{"id":98,"date":"2020-02-20T16:17:13","date_gmt":"2020-02-20T21:17:13","guid":{"rendered":"http:\/\/apexcompliance.net\/blog\/target\/district-court-ruling-impacts-hipaa-access-request-permissible-charges\/"},"modified":"2020-02-20T16:17:13","modified_gmt":"2020-02-20T21:17:13","slug":"district-court-ruling-impacts-hipaa-access-request-permissible-charges","status":"publish","type":"post","link":"https:\/\/apexcompliance.net\/blog\/2020\/02\/20\/district-court-ruling-impacts-hipaa-access-request-permissible-charges\/","title":{"rendered":"District Court Ruling Impacts HIPAA Access Request Permissible Charges"},"content":{"rendered":"<p>On January 23, 2020, the United States District Court for the District of Columbia declared sections of the 2013 Omnibus Rule unlawful. The Court found that the Department of Health and Human Services (HHS) impermissibly expanded provisions of the HITECH Act by removing authorization requirements for the transmission of protected health information (PHI) from sources other than an electronic heath record (EHR). Additionally, the Court declared that HHS&#8217;s 2016 Guidance was unlawful insofar as it commands that the Patient Rate limitations apply to all third-party directives.<\/p>\n<p>In <em>Ciox Health, LLC v. Alex Azar, et al.<\/em>, No. 18-cv-0040 (D.D.C. January 23, 2020), a medical records company that contracts with health care suppliers to maintain, retrieve, and produce individuals&#8217; medical records challenged legal restrictions and conditions placed on the production of PHI. Ciox Health argued that HHS lacked authority to expand the HITECH Act&#8217;s third-party directive in the 2013 Omnibus Rule and that the 2016 expansion of the Patient Rate violated the procedural and substantive protections of the Administrative Procedure Act.<\/p>\n<p>The Court examined the requirements of the 2013 Omnibus Rule as it pertains to third-party directive requests. Prior to enactment of the HITECH Act, a covered entity could not release PHI stored in any format to a third party without a valid authorization that included: a description of the information sought; the purposes for disclosure, the authorization&#8217;s expiration date\/event; and statements adequate to place the individual on notice of his or her rights. In 2009, Congress passed the HITECH Act which changed the law to permit patients to direct a facility to transmit PHI from an EHR to a third party without the burden of completing an authorization. The 2013 Omnibus Rule expanded this relief from the authorization requirement to include PHI contained in any format, not just PHI in EHRs. The Court held that in making this expansion, HHS impermissibly exceeded its general rulemaking authority to expand a congressionally imposed restriction. Thus, based on the Court&#8217;s ruling, an authorization will once again be required before a patient may direct a facility to release PHI that is not found in an EHR to a third party.<\/p>\n<p><strong>[\u2026]<\/strong><\/p>\n<p><em><strong>This is an extract of previously published material.<\/strong><\/em><\/p>\n<p id=\"mct-ai-attriblink\"><a href=\"https:\/\/www.jdsupra.com\/legalnews\/district-court-ruling-impacts-hipaa-18684\/\" target=\"_blank\" rel=\"noopener noreferrer\">Click here to view full original article at www.jdsupra.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On January 23, 2020, the United States District Court for the District of Columbia declared sections of the 2013 Omnibus Rule unlawful. The Court found that the Department of Health and Human Services (HHS) impermissibly expanded provisions of the HITECH Act by removing authorization requirements for the transmission of protected health information (PHI) from sources other than an electronic heath record (EHR). Additionally, the Court declared that HHS&#8217;s 2016 Guidance was unlawful insofar as it commands that the Patient Rate limitations apply to all third-party directives.&hellip; <a href=\"https:\/\/apexcompliance.net\/blog\/2020\/02\/20\/district-court-ruling-impacts-hipaa-access-request-permissible-charges\/\" class=\"read-more\">Read More <\/a><\/p>","protected":false},"author":1,"featured_media":419,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36,3,35,18],"tags":[39,38,17,37,20,19],"_links":{"self":[{"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/posts\/98"}],"collection":[{"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":0,"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/media\/419"}],"wp:attachment":[{"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/apexcompliance.net\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}