United States: Obama-Era Administrative Overreach And Its Multi-Billion Dollar Adverse Impact On The U.S. Health Care System

The Trump Administration has prioritized the elimination of overreaching regulations:1 In FY 2017, the Trump Administration reduced lifetime net regulatory costs across all agencies by $8.1 billion ($570 million per year). Further, it committed to reducing net lifetime regulatory cost in FY '18 by another $9.8 billion ($686.6 million per year).2 By contrast, the Obama-Era Department of Health and Human Services ("HHS") imposed in just one single example of its administrative overreach almost $22 billion in lifetime regulatory costs3 (more than 1.5 billion per year) on health care providers when it issued regulations and sub-regulatory guidance purporting to implement just one statute, as discussed more fully below.

Under the Obama Administration, HHS Unlawfully Imposed Almost $22 Billion in Net Lifetime Regulatory Costs on Health Care Providers by Requiring that They Provide Voluminous Patient Health Records to Commercial Third Parties (Mostly Trial Attorneys) at the Subsidized, Below Cost "Patient Rate": HHS promulgated regulations in 2013 (the "2013 Omnibus Rule")4 and then issued sub-regulatory guidance in 2016 (the "2016 Guidance")5 that purported to implement the health record access provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")6, as amended by the Health Information Technology for Clinical and Economic Health Act ("HITECH")7. HHS acted beyond its authority when issuing the 2013 Omnibus Rule and the 2016 Guidance. As a consequence of this administrative overreach, HHS imposed more than $1.5 billion in annual costs (approx. $21.7 billion in net lifetime regulatory costs) on health care providers and their business associates, virtually all to the benefit of malpractice lawyers, without providing any benefit to the health care system.8 In fact, far from providing a benefit to patient care, the 2013 Omnibus Rule and the 2016 Guidance impose a lifetime burden of almost $22 billion on the health care system.

HIPAA - A Guiding Principle of HIPAA was to "make the exchange of protected health information relatively easy for health care purposes".9 HIPAA and it implementing regulations (the "Privacy Rule")10 have long provided individuals with a broad right of access to their own health records. To ensure access, HIPAA limited the fees that providers can charge individuals for copies of their records to the labor costs for copying and the cost of supplies, while foreclosing recovery of other costs, such as those incurred for record search, retrieval, handling, and ensuring compliance with the disclosure limitations of HIPAA. Importantly, however, this below cost, subsidized "Patient Rate" was never intended to apply to fees charged to third parties.11/12 However, today, attorneys and other commercial third parties are exploiting the 2013 Omnibus Rule and the 2016 Guidance to force health care providers to provide them with records at a financial loss estimated by Leavitt Partners at $1.52 billion per year, and HHS is reinforcing this behavior.

HITECH - The Primary Purpose of HITECH was to Encourage Interoperability for Health Care Purposes by Promoting "the Adoption and Meaningful Use of Interoperable Health Information Technology and Qualified Electronic Health Records."13 It Was Not Intended to Be Subverted to Benefit Commercial Third Parties Seeking Vast Stores of Patient Health Information, Often Covering Decades of Treatment, That Have to be Manually Compiled and Provided at the Patient Rate. HITECH also amended HIPAA to codify a limited "Third Party Directive" right by which an individual could direct copies of his or her electronic health record (and only the electronic health record) to third parties, provided that the subject patient's health care provider, in fact, maintained such an electronic health record.14 Moreover, when considered in the full context of HITECH, it is clear that the focus of the directive right was intended to be the Qualified Electronic Health Record (as defined by HITECH).15 This right to direct the Qualified Electronic Health Record made sense. It "promote[d] the adoption and meaningful use of interoperable health information technology and Qualified Electronic Health Records".16 It allowed patients to participate in their own health care decisions by forwarding the readily available electronic record to a third party without adding undue burden to the health care system and without creating a multi-billion dollar windfall to trial attorneys.

The Obama Administration Lacked the Statutory Authority to Expand the Reach of (1) the Third Party Directive from the Qualified Electronic Health Record to Any and All Health Information and (2) the Patient Rate from Just Patients, their Health Care Providers, and their Personal Representatives to Commercial Third Parties. This Combined Administrative Overreach Stymied HITECH's Health Care Interoperability Initiative by Imposing Billions in Unnecessary and, Indeed, Unlawful Cost on Providers :

First, while acknowledging that the statutory Third Party Directive applied only to the electronic health record18, HHS promulgated a wide-ranging regulatory directive that applied broadly to all patient health information in any form or media, regardless of whether it was part of the Qualified Electronic Health Record or not. That administrative action was in direct conflict with the limits of the HITECH Act. Making matters worse, HHS claimed authority to do so by express reliance upon section 264(c) of HIPAA. This reliance was misplaced and, indeed, unlawful because section 264(c) was enacted for the very specific and time-limited purpose of promulgating HIPAA's Privacy Rule, and the authority granted in that section had already expired by its terms more than 13 years before the promulgation of the 2013 Omnibus Rule.19/20

Second, three years later, HHS issued its 2016 Guidance, stating that third parties, acting pursuant to a Third Party Directive, were entitled to the benefits of the Patient Rate.21 This new substantive rule was promulgated without congressional authority, and without satisfying the requirements of the Administrative Procedure Act.

THE PROBLEM - The 2013 Omnibus Rule and the 2016 Guidance Are Now Being Exploited to Provide a Multi-Billion Dollar Windfall to Malpractice Attorneys and Other Commercial Third Parties at the Expense of the Health Care System. The 2013 Omnibus Rule and the 2016 Guidance taken together created a windfall for malpractice lawyers - 99% of all Third Party Directive demands are made for the benefit of trial attorneys - and other commercial third parties who are now demanding production of "any and all" patient health records in a variety of media and format, located in multiple locations, and often covering decades of health care by simply paying the below-cost, federally mandated Patient Rate.22 These discovery demands can often require the production of thousands of pages of records that have nothing to do with a patient's present health concerns. As a result, health care providers, large and small alike, including non-profit institutions and small doctor's offices and rural clinics, are bearing new incremental costs of more than $1.5 billion annually (almost $22 billion in net lifetime regulatory cost) for the production of patient health records to commercial third parties who are exploiting the special Patient Rate that was formerly reserved for treatment purposes.

THE SOLUTION - Correct the Obama-Era Administrative Overreach By Stating that the Third Party Directive Applies only to the Qualified Electronic Health Record and that the Patient Rate Is Available Only to Patients and Their Health Care Providers and Personal Representatives, as Intended: The 2013 Omnibus Rule and the 2016 Guidance unlawfully extend the reach of the Third Party Directive and the Patient Rate, virtually all to the benefit of malpractice lawyers, and to the great detriment of the health care system. The Guidance should be withdrawn. Moreover, HHS should immediately clarify that: (1) a commercial third party's right to receive a copy of an individual's health records, pursuant to a "Third Party Directive", extends only to the Qualified Electronic Health Record referred to as the Continuity of Care Document ("CCD"); and (2) the "Patient Rate" does not apply to records produced to third parties, except in the very limited circumstance in which the third party is serving as the individual's personal representative for health care decisions.

This solution would provide a major deregulation victory to the Administration while eliminating $22 billion in lifetime regulatory cost which, left uncorrected, will be borne by the U.S. health care system.


1 E.g., Executive Order 13777, issued February 24, 2017.

2 Fact Sheet, President Donald J. Trump is Delivering on Deregulation, issued on December 14, 2017.

3 This figure was calculated using the same methodology employed by the Administration when calculating the net lifetime regulatory cost savings in the Fact Sheet referenced at note ii above. For a cost that continues in perpetuity, the calculation for present value using the discount rate assumed in the Fact Sheet (7%) is (annualized cost) / (discount rate). The calculation is $1,520 / 7% = $21,714m.

4 See Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013).

5 Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524.

6 Pub. L. No. 104-191, 110 Stat. 1936 (1996).

7 Pub. L. No. 111-5, 123 Stat. 226 (2009).

8 Broad Patient Directive and February OCR Guidance May Trigger a $1.52 Billion Cost Shift to Providers (Leavitt Partners).

9 See 64 Fed. Reg. 59918, 59940.

10 See 65 Fed. Reg. 82462

11 As HHS made clear at the time, it did not "intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual." 65 Fed. Reg. 82557.

12 In fact, extending the "Patient Rate" to commercial third parties would have been inconsistent with one of HIPAA's primary goals, which was to ensure the confidentiality of patient PHI. The Privacy Rule focused not only on ensuring patient access but also, as the name suggests, on ensuring the privacy/confidentiality of patient records. Once patient records are given to non-HIPAA covered entities (e.g. commercial third parties), those records are no longer subject to HIPAA's use and disclosure restrictions.

13 75 Fed. Reg. 44314, 44316. (Emphasis Added.)

14 Section 13405(e) of HITECH (codified at 42 U.S.C. §17935(e)(1) states, in part: In applying section 164.524 of Title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to the protected health information of an individual - the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific. (Emphasis Added.)

15 A review of the relevant health IT certification criteria regulations suggests that the Third Party Directive should only apply to the data typically contained in the certified Continuity of Care Document ("CCD"). 45 C.F.R. §170.315 (10-1-16 Edition)

16 Supra at note xiii.

17 See supra at notes ii and viii

18 See the Preamble to the 2013 Omnibus Rule (78 Fed. Reg. at 5631), which states, in part:

Section 13405(e) [of the HITECH Act] applies by its terms only to protected health information in EHRs. However, incorporating these new provisions in such a manner in the Privacy Rule could result in a complex set of disparate requirements for access to protected health information in EHR systems versus other types of electronic records systems. As such, the Department proposes to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section 13405(e) of the HITECH Act more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR. (Emphasis Added.)

19 See HIPAA §264 (formerly codified at 42 U.S.C. §1320d-2). Click Here for HIPAA.

20 See, e.g., Association of American Physicians and Surgeons, Inc. v. FDA, 226 F. Supp. 2d 204, 222 (D.D.C. 2002) (Administrative agencies do not have the authority to promulgate regulations that exceed the authority granted by statute, irrespective of whether the agency believes that its actions advance preferable public policy.).

21 See, the 2016 Guidance (the Patient Rate applies "regardless of whether the individual has requested that the copy of the PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn't matter who the third party is".)

22 Supra notes v and xxi.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions