about the reach of" the rule limiting charges for copies for individuals seeking PHI access. HHS states that "both the challenged provisions of the Privacy Rule and the guidance apply only to covered entities, a separate category of businesses."
In fact, HHS states that it "cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI" and "Ciox is not liable for failure to comply with the provision at issue."
The motion raises several interesting arguments that could lead to confusion about HHS's jurisdiction over business associates that engage in activities that would violate HIPAA if performed by the covered entity. HHS's statements in the motion to dismiss seem to conflict with the language in the preamble to the omnibus rule, which says a business associate can be directly liable for, among other things, using and disclosing PHI impermissibly.
It would seem that using PHI to charge an impermissible fee, or disclosing such PHI accompanied by an impermissible charge, would be a violation. Additionally, 45 C.F.R. §164.504(e)(2)(ii)(H) says that the business associate agreement must require the business associate to comply with the requirements of the privacy rules that apply to the covered entity, to the extent such functions have been delegated to the business associate.
Ciox filed its memorandum in opposition to the HHS motion to dismiss on May 2, along with a cross motion for summary judgment. Ciox described HHS's claims that it could not take enforcement action against business associates in this context as "astonishing." Ciox quoted from portions of the preamble to the 2013 omnibus regulations that stated clearly that HHS believed that the Privacy Rule's restrictions on a covered entity's use and disclosure of PHI extend automatically to business associates.
The outcome of the Ciox case remains to be seen. In the meantime, covered entities and business associates should review the detailed guidance provided by OCR regarding charges for PHI access. Even if business associates would not be subject to HHS enforcement action for imposing impermissible charges on individuals requesting access to PHI, it's clear that covered entities may still be subject to such enforcement actions. Therefore, covered entities should proceed with caution in structuring ROI arrangements and reviewing proposed fee structures.
— Shannon B. Hartsfield is a health care attorney whose practice focuses on corporate compliance, particularly in the regulatory and data privacy areas. She is board certified in health law by the Florida Bar Board of Legal Specialization and Education. She advises clients on state and federal matters, including internal investigations, HIPAA and data privacy, data breaches, informed consent, genetic testing, long-term care, fraud and abuse, licensure, the Emergency Medical Treatment and Labor Act, EMRs, and prescription drug distribution.