Health Law Advisor

During the past several turbulent weeks for the U.S. health care system, rulings in the case Alliance for Hippocratic Medicine v. FDA have called into question the U.S. Food and Drug Administration’s (“FDA’s”) scientific review process to approve new drug applications. While the U.S. Supreme Court acted on the afternoon of Friday, April 21, 2023 to preserve access to the drug mifepristone while the case continues in the United States Court of Appeals for the  Fifth Circuit, the future of mifepristone—and the FDA’s authority to approve new drugs—will continue to be debated on appeal.

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.