rejecting application to third-party requestsSummary of this case from Deming v. Ciox Health, LLC
Case No. 18-cv-00040 (APM)
Jay Philip Lefkowitz, Gilad Bendheim, Kirkland & Ellis LLP, New York, NY, Thomas J. Tobin, Perkins Coie LLP, Seattle, WA, Michael D. Shumsky, Hyman, Phelps & McNamara, P.C., Washington, DC, for Plaintiff. Vinita B. Andrapalliyal, U.S. Department of Justice, Washington, DC, for Defendants.
Jay Philip Lefkowitz, Gilad Bendheim, Kirkland & Ellis LLP, New York, NY, Thomas J. Tobin, Perkins Coie LLP, Seattle, WA, Michael D. Shumsky, Hyman, Phelps & McNamara, P.C., Washington, DC, for Plaintiff.
Vinita B. Andrapalliyal, U.S. Department of Justice, Washington, DC, for Defendants.
Amit P. Mehta, United States District Court Judge
Plaintiff Ciox Health, LLC ("Ciox") is a specialized medical-records provider that contracts with healthcare suppliers nationwide to maintain, retrieve, and produce individuals' protected health information ("PHI"). Ciox handles tens of millions of records requests annually for its clients. Such requests include PHI demands by healthcare providers for treatment purposes, patients asking for their own PHI, and third parties, such as life insurance companies and law firms, seeking a patient's PHI for commercial or legal reasons. This case centers on various legal restrictions and conditions placed on producing PHI. Most significantly, it concerns what a company like Ciox can charge for searching for, retrieving, and delivering PHI. To ensure that patient access to PHI is not thwarted by excessive fees, the United States Department of Health and Human Services ("HHS") has adopted rules that limit what companies may charge for delivering PHI. These restrictions are known as the "Patient Rate." For years, the medical records industry understood that the limitations imposed by the Patient Rate applied only to requests for PHI made by the patient for use by the patient. For other types of requests, such as those made by commercial entities, like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the Patient Rate. That understanding changed, however, in 2016, when HHS issued a guidance document, which stated that the Patient Rate applies even to requests to deliver PHI to third parties. This change, according to Ciox, caused Ciox and other medical records companies to lose millions of dollars in revenue. Ciox challenges the 2016 expansion of the Patient Rate as violative of the procedural and substantive protections of the Administrative Procedure Act ("APA").
In addition to the scope of the Patient Rate, Ciox also contests two additional pronouncements made by HHS in the 2016 guidance document. The first addresses the types of labor costs that are recoverable under the Patient Rate. The second concerns three alternative methods identified for calculating the Patient Rate. Ciox argues that these actions violate the APA's procedural and substantive provisions. Ciox also challenges under the APA a regulation adopted in 2013, which requires records companies to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient. According to Ciox, Congress required only that certain types of electronic health records be delivered to third parties, not all records regardless of their format, as HHS's regulations now command.
Before the court is HHS's motion to dismiss and the parties' cross-motions for summary judgment. For the reasons discussed below, HHS's motion to dismiss is granted in part and denied in part, and the parties' cross-motions are granted in part and denied in part. The court rejects the agency's grounds for dismissal in all respects, except one: the court finds that the agency's three methods for calculating the Patient Rate is not a reviewable final agency action. That claim is thus dismissed. As for the parties' cross-motions, the court holds that: (1) HHS's 2013 rule compelling delivery of PHI to third parties regardless of the records' format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress; (2) HHS's broadening of the Patient Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA; and finally, (3) HHS's 2016 explanation concerning what labor costs can be recovered under the Patient Rate is an interpretative rule that HHS was not required to subject to notice and comment. Accordingly, the court declares unlawful and vacates (1) the 2016 Patient Rate expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format.
A. Statutory and Regulatory Background
1. HIPAA and the Privacy Rule (2000)
In 1996, Congress passed the Health Insurance Portability and Accountability Act ("HIPAA") to "encourag[e] the development of a health information system," and tasked the Department of Health and Human Services ("HHS") with providing Congress recommendations on standards with respect to PHI, including individuals' rights to their PHI, the procedures for exercising such rights, and the authorized uses and disclosure of PHI. See Pub. L. 104-191, title II, §§ 261, 264(a)–(b), 110 Stat. 1936, 2021, 2033 (1996). Congress directed HHS to make its recommendations regarding PHI within 12 months of HIPAA's enactment. Id. § 264(a). HIPAA also provided that, if Congress did not act on the agency's recommendations within 36 months of HIPAA's enactment, HHS would be required to promulgate regulations regarding PHI within six months of the 36-month period's expiration. Id. § 264(c). HHS timely made the required privacy recommendations to Congress, but Congress failed to enact legislation, thus triggering HHS's rulemaking authority under HIPAA. In 2000, HHS issued a final rule, known as the "Privacy Rule." See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.500 et seq. ).
Critical to understanding the parties' dispute is the distinction that the Privacy Rule draws between "covered entities" and "business associates." The Privacy Rule is directed primarily to regulating "covered entities." See 45 C.F.R. § 164.500(a) (stating that "the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to [PHI]"). A "covered entity" includes health plans, health care clearinghouses, and health providers that "transmit[ ] any health information in electronic form in connection with a [covered] transaction." Id. § 160.103. The Privacy Rule also regulates "business associates," albeit to a lesser extent than covered entities. See, e.g. , id. § 164.502 (setting forth permitted uses and disclosures for both covered entities and business associates); id. § 164.504(e)(1) (setting forth terms for business associate contracts and subcontracts). A "business associate," generally speaking, operates on behalf of a covered entity and "creates, receives, maintains, or transmits protected health information for a [regulated] function or activity." Id. § 160.103. Business associates include a "person that offers a personal health record to one or more individuals on behalf of a covered entity" and a "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." Id. Under these definitions, Plaintiff Ciox Health, LLC ("Ciox") qualifies as a "business associate," and not a "covered entity." See Ciox Health's Compl. for Declaratory and Injunctive Relief, ECF No. 1 [hereinafter Compl.], ¶ 5.
As relevant here, the Privacy Rule establishes an individual's right to access PHI and the permissible fee that can be charged for such production. See generally 45 C.F.R. § 164.524. For requests brought by an individual seeking her own PHI—known as a "personal use request"—the Privacy Rule permits a "covered entity" to "charge a reasonable, cost-based fee." Id. § 164.524(c)(4). The court refers to this "reasonable, cost-based fee" as the "Patient Rate." As originally enacted, the Privacy Rule provided that the Patient Rate could comprise the following elements: (1) the cost of "[c]opying, including the costs of supplies for and labor for copying, the [PHI]"; (2) "[p]ostage, when the individual has requested the copy, or the summary or explanation, be mailed"; and (3) "[p]reparing an explanation or summary of the [PHI]." Id. § 164.524(c)(4)(i)–(iii) (2012). Notably, the Patient Rate excluded other common costs associated with maintaining and producing PHI, such as costs of data storage, data infrastructure, and document retrieval. See 65 Fed. Reg. at 82,557 ; Compl. ¶ 31.
When HHS promulgated the Privacy Rule in 2000, it made clear that the purpose of the Patient Rate was to ensure that individuals would not be deterred from seeking PHI due to its cost.
The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered entities. If the cost is excessively high, some individuals will not be able to obtain a copy. We encourage covered entities to limit the fee for copying so that it is within reach of all individuals.
65 Fed. Reg. at 82,577. Conversely, when the cost of obtaining and transmitting PHI was to be borne by someone other than the patient, HHS did not require charging the Patient Rate.
We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual. For example, we do not intend to affect current practices with respect to the fees one health care provider charges for forwarding records to another health care provider for treatment purposes.
Id. (emphasis added). Elsewhere in the Final Rule HHS stated:
The proposal and the final rule establish the right to access and copy records only for individuals, not other entities ; the ‘reasonable fee’ is only applicable to the individual's request. The Department's expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule.
Id. at 82,754 (emphasis added). Thus, the Final Rule made an express distinction between patient-requested PHI and non-patient-requested PHI. The Patient Rate applied to the former but not the latter.
2. The HITECH Act (2009)
Nearly a decade later, in 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, in response to the growth of distinct digital-record formats and storage systems. Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 226 (2009). The HITECH Act made two key changes relevant to this litigation.
The first is that it created the "third-party directive," a simplified process for requesting delivery of certain PHI to third persons. Under the pre-2009 Privacy Rule, a covered entity was prohibited from releasing PHI stored in any format to a third party without a "valid authorization." 45 C.F.R. §§ 164.502(a)(1)(iv) (2008). Such an authorization was burdensome. It had to include certain "[c]ore elements," such as description of the information sought, the purposes for its disclosure, and the authorization's expiration date or event, as well as "statements adequate to place the individual on notice" of her rights. Id. § 164.508(c)(1)–(2) (2008). The HITECH Act stripped away these requirements for "electronic health record[s]," or "EHRs." See 42 U.S.C. § 17935(e) ; see also id. § 17921(5) (defining an "electronic health record" as "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff"). The Act provides:
In a 2016 guidance document, HHS observed that "because a HIPAA authorization requests more information than is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right." See Compl., Ex. A., ECF No. 1-1, at 17.
EHR systems are distinct from a record that merely exists in electronic form. Joint App'x, ECF No. 27 [hereinafter J.A.], at 67. Electronic record systems include many "legacy systems" that existed prior to EHRs and are "incapable of producing reports in easily readable formats that can be transmitted electronically." Id.
[I]n the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual ... the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.
Id. § 17935(e)(1). So, with respect to PHI contained in an EHR, the HITECH Act expressly entitles patients to obtain such information for themselves or to direct the information to a third party, without the need for a "valid authorization" under the Privacy Rule.
The second relevant change made by the HITECH Act is a statutory cap on the fee that a covered entity may charge a patient for delivering EHRs. The Act states that "notwithstanding [ 45 C.F.R. § 164.524(c)(4) ]"—a cross-reference to the Patient Rate—"any fee that the covered entity may impose for providing such individual with a copy of such information ... if such copy ... is in electronic form shall not be greater than the entity's labor costs in responding to the request for the copy." Id. § 17935(e)(3). As the plain text makes clear, the HITECH Act's fee cap applies at least to personal use requests produced as EHRs. Whether the statutory fee cap extends beyond such demands is the subject of dispute.
3. The Omnibus Rule (2013)
In 2013, HHS amended the Privacy Rule as part of broad set of new regulations, which the court refers to as the "2013 Omnibus Rule." See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566 (Jan. 25, 2013).
The 2013 Omnibus Rule made two modifications relevant to this case. First, the 2013 Omnibus Rule broadened the third-party directive created by the HITECH Act to reach requests for PHI contained in any format, and not just in an EHR. The Privacy Rule states: "If an individual's request for access directs the covered entity to transmit the copy of [PHI] directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual." 45 C.F.R. § 164.524(c)(3)(ii). The copy must be provided to the individual "in the form and format requested by the individual, if it is readily producible in such form and format." Id. § 164.524(c)(2)(i). Additionally, if the requested PHI is maintained in any electronic format, the covered entity must provide the information in "the electronic form and format requested by the individual, if it is readily producible in such form and format." Id. § 164.524(c)(2)(ii).
When it expanded the third-party directive to PHI contained in any format, HHS acknowledged it was going beyond the text of the HITECH Act. The agency conceded that the HITECH Act "applies by its terms only to protected health information in EHRs." 78 Fed. Reg. at 5,631. Yet, HHS insisted it had the authority to command the expansion. It explained that "incorporating [the HITECH Act's] new provisions in such a limited manner in the Privacy Rule could result in a complex set of disparate requirements for access to [PHI] in EHR systems versus other types of electronic records systems." Id. As authority to address this concern, the agency cited its general rulemaking power under section 264(c) of HIPAA. That provision, HHS said, allowed it "to prescribe the rights individuals should have with respect to their [PHI] to strengthen the right of access provided under section [17935(e) ] of the HITECH Act more uniformly to all [PHI] maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR." Id.
The 2013 Omnibus Rule also amended that portion of the Privacy Rule that specifies the costs recoverable under the Patient Rate. HHS broke out, as part of the reasonable cost-based fee, the cost of labor for copying PHI, whether in paper or electronic format. See id. at 5,635 –36; 45 C.F.R. § 164.524(c)(4)(i). Such cost "could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media, and distributing the media." 78 Fed. Reg. at 5,636. "[A]ctual labor costs associated with the retrieval of electronic information," however, would not be recoverable under the Patient Rate. Id. Nor would "[f]ees associated with maintaining systems and recouping capital for data access, storage and infrastructure" be "considered reasonable, cost-based fees." Id.
4. The Privacy Rule Guidance (2016)
Three years after adopting the 2013 Omnibus Rule, HHS issued a guidance document in 2016 titled "Individuals' Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524." See Compl., Ex. A, ECF 1-1 [hereinafter 2016 Guidance]. The 2016 Guidance made two notable pronouncements that gave rise to this lawsuit.
Most significantly, HHS declared that the Patient Rate applies "when an individual directs a covered entity to send the PHI to a third party." Id. at 16. "This limitation," HHS said, referring to the Patient Rate, "applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn't matter who the third party is)." Id. ; see also id. (stating that the Patient Rate applies "regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual"). The 2016 Guidance noted that the Patient Rate does not apply when "the third party is initiating a request for PHI on its own behalf, with the individual's HIPAA authorization." Id. at 17. But the agency again emphasized that "where the third party is forwarding—on behalf and at the direction of the individual—the individual's access request for a covered entity to direct a copy of the individual's PHI to the third party, the fee limitations apply." Id.
The medical-records industry viewed this announcement as a seismic shift in the agency's articulation of the law. Before the 2016 Guidance, the industry understood that the Patient Rate applied only to personal use requests for PHI and not to third-party directives under the HITECH Act, and it structured its contracts and pricing models accordingly. See Decl. of Tarun Kabaria, ECF No. 12-2 [hereinafter Kabaria Decl.], ¶¶ 11–14; Decl. of Jeff Gartland, ECF No. 44-1 [hereinafter Gartland Decl.], ¶¶ 5–6, 17–19. The 2016 Guidance, however, upended that understanding, as it declared that the Patient Rate applied to all requests for PHI initiated by an individual, even if such information was requested for use by a third party, like an insurance company or a law firm. Only requests for PHI made directly by the third party with a HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule) would not be subject to the Patient Rate cap. 2016 Guidance at 17.
The 2016 Guidance also provided direction with respect to determining the Patient Rate. First, it stated that the Patient Rate reaches only those labor costs incurred after the responsive PHI "has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied." Id. at 11. On the other hand, labor for "[s]earching for, retrieving, and otherwise preparing the responsive information for copying" is not recoverable. Id. at 12. Second, the 2016 Guidance set forth three alternatives for calculating, subject to the Patient Rate's strictures, the "reasonable, cost-based fee" that may be charged for fulfilling a patient-initiated PHI request. These alternatives apply to "a covered entity (or business associate operating on its behalf)." Id. at 15. A holder of PHI may determine such fee: "(1) by calculating actual allowable costs to fulfill each request; or (2) by using a schedule of costs based on average allowable labor costs to fulfill standard requests." Id. "Alternatively, in the case of requests for an electronic copy of PHI maintained electronically, covered entities may: (3) charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage)." Id. The 2016 Guidance notes that "[c]harging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically." Id. HHS admonished that "[w]e will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access [and] will take enforcement action where necessary." Id. at 11.
Less than a year later, HHS demonstrated its resolve to enforce the Patient Rate. In March 2017, HHS notified CHI Health St. Francis, a covered entity contracting with Ciox, that it had received a complaint from a patient, alleging that Ciox had charged an excessive fee for forwarding her electronic medical records to a law firm. See Compl., Ex. B, ECF No. 1-2 [hereinafter St. Francis Letter], at 1. HHS warned St. Francis that, as a result of Ciox's actions, St. Francis may have violated the Privacy Rule, but the agency took no further action. See id.
The following year, Ciox itself received a letter from HHS. On November 16, 2018, HHS advised Ciox that it had received a complaint, asserting that "when an individual makes a request through Ciox for his/her medical records to be directed to a third party, such as a law firm, Ciox routinely charges fees that are not compliant with" the Privacy Rule. See Pl.'s Notice and Request for Oral Argument, Ex. B, ECF No. 29-2 [hereinafter Ciox Letter], at 1 (citing 45 C.F.R. § 164.524(c)(4) ). HHS demanded Ciox produce records to aid in HHS's investigation. See id. at 2. Two weeks later, HHS announced that the investigation of Ciox was in error because the agency does not have jurisdiction to enforce the Privacy Rule against business associates like Ciox. See Defs.' Response to Pl.'s Notice and Request for Oral Argument, ECF No. 30, at 1.
B. Procedural Background
1. Ciox's Complaint
This action has had a long history. Ciox filed suit against Defendants HHS and the Secretary of HHS on January 8, 2018, asserting three causes of action under the APA, 5 U.S.C. § 706(2). See Compl. ¶¶ 59–77.
First, Ciox claims that HHS's decision under the 2013 Omnibus Rule to expand the HITECH Act's third-party directive to PHI contained in formats other than an EHR, and to require production of PHI in any format demanded by the requester, conflicts with the plain text of the HITECH Act. See id. ¶¶ 62–63. Ciox also alleges that these actions were ultra vires , as the agency lacked statutory authority to adopt the charges made by the 2013 Omnibus Rule. See id. ¶¶ 64–65. Next, Ciox avers that the changes announced in the 2016 Guidance were "legislative rules" within the meaning of the APA that HHS failed to promulgate through public notice and comment. See id. ¶¶ 66–69. In particular, Ciox contests HHS's expansion of the Patient Rate to all third-party directives, as well as the three enumerated methods by which to calculate disclosure fees, as violative of the APA's procedural requirements. See id. ¶¶ 66–69. It also contends that the 2016 Guidance is procedurally deficient in its announced exclusion from the Patient Rate the cost of skilled technical staff who search for and retrieve electronically stored PHI. See id. ¶ 68. Third, Ciox challenges aspects of the 2016 Guidance as arbitrary and capricious. It contests HHS's declaration that the Patient Rate applies to third-party directives, id. ¶¶ 71–75, as well as its "tripartite methodology for calculating allowable costs under the Patient Rate," id. ¶ 77. Ciox seeks declaratory and injunctive relief as to all three claims. See id. at 42.
The Complaint also alleges that the exclusion of skilled technical staff time is an arbitrary and capricious agency action, because it "directly conflicts with the 2013 Omnibus Rule's explicit inclusion of such costs in the Patient Rate." Compl. ¶ 76. Ciox, however, fails to advance this claim in its motion for summary judgment. See Mem. of P. & A. in Opp'n to Defs.' Mot. to Dismiss and in Supp. of Ciox's Cross-Mot. for Summ. J., ECF No. 12-1, at 40–45. The claim is therefore forfeited.
On April 2, 2018, Defendants moved to dismiss the action for lack of jurisdiction and failure to state a claim. See generally Defs.' Mot. to Dismiss, ECF No. 9, Mem. in Support of Mot. to Dismiss, ECF No. 9-1 [hereinafter Defs.' Mot. to Dismiss Mem.]. Defendants assert that Ciox lacks constitutional standing because the 2013 Omnibus Rule and the 2016 Guidance apply only to covered entities, and not to business associates like Ciox, and therefore Ciox is not encumbered by the limitations, including the Patient Rate, set forth in those agency pronouncements. See id. at 11. Defendants additionally disavow any enforcement authority with respect to business associates, see id. at 14, and they assert that, to the extent that the challenged actions have affected Ciox's revenues, that injury is the result of its own business judgments, not agency action, see id. at 15–16. Defendants also argue that each of Ciox's claims is unripe. See id. at 17–20. Relatedly, Defendants contend that Ciox fails to state a claim upon which relief may be granted because Ciox lacks statutory standing under the HITECH Act and because the 2016 Guidance is not a final agency action, and thus, unreviewable under the APA. See id. at 20–28.
On May 2, 2018, Ciox opposed Defendants' Motion to Dismiss and moved for summary judgment. See Mot. for Summ. J. of Pl. Ciox Health, ECF No. 12; Mem. of P. & A. in Opp'n to Defs.' Mot. to Dismiss and in Supp. of Ciox's Cross-Mot. for Summ. J., ECF No. 12-1 [hereinafter Pl.'s Opp'n Mem.]. Defendants filed a reply in support of their Motion to Dismiss on May 14, 2018, see Defs.' Reply Mem. in Supp. of Mot. to Dismiss, ECF No. 16 [hereinafter Defs.' Mot. to Dismiss Reply], and, after the court denied Defendants' request to stay further summary judgment briefing, see Order, ECF No. 18, Defendants filed their own motion for summary judgment on September 14, 2018, see Defs.' Cross-Mot. for Summ. J., ECF No. 22, Mem. in Supp. of Defs.' Opp'n to Pl.'s Mot. for Summ. J. and Cross-Mot. for Summ. J., ECF No. 22-1. Briefing on the cross-motions for summary judgment concluded on October 5, 2018. See Defs.' Reply in Supp. of Defs.' Cross-Mot. for Summ. J., ECF No. 26.
After a brief delay due to the shutdown of government operations, see Minute Order, Jan. 2, 2019, the court held an initial hearing on the parties' motions on April 10, 2019. See Hr'g Tr., Apr. 15, 2019, ECF No. 34. At that hearing, Defendants offered conflicting interpretations of the Patient Rate's applicability to third-party directives, at first suggesting that the Patient Rate does not apply to third-party directives if the third party paid the associated fees, id. at 41–42, but later reversing course and saying that the Patient Rate applies to all third-party directives, regardless of who pays for the fees, so long as the request for PHI originates with the patient, id. at 47–48. Frustrated by the about-face, the court ordered the parties to confer and report back on whether they had reached a mutual understanding as to how the Patient Rate applies to third-party directives. See id. at 49.
On April 24, 2019, Defendants submitted a supplemental filing that sought to clarify the agency's position. See Defs.' Suppl. Filing in Supp. of their Mot. to Dismiss and Cross Mot. for Summ. J., ECF No. 35-1 [hereinafter Defs.' Suppl. Filing]. As part of that filing, Defendants included a table "to illustrate how the fee limitation operates." Id. at 3–4. The table summarized the agency's position that "whether the fee limitation applies depends entirely on whether the individual has initiated the request for the production of his or her PHI. It is irrelevant whether the individual or a third party directly pays the bill for the request." Id. at 3. Ciox responded that HHS's clarified position only confirmed its standing to challenge the agency's actions and the ripeness of its claims. See Pl.'s Mem. in Reply to Defs.' Suppl. Filing, ECF No. 38 [hereinafter Pl.'s Reply to Defs.' Suppl. Filing.].
The court held a second hearing on the parties' motions on May 8, 2019. Hr'g Tr., May 8, 2019, ECF No. 41. Following that hearing, on May 24, 2019, HHS notified the court that it had published a "Fact Sheet" on its website that "explains when business associates are directly liable to HHS for violating provisions of" HIPAA. Defs.' Notice of Filing of Fact Sheet, ECF No. 39, at 1. As pertinent here, the Fact Sheet states that HHS "lacks the authority to enforce the ‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates." See id. , Ex. A, ECF No. 39-1 [hereinafter Fact Sheet], at 2. Not surprisingly, Ciox responded that the Fact Sheet did not alter its standing to contest the agency's actions in federal court. See Pl.'s Reply to Defs.' Notice of Filing of Fact Sheet, ECF No. 40.
The unanticipated Fact Sheet prompted the court to invite further briefing. The court observed that, based on the Fact Sheet's clear disavowal of enforcement authority over business associates' fee practices, "it would appear that [Ciox] cannot establish standing directly based on the threat of an enforcement action against it, as it has argued," and Ciox "is thus left to assert that its injuries arise from the actions of covered entities who are subject to regulation," thereby making the establishment of standing "substantially more difficult." Order, ECF No. 42, at 1 (quoting Lujan v. Defs. of Wildlife , 504 U.S. 555, 562, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ). "[N]ot confident that [Ciox] has had a full and fair opportunity to make its record," the court allowed Ciox to supplement the factual record to supports its theory of standing. Id. at 2.
Ciox submitted additional evidence to support standing and an accompanying legal memorandum on June 28, 2019. See Pl.'s Mem. in Resp. to June 4, 2019 Order, ECF No. 43 [hereinafter Pl.'s Suppl. Standing Br.]. Defendants submitted a memorandum in response on July 12, 2019, see Defs.' Resp. to Pl.'s Suppl. Br., ECF No. 46 [hereinafter Defs.' Resp. to Pl.'s Suppl. Standing Br.], and Ciox offered a reply on July 17, 2019, see Pl.'s Reply in Supp. of its Suppl. Br., ECF No. 47. That final brief brought the record to a close.
The court begins with the question of whether it has jurisdiction to decide this matter. Defendants assert that Ciox lacks standing under Article III of the Constitution. See Defs.' Mot. to Dismiss Mem. at 11–17. They also contend that Ciox's claims are not ripe. Id. at 17–20. The court addresses standing before turning to ripeness.
1. Article III Standing
As the party seeking to invoke the court's jurisdiction, the burden lies with Ciox to establishing standing. See Arpaio v. Obama , 797 F.3d 11, 19 (D.C. Cir. 2015). Ciox must demonstrate standing "with the manner and degree of evidence required at the successive stages of the litigation." Lujan , 504 U.S. at 561, 112 S.Ct. 2130. In this case, the parties have filed cross-motions for summary judgment, and the court afforded Ciox an opportunity to supplement the factual record as to its standing. Accordingly, the court will evaluate standing under the summary judgment standard. Under that standard, the "plaintiff can no longer rest on ... ‘mere allegations’ " to establish standing. Id. (quoting Fed. R. Civ. P. 56(e) ). Rather, it "must ‘set forth’ by affidavit or other evidence ‘specific facts,’ ... which for purposes of the summary judgment motion will be taken to be true." Id. (quoting Fed. R. Civ. P. 56(e) ).
Standing consists of three elements. First, a plaintiff must have suffered an injury in fact, or "an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical." Id. at 560, 112 S.Ct. 2130 (cleaned up). Second, there must be causation, that is, the injury is "fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court." Id. (cleaned up). Third, "it must be likely as opposed to merely speculative that the injury will be redressed by a favorable decision." Id. at 561, 112 S.Ct. 2130 (cleaned up).
Ciox submits affidavits from two of its business executives—Tarun Kabaria, Vice President of Operations, and Jeff Gartland, President of Life Sciences—to demonstrate financial losses caused by the agency's challenged actions. According to Kabaria, per HHS regulations, a business associate can provide health records services to a covered entity only pursuant to a formal contract. See Kabaria Decl. ¶ 7; see also 45 C.F.R. § 164.502(e)(2) (providing that a covered entity's relationship with a business associate "must be documented through a written contract or other written agreement or arrangement"); id. § 164.504(e) (setting forth requirements of business associate contracts). Ciox's contracts require the company to produce PHI for covered entities in accordance with the restrictions set forth in HIPAA, the HITECH Act, and the Privacy Rule—including the Patient Rate. Kabaria Decl. ¶ 8. Kabaria explains that, before 2009, commercial third parties requesting PHI did so through "patient authorization[s]" that allowed release of PHI to the third party. Id. ¶ 11. Ciox understood, as did the industry, that the Patient Rate did not apply to such third-party requests and therefore charged state-authorized or independently-contracted rates to fulfill such "authorized" requests. Id. These rates often exceeded the Patient Rate by several hundred dollars per request. Id. ¶¶ 11, 16. The advent of the HITECH Act's third-party directive in 2009 did not change the industry's or Ciox's practice, according to Kabaria. Id. ¶ 12. The industry still understood that the Patient Rate did not apply to requests for PHI delivered to third parties. Id.
The ground began to shift slightly with the 2013 Omnibus Rule, says Kabaria. By expanding the HITECH Act's third-party directive to records in formats other than EHRs, Ciox saw a modest increase in third-party directives. Id. ¶ 13. Ciox still continued to receive most third-party requests through third-party authorizations, and thus persisted in charging above the Patient Rate for such requests. Id. The 2016 Guidance caused a major shift in the industry, however. The 2016 Guidance's requirement that the Patient Rate apply to third-party directives accelerated the number of third-party directives relative to authorizations. Id. ¶ 14. Also, the 2016 Guidance's three options for calculating the Patient Rate caused some of Ciox's covered-entity clients to require Ciox to use the flat-fee option of $6.50 for fulfilling third-party directives. Id. ¶ 15. These changes, according to Kabaria, are "costing Ciox well over $10 million per year" and those losses are likely to "continue growing." Id. ¶ 16.
Gartland amplifies the points made in Kabaria's declaration, using actual contracts as examples. Gartland explains that nearly all of Ciox's contracts provide that Ciox's compensation is limited to the fees chargeable for transmitting PHI. Gartland Decl. ¶ 5. These compensation provisions require that Ciox charge only "in accordance with Section 164.524(c)(4) of the Privacy Regulations." Id. ¶ 6. Ciox's contracts, according to Gartland, reflect a compensation model that is "typical" in the industry. Id. ¶ 11. Additionally, Gartland explains, Ciox's agreements contain provisions that expose it to stiff sanctions if Ciox were to run afoul of federal laws. Covered entities can terminate a contract if Ciox is noncompliant, and Ciox is required to indemnify covered entities for liability arising from violations by Ciox. Id. ¶¶ 15–16. Gartland also confirms that, as a result of the 2016 Guidance's expansion of the Patient Rate to all third-party directives and its option of a $6.50 flat fee, "Ciox as a matter of course now only charges $6.50 for most Third Party Directive requests." Id. ¶ 18. The resulting lost revenue in 2017 and 2018 has totaled $35 million and "will continue growing year-over-year," as third-party directives increase as a percentage of overall requests. Id. According to Gartland, since 2016, Ciox has spent thousands of employee hours attempting to renegotiate contracts to mitigate its losses, but still continues to suffer reduced revenues. Id. ¶ 19.
a. Injury in fact
Ciox posits as its injury in fact the quintessential harm of lost revenue. See Pl.'s Opp'n Mem. at 17; Pl.'s Suppl. Standing Br. at 6–7; Czyzewski v. Jevic Holding Corp. , ––– U.S. ––––, 137 S. Ct. 973, 983, 197 L.Ed.2d 398 (2017) ("For standing purposes, a loss of even a small amount of money is ordinarily an ‘injury.’ "). Although Defendants question the sufficiency of the Complaint's allegations of harm, see Defs.' Mot. to Dismiss Mem. at 13–14, they do not challenge the adverse fiscal impact that Ciox claims to have suffered, as outlined in the declarations. See generally Defs.' Resp. to Pl.'s Suppl. Standing Br. The element of injury in fact is therefore largely uncontested.
The element of causation presents a threshold dispute: Does Ciox's claimed financial injury arise from direct regulation by HHS, or is the injury the result of the agency's regulation of others, namely, covered entities? See Lujan , 504 U.S. at 562, 112 S.Ct. 2130 (stating that "when the plaintiff is not himself the object of the government action or inaction he challenges, standing is not precluded, but it is ordinarily substantially more difficult to establish" (internal quotation marks and citations omitted)).
According to HHS, "the relevant portion of the [Privacy Rule], which is also the basis for the 2016 guidance, imposes no requirements or restrictions on business associates like Ciox." Defs.' Mot. to Dismiss Mem. at 11; see also Defs.' Suppl. Filing at 3 ("HHS has no authority to hold Ciox liable for failing to observe the fee limitation."). Instead, HHS argues, the challenged actions are enforceable only against covered entities, a position memorialized in the agency's published "Fact Sheet." See Fact Sheet at 2 (stating that HHS "lacks the authority to enforce the ‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 165.524(c)(4) against business associates"). Accordingly, HHS maintains, the element of causation in this case must be analyzed under the more rigorous standard for alleged injuries caused indirectly by government action. See Lujan , 504 U.S. at 562, 112 S.Ct. 2130.
Ciox reads the controlling law differently. It asserts that business associates are directly subject to the Privacy Rule; the Rule's limitations, including the Patient Rate, govern the conduct of business associates; and the failure to comply with the Rule subjects business associates to potential enforcement and punitive consequences. Pl.'s Opp'n Mem. at 18–21. Ciox thus insists HHS possesses the direct authority over business associates that the agency disclaims.
Although interesting, the parties' debate is not one the court need resolve. That is because, even if HHS cannot directly regulate business associates, Ciox's financial injury is still traceable to agency action through the effect those actions have had on Ciox's contracting partners, the covered entities.
When ... a plaintiff's asserted injury arises from the government's allegedly unlawful regulation ... of someone else , much more is needed [to prove standing]. In that circumstance, causation and redressability ordinarily hinge on the response of the regulated (or regulable) third party to the government action or inaction—and perhaps on the response of others as well.
Lujan , 504 U.S. at 562, 112 S.Ct. 2130 (internal quotation marks and citations omitted). "[I]t becomes the burden of the plaintiff to adduce facts showing that [the regulated third-party's] choices have been or will be made in such a manner as to produce causation and permit redressability of injury." Id. The plaintiff must show that "the agency action is at least a substantial factor motivating the third parties' actions." Tozzi v. HHS , 271 F.3d 301, 308 (D.C. Cir. 2001) (quoting Cmty. for Creative Non-Violence v. Pierce , 814 F.2d 663, 669 (D.C. Cir. 1987) ). "Unadorned speculation" connecting the challenged government action and third-party conduct will not suffice. Nat'l Wrestling Coaches Ass'n v. Dept. of Educ. , 366 F.3d 930, 938 (D.C. Cir. 2004) (quoting Simon v. E. Ky. Welfare Rights Org. , 426 U.S. 26, 44, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976) ). Here, the regulatory scheme governing the medical records management industry, when combined with the evidence presented by Ciox, leaves "little doubt as to causation and the likelihood of redress." Id. at 941.
HHS's regulations all but ensure that business associates will limit the fees they charge in a manner consistent with HHS's interpretation of the Patient Rate. The regulations expressly make covered entities liable for their business associates' violations. See 45 C.F.R. § 160.402(c)(1) ("A covered entity is liable ... for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a ... business associate, acting with the scope of the agency."). So, for example, if Ciox were to charge more than the Patient Rate to carry out a third-party directive, HHS could hold the covered entity responsible. See Defs.' Suppl. Filing at 3. HHS's letter dated March 22, 2017, to CHI St. Francis illustrates this reality. See St. Francis Letter at 3. In that case, HHS received a complaint that Ciox had charged $224.65 for 353 pages of electronic medical records that the patient had requested be sent to her law firm. Id. at 1. HHS warned CHI St. Francis that "[t]his allegation could reflect a violation of [the Patient Rate]." Id. HHS advised CHI St. Francis—seemingly at odds with its position taken here—that "all of the access requirements that apply with respect to PHI held by the covered entity (e.g., the individual may be charged only a reasonable, cost-based fee [Patient Rate] that complies with [the Privacy Rule] ) apply with respect to PHI held by the business associate." Id. at 3. Although HHS took no formal action against CHI St. Francis for Ciox's actions, it warned that should it "receive a similar allegation of noncompliance ... in the future, [HHS] may initiate a formal investigation of that matter." Id. at 4. The prospect that a covered entity could be held liable for the transgressions of its business associates provides a powerful incentive for covered entities to ensure that business associates comply with the Privacy Rule, including the Patient Rate. Indeed, the regulations expressly provide that a covered entity's failure to address a business associate's non-compliance is itself a violation of the regulations. See 45 C.F.R. § 164.504(e)(1).
That regulation provides:
A covered entity is not in compliance with the standards of § 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.
Id. § 164.504(e)(1)(ii).
Not surprisingly, covered entities have structured their contracts to require their business associates to follow the regulations and to protect themselves against liability. Ciox's contracts, for instance, require the company to charge fees "in accordance with Section 164.524(c)(4) of the Privacy Regulations." Gartland Decl. ¶ 6 (quoting various contracts); see also Sealed Mot. for Leave to File Docs. Under Seal, Ex. A, Ex. 44-2, at 29 ¶ 4.1 (under seal); id. , Ex. B, ECF No. 44-3, at 17 ¶ 5.1 (under seal); id. , Ex. C, ECF No. 44-4, at 15 ¶ 4.1 (under seal); id. , Ex. D, ECF No. 44-5, at 17 (under seal). Additionally, "all of Ciox's contracts, no matter what model, include provisions requiring Ciox to indemnify the covered entity for any violation of HIPAA, HITECH, or the Privacy Rule that is attributable to the covered entity for Ciox's actions ..., including violations of the Patient Rate if that Rate applies to a given request." Gartland Decl. ¶ 16. Such indemnification provisions are sure to discourage Ciox from charging more than the Patient Rate. And, of course, Ciox risks termination of a contract should it charge more than the Patient Rate.
If these regulatory and contractual provisions were not enough to establish causation, Ciox also provides testimonial evidence of industry impacts following HHS's issuance of the 2016 Guidance. According to Gartland, following the 2016 Guidance, "the volume of Third Party Directive requests has increased by nearly 700 percent , as law firms and other for-profit entities realized they could use Third Party Directives to avoid the typically higher state-authorized fees that Ciox previously could charge for fulfilling HIPAA authorizations." Gartland Decl. ¶ 17. Moreover, after 2016, covered entities began to insist that "Ciox charge no more than $6.50 for fulfilling a Third Party Directive because they fear both federal enforcement action and potential liability if Ciox charges more than that when fulfilling Third Party Directives. As a result, Ciox as a matter of course now only charges $6.50 for most Third Party Directive requests...." Id. ¶ 18. These sworn statements, which the agency does not contest, demonstrate the real-world impacts of the challenged actions and how they have caused Ciox's financial injuries.
Defendants advance two primary arguments in response. First, HHS maintains that Ciox's losses are "self-inflicted." Defs.' Mot. to Dismiss Reply at 8. Ciox chose to enter into contracts that "structure its compensation ... in the form of fees charged to requesters of PHI," Defs.' Resp. to Pl.'s Suppl. Standing Br. at 4, and that include indemnification clauses, Defs.' Mot. to Dismiss Reply at 8. Instead, HHS insists, Ciox could have entered into agreements that secured payment from the covered entities instead of patients, which would have insulated them from the losses they now claim. See id. at 7–8; see also Defs.' Resp. to Pl.'s Suppl. Standing Br. at 4 (arguing that "nothing prevents Ciox from negotiating its compensation structure with covered entities differently"). HHS analogizes this case to the D.C. Circuit's decision in Brotherhood of Locomotive Engineers . See Defs.' Mot. to Dismiss Reply at 8 (citing Bhd. of Locomotive Eng'rs. & Trainmen, a Div. of Rail Conf.-Int'l Bhd. of Teamsters v. Surface Transp. Bd. 457 F.3d 24 (D.C. Cir. 2006) ). There, the court held that a union could not demonstrate causation where the Surface Transportation Board's classification of a type of transaction foreclosed the union from invoking its bargaining rights; the union previously had agreed under its collective bargaining agreement not to bargain over the effects of such a transaction. Brotherhood of Locomotive Engineers , 457 F.3d at 28. In that scenario, the injury "was not in any meaningful way ‘caused’ by the Board; rather, it was entirely self-inflicted." Id. Like the union in Brotherhood of Locomotive Engineers , HHS contends, Ciox "is injured by the specific terms of the contracts it entered into with the covered entities" and thus its injury is similarly self-inflicted. Defs.' Mot. to Dismiss Reply at 8.
HHS's self-infliction argument is flawed both legally and factually. Legally it is flawed because it raises the bar for standing too high. To the extent that injury is self-inflicted, it must be "so completely due to the complainant's own fault as to break the causal chain." Petro-Chem Processing, Inc. v. EPA , 866 F.2d 433, 438 (D.C. Cir. 1989) (cleaned up) (internal quotation marks and citation omitted). Standing doctrine thus does not require a plaintiff to show that it made no choice that put it at risk of injury. See Ellis v. Comm'r of Internal Revenue Serv. , 67 F. Supp. 3d 325, 337 (D.D.C. 2014) (stating that "it has been observed that all injuries are in some sense self-inflicted"), aff'd 622 F. App'x 2 (D.C. Cir. 2015). Therefore, the mere fact that Ciox negotiated agreements in a highly regulated environment that linked its compensation to the Patient Rate does not make its injury self-inflicted. See Cent. Ariz. Water Conservation Dist. v. EPA , 990 F.2d 1531, 1538 (9th Cir. 1993) ("While [the] contractual obligations may provide the basis for its economic liability for the increased costs imposed by the Final Rule, that hardly means that the Final Rule itself is not the direct cause of that liability."). Thus, this case is not like Brotherhood of Locomotive Engineers , in which the union was found to have a self-inflicted injury because, of its own accord, it made the choice to forego bargaining with respect to the type of transaction at issue.
Factually, HHS's insistence that Ciox's injury is self-inflicted wholly ignores industry realities. For example, HHS's argument that Ciox voluntarily acceded to contracts containing indemnification provisions, see Defs.' Mot. to Dismiss Reply at 8, fails to appreciate that its own regulations make covered entities liable for the acts of their business associates. It should come as no surprise then that Ciox's contracts contain indemnity provisions that require the company to make covered entities whole for any liability resulting from Ciox's transgressions. Moreover, HHS overlooks the fact that, for years, it took the position that the Patient Rate applied only to personal use requests for PHI, and not to requests directing PHI to third parties. See 65 Fed. Reg. at 82,754 (stating in 2000 that the Privacy Rule "establish[es] the right to access and copy records only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual's request"). That the industry, quite sensibly, structured its compensation scheme to fit HHS's pronouncements, see Kabaria Decl. ¶ 11, does not mean that Ciox's injury is now self-inflicted.
Second, HHS argues that Ciox fails to provide substantial evidence of a causal relationship between the agency's actions and the response of third parties, which resulted in Ciox's losses. See Defs.' Resp. to Pl.'s Suppl. Standing Br. at 9–10. But the uncontested Gartland Declaration establishes otherwise. As noted, Gartland explains how, following the 2016 Guidance, Ciox began to incur greater losses as requesters shifted to third-party directives subject to the Patient Rate. Gartland Decl. ¶ 17. Additionally, since the 2016 Guidance, covered entities have demanded that Ciox charge no more than $6.50 for third-party directives, such that Ciox now charges that fixed amount "as a matter of course" for most third-party directives. Id. ¶ 18. HHS faults Ciox for not re-negotiating its contracts after 2016 to allow it to collect additional fees from covered entities. But even suggesting that Ciox had to incur new contracting costs to avoid injury only underscores the causal effect of the agency's actions. See id. ¶ 19 (explaining that Ciox has "expended thousands of hours of employee time renegotiating—to only partial success—many contracts that, but for the 2016 mandates, would not have been at issue"). Ciox has satisfied the element of causation. c. Redressability
Having found that Ciox satisfies the element of causation, the issue of redressability is straightforward. "Causation and redressability typically ‘overlap as two sides of a causation coin.’ After all, if a government action causes an injury, enjoining the action usually will redress that injury." Carpenters Indus. Council v. Zinke , 854 F.3d 1, 6 n.1 (D.C. Cir. 2017) (quoting Dynalantic Corp. v. Dep't of Defense , 115 F.3d 1012, 1017 (D.C. Cir. 1997) ). Here, if the court were to enjoin the challenged portions of the 2013 Omnibus Rule and the 2016 Guidance, see Compl. at 42, as Gartland explains:
[Ciox] could maintain the overwhelming majority of its existing contracts in their current form and, for those contracts that already have been renegotiated, revert to the time-tested model that covered entities and business associates uniformly prefer ..., which allow[s] Ciox to charge the state-authorized rates it previously was allowed to charge for delivering PHI to third parties, including for Third Party Directives.
Gartland ¶ 21. In short, because Ciox could start recouping the loses it presently incurs by charging the Patient Rate for third-party directives, it has demonstrated that the court can redress its injuries.
HHS resists this uncomplicated logic. It contends that "the 2016 [G]uidance works no change in the law; it simply clarified what the 2013 Regulation requires. And the 2013 Regulation, in turn, implemented the HITECH Act. Therefore, vacating the 2016 Guidance would also have no legal effect." Defs.' Resp. to Pl.'s Suppl. Standing Br. at 9–10. But this is a merits argument, and for purposes of standing, the court must assume the merits of Ciox's claims—the precise opposite interpretation put forward by HHS. See Warth v. Seldin , 422 U.S. 490, 502, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) ; see also City of Waukesha v. EPA , 320 F.3d 228, 235 (D.C. Cir. 2003). HHS cannot defeat standing by asserting it will prevail on the merits.
Next, HHS asserts that the court lacks jurisdiction because Ciox's claims are not ripe. See Defs.' Mot. to Dismiss Mem. at 17–20. The court disagrees.
"Ripeness is a justiciability doctrine designed ‘to prevent the courts, through avoidance of premature adjudication, from entangling themselves in abstract disagreements over administrative policies, and also to protect the agencies from judicial interference until an administrative decision has been formalized and its effects felt in a concrete way by the challenging parties.’ " Nat'l Park Hosp. Ass'n v. Dep't of Interior , 538 U.S. 803, 807–08, 123 S.Ct. 2026, 155 L.Ed.2d 1017 (2003) (quoting Abbott Labs. v. Gardner , 387 U.S. 136, 148–149, 87 S.Ct. 1507, 18 L.Ed.2d 681 (1967) ). "Determining whether administrative action," as here, "is ripe for judicial review requires [courts] to evaluate (1) the fitness of the issues for judicial decision and (2) the hardship to the parties of withholding court consideration." Id. at 808, 123 S.Ct. 2026. Under the first prong, courts consider whether the issue presented is "purely legal," whether the court's consideration would benefit from a more concrete setting, and whether the agency's action is "sufficiently final." Nat'l Ass'n of Home Builders v. U.S. Army Corps of Eng'rs , 440 F.3d 459, 463–64 (D.C. Cir. 2006) (internal quotation marks omitted). As to the second prong, the question is not whether the parties have suffered a "direct hardship," but rather whether postponing judicial review would impose an undue hardship or benefit the court. See id. (internal quotation marks omitted). In the end, "the primary focus of the ripeness doctrine is to balance the [plaintiff's] interest in prompt consideration of allegedly unlawful agency action against the agency's interest in crystallizing its policy before that policy is subject to review and the court's interest in avoiding unnecessary adjudication and in deciding issues in a concrete setting." AT & T Corp. v. FCC , 349 F.3d 692, 699 (D.C. Cir. 2003) (internal quotation marks omitted).
Ciox readily satisfies both prongs of the ripeness doctrine. It is undisputed that the issues presented by Ciox are "purely legal," as they involve questions of statutory interpretation and the agency's adherence to rulemaking requirements. See Compl. at 33–41. Having presented such pure legal questions, Ciox's claims are "presumptively suitable for judicial review." AT & T Corp. , 349 F.3d at 699 (internal quotation marks omitted). HHS nonetheless contends that the dispute would benefit from a more concrete setting, see Defs.' Mot. to Dismiss. Mem. at 18–19, but never explains what "additional factual development" is necessary to resolve the claims, Action All. of Senior Citizens of Greater Phila. v. Heckler , 789 F.2d 931, 940 (D.C. Cir. 1986) ; cf. Nat'l Park Hosp. Ass'n , 538 U.S. at 812, 123 S.Ct. 2026 (finding administrative challenge unripe where "the question presented here should await a concrete dispute about a particular concession contract"). HHS also suggests that the "complex[ity]" of the statutory and regulatory scheme warrants a more specific factual setting, Defs.' Mot. to Dismiss Mem. at 19, but courts routinely deal with complex administrative statutes and regulations, and there is nothing uniquely difficult about interpreting the HITECH Act or the Privacy Rule that would justify deferring a decision to develop more facts.
On the second prong, Ciox plainly has demonstrated hardship in the form of financial losses. HHS's only response is that Ciox's losses are not causally connected to the agency's actions, see Defs.' Mot. to Dismiss Reply at 13, but the court already has found otherwise. Moreover, where, as here, "there are no significant agency or judicial interests militating in favor of delay, lack of hardship cannot tip the balance against judicial review." Nat'l Ass'n of Home Builders , 440 F.3d at 465 (cleaned up). HHS generically claims that it has "an interest in thinking through its policy choices and completing its decisionmaking process," Defs.' Mot. to Dismiss Reply at 13 (internal quotation marks and citation omitted), but it nowhere says what more thinking or decisionmaking it is doing with respect to the 2013 Omnibus Rule or the 2016 Guidance. Ciox's claims are ripe.
B. Failure to State a Claim
HHS advances two grounds to dismiss Ciox's causes of action for failure to state a claim. First, HHS says that, under the HITECH Act, Ciox lacks "statutory standing," which "concern[s] a party's cause of action, not the court's jurisdiction." See Kaplan v. Cent. Bank of the Islamic Republic of Iran , 896 F.3d 501, 519–20 (D.C. Cir. 2018). Second, HHS asserts that the 2016 Guidance is not a challengeable final agency action under the APA, thereby requiring dismissal of Counts Two and Three. The court considers each argument in turn.
1. Statutory Standing
HHS contends that Ciox lacks statutory standing because its "interests do not fall within the zone of interests to be protected or regulated by" 42 U.S.C. § 17935(e) —the section of the HITECH Act upon which Ciox bases its claims. See Defs.' Mot. to Dismiss Mem. at 20–23. As support, HHS asserts that § 17935(e) regulates only the fees that a covered entity may charge patients but is silent as to how much and against whom a business associate may assess fees. See id. at 22. The agency also points to two other statutory provisions, namely, §§ 17931(a) and 17934(a), that extend certain existing regulations to business associates, but exclude the "fee and format" requirements of 45 C.F.R. § 164.524. Id. at 22–23.
In Lexmark International, Inc. v. Static Control Components, Inc. , 572 U.S. 118, 134 S.Ct. 1377, 188 L.Ed.2d 392 (2014), the Supreme Court emphasized the " ‘lenient approach’ that the courts must follow in determining whether a party has stated a cause of action under the APA." Indian River Cty. v. Dep't of Transp. , 945 F.3d 515, 527 (D.C. Cir. 2019) (quoting Lexmark Int'l , 572 U.S. at 130, 134 S.Ct. 1377 ). A plaintiff must show that "the interest sought to be protected by the complainant is arguably within the zone of interests to be protected or regulated by the statute ... in question." Ass'n of Data Processing Serv. Orgs., Inc. v. Camp , 397 U.S. 150, 153, 90 S.Ct. 827, 25 L.Ed.2d 184 (1970). In making that assessment, courts must consider the "context and purpose" of the relevant statutory provisions and regulations. See Indian River Cty. , 945 F.3d at 530 (quoting Match–E–Be–Nash–She–Wish Band of Pottawatomi Indians v. Patchak , 567 U.S. 209, 226, 132 S.Ct. 2199, 183 L.Ed.2d 211 (2012) ). The "zone of interests" test is not "especially demanding" in the APA context. Lexmark , 572 U.S. at 130, 134 S.Ct. 1377 (quoting Match–E–Be–Nash–She–Wish Band of Pottawatomi Indians , 567 U.S. at 224–25, 132 S.Ct. 2199 ). For that reason, the Supreme Court has "conspicuously included the word ‘arguably’ in the test to indicate that the benefit of any doubt goes to the plaintiff." Id. (quoting Match–E–Be–Nash–She–Wish Band of Pottawatomi Indians , 567 U.S. at 225, 132 S.Ct. 2199 ). "[T]here does not have to be an indication of congressional purpose to benefit the would-be plaintiff," and "a plaintiff certainly need not be expressly listed as a beneficiary of a statutory provision in order to be within its protected zone-of-interests." Indian River Cty. , 945 F.3d at 529–30 (quoting Nat'l Credit Union Admin. v. First Nat. Bank & Tr. Co. , 522 U.S. 479, 492, 118 S.Ct. 927, 140 L.Ed.2d 1 (1998) ). Ultimately, the test denies a right of review only "when a plaintiff's ‘interests are so marginally related to or inconsistent with the purposes implicit in the statute that it cannot reasonably be assumed that Congress intended to permit the suit.’ " Match-E-Be-Nash-She-Wish Band of Pottawatomi Indians , 567 U.S. at 225, 132 S.Ct. 2199 (citation omitted).
Although HHS insists that only covered entities are covered by the HITECH Act's fees restriction, the agency's reading is far from obvious. To be sure, the HITECH Act refers expressly only to the "fee that the covered entity may impose" for delivering PHI in electronic form. 42 U.S.C. § 17935(e)(3). But other portions of the Act are designed to extend existing regulatory limits to business associates. Specifically, section 17934(a) of the HITECH Act provides that business associates are subject to "each applicable requirement" of 45 C.F.R. § 164.504(e). 42 U.S.C. § 17934(a). Section 164.504(e) in turn cross-references § 164.524, see 45 C.F.R. § 164.504(e)(ii)(E) (stating that business associates must "[m]ake available [PHI] in accordance with § 164.524"), the section which contains the Patient Rate, see id. § 164.524(c)(4). Thus, as Ciox argues, by placing business associates within the reach of 45 C.F.R. § 164.524, the HITECH Act would appear to extend the Patient Rate to business associates. See Pl.'s Opp'n Mem. at 8–9.
The court need not, for present purposes, decide whether HHS's or Ciox's reading of the HITECH act is the correct one. The "lenient approach" to the zone-of-interests test in the APA context merely requires the court to determine whether Ciox's interests "are, at the least, ‘arguably within the zone of interests’ " regulated by the HITECH Act. Bank of Am. Corp. v. City of Miami , ––– U.S. ––––, 137 S. Ct. 1296, 1303, 197 L.Ed.2d 678 (2017) (quoting Ass'n of Data Processing , 397 U.S. at 153, 90 S.Ct. 827 ). As Ciox's reading of the HITECH Act is entirely reasonable, Ciox easily surpasses that low bar.
2. Final Agency Action
Two independent conditions must be met for an agency action to be considered "final," and thus reviewable, for purposes of the APA. 5 U.S.C. § 704 ; Bennett v. Spear , 520 U.S. 154, 175, 117 S.Ct. 1154, 137 L.Ed.2d 281 (1997). The challenged action must be the "consummation of the agency's decisionmaking process" and it must be an action in which "rights or obligations have been determined" or "legal consequences will flow." Bennett , 520 U.S. at 175, 117 S.Ct. 1154 (internal quotation marks omitted); see also Soundboard Ass'n v. Fed. Trade Comm'n , 888 F.3d 1261, 1267 (D.C. Cir. 2018). In approaching the question of finality, the D.C. Circuit has warned that "courts should resist the temptation to define the action by comparing it to superficially similar actions in the caselaw." Cal. Cmtys. Against Toxics v. EPA , 934 F.3d 627, 631 (D.C. Cir. 2019). "Rather, courts should take as their NorthStar the unique constellation of statutes and regulations that govern the action at issue." Id.
At the outset, HHS urges the court to find that the 2016 Guidance is not a final agency action because it is an "interpretative" rule, as distinct from a "legislative" rule, as those terms are understood under the APA. See Defs.' Mot. to Dismiss Mem. at 24. But that argument improperly conflates the finality analysis with "the related but separate analysis of whether an agency action is a legislative rule." Cal. Cmtys. Against Toxics , 934 F.3d at 634. The court therefore undertakes a separate finality inquiry, as directed by the D.C. Circuit.
As to the first Bennett prong, the 2016 Guidance marks the consummation of the agency's decisionmaking process. The Guidance "comes to a definitive conclusion," Scenic Am., Inc. v. U.S. Dep't of Transp. , 836 F.3d 42, 56 (D.C. Cir. 2016), as to the content and scope of the allowable "reasonable, cost-based fee" permitted under the Privacy Rule, 45 C.F.R. § 164.524(c)(4), with regard to each of the three issues challenged by Ciox. The 2016 Guidance confirms that (1) the Patient Rate applies to third-party directives and (2) the Patient Rate excludes labor costs associated with searching for and retrieving responsive records, and it identifies three ways in which to calculate the Patient Rate. The agency does not assert that its position as to any of these issues remains in flux. Cf. Barrick Goldstrike Mines Inc. v. Browner , 215 F.3d 45, 48 (D.C. Cir. 2000) (stating that, to be a final agency action, the action "must not be of a merely tentative or interlocutory nature"). HHS still urges the court "not [to] treat HHS's guidance as the ‘consummation’ of its decisionmaking," but in support of that position it simply repeats the common refrain that the agency "retains complete discretion to rescind or change this guidance." Defs.' Mot. to Dismiss Mem. at 25–26. It is well-settled, however, that the mere possibility of a future revision cannot, by itself, make an agency act non-final. See Gen. Elec. Co. v. EPA , 290 F.3d 377, 380 (D.C. Cir. 2002) ; see also U.S. Army Corps of Eng'rs v. Hawkes Co. , ––– U.S. ––––, 136 S. Ct. 1807, 1814, 195 L.Ed.2d 77 (2016) (observing that the possibility of future revision "is a common characteristic of agency action, and does not make an otherwise definitive decision nonfinal"). The first prong of Bennett is therefore satisfied.
There is no dispute as to whether the 2013 Omnibus Rule is a final agency action. It clearly is. See Abbott Labs. , 387 U.S. at 151–53, 87 S.Ct. 1507 (holding that the publication of certain regulations by the FDA was final agency action).
The second Bennett factor—whether "direct and appreciable legal consequences" flow from the agency's action, Bennett , 520 U.S. at 178, 117 S.Ct. 1154 —demands greater consideration in this case. The Supreme Court has described this second inquiry as a "pragmatic" one. Hawkes Co. , 136 S. Ct. at 1815 (internal quotation marks omitted). It is one "based on the concrete consequences an agency action has or does not have as a result of the specific statutes and regulations that govern it." Cal. Cmtys. Against Toxics , 934 F.3d at 637. "The court here primarily looks to ‘the actual legal effect (or lack thereof) of the agency action in question on regulated entities.’ " Cal. By & Through Brown v. EPA , 940 F.3d 1342, 1352 (D.C. Cir. 2019) (quoting Nat'l Mining Ass'n v. McCarthy , 758 F.3d 243, 252 (D.C. Cir. 2014) ). The parties address separately the legal consequences (or lack thereof) of each of the three aspects of the 2016 Guidance challenged by Ciox. So, the court does the same, starting with the Guidance's statement that the Patient Rate applies to third-party directives.
a. Patient Rate applies to third-party directives
The 2016 Guidance supplies the type of obligation, prohibition, or restriction on regulated entities that makes it a final agency action insofar as it directs regulated entities to apply the Patient Rate to fulfill third-party directives. See Valero Energy Corp. v. EPA , 927 F.3d 532, 536 (D.C. Cir. 2019). It provides that "[the Patient Rate] appl[ies] when an individual directs a covered entity to send the PHI to the third party." 2016 Guidance at 16. The Guidance speaks to the issue without qualification. It states: "[The Patient Rate] applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn't matter who the third party is)." Id. It also admonishes that the fee limit cannot be "circumvent[ed] ... by treating individual requests for access like other HIPAA disclosures—such as by having an individual fill out a HIPAA authorization when the individual requests access to her PHI, including to direct a copy of PHI to a third party." Id. at 17. The 2016 Guidance thus provides an unequivocal command that the Patient Rate applies to third-party directive requests. Accordingly, it bears the hallmarks of a final agency action. See Appalachian Power Co. v. EPA , 208 F.3d 1015, 1023 (D.C. Cir. 2000) ("At any rate, the entire Guidance, from beginning to end—except the last paragraph—reads like a ukase. It commands, it requires, it orders, it dictates.").
Additionally, the 2016 Guidance's expansion of the Patient Rate satisfies the second Bennett prong, because it indisputably has "direct and appreciable legal consequences" for, at a minimum, one class of regulated persons—the covered entities. See Hawkes Co. , 136 S. Ct. at 1814–15 (considering under the second Bennett prong the legal consequences for the agency and nonparties). HHS does not assert otherwise. See Defs.' Mot. to Dismiss Mem. at 11 (arguing that challenged "provision[s] of the Privacy Rule and the guidance apply only to covered entities").
This aspect of the 2016 Guidance has legal and practical consequences for business associates, as well. See Valero Energy Corp. , 927 F.3d at 537 (noting that, in addition an actual legal effect, some D.C. Circuit cases "have indicated that the finality analysis can look to whether the agency action has a practical effect on regulated parties, even if it has no formal legal force"). HHS concedes that, pursuant to 45 C.F.R. § 164.402(c)(1), it can take enforcement action against a covered entity if its business associate charges in excess of the Patient Rate. Defs.' Suppl. Filing at 2 ("[I]f a ‘business associates’ charges ... more than a ‘reasonable, cost-based fee’ for providing a copy of an individual's [PHI], it is the covered entity—with whom the business associate has contracted to provide service—that is liable to HHS for violating the fee limitation."); Defs.' Mot. to Dismiss Reply at 5 ("[W]hen a business associate fulfills a covered entity's responsibilities under § 164.524 as an agent, it is the covered entity who may be penalized to the extent that the business associate's actions do not comport with the law's requirements on covered entities, not the business associate." (citing 45 C.F.R. § 164.402(c)(1) )). The potential vicarious liability of covered entities for the misdeeds of their business associates effectively compels business associates to abide by the Patient Rate and its scope. Business associates who fail to charge the Patient Rate for third-party directives risk incurring costs associated with indemnifying covered entities or, even more seriously, termination of their contracts. Under the "pragmatic" approach to finality, Hawkes Co. , 136 S. Ct. at 1815, the 2016 Guidance's extension of the Patient Rate to third-party directives has both actual legal and practical consequences for business associates, qualifying it as a final agency action.
Once more, the court need not reach the parties' dispute as to whether the Patient Rate directly binds business associates. The court notes, however, the 2016 Guidance itself would appear to stake out a position different than the one advocated by the agency in this case. See 2016 Guidance at 27 ("[A]ll of the access requirements that apply with respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held by the business associate."); id. at 17 (stating that "a covered entity (or a business associate) may not circumvent the access fee limitations").
HHS disputes that the 2016 Guidance's discussion of the Patient Rate and third-party directives has any independent legal or practical effect. Observing that the Guidance is "replete with citations," HHS claims that the discussion "does not issue a new directive or rescind an old one; it merely explains what the regulation already directs." Defs.' Mot. to Dismiss Reply at 16; see also id. (stating that "the guidance itself merely expounds on § 164.524's requirements"). That argument is flawed for two reasons. First, it fails to acknowledge the ambiguity in the text of § 164.524(c)(4). The regulation merely states that "[i]f the individual requests a copy of the [PHI] ... the covered entity may impose a reasonable, cost-based fee." 45 C.F.R. § 164.524(c)(4). The regulation is silent as to whether the reasonable, cost-based fee applies only when providing PHI to the individual requestor or includes requests to send PHI to third parties. Second, and more significantly, HHS's position is fundamentally at odds with what it said in 2000 when it first adopted the Patient Rate. HHS said then: "We do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual ," 65 Fed. Reg. at 82,557 (emphasis added), and "[t]he proposed and final rule establish the right to access and copy records only for individuals, not other entities ; the ‘reasonable fee’ is only applicable to the individual's request," id. at 82,754 (emphasis added). HHS concluded: "The Department's expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule." Id. Thus, when HHS adopted the Patient Rate, it expressly limited it to PHI requested by, and for, the individual requester; the Rate did not apply to PHI destined for third parties. That distinction makes sense, as the whole point of placing a limit on fees was to ensure that individual patients would not be foreclosed or inhibited from accessing their PHI by excessive fees. See id. at 82,556 ("We intend this provision to reduce covered entities' burden in complying with requests without reducing individuals' access to protected health information."). That same rationale does not apply when the PHI is directed to and paid for by a third party, like an insurance company or a law firm.
Still, HHS insists that the 2016 Guidance works no change in the legal obligations of regulated entities. Although HHS accepts that the original Patient Rate rule "did not govern the fees that covered entities charge for providing [PHI] to designated third parties," Defs.' Summ. J. Mem. at 27 (citing 65 Fed. Reg. 82,557 ), it claims "that [policy] was overtaken by the HITECH Act and subsequent modification of the Privacy Rule in 2013," id. In other words, according to HHS, the 2016 Guidance "at most clarifies HHS's position regarding the effect of the 2013 rule," Defs.' Mot. to Dismiss at 25, and therefore it "is not a certain change in the legal obligations of a party," as required to qualify as a final agency action, Nat'l Ass'n of Home Builders v. Norton , 415 F.3d 8, 15 (D.C. Cir. 2005). The agency's argument, however, misreads the HITECH Act and misunderstands the regulatory history.
The HITECH Act does not speak to the allowable fees for PHI that a person directs to a third party. Rather, the Act provides that, "[i]n applying [ 45 C.F.R. § 164.524 ]," "notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information ... if such copy ... is in an electronic form shall not be greater than the entity's labor costs in responding to the request for the copy." 42 U.S.C. § 17935(e)(3) (emphasis added). Thus, the plain text of the HITECH Act's fee limit concerns "providing" PHI in electronic form to "such individual," not to a third party. Id. This reading is buttressed by the neighboring statutory language used to create the third-party directive, which provides that individuals shall have the right to "to direct the covered entity to transmit such copy direct to an entity or person designated by the individual," i.e., a third party. Id. § 17935(e)(1). Congress thus clearly understood how to reference third parties in the HITECH Act when it wanted to but elected not to do so when establishing the fee limitation. Also, it stands to reason that, by expressly referencing the existing Patient Rate regulation, Congress did not intend to modify the then-existing scope of the Patient Rate, which, since its inception in 2000, applied only to delivery of PHI to the individual requester, and not to third parties. If Congress had intended to expand the Patient Rate beyond its original parameters, the court would have expected it to say so more clearly. See Whitman v. Am. Trucking Ass'ns , 531 U.S. 457, 468, 121 S.Ct. 903, 149 L.Ed.2d 1 (2001) ("Congress, we have held, does not alter the fundamental details of a regulatory scheme in vague terms or ancillary provisions—it does not, one might say, hide elephants in mouseholes."). Thus, contrary to HHS's position, the 2016 Guidance does not merely "clarify" the requirements of the HITECH Act.
Nor does the 2016 Guidance "clarify" the 2013 Omnibus Rule. That Rule did not untether the Patient Rate from its original personal-use moorings established in 2000. To the contrary, the Rule and the accompanying Federal Register discussion are silent as to the Patient Rate's applicability to third-party directives. To the extent the 2013 Omnibus Rule addressed the Patient Rate, its focus was on defining the Rate's recoverable cost components, not broadening the Rate's reach beyond its original scope. See 78 Fed. Reg. at 5,635 –36. When asked at oral argument to point to where in the 2013 Omnibus Rule the agency notified the industry that it had pivoted from its over-decade-old position and expanded the Patient Rate to third-party directives, agency counsel referenced the following explanatory text accompanying the Rule:
Section [17935(e) ] of the HITECH Act strengthens the Privacy Rule's right of access with respect to covered entities that use or maintain an [EHR] on an individual. Section [17935(e) ] provides that when a covered entity uses or maintains an EHR with respect to [PHI] of an individual, the individual shall have a right to obtain from the covered entity a copy of such information in an electronic format and the individual may direct the covered entity to transmit such copy directly to the individual's designee.... Section [17935(e) ] also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity's labor costs in responding to the request for the copy.
See Hr'g Tr., ECF No. 41, at 16:4–19:3 (citing 78 Fed. Reg. at 5,631 ) (emphasis added). But that passage is no more than the agency's summation of the HITECH Act's new provisions; the Act, as discussed, did not alter the status quo as to the Patient Rate's coverage. The summary passage also falls well short of the type clear recognition and articulation of a policy change required under the APA. Cf. FCC v. Fox Television Stations, Inc. , 556 U.S. 502, 515, 129 S.Ct. 1800, 173 L.Ed.2d 738 (2009) ("To be sure, the requirement that an agency provide reasoned explanation for its action would ordinarily demand that it display awareness that it is changing position. An agency may not, for example, depart from a prior policy sub silentio ...."). The 2013 Omnibus Rule therefore did not alter the legal landscape as it had stood since 2000 with respect to the Patient Rate. Accordingly, the 2016 Guidance's broadening of the Patient Rate is a final agency action subject to review.
As further evidence that the 2013 Omnibus Rule did not work a change, Ciox's counsel represented that it had reviewed all comments from the 2013 Regulation's notice-and-comment process, and not one comment discussed the Patient Rate applying to third-party directives. See Hr'g Tr., ECF No. 41, at 53:17–54:1.
b. Costs Included in the Patient Rate
The next aspect of the 2016 Guidance challenged by Ciox is its exclusion from the Patient Rate those labor costs associated with accessing, searching for, and compiling PHI. See Compl. ¶¶ 51–53, 76. HHS, once more, asserts that this portion of the 2016 Guidance is not final, because it does not impose any rights, obligations, or legal consequences on regulated entities; rather, it "publicly clarifies HHS's position about what 45 C.F.R. § 164.524(c)(4)(i) has always meant by allowing covered entities to charge labor costs for copying." Defs.' Mot. to Dismiss at 25. For its part, Ciox describes the 2016 Guidance's directions on allowable labor costs as a "dramatic change[ ] to the component terms of the Patient Rate," Compl. ¶ 51, one that conflicts with the plain terms of the 2013 Omnibus Rule, which allowed recovery of the costs of "skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media, and distributing the media." 78 Fed. Reg. at 5,636.
The 2016 Guidance's directives concerning allowable labor costs give rise to "direct and appreciable legal consequences." Bennett , 520 U.S. at 178, 117 S.Ct. 1154. On this topic, the 2016 Guidance reads like a recipe from which a chef is not permitted to deviate. See 2016 Guidance at 10–12. It starts by stating that covered entities may charge individuals a fee for providing a copy of PHI "but only within specific limits." Id. at 10. Reasonable labor costs include "only"—the underscore for emphasis is in the Guidance itself—the "labor for copying the PHI requested by the individual, whether in paper or electronic form." Id. at 11. "Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied." Id. Examples of covered labor activities contained in the 2016 Guidance include "[p]hotocopying paper PHI"; "[s]canning paper PHI into an electronic format"; converting from one electronic format to another; transferring electronic PHI from a covered entity's system to an electronic delivery system or platform, like a web-based portal, portable media, or email; and creating or executing an email with responsive PHI. Id. at 12. The Guidance is equally precise in identifying what is not included in the Patient Rate. "[L]abor for copying does not include labor costs associated with: [r]eviewing the request for access," and "[s]earching for, retrieving, and otherwise preparing the responsive information for copying." Id. This latter excluded cost category covers "labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying." Id. The 2016 Guidance thus seeks to draw a bright line between the labor costs incurred in the process of duplicating and delivering PHI—which are recoverable—and the labor costs antecedent to duplication and delivery—which are not. See id. at 10. HHS made sure regulated entities understood that this "clarification" represented the agency's interpretation of the Patient Rate, see id. ("This clarification is important to ensure that the fees charged reflect only what the Department considers ‘copying’ for purposes of applying 45 CFR 164.524(c)(4)(1) ...."), and reminded them that it "will take enforcement action where necessary," id. at 11. The 2016 Guidance's firm prescriptions as to what can and cannot be included in the Patient Rate, when coupled with the attendant enforcement threat in the event of noncompliance, create actual legal consequences for regulated entities that render this challenged aspect of the Guidance a final agency action.
Allowable reasonable labor costs also include "labor to prepare an explanation or summary of PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged." Id.
HHS's insistence that the 2016 Guidance breaks no new ground and merely "publicly clarifies" what the regulations have meant all along, Defs.' Mot. to Dismiss at 25, does not defeat its classification as a final agency action. In Hawkes Co. , the Supreme Court described its earlier decision in Frozen Food Express v. United States , 351 U.S. 40, 76 S.Ct. 569, 100 L.Ed. 910 (1956), as follows:
[There,] we considered the finality of an order specifying which commodities the Interstate Commerce Commission believed were exempt by statute from regulation, and which it believed were not. Although the order "had no authority except to give notice of how the Commission interpreted" the relevant statute, and "would have effect only if and when a particular action was brought against a particular carrier," Abbott , 387 U.S. at 150, 87 S.Ct. 1507, we held that the order was nonetheless immediately reviewable, Frozen Food , 351 U.S. at 44–45, 76 S.Ct. 569. The order, we explained, "warns every carrier, who does not have authority from the Commission to transport those commodities, that it does so at the risk of incurring criminal penalties." Id. at 44, 76 S.Ct. 569.
Hawkes Co. , 136 S. Ct. at 1815. The same is true of the 2016 Guidance in this case. It too expresses the agency's view, in categorical terms, as to what costs are covered by the Patient Rate. Any regulated entity that runs afoul of this aspect of the 2016 Guidance does so at the risk of inviting an agency investigation and incurring civil penalties. Indeed, the agency has noticed its intention to enforce the Patient Rate, as it is interpreted in the 2016 Guidance, on multiple occasions. See Ciox Letter (letter from HHS to Ciox opening an investigation into charging fees in excess of the Patient Rate, though the agency later closed the investigation claiming lack of enforcement authority); Pl.'s Reply to Defs.' Suppl. Filing, Decl. of Marla Herndon DeLatte, ECF No. 38-1, ¶ 4 & Ex. A, ECF No. 38-2, at 2, 4, 6 (announcing an investigation of MedSouth, a records management company, for charging in excess of the Patient Rate). Thus, like the order in Frozen Foods , the 2016 Guidance's directive on the permissible components of the Patient Rate qualifies as a final agency action.
c. Three Methods for Calculating the Patient Rate
The court reaches a different conclusion with respect to the last portion of the 2016 Guidance challenged by Ciox—HHS's listing of three methodologies for calculating the Patient Rate. That aspect of the Guidance, unlike those previously discussed, "imposes no obligations, prohibitions, or restrictions." Valero Energy Corp. , 927 F.3d at 536. Rather, in recognizing three ways in which to calculate the Patient Rate, the 2016 Guidance speaks in permissive, not mandatory, terms. See Nat'l Ass'n of Home Builders , 415 F.3d at 14 (finding an agency action to be non-final that was "consistently referred to in agency documents as ‘recommended,’ rather than mandatory"). The Guidance states that "[t]he following methods may be used, as specified below, to calculate [the Patient Rate]:" actual costs, average costs, or a $6.50 flat fee. 2016 Guidance at 14–15 (emphasis added). The 2016 Guidance confirms that no one method is mandated. It provides that, even where an entity generally chooses to use the average cost or flat-fee methods, it is free to use the actual cost method when it "receive[s] an unusual or uncommon type of request that it had not considered in setting up its fee structure." Id. at 15. Furthermore, the Guidance makes clear that $6.50 is not the maximum allowable fee for PHI. It answers "No" to the question "Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their PHI?" Id. At bottom, whatever method an entity chooses to calculate the Patient Rate, the 2016 Guidance makes clear that the entity is compliant so "long as the costs [assessed] are reasonable and only the type permitted by the Privacy Rule." Id.
Ciox acknowledges that the 2016 Guidance uses permissive language to describe the three ways of calculating the Patient Rate, but nevertheless contends that "the key point here is that [the Guidance] allow[s] CIOX to choose only from these three methods and expressly bar[s] Ciox from charging the traditional state-authorized rates it would prefer." Pl.'s Opp'n Mem. at 39. In that way, Ciox says, this case is controlled by the D.C. Circuit's decision in General Electric Co. v. EPA , 290 F.3d 377 (D.C. Cir. 2002), in which the court purportedly "had no trouble recognizing that [ ] optionality does not make a guidance any less mandatory," Pl.'s Opp'n Mem. at 39. But that argument is unpersuasive. Nowhere does the 2016 Guidance state, expressly or otherwise, that the three identified methods are the only acceptable means of calculating the Patient Rate. Ciox is free to use any method it wishes to calculate the Patient Rate, so long as it produces a reasonable fee that includes only "certain labor, supply, and postage costs," as authorized by § 164.524(c)(4). 2016 Guidance at 13.
Nor does General Electric help Ciox. In that case, the court considered an EPA guidance document that offered two alternatives to obtaining preapproval for waste disposal based on a risk assessment approach, in lieu of approaches specified in the regulations. General Electric , 290 F.3d at 379. The EPA guidance specified that applicants may take "either of two approaches to risk assessment." Id. The applicant could either (1) calculate cancer and non-cancer risks separately or (2) use a defined "total toxicity factor" to account for cancer and non-cancer risks together. Id. (internal quotation marks omitted). The court found that the EPA guidance was a final agency action, although it did so in the context of determining that the controversy was ripe for judicial review. Id. at 380. The court also held—in the portion of the decision upon with Ciox relies—that the EPA guidance was a legislative rule, because it "bind[s] applicants for approval of a risk-based cleanup plan" under the controlling regulations. Id. at 384. The fact that the guidance presented two options for calculating risk did not change that assessment, the court explained, because the guidance "still requires [applicants] to conform to one or the other, that is, not to submit an application based upon a third way.... [I]n reviewing applications the Agency will not be open to considering approaches other than those prescribed in the Document." Id. Here, in sharp contrast, the three options that HHS presents for calculating the Patient Rate do not arise, as in General Electric , in the context of seeking agency approval pursuant to any regulation. See Cal. Cmtys. Against Toxics , 934 F.3d at 637 (directing that the Bennett prong-two determinations be made "based on the concrete consequences an agency action has or does not have as a result of the specific statutes and regulations that govern it"). In General Electric , unless the applicant conformed to the standards set forth in the EPA's guidance, it risked agency rejection of its cleanup plan. 290 F.3d at 384–85. No similar consequence attends the three methods set forth in the 2016 Guidance. Instead, the Guidance presents three options for calculating the Patient Rate, and it leaves it to the entity to decide which approach to use as appropriate. Thus, an entity is not directed to use any particular method and, indeed, the Guidance does not foreclose the possibility of using a different method altogether, so as long as it produces a reasonable fee that is consistent with the allowable component costs. Nor does the Guidance fix a cap on the Patient Rate. To the contrary, although it identifies a flat fee of $6.50 as one option, the Guidance expressly contemplates that in some instances a reasonable fee could exceed that amount. 2016 Guidance at 15. Thus, there is no specific legal consequence for charging in excess of $6.50 for delivery of PHI. As it presents no more than a non-exhaustive list of options for calculating the Patient Rate, that aspect of the 2016 Guidance is not a reviewable final agency action.
Ciox's additional complaint that it cannot charge the state-authorized rates it prefers does not transform the alternative methodologies into final agency action. That roadblock is attributable to a different aspect of the 2016 Guidance. Ciox admits that, under its business model, and as is typical of standard industry practice, it charges state-authorized rates only for PHI requests directed to third parties; it charges the Patient Rate, if at all, for personal requests. See Kabaria Decl. ¶¶ 11, 13, 17; Gartland Decl. ¶¶ 11–12; Compl. ¶¶ 31–32, 40. Thus, Ciox's lament that it cannot charge state-authorized rates is traceable to the Guidance's extension of the Patient Rate to third-party requests, not to the three identified methods for calculating the Patient Rate. That aspect of the 2016 Guidance therefore is not a reviewable agency action.
C. The Merits of Ciox's APA Claims
1. 2013 Omnibus Rule
At last, the court arrives at the merits of Ciox's claims, beginning with Count One. The 2013 Omnibus Rule modified the Privacy Rule to require providers to deliver an individual's PHI to third parties regardless of whether the information is contained in an EHR. See 45 C.F.R. § 164.524(c)(2)(i)–(ii), (3)(ii). It also obligated providers to make PHI available in "the format requested by the individual." Id. § 164.524(c)(2)(i)–(ii). Count One contests these changes. See Compl. ¶¶ 59–65. Ciox asserts that this expansion by rulemaking violates the APA "because it (1) conflicts with HITECH's plain language, and (2) exceeds HHS's lawful authority." Pl.'s Opp'n. Mem. at 29. The court concurs with both arguments.
Either framing of Ciox's APA claim in Count One is controlled by the Chevron framework. See Chevron, U.S.A., Inc. v. Nat. Res. Def. Council, Inc. , 467 U.S. 837, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984). In every challenge to agency action, "the question a court faces when confronted with an agency's interpretation of a statute it administers is always, simply, whether the agency has stayed within the bounds of its statutory authority. " City of Arlington v. FCC , 569 U.S. 290, 297, 133 S.Ct. 1863, 185 L.Ed.2d 941 (2013). Stated differently, "the question in every case is, simply, whether the statutory text forecloses the agency's assertion of authority, or not." Id. at 301, 133 S.Ct. 1863. The answer to that question is determined by following the Chevron two-step framework. See id. at 307, 133 S.Ct. 1863. Under that approach, "applying the ordinary tools of statutory construction, the court must [first] determine ‘whether Congress has directly spoken to the precise question at issue. If the intent of Congress is clear, that is the end of the matter; for the court, as well as the agency, must give effect to the unambiguously expressed intent of Congress.’ " Id. at 296, 133 S.Ct. 1863 (quoting Chevron , 467 U.S. at 842–43, 104 S.Ct. 2778 ). If, however, "the statute is silent or ambiguous with respect to the specific issue, the question for the court is whether the agency's answer is based on a permissible construction of the statute." Chevron , 467 U.S. at 843, 104 S.Ct. 2778.
The HITECH Act on its face is far more limited than the 2013 Omnibus Rule. It provides that, "in the case that a covered entity uses or maintains an [EHR] with respect to [PHI]," an individual has "a right to obtain" a "copy of such information in an electronic format" and to transmit "such copy" to a third party. 42 U.S.C. § 17935(e)(1). The Act says nothing about a right to transmit PHI contained in any format other than an EHR. This plain text limitation prompted HHS to observe during the rulemaking process that § 17935(e) "applies by its terms only to [PHI] in EHRs." 78 Fed. Reg. at 5,631.
Still, HHS insisted then, as it does now, that it has the authority to extend the third-party directive to reach PHI contained in formats other than EHRs. HHS justified this expansion during the rulemaking as follows:
Section [17935(e) ] applies by its terms only to [PHI] in EHRs. However, incorporating these new provisions in such a limited manner in the Privacy Rule could result in a complex set of disparate requirements for access to [PHI] in EHR systems versus other types of electronic records systems. As such, the Department proposed to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section [17935(e) ] of the HITECH Act more uniformly to all [PHI] maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR.
Id. Thus, during the rulemaking, HHS looked to another statute, section 264(c) of HIPAA, for its authority to expand the third-party directive, not the HITECH Act. Now, cloaking itself in section 264(c)'s "broad grant of authority from Congress to HHS as to the regulation of medical information," Defs.' Summ. J. Opp'n at 15 (quoting S.C. Med. Ass'n v. Thompson , 327 F.3d 346, 353 (D.C. Cir. 2003) ), HHS asserts that such "authority necessarily gives the Secretary the ability to change the standards and procedures he has established to reflect actual experience gained in implementing pre-existing Privacy Rule [regulations] as well as changes in technology and medical record-keeping practices," id. at 16.
HHS's argument suffers from multiple flaws. For one, neither the plain text nor the structure of the HITECH Act supports the agency's position. As HHS properly conceded during the rulemaking process, section 17935(e) "applies by its terms only to [PHI] in EHRs." 78 Fed. Reg. at 5,631. Moreover, section 17935(e) evinces no intent by Congress for HHS to take steps to augment or further define the third-party directive. In sharp contrast, in the preceding sub-paragraphs of § 17935—sections (b), (c), and (d)—Congress required HHS to fill in gaps left by the statute. See 42 U.S.C. § 17935(b)(1)(B) (stating that "the Secretary shall issue guidance on what constitutes ‘minimum necessary’ for purposes of subpart E of part 164 of [45 C.F.R.]"); § 17935(c)(2) (stating "[t]he Secretary shall promulgate regulations on what information shall be collected about each disclosure referred to in paragraph (1)"); § 17935(d)(3) (providing that "the Secretary shall promulgate regulations to carry out this subsection"). The absence of any similar directive by Congress in paragraph (e) is telling. "Congress knows to speak in plain terms when it wishes to circumscribe, and in capacious terms when it wishes to enlarge, agency discretion," City of Arlington , 569 U.S. at 296, 133 S.Ct. 1863, and here Congress spoke plainly in limiting the reach of the third-party directive. Timing is also relevant. The Privacy Rule preceded the HITECH Act by nearly a decade. So, Congress would have known when it enacted the HITECH Act in 2009 that the Privacy Rule, at that time, required covered entities to "provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual." 45 C.F.R. § 164.524(c)(2)(i) (2008). Yet, when it defined the reach of the third-party directive, Congress elected not to draw the directive as expansively as the Privacy Rule's guarantee of access "in the form or format requested by the individual." Instead, Congress created a more restricted patient right to transmit only an EHR "in an electronic format" to a third person. 42 U.S.C. § 17935(e)(1). HHS's fear that such a limited right would give rise to a hodgepodge of "disparate requirements" for accessing PHI cannot justify its "strengthen[ing] the [statutory] right of access." 78 Fed. Reg. at 5,631. "Disagreeing with Congress's expressly codified policy choices isn't a luxury administrative agencies enjoy." Cent. United Life Ins. Co. v. Burwell , 827 F.3d 70, 73 (D.C. Cir. 2016).
Nor can HHS turn to Section 264(c) of HIPAA as the source for its power to expand the third-party directive. As a threshold matter, whether HHS retains general rulemaking power under that statute is not free from doubt. Section 264 of HIPAA, which Congress passed in 1996, directed HHS to develop "detailed recommendations on standards with respect to the privacy of individually identifiable health information" and submit them to Congress within 12 months. HIPAA § 264(a) (formerly codified at 42 U.S.C. § 1320d-2 ). In the event Congress received the agency's recommendations but did not act within 36 months of the HIPAA's enactment, HIPAA directed HHS "to promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act." Id. § 264(c)(1) (formerly codified at 42 U.S.C. § 1320d-2 ). Congress did not act within the prescribed time, so the agency adopted final privacy regulations as directed. See generally HHS, Standards for Privacy of Individually Identifiable Health Information—Final Rule , 65 Fed. Reg. 82,462 (Dec. 28, 2000). HHS's power to promulgate additional individual-privacy regulations pursuant to § 264(c) thus arguably expired long ago. HHS nonetheless insists that its rulemaking authority pursuant to § 264(c) remains extant. See Defs.' Mot. for Summ. J. at 15–17, 19–21.
The court need not definitively resolve the issue. For even if HHS's power to make rules pursuant to § 264(c) is alive and well, an agency's general rulemaking authority cannot be used to expand a congressionally imposed restriction, see Teva Pharm. Indus. Ltd. v. Crawford , 410 F.3d 51, 55 (D.C. Cir. 2005) ; Nat. Res. Def. Council, Inc. v. Reilly , 976 F.2d 36, 41 (D.C. Cir. 1992), and "Congress's more specific enactment controls a prior grant of general authority," Helicopter Ass'n Int'l, Inc. v. FAA , 722 F.3d 430, 435 (D.C. Cir. 2013). In short, HHS cannot rely on its general rulemaking authority to supplement the limited-scope, third-party directive enacted by Congress. The 2013 Omnibus Rule's expansion of the third-party directive is therefore arbitrary and capricious. 2. 2016 Guidance
Ciox also argued that Defendants' interpretation of HIPAA § 264(c) would violate the non-delegation doctrine. See Pl.'s Mem. at 32–33. The court need not reach this issue.
That leaves Ciox's APA challenges to two aspects of the 2016 Guidance, which are Counts Two and Three of the Complaint, respectively: (1) applying the Patient Rate to third-party directives, and (2) excluding from the Patient Rate the labor costs of searching for and retrieving PHI. (The court already found the 2016 Guidance's identification of three methods to calculate the Patient Rate is a nonreviewable, nonfinal agency action.) With respect to both the Patient Rate expansion and the exclusion of certain labor costs from the Patient Rate, Ciox contends that those actions are procedurally invalid because they are legislative rules that HHS failed to subject to notice and comment. See Pl.'s Opp'n Mem. at 34–40. Additionally, Ciox maintains that the Patient Rate expansion is substantively invalid as it conflicts with the plain language of the HITECH Act. See id. at 40–43. The court first considers the parties' arguments concerning broadening the Patient Rate before turning to the limits placed on recoverable labor costs.
a. Patient Rate Expansion
The expansion of the Patient Rate in the 2016 Guidance is a legislative rule. "[L]egislative rules are those that grant rights, impose obligations, [ ] produce other significant effects on private interests, or ... effect a change in existing law or policy." Am. Tort Reform Ass'n v. Occupational Safety & Health Admin. , 738 F.3d 387, 395 (D.C. Cir. 2013) (internal quotation marks and citations omitted). Stated differently, a rule is legislative, and therefore must undergo notice and comment, when it "change[s] the law," Nat'l Res. Def. Council v. EPA , 643 F.3d 311, 320 (D.C. Cir. 2011), or "effectively amends a prior legislative rule," Am. Min. Cong. v. Mine Safety & Health Admin. , 995 F.2d 1106, 1112 (D.C. Cir. 1993). On the other hand, an agency action that merely "clarifies" the agency's interpretation of the legal landscape and that neither binds the agency nor "create[s] a new burden" on regulated entities is not a legislative rule. See Catawba County v. EPA , 571 F.3d 20, 34 (D.C. Cir. 2009) ; see also United Techs. Corp. v. EPA , 821 F.2d 714, 718 (D.C. Cir. 1987). In distinguishing between legislative and non-legislative rules, courts consider both the actual legal effects of the agency action and the agency's characterization of the action, see Nat'l Mining Ass'n v. McCarthy , 758 F.3d 243, 252 (D.C. Cir. 2014), though agencies cannot "avoid notice and comment simply by mislabeling their substantive pronouncements," Azar v. Allina Health Servs. , ––– U.S. ––––, 139 S. Ct. 1804, 1812, 204 L.Ed.2d 139 (2019).
Here, the 2016 Guidance works a change in the law with respect to the Patient Rate and therefore is a legislative rule that HHS had no authority to adopt without notice and comment. See Nat'l Res. Def. Council , 643 F.3d at 320. As explained above, the 2016 Guidance's unequivocal command that the Patient Rate applies to all third-party directives cannot be sourced to either the HITECH Act or the 2013 Omnibus Rule. Neither the legislation nor the regulations makes the Patient Rate applicable to third-party directives. The HITECH Act on its face applies the Patient Rate only to individual requests for PHI in electronic form, and the 2013 Omnibus Rule says nothing at all about the Patient Rate's application. Indeed, the 2016 Guidance represents an about-face from HHS's proclamation, made in 2000 when it first adopted the Privacy Rule and the Patient Rate, that "[w]e do not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual ," 65 Fed. Reg. at 82,557 (emphasis added), and "[t]he proposed and final rule establish the right to access and copy records only for individuals, not other entities ; the ‘reasonable fee’ is only applicable to the individual's request," id. at 82,754 (emphasis added); see also id. ("The Department's expectation is that other existing practices regarding fees, if any, for the exchange of records not requested by an individual will not be affected by this rule."). HHS could have made such a dramatic change only through notice and comment.
Having determined that HHS extended the Patient Rate to third-party directives in violation of the APA's notice-and-comment requirement, the question becomes whether the court should go on to resolve Ciox's substantive challenge. See Nat'l Res. Def. Council , 643 F.3d at 321. In so deciding, the court must be conscious not to "prejudge[e] the notice-and-comment process, the very purpose of which is to give interested parties the opportunity to participate in rulemaking and to ensure that the agency has before it all relevant information," but on the other hand, be mindful of whether passing on making a substantive determination would exacerbate the injury to Ciox and other affected entities. See id.
Having weighed these factors, the court declines to enter judgment on the merits of Ciox's substantive claim. Ciox's limited substantive challenge to the Patient Rate expansion is that it conflicts with the plain text of the HITECH Act. See Pl.'s Opp'n Mem. at 41–43. As discussed, the court does not read the HITECH Act to support the agency's expanded treatment of the Patient Rate to third-party directives. The court is reluctant, however, to commit that interpretation to a judgment out of concern that it could be viewed as foreclosing HHS from revisiting its original articulation, from 2000, of the Patient Rate's scope. Such a re-evaluation, if it is to occur, is better undertaken without a judgment from the court that might be viewed as prejudging a fulsome notice-and-comment process.
b. Exclusion of labor costs for search and retrieval
The 2016 Guidance's exclusion of skilled technical staff time to search and retrieve PHI from the Patient Rate is an interpretive rule that the agency was not required to subject to notice and comment. Although the court held this proscription to be final for purposes of judicial review, it is not a legislative rule because it breaks no new legal ground but merely clarifies ambiguity arising from the 2013 Omnibus Rule. See Cal. Cmtys. Against Toxics , 934 F.3d at 635 (drawing a distinction between finality analysis and rule classification under the APA); see also Cellnet Commc'n, Inc. v. FCC , 965 F.2d 1106, 1110–11 (D.C. Cir. 1992), as amended (Sept. 4, 1992) (holding that an agency's action that "resolved an ambiguity" in its own rules was not a legislative rule because it "clarified, rather than changed, the rules"); United Techs. Corp. v. EPA , 821 F.2d 714, 718 (D.C. Cir. 1987) (explaining that a rule is interpretive, not legislative, when it "simply states what the administrative agency thinks the underlying [law] means, and only reminds affected parties of existing duties" (cleaned up)).
Contrary to Ciox's contention, the 2013 Omnibus Rule did not authorize entities to bill for, under the Patient Rate, skilled technical staff time devoted to "segregate, collect, compile, and otherwise prepare the responsive [PHI] for copying." See Pl.'s Combined Reply Mem. in Supp. of Mot. for Summ. J. and in Opp'n to Defs.' Cross-Mot., ECF No. 25, at 18 (quoting 2016 Guidance at 12). The Rule itself is vague as to the specifics, providing only that the Patient Rate includes "[l]abor for copying the protected health information requested by the individual, whether in paper or electronic form." 45 C.F.R. § 164.524(c)(4)(i). The explanatory text accompanying the 2013 Omnibus Rule tried to provide some clarity. It attempted to draw a line between labor costs incurred in identifying and retrieving PHI, which is not recoverable, and the labor costs associated with copying such information, which is recoverable. The 2013 Omnibus Rule explained that,
although the proposed rule indicated that a covered entity could charge for the actual labor costs associated with the retrieval of electronic information, in this final rule we clarify that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs). This interpretation will ensure that the fee requirements for electronic access are consistent with the requirements for hard copies, which do not allow retrieval fees for locating the data.
78 Fed. Reg. at 5,636 (emphasis added). The 2013 Omnibus Rule thus tried to make clear that labor associated with "locating the data" is excluded from the Patient Rate. The 2016 Guidance draws the same line. It states that "copying" costs include "labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. " 2016 Guidance at 11 (emphasis added). So, the labor costs associated with preparing the responsive information for copying cannot be recovered, but the labor costs incurred in copying can be.
To be sure, HHS bears responsibility for any industry uncertainty as to what precise actions qualify as "[l]abor for copying" PHI that can be charged under the Patient Rate. 45 C.F.R. § 164.524(c)(4)(i). In 2013, the agency wrote that "labor costs included in [the Patient Rate] could include skilled technical staff time spent to create and copy the electronic file, such as compiling , extracting, scanning and burning [PHI] to media." 78 Fed. Reg. at 5,636 (emphasis added). But in 2016, the agency stated that the Patient Rate "does not include labor costs associated with ... segregat[ing], collect[ing], compil[ing] , and otherwise prepar[ing] the responsive information for copying." 2016 Guidance at 12 (emphasis added). The overlapping use of the verb "compile," along with the use of near synonyms such as "extract" and "collect," is surely a source of great confusion—and frustration—within the industry. But the agency's word soup does not alter what the Privacy Rule allows, which is recovery of the costs of "[l]abor for copying [PHI]," as distinct from the costs incurred from pre-copying activities. 45 C.F.R. § 164.524(c)(4)(i). The 2016 Guidance's instructions concerning the component costs of the Patient Rate therefore do not qualify as a legislative rule.
For the foregoing reasons, the court grants in part and denies in part Defendants' Motion to Dismiss, ECF No. 9, grants in part and denies in part Ciox's Cross-Motion for Summary Judgment, ECF No. 12, and grants in part and denies in part Defendants' Cross-Motion for Summary Judgment, ECF No. 22.
Consistent with this Memorandum Opinion, the court (1) declares unlawful and vacates the 2013 Omnibus Rule insofar as it expands the HITECH Act's third-party directive beyond requests for a copy of "an [EHR] with respect to [PHI] of an individual ... in an electronic format," 42 U.S.C. § 17935(e) ; and (2) declares unlawful and vacates the 2016 Guidance insofar as it, without going through notice and comment, extends the Patient Rate to reach third-party directives.
A final order accompanies this Memorandum Opinion.