Case 1:18-cv-00040-APM Document 1 Filed 01/08/18 Page 1 of 44

UNITED STATES DISTRICT COURT
DISTRICT OF COLUMBIA

CIOX HEALTH, LLC
925 North Point Parkway
Suite 350
Alpharetta, GA 30005
Plaintiff,

v.

ERIC D. HARGAN, in his official capacity as Acting Secretary of Health and Human Services
200 Independence Ave. S.W.
Washington, D.C. 20201,

and

UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES,
200 Independence Ave. S.W.
Washington, D.C. 20201,
Defendants.

Case No. ________

CIOX HEALTH’S COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF

Plaintiff CIOX Health, LLC (“CIOX”) brings this civil action seeking declaratory and injunctive relief against defendants Eric D. Hargan, in his official capacity as Acting Secretary of Health and Human Services, and the United States Department of Health and Human Services (collectively “HHS,” “the Department,” or “Defendants”). In support thereof, CIOX states the following:

NATURE OF THE ACTION

1. This lawsuit seeks the entry of declaratory and injunctive relief to prevent HHS from enforcing a series of rules and regulations that unlawfully, unreasonably, arbitrarily, and capriciously seek to restrict the fees that healthcare providers and their business affiliates (like CIOX and other medical-records providers) are entitled to charge for gathering and disseminating patient records containing individuals’ protected health information (“PHI”) pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936 (1996), as amended by the Health Information Technology for Clinical and Economic Health Act (“the HITECH Act”), Pub. L. No. 111-5, 123 Stat. 226 (2009), and the 21st Century Cures Act, Pub. L. No. 114-255, 130 Stat. 1033 (2016), and as codified in relevant part at 42 U.S.C. § 17291 et seq.

2.
As set forth below, HHS’s rules are (a) impossible to square with the plain language of the controlling legislative enactments—as HHS itself conceded expressly at the time it issued them; (b) irrational, arbitrary, capricious, and absurd on their own terms; and (c) in key respects were promulgated by the Department without advance notice to the public or any opportunity to provide comment, in defiance of the Administrative Procedure Act and the most elementary requirements of good governance.

3. Most important, HHS’s continued application and enforcement of these rules imposes tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical-records industry that services them. These burdens are having a severe adverse impact on already-struggling healthcare providers, including non-profit hospitals, community hospitals, academic hospitals involved in research, local clinics, and physicians’ practices. And today, these rules are being exploited by for-profit commercial businesses to shift costs they properly should bear onto healthcare providers and patients. In short, HHS’s unlawful rules are forcing healthcare providers to bear costs Congress never contemplated and threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively—and quite deliberately—mandating that they fulfill a rapidly growing percentage of requests for PHI at a net loss.

4.
At a time when the American public is clamoring to reduce healthcare costs, the rules challenged in this Complaint threaten to substantially increase costs for patients and challenge the long-term viability of the medical-records industry, which plays a critical role in facilitating healthcare providers’ ability to deliver high-quality, error-free, and cost-effective healthcare services by ensuring that our Nation’s healthcare professionals are able to access, share, and distribute critical patient-related information in real time. Indeed, the vast majority of hospitals in the United States contract with medical-records providers like CIOX precisely because these companies’ highly specialized services are efficient, cost-effective, and critical to the timely dissemination of key medical information, thereby allowing healthcare providers to focus their full attention on the task before them: ensuring the best possible care for patients. Left unchecked, Defendants’ unlawful actions thereby threaten to disrupt the American healthcare system and increase healthcare costs for patients, with dire consequences for millions of Americans.

THE PARTIES

5. Plaintiff CIOX Health (“CIOX” or “the Company”) is a business incorporated and headquartered in Alpharetta, Georgia. CIOX is a specialized medical-records provider that qualifies as a “business associate” under HIPAA, and healthcare providers in all 50 states contract with CIOX to perform their obligations to lawfully retrieve and release individuals’ PHI in accordance with both HIPAA and relevant state privacy laws. CIOX employs more than 7500 people, most of whom are stationed on-site at its clients’ facilities as so-called “Release of Information” or “ROI” specialists. As a business associate under HIPAA, CIOX is subject to HHS’s regulations and can be subject to civil and criminal money penalties for violations of the Department’s rules. 45 C.F.R.
§§ 160.402(a) and 164.500(c).

6. Defendant HHS is a federal agency whose responsibilities include the administration of HIPAA, the HITECH Act, the 21st Century Cures Act, and the enforcement of the regulations challenged in this case, including the challenged provisions located within 45 C.F.R. Part 164. HHS’s principal office is located at 200 Independence Avenue, S.W., Washington, D.C. 20201, and the unlawful actions challenged in this case originated within HHS’s headquarters at its subordinate division known as the Office for Civil Rights (“OCR”)—which has accused CIOX of violating the unlawful regulations challenged in this litigation and indeed has threatened to take enforcement action against the Company if CIOX fails to comply with the rules and regulations challenged in this Complaint.

7. Defendant Eric D. Hargan is the Acting Secretary of HHS, is responsible for the overall administration of the Department, and is the official charged by law with administering HIPAA, the HITECH Act, and the 21st Century Cures Act. Acting Secretary Hargan, through his designees at OCR, has undertaken the unlawful actions challenged in this case, and is sued only in his official capacity. He maintains offices at 200 Independence Ave., S.W., Washington, DC 20204.

JURISDICTION AND VENUE

8. This Court has subject-matter jurisdiction pursuant to 28 U.S.C. § 1331. This action arises under the Administrative Procedure Act (“APA”), 5 U.S.C. §§ 555, 702, and 704-706, and the Declaratory Judgment Act, 28 U.S.C. §§ 2201-02.

9. Venue is proper in this district pursuant to 28 U.S.C. § 1391(e) because Defendant HHS is a federal agency headquartered in the District of Columbia, because Defendant Hargan is an officer of a federal agency, and because a substantial part of the events giving rise to this complaint occurred in the District of Columbia.

RELEVANT FACTUAL BACKGROUND

10.
Ensuring that healthcare providers have timely access to individual medical records is essential to the delivery of high-quality healthcare services and to the minimization of diagnostic, treatment, and other medical errors. So is enabling meaningful involvement by patients in their own course of care, which often results in better health outcomes and lower healthcare costs—particularly when it comes to managing complex diseases and chronic conditions.

11. Accordingly, and as detailed below, Congress long has promoted the development of a nationwide digital healthcare infrastructure that is designed to facilitate the timely dissemination of electronic medical records to both individual patients and the healthcare professionals responsible for guiding their treatment. Given the sensitivity of the information contained in such records, Congress likewise has taken a number of steps to protect the privacy interests that every person has in the intimate details contained within his or her personal medical files. This case arises at the intersection of those two objectives and involves the legitimate production of individuals’ PHI in accordance with the various federal and State statutes and regulations that govern such activities.

12. Producing such information in accordance with these laws is both complex and costly. Each year, hundreds of millions of lawful disclosures of PHI are made throughout the United States. The costs required to fulfill each request for a patient’s PHI include not only the supplies and technology used to produce PHI to the requesting party, but also the extensive labor costs associated with receiving, compiling, verifying and processing such requests.
Countless records containing PHI (patient histories, examination notes, discharge summaries, physicians’ orders, pathology and radiology reports, images, x-rays, billing records, and other materials related to a patient’s health status and course of medical care) are generated or maintained in multiple media formats. And in many cases, these materials are located in multiple physical and virtual locations, which requires staff to be dispatched to physically obtain or retrieve records from an array of sources.

13. As a result, fulfilling a given request for PHI typically requires the responding party to identify, obtain, and compile records drawn from an array of disparate computer databases (including both current and legacy systems); current paper records that may be stored on-site; archived paper or electronic records that often are stored off-site or “in the cloud”; and even microfilm records that, depending on the facility at issue, might be stored either on- or off-site. This process is time-consuming even when the information is centralized within one site; it is more complex and time-consuming when the information is located in multiple places within a single site; and it is extraordinarily complex and time-consuming where the information is located in multiple locations across multiple sites.

14. Once responsive PHI is located, it takes significant effort to fulfill a request for paper or electronic copies of patient medical records in a manner that complies with both federal law and the patchwork of applicable state privacy laws.
A trained ROI specialist must: physically retrieve an individual’s medical records from the various media sources and locations in which it has been discovered; review each individual request or authorization to confirm its validity and compliance with applicable legal standards; log the request and supporting details into a computer database; examine every page of the recovered materials in order to ensure compliance with both federal law and the panoply of applicable state privacy regulations (which, for example, can require the redaction of sensitive details regarding past treatment for mental health disorders, drug or alcohol abuse, domestic abuse, or HIV); review the production to ensure that another patient’s private information is not erroneously included in the production; convert the records to the requestor’s chosen format; physically create a digital or electronic copy of the relevant information that has been compiled; re-file the original version(s) of any retrieved information that was not originally found in a digital format; and either prepare physical copies of the as-compiled materials for mailing (if they are to be produced in paper form); copy the materials to compact disc, a USB drive, or other electronic storage medium (if electronic copies of the records are to be mailed); or digitize the compilation of materials if they are to be sent to the requestor electronically.

15. The variable costs associated with fulfilling such requests fluctuate dramatically depending on the nature of a given request and each individual patient’s unique facts and circumstances.
While some routine patient requests might require the location, assessment, compilation, and production of less than 50 pages of materials and/or images (e.g., when an individual is changing his or her primary physician and simply needs to send his or her most recent records to his or her new provider), other requests may seek copies of “any and all” PHI relating to a given individual—particularly when those requests are made in connection with third-party commercial activities, as when a law firm is seeking medical records in connection with the prosecution or defense of litigation or an insurer is seeking to underwrite a new life insurance policy. Such requests can be particularly challenging to fulfill where a given patient has complex or chronic conditions that require continuous treatment, since those conditions tend to generate scores of records across multiple facilities—sometimes within a single healthcare-services system, and often across multiple healthcare systems with distinct record-keeping practices. In such cases, addressing such requests can require the identification, review, compilation, copying, and production of literally thousands of pages of documents, electronic images, and films that may need to be collected from an array of distinct locations in a virtually infinite variety of formats.

16. The recent development and still-nascent adoption of federally-certified electronic health record (or “EHR”) technologies pursuant to the HITECH Act (discussed in greater detail below) has not meaningfully reduced the inherent difficulties or labor costs associated with producing patient-level PHI. To the contrary, it has increased them (at least for the time being).
Not only do most individuals’ medical records currently reside in multiple media formats spread across multiple locations, but the various certified EHR systems now used by healthcare providers and other practitioners have been developed by different vendors using different methods, technologies, and design approaches—resulting in significant variations among health IT platforms that render such systems largely incapable of directly exchanging relevant information without substantial and time-consuming human intervention.

17. Precisely because these EHR technologies are relatively new, countless medical records that may be relevant to a given request pre-date not only the 2009 HITECH Act, the 1996 HIPAA, or the related HHS implementing rules and regulations, but also the date as of which most healthcare providers began to maintain any type of digital or electronic records (whether they qualify as EHRs within the meaning of the HITECH Act or not). Particularly when it comes to life-insurance-related requests and records sought in connection with litigation, literally decades of accumulated patient records can be at issue—placing a significant burden on the American healthcare system because such commercial requests almost invariably span broad expanses of time, treatment, and technology.

18. Given these complexities, most hospitals in the United States (which are called “covered entities” under the federal statutes and regulations governing PHI) have chosen to outsource the task of producing PHI to dedicated medical-records providers like CIOX (which the federal statutes and related regulations term “business associates”).
In short, it is far less expensive and far more efficient for healthcare providers, who otherwise need to be focused on caring for patients, to outsource these ROI services to highly-specialized businesses like CIOX, who efficiently manage the variable costs associated with the disclosure of PHI and provide their own technological platforms, subject-matter expertise, well-developed ROI operations, and highly-trained personnel. Given their expertise, ROI specialists like CIOX typically retrieve and disclose PHI far more quickly, securely, confidentially, and cost-effectively than most healthcare providers, and outsourcing this cumbersome process to ROI professionals allows healthcare providers to focus their financial and human resources on their core mission: providing first-rate healthcare services to patients.

19. As an ROI vendor to an array of healthcare providers throughout the United States, CIOX currently handles tens of millions of record requests per year on behalf of its healthcare provider-partners and produces literally billions of pages and images containing PHI annually. In order to ease the burden those requests otherwise might impose on the Nation’s healthcare system and to help improve the delivery of healthcare services to patients, CIOX continually has invested in the development of new technologies to improve the accuracy and efficiency of the ROI process—including proprietary technology platforms that can transmit records across provider sites that use otherwise-incompatible systems, thereby advancing interoperability between disparate locations and systems in accordance with one of Congress’s primary goals under both HIPAA and the HITECH Act. See HIPAA § 264.
Thanks to these innovative solutions, CIOX typically fulfills provider requests to access records for treatment purposes in less than 24 hours, and often can fulfill patient or third-party requests for relevant information within 5 days.

20. Individual patients’ requests for copies of their own PHI currently account for approximately 4 percent of CIOX’s overall volume. Because CIOX firmly believes in empowering individuals to play an active role in the management of their health and well-being, it has chosen to fulfill such requests at a significant net loss: It provides more than half of the requesting individuals with copies of their own records free of charge and charges the remaining minority of individuals at the HHS-mandated rate described in detail below (called the “Patient Rate”)—a highly-restrictive rate which does not allow CIOX or its healthcare-provider partners to recoup the substantial costs that are associated with fulfilling such requests. CIOX therefore loses considerable sums when it fulfills these individual requests for PHI.

21. Consistent with its commitment to public health, CIOX likewise incurs substantial losses when it fulfills healthcare providers’ requests for records related to a patient’s continuity of care—for instance, where staff in one facility requests records relating to a patient’s treatment at another facility in order to supplement, augment, or assume responsibility for the patient’s ongoing course of treatment. These continuity-of-care requests account for roughly 40-to-50 percent of CIOX’s total volume, and CIOX fulfills virtually all of these requests free of charge, even though state and federal laws otherwise would allow CIOX to charge for fulfilling such requests.
Given CIOX’s commitments to helping control costs across the country’s sprawling healthcare infrastructure and to empowering both patients and healthcare providers, CIOX thus fulfills roughly half of the record requests it currently fulfills at a substantial net loss.

22. Given those losses, the overwhelming majority of CIOX’s revenues historically have come from fulfilling patient-authorized requests for PHI from commercial third parties (such as life insurance companies and law firms) at state-regulated or independently contracted rates. The resulting revenues, derived largely from fulfilling patient-authorized requests from for-profit insurance conglomerates, incorporated businesses, and other commercial partnerships, in turn enable CIOX to provide physicians and the majority of individuals with copies of their own PHI for free (or at a significant net loss) and support CIOX’s unique ability to continuously innovate ROI technologies. In short, these revenues—and these revenues alone—keep CIOX in business and enable the Company to play its vital role in: (a) containing costs that otherwise would cripple the Nation’s healthcare system; (b) ensuring that healthcare providers have quick, accurate, and reliable access to continuity-of-care records; (c) preventing healthcare providers from being distracted from their patient-care responsibilities; and (d) helping empower individuals to play an active role in managing their personal health and well-being by ensuring prompt, accurate, and often-free access to their medical records for personal use.

STATUTORY AND REGULATORY BACKGROUND

A. HIPAA (1996)

23.
Congress passed HIPAA in 1996 in order to help “improve … the efficiency and effectiveness of the healthcare system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” HIPAA § 261 (codified at 42 U.S.C. § 1320d).

24. As part of those efforts, HIPAA § 264 directed HHS to develop “detailed recommendations on standards with respect to the privacy of individually identifiable health information” and ordered the Department to submit its recommendations to Congress within “12 months after the date of the enactment of this Act.” Id. § 264(a) (formerly codified at 42 U.S.C. § 1320d-2). HIPAA further specified that the Department’s recommendations to Congress “shall address at least the following: (1) The rights that an individual who is a subject of individually identifiable health information should have; (2) The procedures that should be established for the exercise of such rights; (3) The uses and disclosures of such information that should be authorized or required.” Id. § 264(b) (same).

25. In the event Congress received HHS’s recommendations but failed timely to enact “legislation governing standards with respect to the privacy of individually identifiable health information,” HIPAA delegated rulemaking authority to HHS to “promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act.” Id. § 264(c)(1) (same). HIPAA’s grant of rulemaking authority thus was subject to two limitations: First, HHS’s authority to regulate the disclosure of individually identifiable information was conditional: It was triggered only if Congress failed to enact its own legislation on this subject matter.
And second, it was time-limited, authorizing the Department to promulgate regulations only within a well-defined window of time, rather than providing a perpetual delegation of authority to implement new privacy-related regulations whenever HHS deigned fit and without respect to subsequent legislative activity.

B. HHS’s Original Privacy Rule (2000)

26. HHS eventually submitted its privacy recommendations to Congress under HIPAA §§ 264(a)-(b), but Congress failed to enact legislation within the 36-month window set forth in HIPAA § 264(c)(1). That failure in turn triggered HHS’s conditional rulemaking authority to promulgate initial regulations regarding these issues, and, after issuing a notice of proposed rulemaking in November 1999, the Department published its final rule in 2000. See HHS, Standards for Privacy of Individually Identifiable Health Information—Final Rule, 65 Fed. Reg. 82462 (Dec. 28, 2000). For ease of reference, we call this set of regulations the “Privacy Rule.”

27. HHS’s Privacy Rule created the first uniform federal standards governing the confidentiality, privacy, and lawful dissemination of medical records containing an individual patient’s PHI, which the regulations defined in relevant part as “individually identifiable health information … that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media at [45 C.F.R.] § 162.103 of this subchapter; or (iii) Transmitted or maintained in any other form or medium.” Id. at 82805 (codified at 45 C.F.R. § 164.501).

28.
Consistent with HIPAA § 264(b), the Privacy Rule established a multi-pronged framework governing both mandatory and permissible disclosures of patient-level PHI, including disclosures to both individual patients and third parties seeking to access an individual’s PHI for legitimate purposes: (A) disclosures that were required (“required disclosures”); (B) disclosures that were permitted without specific patient authorization (“permitted disclosures”); and (C) disclosures that were permitted with specific patient authorization (“authorized disclosures”).

a. Required Disclosures: As relevant here, the Privacy Rule generally “required” healthcare providers to fulfill an individual’s request to inspect and/or obtain a copy of his or her own medical records (“personal use requests”). Id. at 82805 (codified at 45 C.F.R. § 164.502(a)(2) (“A covered entity is required to disclose [PHI] … [t]o an individual, when requested under, and required by, [45 C.F.R.] § 164.524”)); see also id. at 82823 (codified at 45 C.F.R. § 164.524(a) (“[A]n individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set.”)).

b. Permitted Disclosures: Outside the personal-use context, the Privacy Rule generally “permitted” providers to disclose PHI without obtaining the patient’s specific, prior consent in order “to carry out treatment, payment, or health care operations” or for certain specified categories of activities that are critical to important public health and public policy objectives. Id. at 82805 (codified at 45 C.F.R. § 164.502(a)(1)(ii)-(iii)).

c. Authorized Disclosures: Finally, the Privacy Rule established a catch-all category pursuant to which other disclosures are “permitted” if (and only if) such disclosures are preceded by the patient’s specific, prior “authorization.” Id. (codified at 45 C.F.R. § 164.502(a)(1)(iv)); see also id. at 82811 (codified at 45 C.F.R.
§ 164.508 (setting standards for obtaining a “valid authorization” to disclose a patient’s PHI to third parties)).

29. Regardless of whether a given disclosure was required, permitted, or authorized by the Privacy Rule, however, HHS understood that the process of gathering and disclosing a patient’s PHI in response to a valid request under the Privacy Rule would be both time-consuming and expensive. As we explained earlier, there might be hundreds of documents containing an individual’s PHI, from an array of different healthcare providers or systems, which could have been generated and thereafter could be stored in a variety of different formats and physical or virtual locations. Just as the Privacy Rule established distinct procedures governing different categories of allowable disclosures, it established distinct cost-related rules governing these different categories of allowable disclosures.

30. With respect to requests by an individual for his or her own medical records (and for such “personal use” requests alone), the Privacy Rule sought to strike a balance between (A) ensuring that patients can afford to access their medical records so that they can participate in the management of their personal health, and (B) ensuring that healthcare providers would not be bankrupted by the expense of complying with their new regulatory obligation to fulfill such requests.
For these personal use requests (and again, only these personal use requests), the Privacy Rule therefore authorized healthcare providers and their affiliates “to charge a reasonable, cost-based fee” for copying a patient’s medical records, which would include “the labor and supply costs of copying” those records and postage for mailing those records (if the individual requested that his or her PHI be mailed), but specifically would exclude most of the record provider’s other costs. 65 Fed. Reg. at 82557 (emphasis added). As the Preamble to the Privacy Rule explained:

If hard copies are made, this [reasonable, cost-based fee] would include the cost of paper. If electronic copies are made to a computer disk, this would include the cost of a computer disk. [But providers] may not charge any fees for retrieving or handling the information [including costs relating to the storage systems and infrastructure needed to do so] or for processing the request. If the individual requests the information be mailed, the fee may include the cost of postage. Fees for copying and postage provided under state law, but not for other costs excluded under this rule, are presumed reasonable. If such per page costs include the cost of retrieving or handling the information, such costs are not acceptable under this rule.

Id. (emphasis added); see also 45 C.F.R. § 164.524(c). For ease of reference, we shall refer to this regulatory limitation on allowable fees for servicing personal use requests as the “Patient Rate.”

31.
For the limited category of personal-use cases to which the Patient Rate applied, the Privacy Rule’s strictures thus forced healthcare providers and dedicated medical-records providers like CIOX to operate at a loss—allowing them to recoup a limited portion of their costs, but none of the substantial expenses associated with data storage, infrastructure, request processing, or document retrieval and compilation—in order to ensure that every patient can afford to obtain his or her own medical records for personal use. 65 Fed. Reg. at 82557 (“If the cost [of obtaining these records] is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.”).

32. At the same time the Privacy Rule’s Patient Rate required healthcare providers and their affiliates to fulfill personal use requests at a loss, HHS sensibly recognized that no healthcare provider should be forced to operate at an overall loss. As a result, the Privacy Rule self-consciously took a different tack for all other disclosures of PHI, including patient-authorized requests from an insurance company seeking to issue a life-insurance policy or from a law firm seeking medical records in connection with litigation (as well as other for-profit commercial entities). In direct contrast to the below-cost Patient Rate applicable to personal use requests, the Privacy Rule expressly declined to impose any limitation on the fees providers could charge for fulfilling these other permitted or authorized requests (including requests for commercial, for-profit purposes), thereby allowing hospitals, physicians, and their affiliates to recoup the substantial losses HHS’s Patient Rate forced them to incur when fulfilling personal use requests by profitably fulfilling commercial requests for a patient’s PHI. See id.
(“We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual.”) (emphasis added).

33. That made sense: Again, HHS could not rationally require that healthcare providers operate at an across-the-board loss when producing records, and because these third-party disclosures typically involve the dissemination of an individual’s PHI to commercial entities who themselves are engaged in profit-generating business activities, HHS recognized there was no sensible basis for making healthcare providers and their affiliates incur vast losses so that these other businesses could generate vast profits at the expense of the healthcare system. Were it otherwise, healthcare providers—who, of course, are focused on providing high-quality healthcare to patients—effectively would be transformed into conscripted record-collection servicers for commercial parties simply to underwrite those companies’ commercial profits. As the Privacy Rule therefore explained: “The proposal and the final rule establish the right to access and copy records only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual’s request. The Department’s expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule.” Id. at 82754 (emphasis added).

C. The HITECH Act (2009)

34. That system worked well, and during the decade that followed implementation of HHS’s original Privacy Rule, HIPAA helped modernize our Nation’s healthcare system by fostering the development, deployment, and protection of digital medical record systems containing patients’ PHI.
During this same timeframe, however, the number of distinct digital-record formats and storage systems grew exponentially, and it became increasingly complicated to compile and transfer medical records between providers as patients moved through the healthcare system. Congress therefore passed the HITECH Act in order to further promote the “development of a nationwide health information technology infrastructure that [better] allows for the electronic use and exchange of information.” HITECH Act § 3001(b) (codified at 42 U.S.C. § 300jj-11).

35. To that end, the HITECH Act encouraged healthcare providers to standardize “[t]he electronic exchange and use of health information and the enterprise integration of such information” by ensuring “[t]he utilization of an electronic health record [an “EHR”] for each person in the United States by 2014.” Id. §§ 3001(c)(3)(A)(i)-(ii) (same). The statute in turn defined the term “EHR” as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff”—that is, purely electronic records that are developed, deployed, and used exclusively by healthcare providers to enable the delivery of continuity-of-care services within traditional healthcare-delivery settings like a hospital or physician’s office. Id. § 13400(5) (emphasis added) (codified at 42 U.S.C. § 17921). The statute further sought to spur healthcare providers to engage in the “meaningful use” of such digital, standard-compliant continuity-of-care records by capping the fees healthcare providers could charge federal insurance programs like Medicare if they failed to meet targets for deploying EHR technologies that complied with federal standards for the electronic exchange of continuity-of-care data (so-called “certified EHR technology”). See id. §§ 4101-4102.

36. Given Congress’s focus on the digitization, dissemination, and disclosure of physician-generated electronic patient records using this new architecture, the HITECH Act naturally sought to ensure that there would be appropriate “privacy and security protections for the electronic exchange of an individual’s individually identifiable health information [i.e., their PHI].” Id. § 3001(c)(3)(A)(iii) (codified at 42 U.S.C. § 300jj-11). That focus in turn led Congress to do what it had not done after it received HHS’s original HIPAA recommendations: It explicitly reviewed HHS’s original Privacy Rule and made a series of legislative modifications that were designed for this new, EHR-based healthcare infrastructure. See, e.g., HITECH Act § 13405 (codified at 42 U.S.C. § 17935 (repeatedly referencing, ratifying, or modifying various provisions of HHS’s original Privacy Rule, 45 C.F.R. § 164 et seq.)).

37. Against a backdrop where Congress explicitly demonstrated its awareness of the original Privacy Rule’s specifics, the HITECH Act made two changes that are relevant to this litigation. First, Congress sought to simplify the authorization process in a narrow category of cases. As set forth above, the prior regulatory system required an often time-consuming process which required patients to provide a written authorization to a third party, who then (and only then) could obtain the individual’s PHI from a healthcare provider. To simplify that process, HITECH provided that where a provider maintains an EHR (and only where the provider maintains an EHR), patients now can direct the provider (or its affiliate) to “transmit” a copy of the individual’s EHR as maintained by the provider directly to a designated third party in an electronic format (and only in an electronic format):

In applying section 164.524 of title 45, Code of Federal Regulations [i.e., the Privacy Rule], in the case that a [healthcare provider] uses or maintains an electronic health record with respect to protected health information of an individual … the individual shall have a right to obtain from such [healthcare provider] a copy of such information in an electronic format and, if the individual chooses, to direct the [provider] to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.

Id. § 13405(e)(1) (codified at 42 U.S.C. § 17935(e)(1)); see also 21st Century Cures Act § 4006(b)(3) (codified at 42 U.S.C. § 17935(e)(2) (adding a provision for requests directed to dedicated medical-records providers like CIOX)). For ease of reference, we refer to these provisions of the HITECH and 21st Century Cures Acts as the statutory “Third Party Directive.”

38. Second, and again with respect to EHRs (and only with respect to EHRs), the HITECH Act made a modest change to the Patient Rate for personal use cases (and, naturally, personal use cases alone, because the Patient Rate had never been applied to requests that were intended to serve for-profit commercial purposes).
Where a provider is “providing such individual with a copy of such information” in electronic form (as opposed to when the provider is “transmit[ting] such copy directly to an entity or person designated by the individual” pursuant to a Third Party Directive), compare HITECH Act § 13405(e)(3) (codified at 42 U.S.C. § 17935(e)(3)) with id. § 13405(e)(1) and 21st Century Cures Act § 4006(b)(3) (codified at 42 U.S.C. §§ 17935(e)(1)-(2)), the HITECH Act provided that “any fee that the [provider] may impose for providing such individual with a copy of such information … in an electronic form … shall not be greater than the entity’s labor costs in responding to the request for the copy.” HITECH Act § 13405(e)(3) (codified at 42 U.S.C. § 17935(e)(3) (emphasis added)).

39. For this narrow class of cases (again, involving personal use requests but not Third Party Directives), and in these limited circumstances (again, involving the electronic transmission of an EHR but not the transmission, whether electronic or physical, of any records other than EHRs), this change effectively barred providers from charging patients for ancillary supply or postage costs that otherwise had been permitted under the Privacy Rule’s original Patient Rate. This limitation was fully rational since, by definition, the electronic transmission of an EHR to an individual patient (as opposed to the physical mailing of records in paper form or a digitized version of non-EHRs on, for instance, a compact disc or flash drive) requires no ancillary supply or postage costs.

40. Apart from these two changes, however, the HITECH Act: (a) did not alter the longstanding regulatory division between required disclosures, permitted disclosures, or authorized disclosures; (b) did not alter the longstanding rule that the Patient Rate applies only to personal use requests but not to disclosures of PHI to for-profit commercial entities; and (c) did not alter any of the other provisions relevant here except as to the narrowly-defined category of EHRs (which, again, are “electronic record[s] of health-related information on an individual that [are] created, gathered, managed, and consulted by authorized health care clinicians and staff,” HITECH Act § 13400(5) (codified at 42 U.S.C. § 17921), rather than paper records, digitized records, or any other compilations of records that may be “gathered,” “managed,” or stored outside of the typical healthcare-practice setting).

D. HHS’s 2013 Omnibus Rule

41. For the first several years after the HITECH Act’s enactment, no one questioned the limited nature of the statute’s EHR-delimited Third Party Directive or the continued vitality of the Privacy Rule’s longstanding proviso that its Patient Rate applies only where a healthcare provider or its business associate was responding to personal use requests from individual patients rather than delivering patient-level PHI to for-profit commercial enterprises like life insurers or lawyers.

42. On January 25, 2013, however, HHS promulgated a new set of regulations (which we refer to as the “2013 Omnibus Rule”) that dramatically—and unlawfully—expanded the Third Party Directive beyond the HITECH Act’s EHR-delimited confines. See HHS, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules—Final Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013).
In direct conflict with the plain language of the HITECH Act, these new regulations purportedly required healthcare providers and their affiliates to fulfill patient requests to transfer their PHI directly to a third party regardless of whether the underlying PHI was or was not contained in an EHR: “If an individual’s request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual.” 45 C.F.R. § 164.524(c)(3)(ii). Moreover, HHS’s new regulations required providers to deliver those records in any format the patient requested, even though the HITECH Act specified that the statutory Third Party Directive created only a limited right to direct the transmission of EHRs “in an electronic format.” Compare id. § 164.524(c)(2)(i) with HITECH Act § 13405(e)(1) and 21st Century Cures Act § 4006(b)(3) (codified at 42 U.S.C. §§ 17935(e)(1)-(2)).

43. HHS did not even pretend that its creation of an unbounded regulatory mandate that providers transmit patient PHI, from any form whatsoever (i.e., EHR or non-EHR), in any form whatsoever (e.g., paper, electronic, radiologic film, etc.), to any third party (including profit-seeking commercial parties like insurers and lawyers) was consistent with the HITECH Act’s language. Instead, the Department explicitly acknowledged that its regulation was inconsistent with the plain terms of the HITECH Act, and therefore sought to invoke the conditional and time-limited rulemaking authority it had been granted under HIPAA § 264(c)(1). In HHS’s words:

Section 13405(e) [i.e., the HITECH Act] applies by its terms only to protected health information in EHRs. However, incorporating these new provisions in such a limited manner in the Privacy Rule could result in a complex set of disparate requirements for access to protected health information in EHR systems versus other types of electronic records systems. As such, the Department proposed to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section 13405(e) of the HITECH Act more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR.

2013 Omnibus Rule, 78 Fed. Reg. at 5631 (emphasis added). But the Department made no effort to explain how it lawfully could invoke rulemaking authority that had expired well over a decade before HHS even proposed (much less promulgated) the 2013 Omnibus Rule and which in any event was conditioned on a lack of legislative activity in the area—much less how it could exercise that authority in a manner that directly overrode the explicit limitations set forth in Congress’s subsequent and specific HITECH Act restrictions.

44. As if to underscore its contempt for the HITECH Act’s textual limitations, HHS then expressly refused to define the statutory term EHR for regulatory purposes on the ground that its boundless regulatory version of the statute’s otherwise-limited Third Party Directive effectively had rendered Congress’s carefully written text irrelevant: “Because we are not limiting the right of electronic access to EHRs, we do not believe there is a need to define or further clarify the term at this time.” Id. at 5632.

45. The 2013 Omnibus Rule also made certain changes to the Patient Rate’s cost structure—most notably by allowing providers to begin charging individuals for at least a portion of the costs that previously had been excluded by the Patient Rate. As the Department explained:

We [now] acknowledge … that the cost related to searching for and retrieving electronic protected health information in response to requests [is] not … negligible, as opposed to what we had anticipated [when we first promulgated the Privacy Rule], particularly in regards to designated record set access that will require more technically trained staff to perform this function. We clarify that labor costs included in a reasonable cost-based fee could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media, and distributing the media. This could also include the time spent preparing an explanation or summary of the protected health information, if appropriate.

Id. at 5636. Despite this modest concession, HHS nonetheless made clear that it would continue to bar healthcare providers from recovering the sizeable costs associated with compiling and storing the underlying data: “Fees associated with maintaining systems and recouping capital for data access, storage and infrastructure are not considered reasonable, cost-based fees, and are not permissible to include under this provision.” Id.

46. Finally, the 2013 Omnibus Rule made no changes to the Privacy Rule’s clear statement that the Patient Rate applied only to personal use requests, and not to requests in which a patient’s PHI was being delivered to for-profit third parties (whether via authorization under the original Privacy Rule’s still-intact provisions at 45 C.F.R. §§ 164.502(a)(1)(iv) and 164.508 or via the new unbounded version of a third-party directive that HHS had promulgated in open defiance of the HITECH Act’s explicit textual limitations).

E. HHS’s 2016 Evisceration Of The Patient Rate Rules

47. On February 25, 2016, HHS pivoted again, stunning the medical-records industry by publishing, without any prior notice to the public or any opportunity for comment, a putative “Guidance” document that not only made dramatic changes to the Patient Rate but expressly threatened to initiate enforcement action against healthcare providers and their affiliates if they failed to comply with the putative “Guidance” document’s newly issued edicts. See HHS, Guidance: Individuals’ Right Under HIPAA To Access Their Health Information (attached as Exh. A, as modified May 25, 2016). We refer to this new set of regulatory directives as the “2016 Mandates.”

48. Two sets of changes are particularly notable here. First, in a dramatic reversal from more than a decade of precedent; in defiance of Congress’s understanding of the Privacy Rule at the time it enacted the HITECH Act; and in direct conflict with the HITECH Act’s plain text, HHS announced that it henceforth would require application of the Patient Rate beyond the personal use context, including in response to regulatory third party directives ordering healthcare providers to deliver patient records to for-profit commercial entities. Second, the 2016 Mandates compounded the impact of that announcement by dramatically curtailing the permissible charges and fees under the Patient Rate, in direct conflict with both the HITECH Act and its own 2013 Omnibus Rule.

1. Application of the Patient Rate to Third Party Directives

49. Though it had been clear for more than a decade that the Patient Rate was intended only to ensure that individuals themselves could afford to obtain their medical records for personal use and, thus, that the Patient Rate would not apply to the delivery of records to anyone except the individual, supra at ¶¶ 30-32 (collecting quotations), the 2016 Mandates for the first time announced that providers now would be required to deliver records to commercial third parties at the Patient Rate:

This [fee] limitation [i.e., the Patient Rate] applies regardless of whether the individual has requested that the copy of the PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).

2016 Mandates at p.16 (emphasis added).

50. Thus, when a for-profit law firm or life insurance company submits a request that is framed as a regulatory third party directive, the 2016 Mandates now obligate providers—under threat of administrative prosecution—to gather and produce any volume of records sought at the loss-generating Patient Rate, effectively forcing healthcare providers and dedicated medical-records providers like CIOX to subsidize those businesses’ profits and threatening to impose massive costs on the American healthcare system.

2. Further Constriction Of The Patient Rate

51. Adding further injury, the 2016 Mandates then made dramatic changes to the component terms of the Patient Rate—substantially curtailing the already-limited fees that providers previously had been allowed to charge for fulfilling individuals’ record requests for their own personal use and now would be forced to charge for-profit commercial entities as well.

52. As set forth above, the 2013 Omnibus Rule specifically had provided that medical-records providers like CIOX would be entitled to begin charging requestors for “skilled technical staff time” involved in the process of “searching for and retrieving electronic protected health information in response to requests” because those costs far exceeded HHS’s original assumption that such costs would be “negligible.” Supra at ¶ 45 (quoting 2013 Omnibus Rule, 78 Fed. Reg. at 5636). Despite the plain terms of the 2013 Omnibus Rule, however, the 2016 Mandates suddenly declared that such costs must be excluded from any “reasonable, cost-based fee” calculated under the Patient Rate:

Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied…. In contrast, labor for copying does not include labor costs associated with: Reviewing the request for access [or s]earching for, retrieving, and otherwise preparing the responsive information for copying. This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.

2016 Mandates at p.12 (emphasis added).

53. It would be hard to overstate the consequences of that change in the third-party directive context, particularly where commercial records requests are at issue.
Again, such requests frequently seek “any and all” PHI relating to a given individual and therefore require the identification, review, compilation, copying, and production of literally thousands of pages of documents, electronic images, and films that may need to be collected from an array of distinct locations in a virtually infinite variety of formats. The 2016 Mandates’ exclusion of the exhaustive labor and associated costs of “locat[ing] the appropriate designated record sets about the individual,” “review[ing] the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual,” and “segregat[ing], collect[ing], compil[ing], and otherwise prepar[ing] the responsive information for copying,” id., thus threatens to impose hundreds of millions of dollars in costs that no longer can be recouped by healthcare providers—all so that for-profit insurers and lawyers can make bigger profits from their purely commercial activities.

54. Beyond this unlawful, unexplained and irrational departure from the 2013 Omnibus Rule, the 2016 Mandates also purported to require providers to choose from one of three new options for calculating the permissible fees for producing PHI under the Patient Rate: (a) an “actual cost” method that is impossible to apply in practice; (b) an “average cost” method that fails sensibly to account for the relevant costs associated with fulfilling requests for patients’ PHI; or (c) a $6.50 flat fee that was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.

55. Actual Cost: The “actual cost” option would require providers to calculate the actual labor cost and actual supply cost for each and every request it fulfills, which in CIOX’s case is tens of millions of records per year.
To perform these millions of calculations, the provider would have to compute, for each and every request, the precise length of time it takes the entity’s ROI specialists to copy and send the record in the form and format requested by the individual and then “multiply the time by [the employee’s] reasonable hourly rate.” Id. at p.14. Moreover, the 2016 Mandates would require providers like CIOX to calculate the employee’s “reasonable hourly rate” differently depending on the type of request: “What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the individual (e.g., administrative labor level to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format).” Id. Given the tens of millions of requests that companies like CIOX process annually, it is impossible as a practical matter for an entity like CIOX to employ this method—as CIOX would have explained to HHS in written comments had HHS provided the public with notice of and an opportunity to comment on this absurdly impractical proposal.

56. Average Cost: The “average cost” option would require providers to “develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (e.g. labor costs for copying but not for search and retrieval) and are reasonable.” Id.
That option is no more rational, because the effort required to process any individual request varies dramatically depending on the patient’s medical history, the number of forms and locations where the patient’s records are located, the number of pages of the records produced, the length of time for which records are sought, and a variety of other highly-individualized factors that are entirely independent of whether a given request can be shoehorned into a “standard type.” HHS sought to address that obvious deficiency in its methodology by permitting providers to calculate “average labor rates” on a per-page basis, but only when the record was originally created in a paper medium and the individual requests a paper copy, or when the individual requests that an original paper copy be scanned into an electronic file, and not in determining the appropriate charge for providing records that are maintained in an electronic medium. Id. Yet there is no rational basis for this limitation, which ignores that most records maintained electronically were produced by converting paper records into PDF format “pages” of electronically stored media and, likewise, that there is no way for patients to receive records directly from an EHR in those cases where the request implicates not only electronically-stored information but information that is stored within a statutory EHR.

57. The $6.50 Flat Fee: Given the absurdity of the two other methodologies set forth in the 2016 Mandates, HHS ultimately authorized providers to charge a flat fee, not to exceed $6.50, for fulfilling a given request for records.
But the Department made no effort to explain why $6.50 was an appropropriate measure of the extraordinary costs associated with providing such records; that fee bears no rational relationship to the actual cost of fulfilling these requests; and it is not remotely tailored to the rationale for having a Patient Rate in the first place. Ultimately, this fee limitation threatens to impose hundreds of millions of dollars on the American healthcare system. 58. Finally, the 2016 Mandates ominously threatened that the Department “will take enforcement action where necessary” to enforce compliance with these new edicts. Id. at p.11. Defendants later made good on that threat by informing CIOX that it had violated the 2016 Mandates by invoicing certain allegedly excluded fees in response to a regulatory third party directive. See, e.g., Letter from HHS to J. Sommers, OCR Transaction No. 17-259171, at 3 (“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage or infrastructure; or other costs not listed above even if such costs are authorized by State law…. The specifics … are set forth in the OCR guide entitled ‘Individuals’ Right under HIPAA to Access the Health Information.’”) (attached as Exh. B). 32 Case 1:18-cv-00040-APM Document 1 Filed 01/08/18 Page 33 of 44 FIRST CAUSE OF ACTION (Violation of 5 U.S.C. § 706(2)—2013 Omnibus Rule and 2016 Mandates) 59. CIOX repeats and incorporates by reference the allegations contained in paragraphs 1 through 58 above. 60. The 2013 Omnibus Rule is final agency action within the meaning of 5 U.S.C. § 704 and therefore is subject to immediate judicial review. As outlined both previously and hereinafter, its creation of an unbounded third-party directive is both “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” id. 
§ 706(2)(A), and “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.” Id. § 706(2)(C). 61. Prior to the HITECH Act’s enactment in 2013, neither HIPAA nor the Privacy Rule contained any mechanism by which individuals could direct healthcare providers or their affiliates to deliver PHI to third parties. Instead, the only mechanism for third-party delivery under the Privacy Rule required the third party to deliver a valid “authorization” from the individual whose PHI was being requested. See Privacy Rule, 65 Fed. Reg. at 82805 (codified at 45 C.F.R. § 164.502(a)(1)(iv)); id. at 82811 (codified at 45 C.F.R. § 164.508 (setting standards for obtaining a “valid authorization” to disclose a patient’s PHI, including to commercial third parties)). 62. By its plain terms, the HITECH Act’s Third-Party Directive applies only to “an electronic health record with respect to [PHI] of an individual,” HITECH ACT § 13405(e) (codified at 42 U.S.C. §§ 17935(e) (emphasis added)); grants individuals “a right to obtain” only “a copy of such information in an electronic format,” id.(emphasis added); and, with respect to the Third-Party Directive, merely authorizes the 33 Case 1:18-cv-00040-APM Document 1 Filed 01/08/18 Page 34 of 44 individual “to direct the covered entity to transmit such copy [i.e., the “copy of such information in an electronic format,” id.] directly to [a designated] entity or person.” Id. (emphasis added). By its plain terms, the HITECH Act’s statutory Third Party Directive therefore applies exclusively to PHI that is contained in EHRs—not to any other records that happen to contain a person’s PHI—and further requires that healthcare providers and their affiliates like CIOX can be compelled to deliver such information to the individual’s Third-Party designee only in electronic format. 63. 
As HHS openly conceded when it promulgated the 2013 Omnibus Rule, its unbounded regulatory version of a third-party directive directly conflicts with the HITECH Act’s textual restrictions both (a) by requiring providers to deliver an individual’s PHI to third parties regardless of whether that information is derived from an EHR, and (b) by requiring providers to deliver that information to third parties in any format demanded by the requestor (not just in electronic format, as the HITECH Act expressly provided). See 2013 Omnibus Rule, 78 Fed. Reg. at 5631; see also 45 C.F.R. § 164.524(c). It therefore is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” 5 U.S.C. § 706(2)(A), and “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.” Id. § 706(2)(C). 64. HHS’s only alleged basis for its conceded disregard of the HITECH Act’s explicit statutory limitations is its claim that the Department somehow was authorized to exercise “authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health 34 Case 1:18-cv-00040-APM Document 1 Filed 01/08/18 Page 35 of 44 information to strengthen the right of access as provided under section 13405(e) of the HITECH Act.” 2013 Omnibus Rule, 78 Fed. Reg. at 5631. But HHS’s rulemaking authority under HIPAA § 264(c) was conditioned on Congress’s failure to enact pertinent legislation. See HIPAA § 264(c) (formerly codified at 42 U.S.C. § 1320d-2). Once Congress spoke to this issue in the HITECH Act, that basis for action dissolved. Moreover, HHS’s rulemaking authority under HIPAA § 264(c) in any event expired in 2000—nearly a decade before Congress passed the HITECH Act, and well over a decade before HHS even proposed the 2013 Omnibus Rule (much less promulgated it). Indeed, precisely because HHS’s § 264 rulemaking authority lapsed ages ago, it no longer is codified in the U.S. 
Code; it has been relegated to a “historical note” because it no longer is extant. And even if HHS’s conditional and otherwise timelimited rulemaking authority under HIPAA § 264(c) somehow could survive those glaring defects, it is well-settled that federal agencies like HHS cannot use an earlier grant of general rulemaking authority to override the specific limitations of laterenacted statute like the HITECH Act. 65. The unbounded version of the third-party directive set forth in the 2013 Omnibus Rule and 2016 Mandates is thus ultra vires, see 5 U.S.C. § 706(2)(A), (C), and CIOX is entitled to both declaratory and injunctive relief barring both its enforcement and enforcement of any related provisions of the 2016 Mandates. Id. § 706(2); see also 28 U.S.C. § 2201(a); id. § 2202. 35 Case 1:18-cv-00040-APM Document 1 Filed 01/08/18 Page 36 of 44 SECOND CAUSE OF ACTION (Violation of 5 U.S.C. § 706(2)(d)—2016 Mandates) 66. CIOX repeats and incorporates by reference the allegations contained in paragraphs 1 through 65 above. 67. The APA requires federal agencies, including HHS, to publish a “notice of proposed rulemaking” (or “NPRM”) in the Federal Register and to provide the public with an opportunity to comment on the NPRM before promulgating any substantive “rules,” 5 U.S.C. § 553(b), which include any agency action or actions relating to the “approval or prescription for the future of rates, … prices, … services or … costs, or accounting, or practices bearing on any of the foregoing.” Id. § 551(4). 68. Though HHS deemed the 2016 Mandates a “Guidance,” they actually are legislative rules within the meaning of the APA and represent “final agency action for which there is no other adequate remedy.” Id. § 704. 
Among other things: (A) the 2016 Mandates characterize the rate-, price-, service-, cost-, and accounting-related requirements they set forth in binding, rather than precatory, discretionary, policy, or interpretive terms; (B) they expressly threaten the parties that are subject to their requirements (including non-profit hospitals, community hospitals, physicians, clinics, and dedicated medical records providers like CIOX) with “enforcement action” for violations; (C) the rules they impose deviate from more than a decade of previously-enacted regulatory requirements that themselves had been promulgated through notice-and-comment rulemaking; and (D) HHS indeed has taken enforcement action against CIOX (and, on information and belief, others) based expressly on provisions of the new substantive rules first established by the 2016 Mandates—including the 2016 Mandates’ unprecedented and previously undisclosed edict that the Patient Rate must be applied whenever patient-level PHI is delivered to for-profit commercial entities pursuant to the unbounded regulatory version of the HITECH Act’s Third Party Directive, and the new methods by which hospitals, physicians, and their affiliates must calculate fees associated with fulfilling requests for PHI under the 2016 Mandates.

69. Despite the fact that the 2016 Mandates therefore qualify as legislative rules, HHS issued those rules without providing the public with any notice of its intention to do so and without providing the public with any opportunity to comment on the Department’s historically unprecedented proposals, in direct violation of 5 U.S.C. §§ 553(b)-(c). Given HHS’s failure to comply with the APA’s rulemaking strictures, the 2016 Mandates were unlawfully issued “without observance of procedure required by law,” id. § 706(2)(D), and CIOX is entitled to both declaratory and injunctive relief barring Defendants from taking any action to enforce any provision or provisions of the 2016 Mandates. Id. § 706(2); see also 28 U.S.C. § 2201(a); id. § 2202.

THIRD CAUSE OF ACTION
(Violation of 5 U.S.C. § 706(2)—2016 Mandates)

70. CIOX repeats and incorporates by reference the allegations contained in paragraphs 1 through 69 above.

71. From the inception of the Privacy Rule in 2000, HHS made clear that its below-cost Patient Rate applied solely to personal use requests for PHI—that is, requests in which individuals requested the delivery of their own PHI to themselves for their own health treatment—and not to requests in which such information would be delivered to a for-profit commercial entity like a life insurance company or law firm for their own profit-making purposes. 65 Fed. Reg. at 82557 (“We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual.”) (emphasis added); see also id. at 82754 (“The proposal and the final rule establish the right to access and copy records only for individuals, not other entities.”). Instead, the Privacy Rule and subsequent decade of practice allowed the States to develop, implement, and enforce their own cost-based structures for such services.

72. Congress was well aware of that backdrop when it passed the HITECH Act in 2009 but took no steps to alter this longstanding regulation or its deference to State regulation of PHI by third parties. To the contrary, it expressly ratified that longstanding rule when it addressed cost structures in the new legislation, by distinguishing between the costs applicable where an individual seeks to obtain his or her own PHI for personal use and the costs applicable where such information is to be transmitted to third parties.
In particular, the HITECH Act’s Third Party Directive established two distinct rights: One pursuant to which individuals could “obtain from [a] covered entity a copy of [their PHI] in an electronic format,” 42 U.S.C. § 17935(e)(1), and the other pursuant to which individuals could direct the covered entity “to transmit such copy directly to an entity or person designated by the individual,” id. § 17935(e)(1), or ask a business associate to “grant or transmit such access or copy to such person or entity designated by the individual.” Id. at § 17935(e)(2).

73. In expressly addressing the permissible fees for fulfilling statutory Third Party Directives, however, Congress made clear that the Patient Rate fee limitations under “paragraph (c)(4) of … section 164.524 of title 45, Code of Federal Regulations” would apply only where the records provider was “providing such individual with a copy of such information,” id. § 17935(e)(3) (emphasis added), but not where the records provider was “transmit[ting] such copy directly to an entity or person designated by the individual.” Cf. id. §§ 17935(e)(1), (e)(2) (emphasis added). Congress thus expressly distinguished between the individual right to “obtain” or “access” his or her own PHI and the individual’s right to direct its “transmi[ssion]” to a Third Party, but applied the Patient Rate only to cases where the individual was “obtain[ing]” or “access[ing]” his or her own information and not in cases where the individual was directing the “transmi[ssion]” of PHI to a third party. That is clear evidence that Congress did not intend to apply the Patient Rate to Third Party Directives. After all, where Congress uses distinct language in different provisions of the same statutory scheme, its choice is presumed to be deliberate.
And where Congress knows how to say something but fails to do so, it likewise is presumed to act intentionally in the disparate inclusion or exclusion of the pertinent language.

74. Despite Congress’s clear textual distinction between the fees that may be charged for personal use requests and those that may be charged in connection with Third Party Directives, the 2016 Mandates (a) gutted the longstanding distinction Congress had relied upon in passing the HITECH Act; (b) flouted the HITECH and 21st Century Cures Acts’ maintenance of those distinctions; (c) disregarded HHS’s own rationale for having limited the Patient Rate to personal use requests for the preceding 15 years (namely, its concern with whether individuals could afford to access their own records for personal use, rather than whether for-profit businesses had to pay market rates in order to access their customers’ records when carrying out profitable commercial activities); and (d) articulated no rational basis for reversing its longstanding regulatory distinction between categories of record requests, by directing healthcare providers and their affiliates to begin applying the Patient Rate to Third Party Directives and by expressly threatening to take enforcement action against companies who failed to follow this loss-generating mandate. Incredibly, HHS published the 2016 Mandates and upended decades of practices without proposing those changes, soliciting comments on them, or addressing any comments on them.

75. That decision thus is both “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” 5 U.S.C. § 706(2)(A), and “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right,” id. § 706(2)(C).
CIOX is entitled to both declaratory and injunctive relief barring Defendants from taking any action to enforce any provisions of the 2016 Mandates that would require them to charge the loss-generating Patient Rate to any request for transmission of patient-level PHI pursuant to a statutory Third Party Directive (or HHS’s otherwise and independently unlawful regulatory version of a third party directive). Id. § 706(2); see also 28 U.S.C. § 2201(a); id. § 2202.

76. At the same time the 2016 Mandates flouted the HITECH Act’s continued limitation of the Patient Rate to personal use requests, their exclusion of skilled technical staff time involved in the process of searching for and retrieving electronic protected health information directly conflicts with the 2013 Omnibus Rule’s explicit inclusion of such costs in the Patient Rate. But federal agencies cannot take actions that conflict with their own regulations, and this aspect of the 2016 Mandates thus likewise is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” 5 U.S.C. § 706(2)(A), and “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right,” id. § 706(2)(C). CIOX is therefore entitled to both declaratory and injunctive relief barring Defendants from taking any action to enforce this exclusion.

77. Finally, and for the reasons detailed above, the 2016 Mandates’ tripartite methodology for calculating allowable costs under the Patient Rate—wherever that rate must be applied—is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” id. § 706(2)(A), because there is no colorable basis, and because HHS failed to offer any credible rationale, for imposing the impractical, absurd, and irrational cost methodologies that the 2016 Mandates forced on providers without prior notice or any opportunity to comment on these facially irrational mandates.
Once again, CIOX therefore is entitled to both declaratory and injunctive relief barring Defendants from taking any action to enforce these provisions of the 2016 Mandates.

PRAYER FOR RELIEF

WHEREFORE, CIOX prays that this Court:

A. DECLARE AND HOLD that the 2013 Omnibus Rule’s unbounded version of the HITECH Act’s Third Party Directive is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” id. § 706(2)(A), and “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.” Id. § 706(2)(C);

B. DECLARE AND HOLD that the 2016 Mandates were unlawfully issued “without observance of procedure required by law,” id. § 706(2)(D), are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” id. § 706(2)(A), and “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.” Id. § 706(2)(C).

C. VACATE, SET ASIDE, AND PERMANENTLY ENJOIN Defendants from taking any action to enforce the 2013 Omnibus Rule’s unbounded version of the HITECH Act’s Third Party Directive;

D. VACATE, SET ASIDE, AND PERMANENTLY ENJOIN Defendants from taking any action to enforce the 2016 Mandates; and

E. GRANT such further relief as the Court may deem just and proper.

Dated: January 8, 2018

Respectfully submitted,

By: /s/ Michael D. Shumsky
Michael D. Shumsky (D.C. Bar 495078)
KIRKLAND & ELLIS LLP
655 15th Street N.W., Suite 1200
Washington, D.C. 20005
(202) 879 5000
(202) 879-5200 (fax)

Jay P. Lefkowitz, P.C. (D.C. Bar 449280)
KIRKLAND & ELLIS LLP
601 Lexington Avenue
New York, N.Y. 10022
(212) 446 4800
(212) 446-4900 (fax)

Counsel for CIOX Health, LLC

CERTIFICATE OF SERVICE

The undersigned certifies that on this 8th day of January, 2018, he caused the foregoing COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF to be served upon the following via messenger and/or electronic mail:

Robert P. Charrow
General Counsel
U.S. Department of Health and Human Services
200 Independence Ave., S.W.
Room 713-F
Washington, D.C. 20201
(202) 690-7741
Jeffrey.Davis@hhs.gov

Office of the Attorney General
United States Department of Justice
950 Pennsylvania Ave., N.W.
Washington, D.C. 20530
(202) 514-2000

Channing D. Phillips
United States Attorney for the District of Columbia
Judicial Center Building
555 Fourth Street, N.W.
Washington, D.C. 20530
(202) 252-7566

Counsel for Defendants

/s/ Michael D. Shumsky
Michael D. Shumsky
Counsel for CIOX Health, LLC