OCR Modifies HIPAA Guidance for Sending PHI to Third Parties

In response to a recent federal court decision, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has modified its guidance regarding certain obligations imposed on covered entities when responding to individuals’ requests to send their protected health information (PHI) to third parties. In short, covered entities are no longer required to fulfill patients’ requests to send PHI that is maintained in non-electronic format to third parties, nor are they restricted from charging more than a “reasonable, cost-based fee” when sending PHI to third parties.

Generally speaking, under HIPAA, individuals have a right to obtain a copy of their PHI that is maintained by a covered entity (often referred to as the “Individuals’ Right of Access”). Under the HITECH Act, which was enacted as an effort to modify HIPAA and streamline processes for maintaining and producing PHI in electronic formats (ePHI), individuals also have a right to direct a covered entity to send a copy of their ePHI to a designated third party (often referred to as a “third-party directive”). The third-party directive must be in writing, signed by the individual making the request, and identifying the designated third party and where the ePHI should be sent.

In 2016, OCR issued guidance which attempted to clarify the HIPAA and HITECH rules, asserting that the right to a third-party directive is an extension of the Individuals’ Right of Access and, therefore, certain safeguards under HIPAA that apply to the Individuals’ Right of Access also apply to third-party directives (including third-party directives pertaining to non-electronic PHI). Specifically, OCR stated that covered entities (i) must respond to third-party directives within 30 days, (ii) must provide the requested PHI in the format and manner requested by the individual, provided that it is “readily producible” in such manner, and (iii) may charge the individual making the request only a reasonable, cost-based fee. These are the same requirements that are explicitly imposed under HIPAA when covered entities respond to requests under an Individual’s Right of Access.

In 2018, however, a federal court in Ciox Health, LLC v. Alez Azar, et al. found that OCR exceeded its administrative authority when it issued the 2016 guidance and that OCR was attempting to impose additional obligations on covered entities with respect to third-party directives that were not actually required by HIPAA or the HITECH Act.

OCR recently modified its 2016 guidance to comport with the Ciox court’s decision, confirming that covered entities are not required to (i) respond to third-party directives (for both PHI and/or ePHI) within 30 days, (ii) produce non-ePHI in the format and manner requested by the individual, or (iii) restrict their charges for production of PHI and/or ePHI to a reasonable, cost-based fee. That said, OCR has further clarified that these requirements will continue to apply to the Individuals’ Right of Access under HIPAA. Further, the court decision and revised OCR guidance do not modify the HITECH Act which requires covered entities who maintain ePHI to send copies of it in electronic format to third parties when directed by an individual. With respect to the amount a covered entity can charge for sending PHI (including ePHI) to third parties, OCR noted that the fee should not be excessive such that it would constitute a “sale of PHI” which is prohibited under HIPAA.

Finally, while OCR’s revised guidance reduces certain obligations of covered entities, it is important to note that it does not modify any state law requirements. To the extent that state law imposes stricter requirements than HIPAA and/or the HITECH Act with respect to third-party directives, the state law requirements will govern.