Ciox Health, LLC v. Hargan

• Court: District Court, District of Columbia
• Decided: January 27, 2020
• Docket: Civil Action No. 2018-0040
• Status: Published

Opinion

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA _________________________________________ ) CIOX HEALTH, LLC, ) ) Plaintiff, ) ) v. ) Case No. 18-cv-00040 (APM) ) ALEX AZAR, et al., ) ) Defendants. ) _________________________________________ )

MEMORANDUM OPINION

I. INTRODUCTION

Plaintiff Ciox Health, LLC (“Ciox”) is a specialized medical-records provider that

contracts with healthcare suppliers nationwide to maintain, retrieve, and produce individuals’

protected health information (“PHI”). Ciox handles tens of millions of records requests annually

for its clients. Such requests include PHI demands by healthcare providers for treatment purposes,

patients asking for their own PHI, and third parties, such as life insurance companies and law firms,

seeking a patient’s PHI for commercial or legal reasons.

This case centers on various legal restrictions and conditions placed on producing PHI.

Most significantly, it concerns what a company like Ciox can charge for searching for, retrieving,

and delivering PHI. To ensure that patient access to PHI is not thwarted by excessive fees, the

United States Department of Health and Human Services (“HHS”) has adopted rules that limit

what companies may charge for delivering PHI. These restrictions are known as the “Patient

Rate.” For years, the medical records industry understood that the limitations imposed by the

Patient Rate applied only to requests for PHI made by the patient for use by the patient. For other

types of requests, such as those made by commercial entities, like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the Patient Rate.

That understanding changed, however, in 2016, when HHS issued a guidance document, which

stated that the Patient Rate applies even to requests to deliver PHI to third parties. This change,

according to Ciox, caused Ciox and other medical records companies to lose millions of dollars in

revenue. Ciox challenges the 2016 expansion of the Patient Rate as violative of the procedural

and substantive protections of the Administrative Procedure Act (“APA”).

In addition to the scope of the Patient Rate, Ciox also contests two additional

pronouncements made by HHS in the 2016 guidance document. The first addresses the types of

labor costs that are recoverable under the Patient Rate. The second concerns three alternative

methods identified for calculating the Patient Rate. Ciox argues that these actions violate the

APA’s procedural and substantive provisions. Ciox also challenges under the APA a regulation

adopted in 2013, which requires records companies to send PHI to third parties regardless of the

format in which the PHI is contained and in the format specified by the patient. According to

Ciox, Congress required only that certain types of electronic health records be delivered to third

parties, not all records regardless of their format, as HHS’s regulations now command.

Before the court is HHS’s motion to dismiss and the parties’ cross-motions for summary

judgment. For the reasons discussed below, HHS’s motion to dismiss is granted in part and denied

in part, and the parties’ cross-motions are granted in part and denied in part. The court rejects the

agency’s grounds for dismissal in all respects, except one: the court finds that the agency’s three

methods for calculating the Patient Rate is not a reviewable final agency action. That claim is thus

dismissed. As for the parties’ cross-motions, the court holds that: (1) HHS’s 2013 rule compelling

delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar

as it goes beyond the statutory requirements set by Congress; (2) HHS’s broadening of the Patient

2 Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation

of the APA; and finally, (3) HHS’s 2016 explanation concerning what labor costs can be recovered

under the Patient Rate is an interpretative rule that HHS was not required to subject to notice and

comment. Accordingly, the court declares unlawful and vacates (1) the 2016 Patient Rate

expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format.

II. BACKGROUND

A. Statutory and Regulatory Background

1. HIPAA and the Privacy Rule (2000)

In 1996, Congress passed the Health Insurance Portability and Accountability Act

(“HIPAA”) to “encourag[e] the development of a health information system,” and tasked the

Department of Health and Human Services (“HHS”) with providing Congress recommendations

on standards with respect to PHI, including individuals’ rights to their PHI, the procedures for

exercising such rights, and the authorized uses and disclosure of PHI. See Pub. L. 104-191, title

II, §§ 261, 264(a)–(b), 110 Stat. 1936, 2021, 2033 (1996). Congress directed HHS to make its

recommendations regarding PHI within 12 months of HIPAA’s enactment. Id. § 264(a). HIPAA

also provided that, if Congress did not act on the agency’s recommendations within 36 months of

HIPAA’s enactment, HHS would be required to promulgate regulations regarding PHI within six

months of the 36-month period’s expiration. Id. § 264(c). HHS timely made the required privacy

recommendations to Congress, but Congress failed to enact legislation, thus triggering HHS’s

rulemaking authority under HIPAA. In 2000, HHS issued a final rule, known as the “Privacy

Rule.” See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg.

82,462 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.500 et seq.).

3 Critical to understanding the parties’ dispute is the distinction that the Privacy Rule draws

between “covered entities” and “business associates.” The Privacy Rule is directed primarily to

regulating “covered entities.” See 45 C.F.R. § 164.500(a) (stating that “the standards,

requirements, and implementation specifications of this subpart apply to covered entities with

respect to [PHI]”). A “covered entity” includes health plans, health care clearinghouses, and health

providers that “transmit[] any health information in electronic form in connection with a [covered]

transaction.” Id. § 160.103. The Privacy Rule also regulates “business associates,” albeit to a

lesser extent than covered entities. See, e.g., id. § 164.502 (setting forth permitted uses and

disclosures for both covered entities and business associates); id. § 164.504(e)(1) (setting forth

terms for business associate contracts and subcontracts). A “business associate,” generally

speaking, operates on behalf of a covered entity and “creates, receives, maintains, or transmits

protected health information for a [regulated] function or activity.” Id. § 160.103. Business

associates include a “person that offers a personal health record to one or more individuals on

behalf of a covered entity” and a “subcontractor that creates, receives, maintains, or transmits

protected health information on behalf of the business associate.” Id. Under these definitions,

Plaintiff Ciox Health, LLC (“Ciox”) qualifies as a “business associate,” and not a “covered entity.”

See Ciox Health’s Compl. for Declaratory and Injunctive Relief, ECF No. 1 [hereinafter Compl.],

¶ 5.

As relevant here, the Privacy Rule establishes an individual’s right to access PHI and the

permissible fee that can be charged for such production. See generally 45 C.F.R. § 164.524. For

requests brought by an individual seeking her own PHI—known as a “personal use request”—the

Privacy Rule permits a “covered entity” to “charge a reasonable, cost-based fee.” Id.

§ 164.524(c)(4). The court refers to this “reasonable, cost-based fee” as the “Patient Rate.” As

4 originally enacted, the Privacy Rule provided that the Patient Rate could comprise the following

elements: (1) the cost of “[c]opying, including the costs of supplies for and labor for copying, the

[PHI]”; (2) “[p]ostage, when the individual has requested the copy, or the summary or explanation,

be mailed”; and (3) “[p]reparing an explanation or summary of the [PHI].” Id. § 164.524(c)(4)(i)–

(iii) (2012). Notably, the Patient Rate excluded other common costs associated with maintaining

and producing PHI, such as costs of data storage, data infrastructure, and document retrieval.

See 65 Fed. Reg. at 82,557; Compl. ¶ 31.

When HHS promulgated the Privacy Rule in 2000, it made clear that the purpose of the

Patient Rate was to ensure that individuals would not be deterred from seeking PHI due to its cost.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.

65 Fed. Reg. at 82,577. Conversely, when the cost of obtaining and transmitting PHI was to be

borne by someone other than the patient, HHS did not require charging the Patient Rate.

We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.

Id. (emphasis added). Elsewhere in the Final Rule HHS stated:

The proposal and the final rule establish the right to access and copy records only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual’s request. The Department’s expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule.

5 Id. at 82,754 (emphasis added). Thus, the Final Rule made an express distinction between patient-

requested PHI and non-patient-requested PHI. The Patient Rate applied to the former but not the

latter.

2. The HITECH Act (2009)

Nearly a decade later, in 2009, Congress passed the Health Information Technology for

Economic and Clinical Health Act, or HITECH Act, in response to the growth of distinct digital-

record formats and storage systems. Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 226 (2009).

The HITECH Act made two key changes relevant to this litigation.

The first is that it created the “third-party directive,” a simplified process for requesting

delivery of certain PHI to third persons. Under the pre-2009 Privacy Rule, a covered entity was

prohibited from releasing PHI stored in any format to a third party without a “valid authorization.”

45 C.F.R. §§ 164.502(a)(1)(iv) (2008). Such an authorization was burdensome. 1 It had to include

certain “[c]ore elements,” such as description of the information sought, the purposes for its

disclosure, and the authorization’s expiration date or event, as well as “statements adequate to

place the individual on notice” of her rights. Id. § 164.508(c)(1)–(2) (2008). The HITECH Act

stripped away these requirements for “electronic health record[s],” or “EHRs.” See 42 U.S.C.

§ 17935(e); see also id. § 17921(5) (defining an “electronic health record” as “an electronic record

of health-related information on an individual that is created, gathered, managed, and consulted by

authorized health care clinicians and staff”). 2 The Act provides:

[I]n the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an

1 In a 2016 guidance document, HHS observed that “because a HIPAA authorization requests more information than is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right.” See Compl., Ex. A., ECF No. 1-1, at 17. 2 EHR systems are distinct from a record that merely exists in electronic form. Joint App’x, ECF No. 27 [hereinafter J.A.], at 67. Electronic record systems include many “legacy systems” that existed prior to EHRs and are “incapable of producing reports in easily readable formats that can be transmitted electronically.” Id.

6 individual . . . the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.

Id. § 17935(e)(1). So, with respect to PHI contained in an EHR, the HITECH Act expressly entitles

patients to obtain such information for themselves or to direct the information to a third party,

without the need for a “valid authorization” under the Privacy Rule.

The second relevant change made by the HITECH Act is a statutory cap on the fee that a

covered entity may charge a patient for delivering EHRs. The Act states that “notwithstanding

[45 C.F.R. § 164.524(c)(4)]”—a cross-reference to the Patient Rate—“any fee that the covered

entity may impose for providing such individual with a copy of such information . . . if such copy

. . . is in electronic form shall not be greater than the entity’s labor costs in responding to the request

for the copy.” Id. § 17935(e)(3). As the plain text makes clear, the HITECH Act’s fee cap applies

at least to personal use requests produced as EHRs. Whether the statutory fee cap extends beyond

such demands is the subject of dispute.

3. The Omnibus Rule (2013)

In 2013, HHS amended the Privacy Rule as part of broad set of new regulations, which the

court refers to as the “2013 Omnibus Rule.” See Modifications to the HIPAA Privacy, Security,

Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic

Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566

(Jan. 25, 2013).

The 2013 Omnibus Rule made two modifications relevant to this case. First, the

2013 Omnibus Rule broadened the third-party directive created by the HITECH Act to reach

requests for PHI contained in any format, and not just in an EHR. The Privacy Rule states: “If an

7 individual’s request for access directs the covered entity to transmit the copy of [PHI] directly to

another person designated by the individual, the covered entity must provide the copy to the person

designated by the individual.” 45 C.F.R. § 164.524(c)(3)(ii). The copy must be provided to the

individual “in the form and format requested by the individual, if it is readily producible in such

form and format.” Id. § 164.524(c)(2)(i). Additionally, if the requested PHI is maintained in any

electronic format, the covered entity must provide the information in “the electronic form and

format requested by the individual, if it is readily producible in such form and format.” Id.

§ 164.524(c)(2)(ii).

When it expanded the third-party directive to PHI contained in any format, HHS

acknowledged it was going beyond the text of the HITECH Act. The agency conceded that the

HITECH Act “applies by its terms only to protected health information in EHRs.” 78 Fed. Reg.

at 5,631. Yet, HHS insisted it had the authority to command the expansion. It explained that

“incorporating [the HITECH Act’s] new provisions in such a limited manner in the Privacy Rule

could result in a complex set of disparate requirements for access to [PHI] in EHR systems versus

other types of electronic records systems.” Id. As authority to address this concern, the agency

cited its general rulemaking power under section 264(c) of HIPAA. That provision, HHS said,

allowed it “to prescribe the rights individuals should have with respect to their [PHI] to strengthen

the right of access provided under section [17935(e)] of the HITECH Act more uniformly to all

[PHI] maintained in one or more designated record sets electronically, regardless of whether the

designated record set is an EHR.” Id.

The 2013 Omnibus Rule also amended that portion of the Privacy Rule that specifies the

costs recoverable under the Patient Rate. HHS broke out, as part of the reasonable cost-based fee,

the cost of labor for copying PHI, whether in paper or electronic format. See id. at 5,635–36; 45

8 C.F.R. § 164.524(c)(4)(i). Such cost “could include skilled technical staff time spent to create and

copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media, and

distributing the media.” 78 Fed. Reg. at 5,636. “[A]ctual labor costs associated with the retrieval

of electronic information,” however, would not be recoverable under the Patient Rate. Id. Nor

would “[f]ees associated with maintaining systems and recouping capital for data access, storage

and infrastructure” be “considered reasonable, cost-based fees.” Id.

4. The Privacy Rule Guidance (2016)

Three years after adopting the 2013 Omnibus Rule, HHS issued a guidance document in

2016 titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R.

§ 164.524.” See Compl., Ex. A, ECF 1-1 [hereinafter 2016 Guidance]. The 2016 Guidance made

two notable pronouncements that gave rise to this lawsuit.

Most significantly, HHS declared that the Patient Rate applies “when an individual directs

a covered entity to send the PHI to a third party.” Id. at 16. “This limitation,” HHS said, referring

to the Patient Rate, “applies regardless of whether the individual has requested that the copy of

PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party

designated by the individual (and it doesn’t matter who the third party is).” Id.; see also id. (stating

that the Patient Rate applies “regardless of whether the access request was submitted to the covered

entity by the individual directly or forwarded to the covered entity by a third party on behalf and

at the direction of the individual”). The 2016 Guidance noted that the Patient Rate does not apply

when “the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA

authorization.” Id. at 17. But the agency again emphasized that “where the third party is

forwarding—on behalf and at the direction of the individual—the individual’s access request for

9 a covered entity to direct a copy of the individual’s PHI to the third party, the fee limitations

apply.” Id.

The medical-records industry viewed this announcement as a seismic shift in the agency’s

articulation of the law. Before the 2016 Guidance, the industry understood that the Patient Rate

applied only to personal use requests for PHI and not to third-party directives under the HITECH

Act, and it structured its contracts and pricing models accordingly. See Decl. of Tarun Kabaria,

ECF No. 12-2 [hereinafter Kabaria Decl.], ¶¶ 11–14; Decl. of Jeff Gartland, ECF No. 44-1

[hereinafter Gartland Decl.], ¶¶ 5–6, 17–19. The 2016 Guidance, however, upended that

understanding, as it declared that the Patient Rate applied to all requests for PHI initiated by an

individual, even if such information was requested for use by a third party, like an insurance

company or a law firm. Only requests for PHI made directly by the third party with a HIPAA

authorization (or pursuant to another permissible disclosure provision in the Privacy Rule) would

not be subject to the Patient Rate cap. 2016 Guidance at 17.

The 2016 Guidance also provided direction with respect to determining the Patient Rate.

First, it stated that the Patient Rate reaches only those labor costs incurred after the responsive PHI

“has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.”

Id. at 11. On the other hand, labor for “[s]earching for, retrieving, and otherwise preparing the

responsive information for copying” is not recoverable. Id. at 12. Second, the 2016 Guidance set

forth three alternatives for calculating, subject to the Patient Rate’s strictures, the “reasonable,

cost-based fee” that may be charged for fulfilling a patient-initiated PHI request. These

alternatives apply to “a covered entity (or business associate operating on its behalf).” Id. at 15.

A holder of PHI may determine such fee: “(1) by calculating actual allowable costs to fulfill each

request; or (2) by using a schedule of costs based on average allowable labor costs to fulfill

10 standard requests.” Id. “Alternatively, in the case of requests for an electronic copy of PHI

maintained electronically, covered entities may: (3) charge a flat fee not to exceed $6.50 (inclusive

of all labor, supplies, and postage).” Id. The 2016 Guidance notes that “[c]harging a flat fee not

to exceed $6.50 per request is therefore an option available to entities that do not want to go

through the process of calculating actual or average allowable costs for requests for electronic

copies of PHI maintained electronically.” Id. HHS admonished that “[w]e will continue to

monitor whether the fees that are being charged to individuals are creating barriers to this access

[and] will take enforcement action where necessary.” Id. at 11.

Less than a year later, HHS demonstrated its resolve to enforce the Patient Rate. In March

2017, HHS notified CHI Health St. Francis, a covered entity contracting with Ciox, that it had

received a complaint from a patient, alleging that Ciox had charged an excessive fee for forwarding

her electronic medical records to a law firm. See Compl., Ex. B, ECF No. 1-2 [hereinafter St.

Francis Letter], at 1. HHS warned St. Francis that, as a result of Ciox’s actions, St. Francis may

have violated the Privacy Rule, but the agency took no further action. See id.

The following year, Ciox itself received a letter from HHS. On November 16, 2018, HHS

advised Ciox that it had received a complaint, asserting that “when an individual makes a request

through Ciox for his/her medical records to be directed to a third party, such as a law firm, Ciox

routinely charges fees that are not compliant with” the Privacy Rule. See Pl.’s Notice and Request

for Oral Argument, Ex. B, ECF No. 29-2 [hereinafter Ciox Letter], at 1 (citing 45 C.F.R.

§ 164.524(c)(4)). HHS demanded Ciox produce records to aid in HHS’s investigation. See id. at

2. Two weeks later, HHS announced that the investigation of Ciox was in error because the agency

does not have jurisdiction to enforce the Privacy Rule against business associates like Ciox.

See Defs.’ Response to Pl.’s Notice and Request for Oral Argument, ECF No. 30, at 1.

11 B. Procedural Background

1. Ciox’s Complaint

This action has had a long history. Ciox filed suit against Defendants HHS and the

Secretary of HHS on January 8, 2018, asserting three causes of action under the APA, 5 U.S.C.

§ 706(2). See Compl. ¶¶ 59–77.

First, Ciox claims that HHS’s decision under the 2013 Omnibus Rule to expand the

HITECH Act’s third-party directive to PHI contained in formats other than an EHR, and to require

production of PHI in any format demanded by the requester, conflicts with the plain text of the

HITECH Act. See id. ¶¶ 62–63. Ciox also alleges that these actions were ultra vires, as the agency

lacked statutory authority to adopt the charges made by the 2013 Omnibus Rule. See id. ¶¶ 64–

65. Next, Ciox avers that the changes announced in the 2016 Guidance were “legislative rules”

within the meaning of the APA that HHS failed to promulgate through public notice and comment.

See id. ¶¶ 66–69. In particular, Ciox contests HHS’s expansion of the Patient Rate to all third-

party directives, as well as the three enumerated methods by which to calculate disclosure fees, as

violative of the APA’s procedural requirements. See id. ¶¶ 66–69. It also contends that the 2016

Guidance is procedurally deficient in its announced exclusion from the Patient Rate the cost of

skilled technical staff who search for and retrieve electronically stored PHI. See id. ¶ 68. 3 Third,

Ciox challenges aspects of the 2016 Guidance as arbitrary and capricious. It contests HHS’s

declaration that the Patient Rate applies to third-party directives, id. ¶¶ 71–75, as well as its

3 The Complaint also alleges that the exclusion of skilled technical staff time is an arbitrary and capricious agency action, because it “directly conflicts with the 2013 Omnibus Rule’s explicit inclusion of such costs in the Patient Rate.” Compl. ¶ 76. Ciox, however, fails to advance this claim in its motion for summary judgment. See Mem. of P. & A. in Opp’n to Defs.’ Mot. to Dismiss and in Supp. of Ciox’s Cross-Mot. for Summ. J., ECF No. 12-1, at 40–45. The claim is therefore forfeited.

12 “tripartite methodology for calculating allowable costs under the Patient Rate,” id. ¶ 77. Ciox

seeks declaratory and injunctive relief as to all three claims. See id. at 42.

2. Proceedings

On April 2, 2018, Defendants moved to dismiss the action for lack of jurisdiction and

failure to state a claim. See generally Defs.’ Mot. to Dismiss, ECF No. 9, Mem. in Support of

Mot. to Dismiss, ECF No. 9-1 [hereinafter Defs.’ Mot. to Dismiss Mem.]. Defendants assert that

Ciox lacks constitutional standing because the 2013 Omnibus Rule and the 2016 Guidance apply

only to covered entities, and not to business associates like Ciox, and therefore Ciox is not

encumbered by the limitations, including the Patient Rate, set forth in those agency

pronouncements. See id. at 11. Defendants additionally disavow any enforcement authority with

respect to business associates, see id. at 14, and they assert that, to the extent that the challenged

actions have affected Ciox’s revenues, that injury is the result of its own business judgments, not

agency action, see id. at 15–16. Defendants also argue that each of Ciox’s claims is unripe. See id.

at 17–20. Relatedly, Defendants contend that Ciox fails to state a claim upon which relief may be

granted because Ciox lacks statutory standing under the HITECH Act and because the 2016

Guidance is not a final agency action, and thus, unreviewable under the APA. See id. at 20–28.

On May 2, 2018, Ciox opposed Defendants’ Motion to Dismiss and moved for summary

judgment. See Mot. for Summ. J. of Pl. Ciox Health, ECF No. 12; Mem. of P. & A. in Opp’n to

Defs.’ Mot. to Dismiss and in Supp. of Ciox’s Cross-Mot. for Summ. J., ECF No. 12-1 [hereinafter

Pl.’s Opp’n Mem.]. Defendants filed a reply in support of their Motion to Dismiss on May 14,

2018, see Defs.’ Reply Mem. in Supp. of Mot. to Dismiss, ECF No. 16 [hereinafter Defs.’ Mot. to

Dismiss Reply], and, after the court denied Defendants’ request to stay further summary judgment

briefing, see Order, ECF No. 18, Defendants filed their own motion for summary judgment on

13 September 14, 2018, see Defs.’ Cross-Mot. for Summ. J., ECF No. 22, Mem. in Supp. of Defs.’

Opp’n to Pl.’s Mot. for Summ. J. and Cross-Mot. for Summ. J., ECF No. 22-1. Briefing on the

cross-motions for summary judgment concluded on October 5, 2018. See Defs.’ Reply in Supp.

of Defs.’ Cross-Mot. for Summ. J., ECF No. 26.

After a brief delay due to the shutdown of government operations, see Minute Order, Jan.

2, 2019, the court held an initial hearing on the parties’ motions on April 10, 2019. See Hr’g Tr.,

Apr. 15, 2019, ECF No. 34. At that hearing, Defendants offered conflicting interpretations of the

Patient Rate’s applicability to third-party directives, at first suggesting that the Patient Rate does

not apply to third-party directives if the third party paid the associated fees, id. at 41–42, but later

reversing course and saying that the Patient Rate applies to all third-party directives, regardless of

who pays for the fees, so long as the request for PHI originates with the patient, id. at 47–48.

Frustrated by the about-face, the court ordered the parties to confer and report back on whether

they had reached a mutual understanding as to how the Patient Rate applies to third-party

directives. See id. at 49.

On April 24, 2019, Defendants submitted a supplemental filing that sought to clarify the

agency’s position. See Defs.’ Suppl. Filing in Supp. of their Mot. to Dismiss and Cross Mot. for

Summ. J., ECF No. 35-1 [hereinafter Defs.’ Suppl. Filing]. As part of that filing, Defendants

included a table “to illustrate how the fee limitation operates.” Id. at 3–4. The table summarized

the agency’s position that “whether the fee limitation applies depends entirely on whether the

individual has initiated the request for the production of his or her PHI. It is irrelevant whether

the individual or a third party directly pays the bill for the request.” Id. at 3. Ciox responded that

HHS’s clarified position only confirmed its standing to challenge the agency’s actions and the

14 ripeness of its claims. See Pl.’s Mem. in Reply to Defs.’ Suppl. Filing, ECF No. 38 [hereinafter

Pl.’s Reply to Defs.’ Suppl. Filing.].

The court held a second hearing on the parties’ motions on May 8, 2019. Hr’g Tr., May 8,

2019, ECF No. 41. Following that hearing, on May 24, 2019, HHS notified the court that it had

published a “Fact Sheet” on its website that “explains when business associates are directly liable

to HHS for violating provisions of” HIPAA. Defs.’ Notice of Filing of Fact Sheet, ECF No. 39,

at 1. As pertinent here, the Fact Sheet states that HHS “lacks the authority to enforce the

‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 164.524(c)(4) against business associates

because the HITECH Act does not apply the fee limitation provision to business associates.”

See id., Ex. A, ECF No. 39-1 [hereinafter Fact Sheet], at 2. Not surprisingly, Ciox responded that

the Fact Sheet did not alter its standing to contest the agency’s actions in federal court.

See Pl.’s Reply to Defs.’ Notice of Filing of Fact Sheet, ECF No. 40.

The unanticipated Fact Sheet prompted the court to invite further briefing. The court

observed that, based on the Fact Sheet’s clear disavowal of enforcement authority over business

associates’ fee practices, “it would appear that [Ciox] cannot establish standing directly based on

the threat of an enforcement action against it, as it has argued,” and Ciox “is thus left to assert that

its injuries arise from the actions of covered entities who are subject to regulation,” thereby making

the establishment of standing “substantially more difficult.” Order, ECF No. 42, at 1 (quoting

Lujan v. Defs. of Wildlife, 504 U.S. 555, 562 (1992)). “[N]ot confident that [Ciox] has had a full

and fair opportunity to make its record,” the court allowed Ciox to supplement the factual record

to supports its theory of standing. Id. at 2.

Ciox submitted additional evidence to support standing and an accompanying legal

memorandum on June 28, 2019. See Pl.’s Mem. in Resp. to June 4, 2019 Order, ECF No. 43

15 [hereinafter Pl.’s Suppl. Standing Br.]. Defendants submitted a memorandum in response on July

12, 2019, see Defs.’ Resp. to Pl.’s Suppl. Br., ECF No. 46 [hereinafter Defs.’ Resp. to Pl.’s Suppl.

Standing Br.], and Ciox offered a reply on July 17, 2019, see Pl.’s Reply in Supp. of its Suppl. Br.,

ECF No. 47. That final brief brought the record to a close.

III. DISCUSSION

A. Jurisdiction

The court begins with the question of whether it has jurisdiction to decide this matter.

Defendants assert that Ciox lacks standing under Article III of the Constitution. See Defs.’ Mot.

to Dismiss Mem. at 11–17. They also contend that Ciox’s claims are not ripe. Id. at 17–20. The

court addresses standing before turning to ripeness.

1. Article III Standing

As the party seeking to invoke the court’s jurisdiction, the burden lies with Ciox to

establishing standing. See Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). Ciox must

demonstrate standing “with the manner and degree of evidence required at the successive stages

of the litigation.” Lujan, 504 U.S. at 561. In this case, the parties have filed cross-motions for

summary judgment, and the court afforded Ciox an opportunity to supplement the factual record

as to its standing. Accordingly, the court will evaluate standing under the summary judgment

standard. Under that standard, the “plaintiff can no longer rest on . . . ‘mere allegations’” to

establish standing. Id. (quoting Fed. R. Civ. P. 56(e)). Rather, it “must ‘set forth’ by affidavit or

other evidence ‘specific facts,’ . . . which for purposes of the summary judgment motion will be

taken to be true.” Id. (quoting Fed. R. Civ. P. 56(e)).

Standing consists of three elements. First, a plaintiff must have suffered an injury in fact,

or “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual

16 or imminent, not conjectural or hypothetical.” Id. at 560 (cleaned up). Second, there must be

causation, that is, the injury is “fairly traceable to the challenged action of the defendant, and not

the result of the independent action of some third party not before the court.” Id. (cleaned up).

Third, “it must be likely as opposed to merely speculative that the injury will be redressed by a

favorable decision.” Id. at 561 (cleaned up).

Ciox submits affidavits from two of its business executives—Tarun Kabaria, Vice

President of Operations, and Jeff Gartland, President of Life Sciences—to demonstrate financial

losses caused by the agency’s challenged actions. According to Kabaria, per HHS regulations, a

business associate can provide health records services to a covered entity only pursuant to a formal

contract. See Kabaria Decl. ¶ 7; see also 45 C.F.R. § 164.502(e)(2) (providing that a covered

entity’s relationship with a business associate “must be documented through a written contract or

other written agreement or arrangement”); id. § 164.504(e) (setting forth requirements of business

associate contracts). Ciox’s contracts require the company to produce PHI for covered entities in

accordance with the restrictions set forth in HIPAA, the HITECH Act, and the Privacy Rule—

including the Patient Rate. Kabaria Decl. ¶ 8. Kabaria explains that, before 2009, commercial

third parties requesting PHI did so through “patient authorization[s]” that allowed release of PHI

to the third party. Id. ¶ 11. Ciox understood, as did the industry, that the Patient Rate did not apply

to such third-party requests and therefore charged state-authorized or independently-contracted

rates to fulfill such “authorized” requests. Id. These rates often exceeded the Patient Rate by

several hundred dollars per request. Id. ¶¶ 11, 16. The advent of the HITECH Act’s third-party

directive in 2009 did not change the industry’s or Ciox’s practice, according to Kabaria. Id. ¶ 12.

The industry still understood that the Patient Rate did not apply to requests for PHI delivered to

third parties. Id.

17 The ground began to shift slightly with the 2013 Omnibus Rule, says Kabaria. By

expanding the HITECH Act’s third-party directive to records in formats other than EHRs, Ciox

saw a modest increase in third-party directives. Id. ¶ 13. Ciox still continued to receive most

third-party requests through third-party authorizations, and thus persisted in charging above the

Patient Rate for such requests. Id. The 2016 Guidance caused a major shift in the industry,

however. The 2016 Guidance’s requirement that the Patient Rate apply to third-party directives

accelerated the number of third-party directives relative to authorizations. Id. ¶ 14. Also, the 2016

Guidance’s three options for calculating the Patient Rate caused some of Ciox’s covered-entity

clients to require Ciox to use the flat-fee option of $6.50 for fulfilling third-party directives. Id.

¶ 15. These changes, according to Kabaria, are “costing Ciox well over $10 million per year” and

those losses are likely to “continue growing.” Id. ¶ 16.

Gartland amplifies the points made in Kabaria’s declaration, using actual contracts as

examples. Gartland explains that nearly all of Ciox’s contracts provide that Ciox’s compensation

is limited to the fees chargeable for transmitting PHI. Gartland Decl. ¶ 5. These compensation

provisions require that Ciox charge only “in accordance with Section 164.524(c)(4) of the Privacy

Regulations.” Id. ¶ 6. Ciox’s contracts, according to Gartland, reflect a compensation model that

is “typical” in the industry. Id. ¶ 11. Additionally, Gartland explains, Ciox’s agreements contain

provisions that expose it to stiff sanctions if Ciox were to run afoul of federal laws. Covered

entities can terminate a contract if Ciox is noncompliant, and Ciox is required to indemnify covered

entities for liability arising from violations by Ciox. Id. ¶¶ 15–16. Gartland also confirms that, as

a result of the 2016 Guidance’s expansion of the Patient Rate to all third-party directives and its

option of a $6.50 flat fee, “Ciox as a matter of course now only charges $6.50 for most Third Party

Directive requests.” Id. ¶ 18. The resulting lost revenue in 2017 and 2018 has totaled $35 million

18 and “will continue growing year-over-year,” as third-party directives increase as a percentage of

overall requests. Id. According to Gartland, since 2016, Ciox has spent thousands of employee

hours attempting to renegotiate contracts to mitigate its losses, but still continues to suffer reduced

revenues. Id. ¶ 19.

a. Injury in fact

Ciox posits as its injury in fact the quintessential harm of lost revenue. See Pl.’s Opp’n

Mem. at 17; Pl.’s Suppl. Standing Br. at 6–7; Czyzewski v. Jevic Holding Corp., 137 S. Ct. 973,

983 (2017) (“For standing purposes, a loss of even a small amount of money is ordinarily an

‘injury.’”). Although Defendants question the sufficiency of the Complaint’s allegations of harm,

see Defs.’ Mot. to Dismiss Mem. at 13–14, they do not challenge the adverse fiscal impact that

Ciox claims to have suffered, as outlined in the declarations. See generally Defs.’ Resp. to Pl.’s

Suppl. Standing Br. The element of injury in fact is therefore largely uncontested.

b. Causation

The element of causation presents a threshold dispute: Does Ciox’s claimed financial

injury arise from direct regulation by HHS, or is the injury the result of the agency’s regulation of

others, namely, covered entities? See Lujan, 504 U.S. at 562 (stating that “when the plaintiff is

not himself the object of the government action or inaction he challenges, standing is not

precluded, but it is ordinarily substantially more difficult to establish” (internal quotation marks

and citations omitted)).

According to HHS, “the relevant portion of the [Privacy Rule], which is also the basis for

the 2016 guidance, imposes no requirements or restrictions on business associates like Ciox.”

Defs.’ Mot. to Dismiss Mem. at 11; see also Defs.’ Suppl. Filing at 3 (“HHS has no authority to

hold Ciox liable for failing to observe the fee limitation.”). Instead, HHS argues, the challenged

19 actions are enforceable only against covered entities, a position memorialized in the agency’s

published “Fact Sheet.” See Fact Sheet at 2 (stating that HHS “lacks the authority to enforce the

‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 165.524(c)(4) against business associates”).

Accordingly, HHS maintains, the element of causation in this case must be analyzed under the

more rigorous standard for alleged injuries caused indirectly by government action. See Lujan,

504 U.S. at 562.

Ciox reads the controlling law differently. It asserts that business associates are directly

subject to the Privacy Rule; the Rule’s limitations, including the Patient Rate, govern the conduct

of business associates; and the failure to comply with the Rule subjects business associates to

potential enforcement and punitive consequences. Pl.’s Opp’n Mem. at 18–21. Ciox thus insists

HHS possesses the direct authority over business associates that the agency disclaims.

Although interesting, the parties’ debate is not one the court need resolve. That is because,

even if HHS cannot directly regulate business associates, Ciox’s financial injury is still traceable

to agency action through the effect those actions have had on Ciox’s contracting partners, the

covered entities.

When . . . a plaintiff’s asserted injury arises from the government’s allegedly unlawful regulation . . . of someone else, much more is needed [to prove standing]. In that circumstance, causation and redressability ordinarily hinge on the response of the regulated (or regulable) third party to the government action or inaction—and perhaps on the response of others as well.

Lujan, 504 U.S. at 562 (internal quotation marks and citations omitted). “[I]t becomes the burden

of the plaintiff to adduce facts showing that [the regulated third-party’s] choices have been or will

be made in such a manner as to produce causation and permit redressability of injury.” Id. The

plaintiff must show that “the agency action is at least a substantial factor motivating the third

parties’ actions.” Tozzi v. HHS, 271 F.3d 301, 308 (D.C. Cir. 2001) (quoting Cmty. for Creative

20 Non-Violence v. Pierce, 814 F.2d 663, 669 (D.C. Cir. 1987)). “Unadorned speculation” connecting

the challenged government action and third-party conduct will not suffice. Nat’l Wrestling

Coaches Ass’n v. Dept. of Educ., 366 F.3d 930, 938 (D.C. Cir. 2004) (quoting Simon v. E. Ky.

Welfare Rights Org., 426 U.S. 26, 44 (1976)). Here, the regulatory scheme governing the medical

records management industry, when combined with the evidence presented by Ciox, leaves “little

doubt as to causation and the likelihood of redress.” Id. at 941.

HHS’s regulations all but ensure that business associates will limit the fees they charge in

a manner consistent with HHS’s interpretation of the Patient Rate. The regulations expressly make

covered entities liable for their business associates’ violations. See 45 C.F.R. § 160.402(c)(1)

(“A covered entity is liable . . . for a civil money penalty for a violation based on the act or

omission of any agent of the covered entity, including a . . . business associate, acting with the

scope of the agency.”). So, for example, if Ciox were to charge more than the Patient Rate to carry

out a third-party directive, HHS could hold the covered entity responsible. See Defs.’ Suppl. Filing

at 3. HHS’s letter dated March 22, 2017, to CHI St. Francis illustrates this reality. See St. Francis

Letter at 3. In that case, HHS received a complaint that Ciox had charged $224.65 for 353 pages

of electronic medical records that the patient had requested be sent to her law firm. Id. at 1. HHS

warned CHI St. Francis that “[t]his allegation could reflect a violation of [the Patient Rate].” Id.

HHS advised CHI St. Francis—seemingly at odds with its position taken here—that “all of the

access requirements that apply with respect to PHI held by the covered entity (e.g., the individual

may be charged only a reasonable, cost-based fee [Patient Rate] that complies with [the Privacy

Rule]) apply with respect to PHI held by the business associate.” Id. at 3. Although HHS took no

formal action against CHI St. Francis for Ciox’s actions, it warned that should it “receive a similar

allegation of noncompliance . . . in the future, [HHS] may initiate a formal investigation of that

21 matter.” Id. at 4. The prospect that a covered entity could be held liable for the transgressions of

its business associates provides a powerful incentive for covered entities to ensure that business

associates comply with the Privacy Rule, including the Patient Rate. Indeed, the regulations

expressly provide that a covered entity’s failure to address a business associate’s non-compliance

is itself a violation of the regulations. See 45 C.F.R. § 164.504(e)(1). 4

Not surprisingly, covered entities have structured their contracts to require their business

associates to follow the regulations and to protect themselves against liability. Ciox’s contracts,

for instance, require the company to charge fees “in accordance with Section 164.524(c)(4) of the

Privacy Regulations.” Gartland Decl. ¶ 6 (quoting various contracts); see also Sealed Mot. for

Leave to File Docs. Under Seal, Ex. A, Ex. 44-2, at 29 ¶ 4.1 (under seal); id., Ex. B, ECF No. 44-

3, at 17 ¶ 5.1 (under seal); id., Ex. C, ECF No. 44-4, at 15 ¶ 4.1 (under seal); id., Ex. D, ECF No.

44-5, at 17 (under seal). Additionally, “all of Ciox’s contracts, no matter what model, include

provisions requiring Ciox to indemnify the covered entity for any violation of HIPAA, HITECH,

or the Privacy Rule that is attributable to the covered entity for Ciox’s actions . . . , including

violations of the Patient Rate if that Rate applies to a given request.” Gartland Decl. ¶ 16. Such

indemnification provisions are sure to discourage Ciox from charging more than the Patient Rate.

And, of course, Ciox risks termination of a contract should it charge more than the Patient Rate.

4 That regulation provides:

A covered entity is not in compliance with the standards of § 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

Id. § 164.504(e)(1)(ii).

22 If these regulatory and contractual provisions were not enough to establish causation,

Ciox also provides testimonial evidence of industry impacts following HHS’s issuance of the 2016

Guidance. According to Gartland, following the 2016 Guidance, “the volume of Third Party

Directive requests has increased by nearly 700 percent, as law firms and other for-profit entities

realized they could use Third Party Directives to avoid the typically higher state-authorized fees

that Ciox previously could charge for fulfilling HIPAA authorizations.” Gartland Decl. ¶ 17.

Moreover, after 2016, covered entities began to insist that “Ciox charge no more than $6.50 for

fulfilling a Third Party Directive because they fear both federal enforcement action and potential

liability if Ciox charges more than that when fulfilling Third Party Directives. As a result, Ciox

as a matter of course now only charges $6.50 for most Third Party Directive requests . . . .” Id.

¶ 18. These sworn statements, which the agency does not contest, demonstrate the real-world

impacts of the challenged actions and how they have caused Ciox’s financial injuries.

Defendants advance two primary arguments in response. First, HHS maintains that Ciox’s

losses are “self-inflicted.” Defs.’ Mot. to Dismiss Reply at 8. Ciox chose to enter into contracts

that “structure its compensation . . . in the form of fees charged to requesters of PHI,” Defs.’ Resp.

to Pl.’s Suppl. Standing Br. at 4, and that include indemnification clauses, Defs.’ Mot. to Dismiss

Reply at 8. Instead, HHS insists, Ciox could have entered into agreements that secured payment

from the covered entities instead of patients, which would have insulated them from the losses

they now claim. See id. at 7–8; see also Defs.’ Resp. to Pl.’s Suppl. Standing Br. at 4 (arguing that

“nothing prevents Ciox from negotiating its compensation structure with covered entities

differently”). HHS analogizes this case to the D.C. Circuit’s decision in Brotherhood of

Locomotive Engineers. See Defs.’ Mot. to Dismiss Reply at 8 (citing Bhd. of Locomotive Eng’rs.

& Trainmen, a Div. of Rail Conf.-Int’l Bhd. of Teamsters v. Surface Transp. Bd. 457 F.3d 24

23 (D.C. Cir. 2006)). There, the court held that a union could not demonstrate causation where the

Surface Transportation Board’s classification of a type of transaction foreclosed the union from

invoking its bargaining rights; the union previously had agreed under its collective bargaining

agreement not to bargain over the effects of such a transaction. Brotherhood of Locomotive

Engineers, 457 F.3d at 28. In that scenario, the injury “was not in any meaningful way ‘caused’

by the Board; rather, it was entirely self-inflicted.” Id. Like the union in Brotherhood of

Locomotive Engineers, HHS contends, Ciox “is injured by the specific terms of the contracts it

entered into with the covered entities” and thus its injury is similarly self-inflicted. Defs.’ Mot. to

Dismiss Reply at 8.

HHS’s self-infliction argument is flawed both legally and factually. Legally it is flawed

because it raises the bar for standing too high. To the extent that injury is self-inflicted, it must be

“so completely due to the complainant’s own fault as to break the causal chain.” Petro-Chem

Processing, Inc. v. EPA, 866 F.2d 433, 438 (D.C. Cir. 1989) (cleaned up) (internal quotation marks

and citation omitted). Standing doctrine thus does not require a plaintiff to show that it made no

choice that put it at risk of injury. See Ellis v. Comm’r of Internal Revenue Serv., 67 F. Supp. 3d

325, 337 (D.D.C. 2014) (stating that “it has been observed that all injuries are in some sense self-

inflicted”), aff’d 622 F. App’x 2 (D.C. Cir. 2015). Therefore, the mere fact that Ciox negotiated

agreements in a highly regulated environment that linked its compensation to the Patient Rate does

not make its injury self-inflicted. See Cent. Ariz. Water Conservation Dist. v. EPA, 990 F.2d 1531,

1538 (9th Cir. 1993) (“While [the] contractual obligations may provide the basis for its economic

liability for the increased costs imposed by the Final Rule, that hardly means that the Final Rule

itself is not the direct cause of that liability.”). Thus, this case is not like Brotherhood of

24 Locomotive Engineers, in which the union was found to have a self-inflicted injury because, of its

own accord, it made the choice to forego bargaining with respect to the type of transaction at issue.

Factually, HHS’s insistence that Ciox’s injury is self-inflicted wholly ignores industry

realities. For example, HHS’s argument that Ciox voluntarily acceded to contracts containing

indemnification provisions, see Defs.’ Mot. to Dismiss Reply at 8, fails to appreciate that its own

regulations make covered entities liable for the acts of their business associates. It should come

as no surprise then that Ciox’s contracts contain indemnity provisions that require the company to

make covered entities whole for any liability resulting from Ciox’s transgressions. Moreover,

HHS overlooks the fact that, for years, it took the position that the Patient Rate applied only to

personal use requests for PHI, and not to requests directing PHI to third parties. See 65 Fed. Reg.

at 82,754 (stating in 2000 that the Privacy Rule “establish[es] the right to access and copy records

only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual’s

request”). That the industry, quite sensibly, structured its compensation scheme to fit HHS’s

pronouncements, see Kabaria Decl. ¶ 11, does not mean that Ciox’s injury is now self-inflicted.

Second, HHS argues that Ciox fails to provide substantial evidence of a causal relationship

between the agency’s actions and the response of third parties, which resulted in Ciox’s losses.

See Defs.’ Resp. to Pl.’s Suppl. Standing Br. at 9–10. But the uncontested Gartland Declaration

establishes otherwise. As noted, Gartland explains how, following the 2016 Guidance, Ciox began

to incur greater losses as requesters shifted to third-party directives subject to the Patient Rate.

Gartland Decl. ¶ 17. Additionally, since the 2016 Guidance, covered entities have demanded that

Ciox charge no more than $6.50 for third-party directives, such that Ciox now charges that fixed

amount “as a matter of course” for most third-party directives. Id. ¶ 18. HHS faults Ciox for not

re-negotiating its contracts after 2016 to allow it to collect additional fees from covered entities.

25 But even suggesting that Ciox had to incur new contracting costs to avoid injury only underscores

the causal effect of the agency’s actions. See id. ¶ 19 (explaining that Ciox has “expended

thousands of hours of employee time renegotiating—to only partial success—many contracts that,

but for the 2016 mandates, would not have been at issue”). Ciox has satisfied the element of

causation.

c. Redressability

Having found that Ciox satisfies the element of causation, the issue of redressability is

straightforward. “Causation and redressability typically ‘overlap as two sides of a causation coin.’

After all, if a government action causes an injury, enjoining the action usually will redress that

injury.” Carpenters Indus. Council v. Zinke, 854 F.3d 1, 6 n.1 (D.C. Cir. 2017) (quoting

Dynalantic Corp. v. Dep’t of Defense, 115 F.3d 1012, 1017 (D.C. Cir. 1997)). Here, if the court

were to enjoin the challenged portions of the 2013 Omnibus Rule and the 2016 Guidance,

see Compl. at 42, as Gartland explains:

[Ciox] could maintain the overwhelming majority of its existing contracts in their current form and, for those contracts that already have been renegotiated, revert to the time-tested model that covered entities and business associates uniformly prefer . . . , which allow[s] Ciox to charge the state-authorized rates it previously was allowed to charge for delivering PHI to third parties, including for Third Party Directives.

Gartland ¶ 21. In short, because Ciox could start recouping the loses it presently incurs by charging

the Patient Rate for third-party directives, it has demonstrated that the court can redress its injuries.

HHS resists this uncomplicated logic. It contends that “the 2016 [G]uidance works no

change in the law; it simply clarified what the 2013 Regulation requires. And the 2013 Regulation,

in turn, implemented the HITECH Act. Therefore, vacating the 2016 Guidance would also have

no legal effect.” Defs.’ Resp. to Pl.’s Suppl. Standing Br. at 9–10. But this is a merits argument,

26 and for purposes of standing, the court must assume the merits of Ciox’s claims—the precise

opposite interpretation put forward by HHS. See Warth v. Seldin, 422 U.S 490, 502 (1975);

see also City of Waukeshau v. EPA, 320 F.3d 228, 235 (D.C. Cir. 2003). HHS cannot defeat

standing by asserting it will prevail on the merits.

2. Ripeness

Next, HHS asserts that the court lacks jurisdiction because Ciox’s claims are not ripe.

See Defs.’ Mot. to Dismiss Mem. at 17–20. The court disagrees.

“Ripeness is a justiciability doctrine designed ‘to prevent the courts, through avoidance of

premature adjudication, from entangling themselves in abstract disagreements over administrative

policies, and also to protect the agencies from judicial interference until an administrative decision

has been formalized and its effects felt in a concrete way by the challenging parties.’” Nat’l Park

Hosp. Ass’n v. Dep’t of Interior, 538 U.S. 803, 807–08 (2003) (quoting Abbott Labs. v. Gardner,

387 U.S. 136, 148–149 (1967)). “Determining whether administrative action,” as here, “is ripe for

judicial review requires [courts] to evaluate (1) the fitness of the issues for judicial decision and

(2) the hardship to the parties of withholding court consideration.” Id. at 808. Under the first

prong, courts consider whether the issue presented is “purely legal,” whether the court’s

consideration would benefit from a more concrete setting, and whether the agency’s action is

“sufficiently final.” Nat’l Ass’n of Home Builders v. U.S. Army Corps of Eng’rs, 440 F.3d 459,

463–64 (D.C. Cir. 2006) (internal quotation marks omitted). As to the second prong, the question

is not whether the parties have suffered a “direct hardship,” but rather whether postponing judicial

review would impose an undue hardship or benefit the court. See id. (internal quotation marks

omitted). In the end, “the primary focus of the ripeness doctrine is to balance the [plaintiff’s]

interest in prompt consideration of allegedly unlawful agency action against the agency’s interest

27 in crystallizing its policy before that policy is subject to review and the court’s interest in avoiding

unnecessary adjudication and in deciding issues in a concrete setting.” AT&T Corp. v. FCC, 349

F.3d 692, 699 (D.C. Cir. 2003) (internal quotation marks omitted).

Ciox readily satisfies both prongs of the ripeness doctrine. It is undisputed that the issues

presented by Ciox are “purely legal,” as they involve questions of statutory interpretation and the

agency’s adherence to rulemaking requirements. See Compl. at 33–41. Having presented such

pure legal questions, Ciox’s claims are “presumptively suitable for judicial review.” AT&T Corp.,

349 F.3d at 699 (internal quotation marks omitted). HHS nonetheless contends that the dispute

would benefit from a more concrete setting, see Defs.’ Mot. to Dismiss. Mem. at 18–19, but never

explains what “additional factual development” is necessary to resolve the claims, Action All. of

Senior Citizens of Greater Phila. v. Heckler, 789 F.2d 931, 940 (D.C. Cir. 1986); cf. Nat’l Park

Hosp. Ass’n, 538 U.S. at 812 (finding administrative challenge unripe where “the question

presented here should await a concrete dispute about a particular concession contract”). HHS also

suggests that the “complex[ity]” of the statutory and regulatory scheme warrants a more specific

factual setting, Defs.’ Mot. to Dismiss Mem. at 19, but courts routinely deal with complex

administrative statutes and regulations, and there is nothing uniquely difficult about interpreting

the HITECH Act or the Privacy Rule that would justify deferring a decision to develop more facts.

On the second prong, Ciox plainly has demonstrated hardship in the form of financial

losses. HHS’s only response is that Ciox’s losses are not causally connected to the agency’s

actions, see Defs.’ Mot. to Dismiss Reply at 13, but the court already has found otherwise.

Moreover, where, as here, “there are no significant agency or judicial interests militating in favor

of delay, lack of hardship cannot tip the balance against judicial review.” Nat’l Ass’n of Home

Builders, 440 F.3d at 465 (cleaned up). HHS generically claims that it has “an interest in thinking

28 through its policy choices and completing its decisionmaking process,” Defs.’ Mot. to Dismiss

Reply at 13 (internal quotation marks and citation omitted), but it nowhere says what more thinking

or decisionmaking it is doing with respect to the 2013 Omnibus Rule or the 2016 Guidance. Ciox’s

claims are ripe.

B. Failure to State a Claim

HHS advances two grounds to dismiss Ciox’s causes of action for failure to state a claim.

First, HHS says that, under the HITECH Act, Ciox lacks “statutory standing,” which “concern[s]

a party’s cause of action, not the court’s jurisdiction.” See Kaplan v. Cent. Bank of the Islamic

Republic of Iran, 896 F.3d 501, 519–20 (D.C. Cir. 2018). Second, HHS asserts that the

2016 Guidance is not a challengeable final agency action under the APA, thereby requiring

dismissal of Counts Two and Three. The court considers each argument in turn.

1. Statutory Standing

HHS contends that Ciox lacks statutory standing because its “interests do not fall within

the zone of interests to be protected or regulated by” 42 U.S.C. § 17935(e)—the section of the

HITECH Act upon which Ciox bases its claims. See Defs.’ Mot. to Dismiss Mem. at 20–23. As

support, HHS asserts that § 17935(e) regulates only the fees that a covered entity may charge

patients but is silent as to how much and against whom a business associate may assess fees.

See id. at 22. The agency also points to two other statutory provisions, namely, §§ 17931(a) and

17934(a), that extend certain existing regulations to business associates, but exclude the “fee and

format” requirements of 45 C.F.R. § 164.524. Id. at 22–23.

In Lexmark International, Inc. v. Static Control Components, Inc., 572 U.S. 118 (2014),

the Supreme Court emphasized the “‘lenient approach’ that the courts must follow in determining

whether a party has stated a cause of action under the APA.” Indian River Cty. v. Dep’t of Transp.,

29 945 F.3d 515, 527 (D.C. Cir. 2019) (quoting Lexmark Int’l, 572 U.S. at 130). A plaintiff must

show that “the interest sought to be protected by the complainant is arguably within the zone of

interests to be protected or regulated by the statute . . . in question.” Ass’n of Data Processing

Serv. Orgs., Inc. v. Camp, 397 U.S. 150, 153 (1970). In making that assessment, courts must

consider the “context and purpose” of the relevant statutory provisions and regulations. See Indian

River Cty., 945 F.3d at 530 (quoting Match–E–Be–Nash–She–Wish Band of Pottawatomi Indians

v. Patchak, 567 U.S. 209, 226 (2012)). The “zone of interests” test is not “especially demanding”

in the APA context. Lexmark, 572 U.S. at 130 (quoting Match–E–Be–Nash–She–Wish Band of

Pottawatomi Indians, 567 U.S. at 224–25). For that reason, the Supreme Court has “conspicuously

included the word ‘arguably’ in the test to indicate that the benefit of any doubt goes to the

plaintiff.” Id. (quoting Match–E–Be–Nash–She–Wish Band of Pottawatomi Indians, 567 U.S. at

225). “[T]here does not have to be an indication of congressional purpose to benefit the would-be

plaintiff,” and “a plaintiff certainly need not be expressly listed as a beneficiary of a statutory

provision in order to be within its protected zone-of-interests.” Indian River Cty., 945 F.3d at 529–

30 (quoting Nat’l Credit Union Admin. v. First Nat. Bank & Tr. Co., 522 U.S. 479, 492 (1998)).

Ultimately, the test denies a right of review only “when a plaintiff’s ‘interests are so marginally

related to or inconsistent with the purposes implicit in the statute that it cannot reasonably be

assumed that Congress intended to permit the suit.’” Match-E-Be-Nash-She-Wish Band of

Pottawatomi Indians, 567 U.S. at 225 (citation omitted).

Although HHS insists that only covered entities are covered by the HITECH Act’s fees

restriction, the agency’s reading is far from obvious. To be sure, the HITECH Act refers expressly

only to the “fee that the covered entity may impose” for delivering PHI in electronic form.

42 U.S.C. § 17935(e)(3). But other portions of the Act are designed to extend existing regulatory

30 limits to business associates. Specifically, section 17934(a) of the HITECH Act provides that

business associates are subject to “each applicable requirement” of 45 C.F.R. § 164.504(e).

42 U.S.C. § 17934(a). Section 164.504(e) in turn cross-references § 164.524, see 45 C.F.R.

§ 164.504(e)(ii)(E) (stating that business associates must “[m]ake available [PHI] in accordance

with § 164.524”), the section which contains the Patient Rate, see id. § 164.524(c)(4). Thus, as

Ciox argues, by placing business associates within the reach of 45 C.F.R. § 164.524, the HITECH

Act would appear to extend the Patient Rate to business associates. See Pl.’s Opp’n Mem. at 8–9.

The court need not, for present purposes, decide whether HHS’s or Ciox’s reading of the

HITECH act is the correct one. The “lenient approach” to the zone-of-interests test in the APA

context merely requires the court to determine whether Ciox’s interests “are, at the least, ‘arguably

within the zone of interests’” regulated by the HITECH Act. Bank of Am. Corp. v. City of Miami,

137 S. Ct. 1296, 1303 (2017) (quoting Ass’n of Data Processing, 397 U.S. at 153). As Ciox’s

reading of the HITECH Act is entirely reasonable, Ciox easily surpasses that low bar.

2. Final Agency Action

Two independent conditions must be met for an agency action to be considered “final,”

and thus reviewable, for purposes of the APA. 5 U.S.C. § 704; Bennett v. Spear, 520 U.S. 154,

175 (1997). The challenged action must be the “consummation of the agency’s decisionmaking

process” and it must be an action in which “rights or obligations have been determined” or “legal

consequences will flow.” Bennett, 520 U.S. at 175 (internal quotation marks omitted); see also

Soundboard Ass’n v. Fed. Trade Comm’n, 888 F.3d 1261, 1267 (D.C. Cir. 2018). In approaching

the question of finality, the D.C. Circuit has warned that “courts should resist the temptation to

define the action by comparing it to superficially similar actions in the caselaw.” Cal. Cmtys.

31 Against Toxics v. EPA, 934 F.3d 627, 631 (D.C. Cir. 2019). “Rather, courts should take as their

NorthStar the unique constellation of statutes and regulations that govern the action at issue.” Id. 5

As to the first Bennett prong, the 2016 Guidance marks the consummation of the agency’s

decisionmaking process. 6 The Guidance “comes to a definitive conclusion,” Scenic Am., Inc. v.

U.S. Dep’t of Transp., 836 F.3d 42, 56 (D.C. Cir. 2016), as to the content and scope of the

allowable “reasonable, cost-based fee” permitted under the Privacy Rule, 45 C.F.R.

§ 164.524(c)(4), with regard to each of the three issues challenged by Ciox. The 2016 Guidance

confirms that (1) the Patient Rate applies to third-party directives and (2) the Patient Rate excludes

labor costs associated with searching for and retrieving responsive records, and it identifies three

ways in which to calculate the Patient Rate. The agency does not assert that its position as to any

of these issues remains in flux. Cf. Barrick Goldstrike Mines Inc. v. Browner, 215 F.3d 45, 48

(D.C. Cir. 2000) (stating that, to be a final agency action, the action “must not be of a merely

tentative or interlocutory nature”). HHS still urges the court “not [to] treat HHS’s guidance as the

‘consummation’ of its decisionmaking,” but in support of that position it simply repeats the

common refrain that the agency “retains complete discretion to rescind or change this guidance.”

Defs.’ Mot. to Dismiss Mem. at 25–26. It is well-settled, however, that the mere possibility of a

future revision cannot, by itself, make an agency act non-final. See Gen. Elec. Co. v. EPA, 290

F.3d 377, 380 (D.C. Cir. 2002); see also U.S. Army Corps of Eng’rs v. Hawkes Co., 136 S. Ct.

1807, 1814 (2016) (observing that the possibility of future revision “is a common characteristic of

5 At the outset, HHS urges the court to find that the 2016 Guidance is not a final agency action because it is an “interpretative” rule, as distinct from a “legislative” rule, as those terms are understood under the APA. See Defs.’ Mot. to Dismiss Mem. at 24. But that argument improperly conflates the finality analysis with “the related but separate analysis of whether an agency action is a legislative rule.” Cal. Cmtys. Against Toxics, 934 F.3d at 634. The court therefore undertakes a separate finality inquiry, as directed by the D.C. Circuit. 6 There is no dispute as to whether the 2013 Omnibus Rule is a final agency action. It clearly is. See Abbott Labs., 387 U.S. at 151–53 (holding that the publication of certain regulations by the FDA was final agency action).

32 agency action, and does not make an otherwise definitive decision nonfinal”). The first prong of

Bennett is therefore satisfied.

The second Bennett factor—whether “direct and appreciable legal consequences” flow

from the agency’s action, Bennett, 520 U.S. at 178—demands greater consideration in this case.

The Supreme Court has described this second inquiry as a “pragmatic” one. Hawkes Co., 136

S. Ct. at 1815 (internal quotation marks omitted). It is one “based on the concrete consequences

an agency action has or does not have as a result of the specific statutes and regulations that govern

it.” Cal. Cmtys. Against Toxics, 934 F.3d at 637. “The court here primarily looks to ‘the actual

legal effect (or lack thereof) of the agency action in question on regulated entities.’” Cal. By &

Through Brown v. EPA, 940 F.3d 1342, 1352 (D.C. Cir. 2019) (quoting Nat’l Mining Ass’n v.

McCarthy, 758 F.3d 243, 252 (D.C. Cir. 2014)). The parties address separately the legal

consequences (or lack thereof) of each of the three aspects of the 2016 Guidance challenged by

Ciox. So, the court does the same, starting with the Guidance’s statement that the Patient Rate

applies to third-party directives.

a. Patient Rate applies to third-party directives

The 2016 Guidance supplies the type of obligation, prohibition, or restriction on regulated

entities that makes it a final agency action insofar as it directs regulated entities to apply the Patient

Rate to fulfill third-party directives. See Valero Energy Corp. v. EPA, 927 F.3d 532, 536 (D.C.

Cir. 2019). It provides that “[the Patient Rate] appl[ies] when an individual directs a covered entity

to send the PHI to the third party.” 2016 Guidance at 16. The Guidance speaks to the issue without

qualification. It states: “[The Patient Rate] applies regardless of whether the individual has

requested that the copy of PHI be sent to herself, or has directed that the covered entity send the

copy directly to a third party designated by the individual (and it doesn’t matter who the third party

33 is).” Id. It also admonishes that the fee limit cannot be “circumvent[ed] . . . by treating individual

requests for access like other HIPAA disclosures—such as by having an individual fill out a

HIPAA authorization when the individual requests access to her PHI, including to direct a copy of

PHI to a third party.” Id. at 17. The 2016 Guidance thus provides an unequivocal command that

the Patient Rate applies to third-party directive requests. Accordingly, it bears the hallmarks of a

final agency action. See Appalachian Power Co. v. EPA, 208 F.3d 1015, 1023 (D.C. Cir. 2000)

(“At any rate, the entire Guidance, from beginning to end—except the last paragraph—reads like

a ukase. It commands, it requires, it orders, it dictates.”).

Additionally, the 2016 Guidance’s expansion of the Patient Rate satisfies the second

Bennett prong, because it indisputably has “direct and appreciable legal consequences” for, at a

minimum, one class of regulated persons—the covered entities. See Hawkes Co., 136 S. Ct. at

1814–15 (considering under the second Bennett prong the legal consequences for the agency and

nonparties). HHS does not assert otherwise. See Defs.’ Mot. to Dismiss Mem. at 11 (arguing that

challenged “provision[s] of the Privacy Rule and the guidance apply only to covered entities”).

This aspect of the 2016 Guidance has legal and practical consequences for business

associates, as well. See Valero Energy Corp., 927 F.3d at 537 (noting that, in addition an actual

legal effect, some D.C. Circuit cases “have indicated that the finality analysis can look to whether

the agency action has a practical effect on regulated parties, even if it has no formal legal force”). 7

HHS concedes that, pursuant to 45 C.F.R. § 164.402(c)(1), it can take enforcement action against

a covered entity if its business associate charges in excess of the Patient Rate. Defs.’ Suppl. Filing

7 Once more, the court need not reach the parties’ dispute as to whether the Patient Rate directly binds business associates. The court notes, however, the 2016 Guidance itself would appear to stake out a position different than the one advocated by the agency in this case. See 2016 Guidance at 27 (“[A]ll of the access requirements that apply with respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held by the business associate.”); id. at 17 (stating that “a covered entity (or a business associate) may not circumvent the access fee limitations”).

34 at 2 (“[I]f a ‘business associates’ charges . . . more than a ‘reasonable, cost-based fee’ for providing

a copy of an individual’s [PHI], it is the covered entity—with whom the business associate has

contracted to provide service—that is liable to HHS for violating the fee limitation.”); Defs.’ Mot.

to Dismiss Reply at 5 (“[W]hen a business associate fulfills a covered entity’s responsibilities

under § 164.524 as an agent, it is the covered entity who may be penalized to the extent that the

business associate’s actions do not comport with the law’s requirements on covered entities, not

the business associate.” (citing 45 C.F.R. § 164.402(c)(1))). The potential vicarious liability of

covered entities for the misdeeds of their business associates effectively compels business

associates to abide by the Patient Rate and its scope. Business associates who fail to charge the

Patient Rate for third-party directives risk incurring costs associated with indemnifying covered

entities or, even more seriously, termination of their contracts. Under the “pragmatic” approach

to finality, Hawkes Co., 136 S. Ct. at 1815, the 2016 Guidance’s extension of the Patient Rate to

third-party directives has both actual legal and practical consequences for business associates,

qualifying it as a final agency action.

HHS disputes that the 2016 Guidance’s discussion of the Patient Rate and third-party

directives has any independent legal or practical effect. Observing that the Guidance is “replete

with citations,” HHS claims that the discussion “does not issue a new directive or rescind an old

one; it merely explains what the regulation already directs.” Defs.’ Mot. to Dismiss Reply at 16;

see also id. (stating that “the guidance itself merely expounds on § 164.524’s requirements”). That

argument is flawed for two reasons. First, it fails to acknowledge the ambiguity in the text of

§ 164.524(c)(4). The regulation merely states that “[i]f the individual requests a copy of the [PHI]

. . . the covered entity may impose a reasonable, cost-based fee.” 45 C.F.R. § 164.524(c)(4). The

regulation is silent as to whether the reasonable, cost-based fee applies only when providing PHI

35 to the individual requestor or includes requests to send PHI to third parties. Second, and more

significantly, HHS’s position is fundamentally at odds with what it said in 2000 when it first

adopted the Patient Rate. HHS said then: “We do not intend to affect the fees that covered entities

charge for providing protected health information to anyone other than the individual,” 65 Fed.

Reg. at 82,557 (emphasis added), and “[t]he proposed and final rule establish the right to access

and copy records only for individuals, not other entities; the ‘reasonable fee’ is only applicable to

the individual’s request,” id. at 82,754 (emphasis added). HHS concluded: “The Department’s

expectation is that other existing practices regarding fees, if any, for the exchange of records not

requested by an individual will not be affected by this rule.” Id. Thus, when HHS adopted the

Patient Rate, it expressly limited it to PHI requested by, and for, the individual requester; the Rate

did not apply to PHI destined for third parties. That distinction makes sense, as the whole point

of placing a limit on fees was to ensure that individual patients would not be foreclosed or inhibited

from accessing their PHI by excessive fees. See id. at 82,556 (“We intend this provision to reduce

covered entities’ burden in complying with requests without reducing individuals’ access to

protected health information.”). That same rationale does not apply when the PHI is directed to

and paid for by a third party, like an insurance company or a law firm.

Still, HHS insists that the 2016 Guidance works no change in the legal obligations of

regulated entities. Although HHS accepts that the original Patient Rate rule “did not govern the

fees that covered entities charge for providing [PHI] to designated third parties,” Defs.’ Summ. J.

Mem. at 27 (citing 65 Fed. Reg. 82,557), it claims “that [policy] was overtaken by the HITECH

Act and subsequent modification of the Privacy Rule in 2013,” id. In other words, according to

HHS, the 2016 Guidance “at most clarifies HHS’s position regarding the effect of the 2013 rule,”

Defs.’ Mot. to Dismiss at 25, and therefore it “is not a certain change in the legal obligations of a

36 party,” as required to qualify as a final agency action, Nat’l Ass’n of Home Builders v. Norton, 415

F.3d 8, 15 (D.C. Cir. 2005). The agency’s argument, however, misreads the HITECH Act and

misunderstands the regulatory history.

The HITECH Act does not speak to the allowable fees for PHI that a person directs to a

third party. Rather, the Act provides that, “[i]n applying [45 C.F.R. § 164.524],” “notwithstanding

paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such

individual with a copy of such information . . . if such copy . . . is in an electronic form shall not

be greater than the entity’s labor costs in responding to the request for the copy.” 42 U.S.C.

§ 17935(e)(3) (emphasis added). Thus, the plain text of the HITECH Act’s fee limit concerns

“providing” PHI in electronic form to “such individual,” not to a third party. Id. This reading is

buttressed by the neighboring statutory language used to create the third-party directive, which

provides that individuals shall have the right to “to direct the covered entity to transmit such copy

direct to an entity or person designated by the individual,” i.e., a third party. Id. § 17935(e)(1).

Congress thus clearly understood how to reference third parties in the HITECH Act when it wanted

to but elected not to do so when establishing the fee limitation. Also, it stands to reason that, by

expressly referencing the existing Patient Rate regulation, Congress did not intend to modify the

then-existing scope of the Patient Rate, which, since its inception in 2000, applied only to delivery

of PHI to the individual requester, and not to third parties. If Congress had intended to expand the

Patient Rate beyond its original parameters, the court would have expected it to say so more

clearly. See Whitman v. Am. Trucking Ass’ns, 531 U.S. 457, 468 (2001) (“Congress, we have held,

does not alter the fundamental details of a regulatory scheme in vague terms or ancillary

provisions—it does not, one might say, hide elephants in mouseholes.”). Thus, contrary to HHS’s

position, the 2016 Guidance does not merely “clarify” the requirements of the HITECH Act.

37 Nor does the 2016 Guidance “clarify” the 2013 Omnibus Rule. That Rule did not untether

the Patient Rate from its original personal-use moorings established in 2000. To the contrary, the

Rule and the accompanying Federal Register discussion are silent as to the Patient Rate’s

applicability to third-party directives. To the extent the 2013 Omnibus Rule addressed the Patient

Rate, its focus was on defining the Rate’s recoverable cost components, not broadening the Rate’s

reach beyond its original scope. See 78 Fed. Reg. at 5,635–36. When asked at oral argument to

point to where in the 2013 Omnibus Rule the agency notified the industry that it had pivoted from

its over-decade-old position and expanded the Patient Rate to third-party directives, agency

counsel referenced the following explanatory text accompanying the Rule:

Section [17935(e)] of the HITECH Act strengthens the Privacy Rule’s right of access with respect to covered entities that use or maintain an [EHR] on an individual. Section [17935(e)] provides that when a covered entity uses or maintains an EHR with respect to [PHI] of an individual, the individual shall have a right to obtain from the covered entity a copy of such information in an electronic format and the individual may direct the covered entity to transmit such copy directly to the individual’s designee . . . . Section [17935(e)] also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity’s labor costs in responding to the request for the copy.

See Hr’g Tr., ECF No. 41, at 16:4–19:3 (citing 78 Fed. Reg. at 5,631) (emphasis added). But that

passage is no more than the agency’s summation of the HITECH Act’s new provisions; the Act,

as discussed, did not alter the status quo as to the Patient Rate’s coverage. The summary passage

also falls well short of the type clear recognition and articulation of a policy change required under

the APA. Cf. FCC v. Fox Television Stations, Inc., 556 U.S. 502, 515 (2009) (“To be sure, the

requirement that an agency provide reasoned explanation for its action would ordinarily demand

that it display awareness that it is changing position. An agency may not, for example, depart from

38 a prior policy sub silentio . . . .”). 8 The 2013 Omnibus Rule therefore did not alter the legal

landscape as it had stood since 2000 with respect to the Patient Rate. Accordingly, the 2016

Guidance’s broadening of the Patient Rate is a final agency action subject to review.

b. Costs Included in the Patient Rate

The next aspect of the 2016 Guidance challenged by Ciox is its exclusion from the Patient

Rate those labor costs associated with accessing, searching for, and compiling PHI. See Compl.

¶¶ 51–53, 76. HHS, once more, asserts that this portion of the 2016 Guidance is not final, because

it does not impose any rights, obligations, or legal consequences on regulated entities; rather, it

“publicly clarifies HHS’s position about what 45 C.F.R. §164.524(c)(4)(i) has always meant by

allowing covered entities to charge labor costs for copying.” Defs.’ Mot. to Dismiss at 25. For its

part, Ciox describes the 2016 Guidance’s directions on allowable labor costs as a “dramatic

change[ ] to the component terms of the Patient Rate,” Compl. ¶ 51, one that conflicts with the

plain terms of the 2013 Omnibus Rule, which allowed recovery of the costs of “skilled technical

staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and

burning [PHI] to media, and distributing the media.” 78 Fed. Reg. at 5,636.

The 2016 Guidance’s directives concerning allowable labor costs give rise to “direct and

appreciable legal consequences.” Bennett, 520 U.S. at 178. On this topic, the 2016 Guidance

reads like a recipe from which a chef is not permitted to deviate. See 2016 Guidance at 10–12.

It starts by stating that covered entities may charge individuals a fee for providing a copy of PHI

“but only within specific limits.” Id. at 10. Reasonable labor costs include “only”—the underscore

for emphasis is in the Guidance itself—the “labor for copying the PHI requested by the individual,

8 As further evidence that the 2013 Omnibus Rule did not work a change, Ciox’s counsel represented that it had reviewed all comments from the 2013 Regulation’s notice-and-comment process, and not one comment discussed the Patient Rate applying to third-party directives. See Hr’g Tr., ECF No. 41, at 53:17–54:1.

39 whether in paper or electronic form.” Id. at 11. 9 “Labor for copying includes only labor for

creating and delivering the electronic or paper copy in the form and format requested or agreed

upon by the individual, once the PHI that is responsive to the request has been identified, retrieved

or collected, compiled and/or collated, and is ready to be copied.” Id. Examples of covered labor

activities contained in the 2016 Guidance include “[p]hotocopying paper PHI”; “[s]canning paper

PHI into an electronic format”; converting from one electronic format to another; transferring

electronic PHI from a covered entity’s system to an electronic delivery system or platform, like a

web-based portal, portable media, or email; and creating or executing an email with responsive

PHI. Id. at 12. The Guidance is equally precise in identifying what is not included in the Patient

Rate. “[L]abor for copying does not include labor costs associated with: [r]eviewing the request

for access,” and “[s]earching for, retrieving, and otherwise preparing the responsive information

for copying.” Id. This latter excluded cost category covers “labor to locate the appropriate

designated record sets about the individual, to review the records to identify the PHI that is

responsive to the request and to ensure the information relates to the correct individual, and to

segregate, collect, compile, and otherwise prepare the responsive information for copying.” Id.

The 2016 Guidance thus seeks to draw a bright line between the labor costs incurred in the process

of duplicating and delivering PHI—which are recoverable—and the labor costs antecedent to

duplication and delivery—which are not. See id. at 10. HHS made sure regulated entities

understood that this “clarification” represented the agency’s interpretation of the Patient Rate,

see id. (“This clarification is important to ensure that the fees charged reflect only what the

Department considers ‘copying’ for purposes of applying 45 CFR 164.524(c)(4)(1) . . . .”), and

reminded them that it “will take enforcement action where necessary,” id. at 11. The 2016

9 Allowable reasonable labor costs also include “labor to prepare an explanation or summary of PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.” Id.

40 Guidance’s firm prescriptions as to what can and cannot be included in the Patient Rate, when

coupled with the attendant enforcement threat in the event of noncompliance, create actual legal

consequences for regulated entities that render this challenged aspect of the Guidance a final

agency action.

HHS’s insistence that the 2016 Guidance breaks no new ground and merely “publicly

clarifies” what the regulations have meant all along, Defs.’ Mot. to Dismiss at 25, does not defeat

its classification as a final agency action. In Hawkes Co., the Supreme Court described its earlier

decision in Frozen Food Express v. United States, 351 U.S. 40 (1956), as follows:

[There,] we considered the finality of an order specifying which commodities the Interstate Commerce Commission believed were exempt by statute from regulation, and which it believed were not. Although the order “had no authority except to give notice of how the Commission interpreted” the relevant statute, and “would have effect only if and when a particular action was brought against a particular carrier,” Abbott, 387 U.S. at 150, we held that the order was nonetheless immediately reviewable, Frozen Food, 351 U.S. at 44–45. The order, we explained, “warns every carrier, who does not have authority from the Commission to transport those commodities, that it does so at the risk of incurring criminal penalties.” Id. at 44.

Hawkes Co., 136 S. Ct. at 1815. The same is true of the 2016 Guidance in this case. It too

expresses the agency’s view, in categorical terms, as to what costs are covered by the Patient Rate.

Any regulated entity that runs afoul of this aspect of the 2016 Guidance does so at the risk of

inviting an agency investigation and incurring civil penalties. Indeed, the agency has noticed its

intention to enforce the Patient Rate, as it is interpreted in the 2016 Guidance, on multiple

occasions. See Ciox Letter (letter from HHS to Ciox opening an investigation into charging fees

in excess of the Patient Rate, though the agency later closed the investigation claiming lack of

enforcement authority); Pl.’s Reply to Defs.’ Suppl. Filing, Decl. of Marla Herndon DeLatte, ECF

No. 38-1, ¶ 4 & Ex. A, ECF No. 38-2, at 2, 4, 6 (announcing an investigation of MedSouth, a

41 records management company, for charging in excess of the Patient Rate). Thus, like the order in

Frozen Foods, the 2016 Guidance’s directive on the permissible components of the Patient Rate

qualifies as a final agency action.

c. Three Methods for Calculating the Patient Rate

The court reaches a different conclusion with respect to the last portion of the 2016

Guidance challenged by Ciox—HHS’s listing of three methodologies for calculating the Patient

Rate. That aspect of the Guidance, unlike those previously discussed, “imposes no obligations,

prohibitions, or restrictions.” Valero Energy Corp., 927 F.3d at 536. Rather, in recognizing three

ways in which to calculate the Patient Rate, the 2016 Guidance speaks in permissive, not

mandatory, terms. See Nat’l Ass’n of Home Builders, 415 F.3d at 14 (finding an agency action to

be non-final that was “consistently referred to in agency documents as ‘recommended,’ rather than

mandatory”). The Guidance states that “[t]he following methods may be used, as specified below,

to calculate [the Patient Rate]:” actual costs, average costs, or a $6.50 flat fee. 2016 Guidance at

14–15 (emphasis added). The 2016 Guidance confirms that no one method is mandated. It

provides that, even where an entity generally chooses to use the average cost or flat-fee methods,

it is free to use the actual cost method when it “receive[s] an unusual or uncommon type of request

that it had not considered in setting up its fee structure.” Id. at 15. Furthermore, the Guidance

makes clear that $6.50 is not the maximum allowable fee for PHI. It answers “No” to the question

“Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their

PHI?” Id. At bottom, whatever method an entity chooses to calculate the Patient Rate, the 2016

Guidance makes clear that the entity is compliant so “long as the costs [assessed] are reasonable

and only the type permitted by the Privacy Rule.” Id.

42 Ciox acknowledges that the 2016 Guidance uses permissive language to describe the three

ways of calculating the Patient Rate, but nevertheless contends that “the key point here is that [the

Guidance] allow[s] CIOX to choose only from these three methods and expressly bar[s] Ciox from

charging the traditional state-authorized rates it would prefer.” Pl.’s Opp’n Mem. at 39. In that

way, Ciox says, this case is controlled by the D.C. Circuit’s decision in General Electric Co. v.

EPA, 290 F.3d 377 (D.C. Cir. 2002), in which the court purportedly “had no trouble recognizing

that [ ] optionality does not make a guidance any less mandatory,” Pl.’s Opp’n Mem. at 39. But

that argument is unpersuasive. Nowhere does the 2016 Guidance state, expressly or otherwise,

that the three identified methods are the only acceptable means of calculating the Patient Rate.

Ciox is free to use any method it wishes to calculate the Patient Rate, so long as it produces a

reasonable fee that includes only “certain labor, supply, and postage costs,” as authorized by

§ 164.524(c)(4). 2016 Guidance at 13.

Nor does General Electric help Ciox. In that case, the court considered an EPA guidance

document that offered two alternatives to obtaining preapproval for waste disposal based on a risk

assessment approach, in lieu of approaches specified in the regulations. General Electric, 290

F.3d at 379. The EPA guidance specified that applicants may take “either of two approaches to

risk assessment.” Id. The applicant could either (1) calculate cancer and non-cancer risks

separately or (2) use a defined “total toxicity factor” to account for cancer and non-cancer risks

together. Id. (internal quotation marks omitted). The court found that the EPA guidance was a

final agency action, although it did so in the context of determining that the controversy was ripe

for judicial review. Id. at 380. The court also held—in the portion of the decision upon with Ciox

relies—that the EPA guidance was a legislative rule, because it “bind[s] applicants for approval of

a risk-based cleanup plan” under the controlling regulations. Id. at 384. The fact that the guidance

43 presented two options for calculating risk did not change that assessment, the court explained,

because the guidance “still requires [applicants] to conform to one or the other, that is, not to

submit an application based upon a third way. . . . [I]n reviewing applications the Agency will not

be open to considering approaches other than those prescribed in the Document.” Id. Here, in

sharp contrast, the three options that HHS presents for calculating the Patient Rate do not arise, as

in General Electric, in the context of seeking agency approval pursuant to any regulation. See

Cal. Cmtys. Against Toxics, 934 F.3d at 637 (directing that the Bennett prong-two determinations

be made “based on the concrete consequences an agency action has or does not have as a result of

the specific statutes and regulations that govern it”). In General Electric, unless the applicant

conformed to the standards set forth in the EPA’s guidance, it risked agency rejection of its cleanup

plan. 290 F.3d at 384–85. No similar consequence attends the three methods set forth in the 2016

Guidance. Instead, the Guidance presents three options for calculating the Patient Rate, and it

leaves it to the entity to decide which approach to use as appropriate. Thus, an entity is not directed

to use any particular method and, indeed, the Guidance does not foreclose the possibility of using

a different method altogether, so as long as it produces a reasonable fee that is consistent with the

allowable component costs. Nor does the Guidance fix a cap on the Patient Rate. To the contrary,

although it identifies a flat fee of $6.50 as one option, the Guidance expressly contemplates that in

some instances a reasonable fee could exceed that amount. 2016 Guidance at 15. Thus, there is

no specific legal consequence for charging in excess of $6.50 for delivery of PHI. As it presents

no more than a non-exhaustive list of options for calculating the Patient Rate, that aspect of the

2016 Guidance is not a reviewable final agency action.

Ciox’s additional complaint that it cannot charge the state-authorized rates it prefers does

not transform the alternative methodologies into final agency action. That roadblock is attributable

44 to a different aspect of the 2016 Guidance. Ciox admits that, under its business model, and as is

typical of standard industry practice, it charges state-authorized rates only for PHI requests

directed to third parties; it charges the Patient Rate, if at all, for personal requests. See Kabaria

Decl. ¶¶ 11, 13, 17; Gartland Decl. ¶¶ 11–12; Compl. ¶¶ 31–32, 40. Thus, Ciox’s lament that it

cannot charge state-authorized rates is traceable to the Guidance’s extension of the Patient Rate to

third-party requests, not to the three identified methods for calculating the Patient Rate. That

aspect of the 2016 Guidance therefore is not a reviewable agency action.

C. The Merits of Ciox’s APA Claims

1. 2013 Omnibus Rule

At last, the court arrives at the merits of Ciox’s claims, beginning with Count One. The

2013 Omnibus Rule modified the Privacy Rule to require providers to deliver an individual’s PHI

to third parties regardless of whether the information is contained in an EHR. See 45 C.F.R.

§ 164.524(c)(2)(i)–(ii), (3)(ii). It also obligated providers to make PHI available in “the format

requested by the individual.” Id. § 164.524(c)(2)(i)–(ii). Count One contests these changes.

See Compl. ¶¶ 59–65. Ciox asserts that this expansion by rulemaking violates the APA “because

it (1) conflicts with HITECH’s plain language, and (2) exceeds HHS’s lawful authority.” Pl.’s

Opp’n. Mem. at 29. The court concurs with both arguments.

Either framing of Ciox’s APA claim in Count One is controlled by the Chevron framework.

See Chevron, U.S.A., Inc. v. Nat. Res. Def. Council, Inc., 467 U.S. 837 (1984). In every challenge

to agency action, “the question a court faces when confronted with an agency’s interpretation of a

statute it administers is always, simply, whether the agency has stayed within the bounds of its

statutory authority.” City of Arlington v. FCC, 569 U.S. 290, 297 (2013). Stated differently, “the

question in every case is, simply, whether the statutory text forecloses the agency’s assertion of

45 authority, or not.” Id. at 301. The answer to that question is determined by following the Chevron

two-step framework. See id. at 307. Under that approach, “applying the ordinary tools of statutory

construction, the court must [first] determine ‘whether Congress has directly spoken to the precise

question at issue. If the intent of Congress is clear, that is the end of the matter; for the court, as

well as the agency, must give effect to the unambiguously expressed intent of Congress.’” Id. at

296 (quoting Chevron, 467 U.S. at 842–43). If, however, “the statute is silent or ambiguous with

respect to the specific issue, the question for the court is whether the agency’s answer is based on

a permissible construction of the statute.” Chevron, 467 U.S. at 843.

The HITECH Act on its face is far more limited than the 2013 Omnibus Rule. It provides

that, “in the case that a covered entity uses or maintains an [EHR] with respect to [PHI],” an

individual has “a right to obtain” a “copy of such information in an electronic format” and to

transmit “such copy” to a third party. 42 U.S.C. § 17935(e)(1). The Act says nothing about a right

to transmit PHI contained in any format other than an EHR. This plain text limitation prompted

HHS to observe during the rulemaking process that § 17935(e) “applies by its terms only to [PHI]

in EHRs.” 78 Fed. Reg. at 5,631.

Still, HHS insisted then, as it does now, that it has the authority to extend the third-party

directive to reach PHI contained in formats other than EHRs. HHS justified this expansion during

the rulemaking as follows:

Section [17935(e)] applies by its terms only to [PHI] in EHRs. However, incorporating these new provisions in such a limited manner in the Privacy Rule could result in a complex set of disparate requirements for access to [PHI] in EHR systems versus other types of electronic records systems. As such, the Department proposed to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section [17935(e)] of the HITECH Act more uniformly to all [PHI] maintained in one or more designated record

46 sets electronically, regardless of whether the designated record set is an EHR.

Id. Thus, during the rulemaking, HHS looked to another statute, section 264(c) of HIPAA, for its

authority to expand the third-party directive, not the HITECH Act. Now, cloaking itself in section

264(c)’s “broad grant of authority from Congress to HHS as to the regulation of medical

information,” Defs.’ Summ. J. Opp’n at 15 (quoting S.C. Med. Ass’n v. Thompson, 327 F.3d 346,

353 (D.C. Cir. 2003)), HHS asserts that such “authority necessarily gives the Secretary the ability

to change the standards and procedures he has established to reflect actual experience gained in

implementing pre-existing Privacy Rule [regulations] as well as changes in technology and

medical record-keeping practices,” id. at 16.

HHS’s argument suffers from multiple flaws. For one, neither the plain text nor the

structure of the HITECH Act supports the agency’s position. As HHS properly conceded during

the rulemaking process, section 17935(e) “applies by its terms only to [PHI] in EHRs.” 78 Fed.

Reg. at 5,631. Moreover, section 17935(e) evinces no intent by Congress for HHS to take steps to

augment or further define the third-party directive. In sharp contrast, in the preceding sub-

paragraphs of § 17935—sections (b), (c), and (d)—Congress required HHS to fill in gaps left by

the statute. See 42 U.S.C. § 17935(b)(1)(B) (stating that “the Secretary shall issue guidance on

what constitutes ‘minimum necessary’ for purposes of subpart E of part 164 of [45 C.F.R.]”);

§ 17935(c)(2) (stating “[t]he Secretary shall promulgate regulations on what information shall be

collected about each disclosure referred to in paragraph (1)”); § 17935(d)(3) (providing that “the

Secretary shall promulgate regulations to carry out this subsection”). The absence of any similar

directive by Congress in paragraph (e) is telling. “Congress knows to speak in plain terms when

it wishes to circumscribe, and in capacious terms when it wishes to enlarge, agency discretion,”

47 City of Arlington, 569 U.S. at 296, and here Congress spoke plainly in limiting the reach of the

third-party directive.

Timing is also relevant. The Privacy Rule preceded the HITECH Act by nearly a decade.

So, Congress would have known when it enacted the HITECH Act in 2009 that the Privacy Rule,

at that time, required covered entities to “provide the individual with access to the protected health

information in the form or format requested by the individual, if it is readily producible in such

form or format; or, if not, in a readable hard copy form or such other form or format as agreed to

by the covered entity and the individual.” 45 C.F.R. § 164.524(c)(2)(i) (2008). Yet, when it

defined the reach of the third-party directive, Congress elected not to draw the directive as

expansively as the Privacy Rule’s guarantee of access “in the form or format requested by the

individual.” Instead, Congress created a more restricted patient right to transmit only an EHR “in

an electronic format” to a third person. 42 U.S.C. § 17935(e)(1). HHS’s fear that such a limited

right would give rise to a hodgepodge of “disparate requirements” for accessing PHI cannot justify

its “strengthen[ing] the [statutory] right of access.” 78 Fed. Reg. at 5,631. “Disagreeing with

Congress’s expressly codified policy choices isn’t a luxury administrative agencies enjoy.” Cent.

United Life Ins. Co. v. Burwell, 827 F.3d 70, 73 (D.C. Cir. 2016).

Nor can HHS turn to Section 264(c) of HIPAA as the source for its power to expand the

third-party directive. As a threshold matter, whether HHS retains general rulemaking power under

that statute is not free from doubt. Section 264 of HIPAA, which Congress passed in 1996, directed

HHS to develop “detailed recommendations on standards with respect to the privacy of

individually identifiable health information” and submit them to Congress within 12 months.

HIPAA § 264(a) (formerly codified at 42 U.S.C. § 1320d-2). In the event Congress received the

agency’s recommendations but did not act within 36 months of the HIPAA’s enactment, HIPAA

48 directed HHS “to promulgate final regulations containing such standards not later than the date

that is 42 months after the date of the enactment of this Act.” Id. § 264(c)(1) (formerly codified

at 42 U.S.C. § 1320d-2). Congress did not act within the prescribed time, so the agency adopted

final privacy regulations as directed. See generally HHS, Standards for Privacy of Individually

Identifiable Health Information—Final Rule, 65 Fed. Reg. 82,462 (Dec. 28, 2000). HHS’s power

to promulgate additional individual-privacy regulations pursuant to § 264(c) thus arguably expired

long ago. HHS nonetheless insists that its rulemaking authority pursuant to § 264(c) remains

extant. See Defs.’ Mot. for Summ. J. at 15–17, 19–21.

The court need not definitively resolve the issue. For even if HHS’s power to make rules

pursuant to § 264(c) is alive and well, an agency’s general rulemaking authority cannot be used to

expand a congressionally imposed restriction, see Teva Pharm. Indus. Ltd. v. Crawford, 410 F.3d

51, 55 (D.C. Cir. 2005); Nat. Res. Def. Council, Inc. v. Reilly, 976 F.2d 36, 41 (D.C. Cir. 1992),

and “Congress’s more specific enactment controls a prior grant of general authority,” Helicopter

Ass’n Int’l, Inc. v. FAA, 722 F.3d 430, 435 (D.C. Cir. 2013). In short, HHS cannot rely on its

general rulemaking authority to supplement the limited-scope, third-party directive enacted by

Congress. 10 The 2013 Omnibus Rule’s expansion of the third-party directive is therefore arbitrary

and capricious.

2. 2016 Guidance

That leaves Ciox’s APA challenges to two aspects of the 2016 Guidance, which are Counts

Two and Three of the Complaint, respectively: (1) applying the Patient Rate to third-party

directives, and (2) excluding from the Patient Rate the labor costs of searching for and retrieving

PHI. (The court already found the 2016 Guidance’s identification of three methods to calculate

10 Ciox also argued that Defendants’ interpretation of HIPAA § 264(c) would violate the non-delegation doctrine. See Pl.’s Mem. at 32–33. The court need not reach this issue.

49 the Patient Rate is a nonreviewable, nonfinal agency action.) With respect to both the Patient Rate

expansion and the exclusion of certain labor costs from the Patient Rate, Ciox contends that those

actions are procedurally invalid because they are legislative rules that HHS failed to subject to

notice and comment. See Pl.’s Opp’n Mem. at 34–40. Additionally, Ciox maintains that the

Patient Rate expansion is substantively invalid as it conflicts with the plain language of the

HITECH Act. See id. at 40–43. The court first considers the parties’ arguments concerning

broadening the Patient Rate before turning to the limits placed on recoverable labor costs.

a. Patient Rate Expansion

The expansion of the Patient Rate in the 2016 Guidance is a legislative rule.

“[L]egislative rules are those that grant rights, impose obligations, [ ] produce other significant

effects on private interests, or . . . effect a change in existing law or policy.” Am. Tort Reform

Ass’n v. Occupational Safety & Health Admin., 738 F.3d 387, 395 (D.C. Cir. 2013) (internal

quotation marks and citations omitted). Stated differently, a rule is legislative, and therefore must

undergo notice and comment, when it “change[s] the law,” Nat’l Res. Def. Council v. EPA, 643

F.3d 311, 320 (D.C. Cir. 2011), or “effectively amends a prior legislative rule,” Am. Min. Cong. v.

Mine Safety & Health Admin., 995 F.2d 1106, 1112 (D.C. Cir. 1993). On the other hand, an agency

action that merely “clarifies” the agency’s interpretation of the legal landscape and that neither

binds the agency nor “create[s] a new burden” on regulated entities is not a legislative rule.

See Catawba County v. EPA, 571 F.3d 20, 34 (D.C. Cir. 2009); see also United Techs. Corp. v.

EPA, 821 F.2d 714, 718 (D.C. Cir. 1987). In distinguishing between legislative and non-legislative

rules, courts consider both the actual legal effects of the agency action and the agency’s

characterization of the action, see Nat’l Mining Ass’n v. McCarthy, 758 F.3d 243, 252 (D.C. Cir.

50 2014), though agencies cannot “avoid notice and comment simply by mislabeling their substantive

pronouncements,” Azar v. Allina Health Servs., 139 S. Ct. 1804, 1812 (2019).

Here, the 2016 Guidance works a change in the law with respect to the Patient Rate and

therefore is a legislative rule that HHS had no authority to adopt without notice and comment.

See Nat’l Res. Def. Council, 643 F.3d at 320. As explained above, the 2016 Guidance’s

unequivocal command that the Patient Rate applies to all third-party directives cannot be sourced

to either the HITECH Act or the 2013 Omnibus Rule. Neither the legislation nor the regulations

makes the Patient Rate applicable to third-party directives. The HITECH Act on its face applies

the Patient Rate only to individual requests for PHI in electronic form, and the 2013 Omnibus Rule

says nothing at all about the Patient Rate’s application. Indeed, the 2016 Guidance represents an

about-face from HHS’s proclamation, made in 2000 when it first adopted the Privacy Rule and the

Patient Rate, that “[w]e do not intend to affect the fees that covered entities charge for providing

protected health information to anyone other than the individual,” 65 Fed. Reg. at 82,557

(emphasis added), and “[t]he proposed and final rule establish the right to access and copy records

only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual’s

request,” id. at 82,754 (emphasis added); see also id. (“The Department’s expectation is that other

existing practices regarding fees, if any, for the exchange of records not requested by an individual

will not be affected by this rule.”). HHS could have made such a dramatic change only through

notice and comment.

Having determined that HHS extended the Patient Rate to third-party directives in violation

of the APA’s notice-and-comment requirement, the question becomes whether the court should go

on to resolve Ciox’s substantive challenge. See Nat’l Res. Def. Council, 643 F.3d at 321. In so

deciding, the court must be conscious not to “prejudge[e] the notice-and-comment process, the

51 very purpose of which is to give interested parties the opportunity to participate in rulemaking and

to ensure that the agency has before it all relevant information,” but on the other hand, be mindful

of whether passing on making a substantive determination would exacerbate the injury to Ciox

and other affected entities. See id.

Having weighed these factors, the court declines to enter judgment on the merits of Ciox’s

substantive claim. Ciox’s limited substantive challenge to the Patient Rate expansion is that it

conflicts with the plain text of the HITECH Act. See Pl.’s Opp’n Mem. at 41–43. As discussed,

the court does not read the HITECH Act to support the agency’s expanded treatment of the Patient

Rate to third-party directives. The court is reluctant, however, to commit that interpretation to a

judgment out of concern that it could be viewed as foreclosing HHS from revisiting its original

articulation, from 2000, of the Patient Rate’s scope. Such a re-evaluation, if it is to occur, is better

undertaken without a judgment from the court that might be viewed as prejudging a fulsome

notice-and-comment process.

b. Exclusion of labor costs for search and retrieval

The 2016 Guidance’s exclusion of skilled technical staff time to search and retrieve PHI

from the Patient Rate is an interpretive rule that the agency was not required to subject to notice

and comment. Although the court held this proscription to be final for purposes of judicial review,

it is not a legislative rule because it breaks no new legal ground but merely clarifies ambiguity

arising from the 2013 Omnibus Rule. See Cal. Cmtys. Against Toxics, 934 F.3d at 635 (drawing

a distinction between finality analysis and rule classification under the APA); see also Cellnet

Commc’n, Inc. v. FCC, 965 F.2d 1106, 1110–11 (D.C. Cir. 1992), as amended (Sept. 4, 1992)

(holding that an agency’s action that “resolved an ambiguity” in its own rules was not a legislative

rule because it “clarified, rather than changed, the rules”); United Techs. Corp. v. EPA, 821 F.2d

52 714, 718 (D.C. Cir. 1987) (explaining that a rule is interpretive, not legislative, when it “simply

states what the administrative agency thinks the underlying [law] means, and only reminds affected

parties of existing duties” (cleaned up)).

Contrary to Ciox’s contention, the 2013 Omnibus Rule did not authorize entities to bill for,

under the Patient Rate, skilled technical staff time devoted to “segregate, collect, compile, and

otherwise prepare the responsive [PHI] for copying.” See Pl.’s Combined Reply Mem. in Supp.

of Mot. for Summ. J. and in Opp’n to Defs.’ Cross-Mot., ECF No. 25, at 18 (quoting 2016

Guidance at 12). The Rule itself is vague as to the specifics, providing only that the Patient Rate

includes “[l]abor for copying the protected health information requested by the individual, whether

in paper or electronic form.” 45 C.F.R. § 164.524(c)(4)(i). The explanatory text accompanying

the 2013 Omnibus Rule tried to provide some clarity. It attempted to draw a line between labor

costs incurred in identifying and retrieving PHI, which is not recoverable, and the labor costs

associated with copying such information, which is recoverable. The 2013 Omnibus Rule

explained that,

although the proposed rule indicated that a covered entity could charge for the actual labor costs associated with the retrieval of electronic information, in this final rule we clarify that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs). This interpretation will ensure that the fee requirements for electronic access are consistent with the requirements for hard copies, which do not allow retrieval fees for locating the data.

78 Fed. Reg. at 5,636 (emphasis added). The 2013 Omnibus Rule thus tried to make clear that

labor associated with “locating the data” is excluded from the Patient Rate. The 2016 Guidance

draws the same line. It states that “copying” costs include “labor for creating and delivering the

electronic or paper copy in the form and format requested or agreed upon by the individual, once

the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or

53 collated, and is ready to be copied.” 2016 Guidance at 11 (emphasis added). So, the labor costs

associated with preparing the responsive information for copying cannot be recovered, but the

labor costs incurred in copying can be.

To be sure, HHS bears responsibility for any industry uncertainty as to what precise actions

qualify as “[l]abor for copying” PHI that can be charged under the Patient Rate. 45 C.F.R.

§ 164.524(c)(4)(i). In 2013, the agency wrote that “labor costs included in [the Patient Rate] could

include skilled technical staff time spent to create and copy the electronic file, such as compiling,

extracting, scanning and burning [PHI] to media.” 78 Fed. Reg. at 5,636 (emphasis added). But

in 2016, the agency stated that the Patient Rate “does not include labor costs associated with . . .

segregat[ing], collect[ing], compil[ing], and otherwise prepar[ing] the responsive information for

copying.” 2016 Guidance at 12 (emphasis added). The overlapping use of the verb “compile,”

along with the use of near synonyms such as “extract” and “collect,” is surely a source of great

confusion—and frustration—within the industry. But the agency’s word soup does not alter what

the Privacy Rule allows, which is recovery of the costs of “[l]abor for copying [PHI],” as distinct

from the costs incurred from pre-copying activities. 45 C.F.R. § 164.524(c)(4)(i). The 2016

Guidance’s instructions concerning the component costs of the Patient Rate therefore do not

qualify as a legislative rule.

IV. CONCLUSION

For the foregoing reasons, the court grants in part and denies in part Defendants’ Motion

to Dismiss, ECF No. 9, grants in part and denies in part Ciox’s Cross-Motion for Summary

Judgment, ECF No. 12, and grants in part and denies in part Defendants’ Cross-Motion for

Summary Judgment, ECF No. 22.

54 Consistent with this Memorandum Opinion, the court (1) declares unlawful and vacates the

2013 Omnibus Rule insofar as it expands the HITECH Act’s third-party directive beyond requests

for a copy of “an [EHR] with respect to [PHI] of an individual . . . in an electronic format,”

42 U.S.C. § 17935(e); and (2) declares unlawful and vacates the 2016 Guidance insofar as it,

without going through notice and comment, extends the Patient Rate to reach third-party directives.

A final order accompanies this Memorandum Opinion.

Dated: January 23, 2020 Amit P. Mehta United States District Court Judge