On October 21, 2025, the acting administrator of the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget issued Memorandum M-25-36, which contains guidance for federal agencies on “how to bolster, streamline, and speed” the deregulatory agenda prioritized by the Trump administration in 2025 (“the Memorandum” or “M-25-36”).
The Memorandum furthers two Executive Orders (EOs) issued earlier in the year. EO 14192, entitled “Unleashing Prosperity Through Deregulation,” requires that for every new regulation issued, ten must be repealed. EO 14219 seeks to ensure “Lawful Governance” to implement the president’s Department of Government Efficiency Deregulatory Initiative. M-25-36 also furthers a Presidential Memorandum of April 9, 2025, entitled “Directing the Repeal of Unlawful Regulations.”
The Memorandum, which establishes timelines and guidelines for OIRA review, focuses on: 1) speeding up the OIRA review process; 2) repealing facially unlawful regulations; and 3) developing better deregulatory records. We discuss each of these sections in turn before providing some thoughts in the health care context.
On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).
As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties. In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.
Blog Editors
Recent Updates
- DOJ Subpoena Seeks Health Information of Hospital Patients Receiving Gender-Affirming Care: Will Judge Grant Motion to Quash?
- Podcast: 42 CFR Part 2 Final Rule: What’s Changing and What Do You Need to Know? – Diagnosing Health Care
- Congress Creates Yet Another Cliff for Medicare Telehealth Extensions (and We’re Running Out of Metaphors)
- OIRA Memo on Agency Deregulation: Implications for Health Care
- Outside Counsel’s Internal Investigations—Including Those Relating to Health Care—Are Privileged and Protected from Disclosure