Ciox Health, LLC v. Azar

• Citation: 435 F.Supp.3d 30
• Decision Date: 23 January 2020
• Docket Number: Case No. 18-cv-00040 (APM)
• Parties: CIOX HEALTH, LLC, Plaintiff, v. Alex AZAR, et al., Defendants.
• Court: U.S. District Court — District of Columbia

435 F.Supp.3d 30

CIOX HEALTH, LLC, Plaintiff,

v.Alex AZAR, et al., Defendants.

Case No. 18-cv-00040 (APM)

United States District Court, District of Columbia.

Signed January 23, 2020

Filed January 27, 2020

Jay Philip Lefkowitz, Gilad Bendheim, Kirkland & Ellis LLP, New York, NY, Thomas J. Tobin, Perkins Coie LLP, Seattle, WA, Michael D. Shumsky, Hyman, Phelps & McNamara, P.C., Washington, DC, for Plaintiff.

Vinita B. Andrapalliyal, U.S. Department of Justice, Washington, DC, for Defendants.

MEMORANDUM OPINION

Amit P. Mehta, United States District Court Judge

I. INTRODUCTION

Plaintiff Ciox Health, LLC ("Ciox") is a specialized medical-records provider that contracts with healthcare suppliers nationwide to maintain, retrieve, and produce individuals' protected health information ("PHI"). Ciox handles tens of millions of records requests annually for its clients. Such requests include PHI demands by healthcare providers for treatment purposes, patients asking for their own PHI, and third parties, such as life insurance companies and law firms, seeking a patient's PHI for commercial or legal reasons.

This case centers on various legal restrictions and conditions placed on producing PHI. Most significantly, it concerns what a company like Ciox can charge for searching for, retrieving, and delivering PHI. To ensure that patient access to PHI is not thwarted by excessive fees, the United States Department of Health and Human Services ("HHS") has adopted rules that limit what companies may charge for delivering PHI. These restrictions are known as the "Patient Rate." For years, the medical records industry understood that the limitations imposed by the Patient Rate applied only to requests for PHI made by the patient for use by the patient. For other types of requests, such as those made by commercial entities, like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the Patient Rate. That understanding changed, however, in 2016, when HHS issued a guidance document, which stated that the Patient Rate applies even to requests to deliver PHI to third parties. This change, according to Ciox, caused Ciox and other medical records companies to lose millions of dollars in revenue. Ciox challenges the 2016 expansion of the Patient Rate as violative of the procedural and substantive protections of the Administrative Procedure Act ("APA").

In addition to the scope of the Patient Rate, Ciox also contests two additional pronouncements made by HHS in the 2016 guidance document. The first addresses the types of labor costs that are recoverable under the Patient Rate. The second concerns three alternative methods identified for calculating the Patient Rate. Ciox argues that these actions violate the APA's procedural and substantive provisions. Ciox also challenges under the APA a regulation adopted in 2013, which requires records companies to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient. According to Ciox, Congress required only that certain types of electronic health records be delivered to third parties, not all records regardless of their format, as HHS's regulations now command.

Before the court is HHS's motion to dismiss and the parties' cross-motions for summary judgment. For the reasons discussed below, HHS's motion to dismiss is granted in part and denied in part, and the parties' cross-motions are granted in part and denied in part. The court rejects the agency's grounds for dismissal in all respects, except one: the court finds that the agency's three methods for calculating the Patient Rate is not a reviewable final agency action. That claim is thus dismissed. As for the parties' cross-motions, the court holds that: (1) HHS's 2013 rule compelling delivery of PHI to third parties regardless of the records' format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress; (2) HHS's broadening of the Patient Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA; and finally, (3) HHS's 2016 explanation concerning what labor costs can be recovered under the Patient Rate is an interpretative rule that HHS was not required to subject to notice and comment. Accordingly, the court declares unlawful and vacates (1) the 2016 Patient Rate expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format.

II. BACKGROUND

A. Statutory and Regulatory Background

1. HIPAA and the Privacy Rule (2000)

In 1996, Congress passed the Health Insurance Portability and Accountability Act ("HIPAA") to "encourag[e] the development of a health information system," and tasked the Department of Health and Human Services ("HHS") with providing Congress recommendations on standards with respect to PHI, including individuals' rights to their PHI, the procedures for exercising such rights, and the authorized uses and disclosure of PHI. See Pub. L. 104-191, title II, §§ 261, 264(a)–(b), 110 Stat. 1936, 2021, 2033 (1996). Congress directed HHS to make its recommendations regarding PHI within 12 months of HIPAA's enactment. Id. § 264(a). HIPAA also provided that, if Congress did not act on the agency's recommendations within 36 months of HIPAA's enactment, HHS would be required to promulgate regulations regarding PHI within six months of the 36-month period's expiration. Id. § 264(c). HHS timely made the required privacy recommendations to Congress, but Congress failed to enact legislation, thus triggering HHS's rulemaking authority under HIPAA. In 2000, HHS issued a final rule, known as the "Privacy Rule." See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.500 et seq. ).

Critical to understanding the parties' dispute is the distinction that the Privacy Rule draws between "covered entities" and "business associates." The Privacy Rule is directed primarily to regulating "covered entities." See 45 C.F.R. § 164.500(a) (stating that "the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to [PHI]"). A "covered entity" includes health plans, health care clearinghouses, and health providers that "transmit[ ] any health information in electronic form in connection with a [covered] transaction." Id. § 160.103. The Privacy Rule also regulates "business associates," albeit to a lesser extent than covered entities. See, e.g. , id. § 164.502 (setting forth permitted uses and disclosures for both covered entities and business associates); id. § 164.504(e)(1) (setting forth terms for business associate contracts and subcontracts). A "business associate," generally speaking, operates on behalf of a covered entity and "creates, receives, maintains, or transmits protected health information for a [regulated] function or activity." Id. § 160.103. Business associates include a "person that offers a personal health record to one or more individuals on behalf of a covered entity" and a "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." Id. Under these definitions, Plaintiff Ciox Health, LLC ("Ciox") qualifies as a "business associate," and not a "covered entity." See Ciox Health's Compl. for Declaratory and Injunctive Relief, ECF No. 1 [hereinafter Compl.], ¶ 5.

As relevant here, the Privacy Rule establishes an individual's right to access PHI and the permissible fee that can be charged for such production. See generally 45 C.F.R. § 164.524. For requests brought by an individual seeking her own PHI—known as a "personal use request"—the Privacy Rule permits a "covered entity" to "charge a reasonable, cost-based fee." Id. § 164.524(c)(4). The court refers to this "reasonable, cost-based fee" as the "Patient Rate." As originally enacted, the Privacy Rule provided that the Patient Rate could comprise the following elements: (1) the cost of "[c]opying, including the costs of supplies for and labor for copying, the [PHI]"; (2) "[p]ostage, when the individual has requested the copy, or the summary or explanation, be mailed"; and (3) "[p]reparing an explanation or summary of the [PHI]." Id. § 164.524(c)(4)(i)–(iii) (2012). Notably, the Patient Rate excluded other common costs associated with maintaining and producing PHI, such as costs of data storage, data infrastructure, and document retrieval. See 65 Fed. Reg. at 82,557 ; Compl. ¶ 31.

When HHS promulgated the Privacy Rule in 2000, it made clear that the purpose of the Patient Rate was to ensure that individuals would not be deterred from seeking PHI due to its cost.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.

65 Fed. Reg. at 82,577. Conversely, when the cost of obtaining and transmitting PHI was to be borne by someone other than the patient, HHS did not require charging the Patient Rate.

We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.

Id. (emphasis added). Elsewhere in the Final Rule HHS stated:

The proposal and the final rule establish the right to access and copy records only for individuals, not other entities ; the ‘reasonable fee’ is only applicable to the individual's request. The Department's expectation is that other existing practices regarding

...