Today’s news cycle is so short and fast that we can often overlook important developments. An example is the recent federal court ruling on Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020). Many of us missed this court order, which ruled in favor of Ciox Health, LLC. The firm is a “specialized medical records provider that handles tens of millions of record requests annually for its clients,” according to the court filing. Ciox Health brought suit because, as a business associate (BA), its ability to charge for record sharing was capped at the “patient rate” under the regulations implementing provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the company claimed did not cover actual processing costs. The firm also claimed that the regulations only applied to covered entities, not BAs. But all that apparently is out the window with the court ruling. Now it appears that companies like Ciox Health, LLC, can negotiate a much higher rate for their services with such clients as law firms and life insurance companies underwriting policies.
This outcome has the potential to radically change how patient data is shared with third parties and how much can be charged. The impact could be broader than you might think. It could affect patients as well as the business models of technology vendors and third parties that collect patient data on behalf of themselves and their clients. We hope it doesn’t, but it could also affect the timing and content of the upcoming rule from the Office of the National Coordinator for Health Information Technology (ONC) on information blocking and the rule from the Centers for Medicare and Medicaid Services (CMS) on the use of application programming interfaces (APIs) to facilitate patients’ access to their data. (We hope it doesn’t cause delays because a large number of stakeholders are waiting on these rules.)
Let’s take a deeper dive.
What the Ciox Health ruling does. The ruling does several things.
- Patient-requested Data Formats – It invalidated provisions in a 2013 rule modifying the Health Insurance Portability and Accountability Act’s (HIPAA) privacy, security and enforcement rules in response to provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH). It specifically nullified provisions requiring third parties to transmit protected health information (PHI) in any format requested by patients.
- Charge Caps – It invalidated portions of 2016 guidance from the Office for Civil Rights, which capped what companies can charge when responding to patient requests that copies of their health records be sent to third parties, such as lawyers and insurance companies. This cap is called the patient rate, which allows providers “to charge a reasonable, cost-based fee” that would include “the labor and supply costs of copying” those records and postage for mailing them (if the individual requested physical copies), but exclude most other costs. Ciox Health argued that this didn’t begin to cover the real costs of processing record requests and only applied to covered entities, not BAs. The court sided with Ciox Health, LLC. Moreover, the Ciox Health ruling was silent on how much companies now can charge for that service.
- Patient Access and Costs – It does not affect the right of patients to ownership of their protected health information (PHI); their right to access their PHI from providers and health plans for their own use; and how much can be charged when they request that their records be sent to them (the “patient rate”).
What does it mean? The Ciox Health ruling could have far reaching implications. For example:
- Patients. Without a doubt, we (patients) have a right to our data; however, if we’re requesting it be sent to lawyers and insurance companies, the costs are going to come back to us somehow, some way, even if it’s hidden from us. Can we afford it? Can we be protected from price gouging? Will separate rulemaking be needed to address patient protections?
- Data originators and third parties. Patient data is becoming a commodity and there’s a lot of money to be made from it. As a result of this ruling, will data originators — such as health systems, providers and pharmacies — adjust pricing? Will companies that haven’t been selling or exchanging data change their business models to cash in on this potential revenue stream?
The new ruling could be a gold mine for third parties like Ciox Health, LLC. Now that the fee cap is lifted, how much will they charge? What will happen in the case of fees that are beyond a “reasonable” rate? And who decides? Will these fees ultimately be charged back to the patient?
Another question is how and whether the ruling applies to “data harvesters.” These third parties buy de-identified patient data (legal under HIPAA) from various sources and then sell the information on a secondary market. The data have a variety of uses, including strategy development, marketing, research and public health monitoring. This involves millions of de-identified records, so processing fees could add up to a healthy revenue stream. For example, Iqvia, one of the world’s largest data harvesters, posted revenues of $2.68 billion in the first quarter of 2019.
- Vendors. Electronic health records (EHRs) and API developers often sit between the data and the third-party user. An indeterminate number of EHR vendors already are likely aggregating and selling de-identified longitudinal data sets. The permission is included in the provider use agreement. Even if EHR vendors aren’t selling patient data now, will they change their business model to adapt to this potentially profitable opportunity? Will provider use agreements have to be reworked? If so, this could add up to a lot of administrative costs and legal fees.
- State laws. It also is worth noting that many states have laws related to access to patients’ medical records. Providers and third parties will need to get up to speed on what, if anything, is required by their geographic locations regarding medical records access and fees. It will be very confusing for multi-state, integrated delivery systems. Federal requirements usually are a “floor,” but now that it has been removed under the Ciox Health ruling, state laws will prevail. Will states without laws be pushed to create them to clarify medical record access and related fees? Will states with existing laws need to revise them to provide greater patient and provider protections?
- Federal rulemaking. As noted previously, the Ciox Health ruling may impact the content and timing of the data blocking and API rules. Attorneys at the Department of Health and Human Services (HHS) may have to take a time out to digest the court ruling, get down in the weeds, and see how it might affect the content of the upcoming rules and HIPAA privacy regulations. Will the HHS attorneys also be looking at the provisions of the 21st Century Cures Act — which, of course, passed after HITECH — to see how they might or might not come into play? (Could it supersede?) Will additional guidance be forthcoming?
Yet another question is whether — and how — the ruling could affect business associate (BA) agreements. As mentioned previously, Ciox Health, LLC, is technically a business associate and its suit questioned whether HHS could directly set and enforce its medical record processing fees for BAs. Apparently not, according to the court. After the court ruling, HHS released a statement reiterating that the fee limitation will only apply to an individual’s request for access to their own records and does not apply to an individual’s request to transmit records to a third party. Will providers and others have to redo their BA agreements with third parties to address patient record processing fees? Are there implications for other kinds of BA agreements? Will HHS need to issue additional clarifying guidance about HIPAA enforcement?
Delays are highly likely as all this gets sorted out. Unfortunately, in the meantime, nothing gets done. This always happens in the waiting period before final rules are issued. However, the delay here could be longer than normal, given the amount of work and rework that could be involved with aligning various regulations and the Ciox Health ruling.
What’s next? Point-of-Care Partners (POCP) is keeping on top of the implications of the Ciox Health ruling, which is likely to be appealed. We will let you know in the event that HHS issues follow-up guidance on the subject.
To be sure, we are management consultants and, by definition, business and product strategists, not attorneys. We urge readers, clients and their companies to consult their own counsel for interpretations of the ruling and to see how it might impact them.
POCP also will be analyzing the upcoming rules on information blocking and APIs, once they drop. Our analysis will be posted online, so stay tuned. In the meantime, please feel free to contact me (email@example.com).