The Trump Administration has prioritized the elimination of overreaching regulations:i In FY 2017, the Trump Administration reduced lifetime net regulatory costs across all agencies by $8.1 billion ($570 million per year). Further, it committed to reducing net lifetime regulatory cost in FY ‘18 by another $9.8 billion ($686.6 million per year).ii By contrast, the Obama-Era Department of Health and Human Services (“HHS”) imposed in just one single example of its administrative overreach almost $22 billion in lifetime regulatory costsiii (more than 1.5 billion per year) on health care providers when it issued regulations and sub-regulatory guidance purporting to implement just one statute, as discussed more fully below.
Under the Obama Administration, HHS Unlawfully Imposed Almost $22 Billion in Net Lifetime Regulatory Costs on Health Care Providers by Requiring that They Provide Voluminous Patient Health Records to Commercial Third Parties (Mostly Trial Attorneys) at the Subsidized, Below Cost “Patient Rate”: HHS promulgated regulations in 2013 (the “2013 Omnibus Rule”)iv and then issued sub-regulatory guidance in 2016 (the “2016 Guidance”)v that purported to implement the health record access provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)vi, as amended by the Health Information Technology for Clinical and Economic Health Act (“HITECH”)vii. HHS acted beyond its authority when issuing the 2013 Omnibus Rule and the 2016 Guidance. As a consequence of this administrative overreach, HHS imposed more than $1.5 billion in annual costs (approx. $21.7 billion in net lifetime regulatory costs) on health care providers and their business associates, virtually all to the benefit of malpractice lawyers, without providing any benefit to the health care system.viii In fact, far from providing a benefit to patient care, the 2013 Omnibus Rule and the 2016 Guidance impose a lifetime burden of almost $22 billion on the health care system.
HIPAA - A Guiding Principle of HIPAA was to “make the exchange of protected health information relatively easy for health care purposes”.ix HIPAA and it implementing regulations (the “Privacy Rule”)x have long provided individuals with a broad right of access to their own health records. To ensure access, HIPAA limited the fees that providers can charge individuals for copies of their records to the labor costs for copying and the cost of supplies, while foreclosing recovery of other costs, such as those incurred for record search, retrieval, handling, and ensuring compliance with the disclosure limitations of HIPAA. Importantly, however, this below cost, subsidized “Patient Rate” was never intended to apply to fees charged to third parties.xi/xii However, today, attorneys and other commercial third parties are exploiting the 2013 Omnibus Rule and the 2016 Guidance to force health care providers to provide them with records at a financial loss estimated by Leavitt Partners at $1.52 billion per year, and HHS is reinforcing this behavior.
HITECH – The Primary Purpose of HITECH was to Encourage Interoperability for Health Care Purposes by Promoting “the Adoption and Meaningful Use of Interoperable Health Information Technology and Qualified Electronic Health Records.”xiii It Was Not Intended to Be Subverted to Benefit Commercial Third Parties Seeking Vast Stores of Patient Health Information, Often Covering Decades of Treatment, That Have to be Manually Compiled and Provided at the Patient Rate. HITECH also amended HIPAA to codify a limited “Third Party Directive” right by which an individual could direct copies of his or her electronic health record (and only the electronic health record) to third parties, provided that the subject patient’s health care provider, in fact, maintained such an electronic health record.xiv Moreover, when considered in the full context of HITECH, it is clear that the focus of the directive right was intended to be the Qualified Electronic Health Record (as defined by HITECH).xv This right to direct the Qualified Electronic Health Record made sense. It “promote[d] the adoption and meaningful use of interoperable health information technology and Qualified Electronic Health Records”.xvi It allowed patients to participate in their own health care decisions by forwarding the readily available electronic record to a third party without adding undue burden to the health care system and without creating a multi-billion dollar windfall to trial attorneys.
The Obama Administration Lacked the Statutory Authority to Expand the Reach of (1) the Third Party Directive from the Qualified Electronic Health Record to Any and All Health Information and (2) the Patient Rate from Just Patients, their Health Care Providers, and their Personal Representatives to Commercial Third Parties. This Combined Administrative Overreach Stymied HITECH’s Health Care Interoperability Initiative by Imposing Billions in Unnecessary and, Indeed, Unlawful Cost on Providers :
First, while acknowledging that the statutory Third Party Directive applied only to the electronic health recordxviii, HHS promulgated a wide-ranging regulatory directive that applied broadly to all patient health information in any form or media, regardless of whether it was part of the Qualified Electronic Health Record or not. That administrative action was in direct conflict with the limits of the HITECH Act. Making matters worse, HHS claimed authority to do so by express reliance upon section 264(c) of HIPAA. This reliance was misplaced and, indeed, unlawful because section 264(c) was enacted for the very specific and time-limited purpose of promulgating HIPAA’s Privacy Rule, and the authority granted in that section had already expired by its terms more than 13 years before the promulgation of the 2013 Omnibus Rule.xix/xx
Second, three years later, HHS issued its 2016 Guidance, stating that third parties, acting pursuant to a Third Party Directive, were entitled to the benefits of the Patient Rate.xxi This new substantive rule was promulgated without congressional authority, and without satisfying the requirements of the Administrative Procedure Act.
THE PROBLEM - The 2013 Omnibus Rule and the 2016 Guidance Are Now Being Exploited to Provide a Multi-Billion Dollar Windfall to Malpractice Attorneys and Other Commercial Third Parties at the Expense of the Health Care System. The 2013 Omnibus Rule and the 2016 Guidance taken together created a windfall for malpractice lawyers – 99% of all Third Party Directive demands are made for the benefit of trial attorneys - and other commercial third parties who are now demanding production of “any and all” patient health records in a variety of media and format, located in multiple locations, and often covering decades of health care by simply paying the below-cost, federally mandated Patient Rate.xxii These discovery demands can often require the production of thousands of pages of records that have nothing to do with a patient’s present health concerns. As a result, health care providers, large and small alike, including non-profit institutions and small doctor’s offices and rural clinics, are bearing new incremental costs of more than $1.5 billion annually (almost $22 billion in net lifetime regulatory cost) for the production of patient health records to commercial third parties who are exploiting the special Patient Rate that was formerly reserved for treatment purposes.
THE SOLUTION – Correct the Obama-Era Administrative Overreach By Stating that the Third Party Directive Applies only to the Qualified Electronic Health Record and that the Patient Rate Is Available Only to Patients and Their Health Care Providers and Personal Representatives, as Intended: The 2013 Omnibus Rule and the 2016 Guidance unlawfully extend the reach of the Third Party Directive and the Patient Rate, virtually all to the benefit of malpractice lawyers, and to the great detriment of the health care system. The Guidance should be withdrawn. Moreover, HHS should immediately clarify that: (1) a commercial third party’s right to receive a copy of an individual’s health records, pursuant to a “Third Party Directive”, extends only to the Qualified Electronic Health Record referred to as the Continuity of Care Document (“CCD”); and (2) the “Patient Rate” does not apply to records produced to third parties, except in the very limited circumstance in which the third party is serving as the individual’s personal representative for health care decisions.
This solution would provide a major deregulation victory to the Administration while eliminating $22 billion in lifetime regulatory cost which, left uncorrected, will be borne by the U.S. health care system.
iE.g., Executive Order 13777, issued February 24, 2017.
iiFact Sheet, President Donald J. Trump is Delivering on Deregulation, issued on December 14, 2017.
iiiThis figure was calculated using the same methodology employed by the Administration when calculating the net lifetime regulatory cost savings in the Fact Sheet referenced at note ii above. For a cost that continues in perpetuity, the calculation for present value using the discount rate assumed in the Fact Sheet (7%) is (annualized cost) / (discount rate). The calculation is $1,520 / 7% = $21,714m.
ivSee Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013).
vIndividuals’ Right under HIPAA to Access their Health Information 45 CFR 164.524.
viPub. L. No. 104-191, 110 Stat. 1936 (1996).
viiPub. L. No. 111-5, 123 Stat. 226 (2009).
viiBroad Patient Directive and February OCR Guidance May Trigger a $1.52 Billion Cost Shift to Providers (Leavitt Partners).
ixSee 64 Fed. Reg. 59918, 59940.
xSee 65 Fed. Reg. 82462
xiAs HHS made clear at the time, it did not “intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual.” 65 Fed. Reg. 82557.
xiiIn fact, extending the “Patient Rate” to commercial third parties would have been inconsistent with one of HIPAA’s primary goals, which was to ensure the confidentiality of patient PHI. The Privacy Rule focused not only on ensuring patient access but also, as the name suggests, on ensuring the privacy/confidentiality of patient records. Once patient records are given to non-HIPAA covered entities (e.g. commercial third parties), those records are no longer subject to HIPAA’s use and disclosure restrictions.
xiii75 Fed. Reg. 44314, 44316. (Emphasis Added.)
xivSection 13405(e) of HITECH (codified at 42 U.S.C. §17935(e)(1) states, in part: In applying section 164.524 of Title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to the protected health information of an individual – the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific. (Emphasis Added.)
xvA review of the relevant health IT certification criteria regulations suggests that the Third Party Directive should only apply to the data typically contained in the certified Continuity of Care Document (“CCD”). 45 C.F.R. §170.315 (10-1-16 Edition)
xviSupra at note xiii.
xviiSee supra at notes ii and viii
xviiiSee the Preamble to the 2013 Omnibus Rule (78 Fed. Reg. at 5631), which states, in part:
Section 13405(e) [of the HITECH Act] applies by its terms only to protected health information in EHRs. However, incorporating these new provisions in such a manner in the Privacy Rule could result in a complex set of disparate requirements for access to protected health information in EHR systems versus other types of electronic records systems. As such, the Department proposes to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section 13405(e) of the HITECH Act more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR. (Emphasis Added.)
xixSee HIPAA §264 (formerly codified at 42 U.S.C. §1320d-2). Click Here for HIPAA.
xxSee, e.g., Association of American Physicians and Surgeons, Inc. v. FDA, 226 F. Supp. 2d 204, 222 (D.D.C. 2002) (Administrative agencies do not have the authority to promulgate regulations that exceed the authority granted by statute, irrespective of whether the agency believes that its actions advance preferable public policy.).
xxiSee, the 2016 Guidance (the Patient Rate applies “regardless of whether the individual has requested that the copy of the PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is”.)
xxiiSupra notes v and xxi.