Ciox Health, LLC v. Hargan ( 2020 )

                       UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
_________________________________________
)
CIOX HEALTH, LLC,                          )
)
Plaintiff,                           )
)
v.                            ) Case No. 18-cv-00040 (APM)
)
ALEX AZAR, et al.,                         )
)
Defendants.                          )
_________________________________________ )
MEMORANDUM OPINION
I.     INTRODUCTION
Plaintiff Ciox Health, LLC (“Ciox”) is a specialized medical-records provider that
contracts with healthcare suppliers nationwide to maintain, retrieve, and produce individuals’
protected health information (“PHI”). Ciox handles tens of millions of records requests annually
for its clients. Such requests include PHI demands by healthcare providers for treatment purposes,
patients asking for their own PHI, and third parties, such as life insurance companies and law firms,
seeking a patient’s PHI for commercial or legal reasons.
This case centers on various legal restrictions and conditions placed on producing PHI.
Most significantly, it concerns what a company like Ciox can charge for searching for, retrieving,
and delivering PHI. To ensure that patient access to PHI is not thwarted by excessive fees, the
United States Department of Health and Human Services (“HHS”) has adopted rules that limit
what companies may charge for delivering PHI. These restrictions are known as the “Patient
Rate.” For years, the medical records industry understood that the limitations imposed by the
Patient Rate applied only to requests for PHI made by the patient for use by the patient. For other
types of requests, such as those made by commercial entities, like insurance companies and law
firms, the records industry understood that the allowable fee was not restricted by the Patient Rate.
That understanding changed, however, in 2016, when HHS issued a guidance document, which
stated that the Patient Rate applies even to requests to deliver PHI to third parties. This change,
according to Ciox, caused Ciox and other medical records companies to lose millions of dollars in
revenue. Ciox challenges the 2016 expansion of the Patient Rate as violative of the procedural
and substantive protections of the Administrative Procedure Act (“APA”).
In addition to the scope of the Patient Rate, Ciox also contests two additional
pronouncements made by HHS in the 2016 guidance document. The first addresses the types of
labor costs that are recoverable under the Patient Rate. The second concerns three alternative
methods identified for calculating the Patient Rate. Ciox argues that these actions violate the
APA’s procedural and substantive provisions. Ciox also challenges under the APA a regulation
adopted in 2013, which requires records companies to send PHI to third parties regardless of the
format in which the PHI is contained and in the format specified by the patient. According to
Ciox, Congress required only that certain types of electronic health records be delivered to third
parties, not all records regardless of their format, as HHS’s regulations now command.
Before the court is HHS’s motion to dismiss and the parties’ cross-motions for summary
judgment. For the reasons discussed below, HHS’s motion to dismiss is granted in part and denied
in part, and the parties’ cross-motions are granted in part and denied in part. The court rejects the
agency’s grounds for dismissal in all respects, except one: the court finds that the agency’s three
methods for calculating the Patient Rate is not a reviewable final agency action. That claim is thus
dismissed. As for the parties’ cross-motions, the court holds that: (1) HHS’s 2013 rule compelling
delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar
as it goes beyond the statutory requirements set by Congress; (2) HHS’s broadening of the Patient
2
Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation
of the APA; and finally, (3) HHS’s 2016 explanation concerning what labor costs can be recovered
under the Patient Rate is an interpretative rule that HHS was not required to subject to notice and
comment. Accordingly, the court declares unlawful and vacates (1) the 2016 Patient Rate
expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format.
II.    BACKGROUND
A.      Statutory and Regulatory Background
1.      HIPAA and the Privacy Rule (2000)
In 1996, Congress passed the Health Insurance Portability and Accountability Act
(“HIPAA”) to “encourag[e] the development of a health information system,” and tasked the
Department of Health and Human Services (“HHS”) with providing Congress recommendations
on standards with respect to PHI, including individuals’ rights to their PHI, the procedures for
exercising such rights, and the authorized uses and disclosure of PHI. See Pub. L. 104-191, title
II, §§ 261, 264(a)–(b), 110 Stat. 1936, 2021, 2033 (1996). Congress directed HHS to make its
recommendations regarding PHI within 12 months of HIPAA’s enactment. 

HIPAA
also provided that, if Congress did not act on the agency’s recommendations within 36 months of
HIPAA’s enactment, HHS would be required to promulgate regulations regarding PHI within six
months of the 36-month period’s expiration. 

HHS timely made the required privacy
recommendations to Congress, but Congress failed to enact legislation, thus triggering HHS’s
rulemaking authority under HIPAA. In 2000, HHS issued a final rule, known as the “Privacy
Rule.” See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg.
82,462 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.500 et seq.).
3
Critical to understanding the parties’ dispute is the distinction that the Privacy Rule draws
between “covered entities” and “business associates.” The Privacy Rule is directed primarily to
regulating “covered entities.”     See 45 C.F.R. § 164.500(a) (stating that “the standards,
requirements, and implementation specifications of this subpart apply to covered entities with
respect to [PHI]”). A “covered entity” includes health plans, health care clearinghouses, and health
providers that “transmit[] any health information in electronic form in connection with a [covered]
transaction.” 

The Privacy Rule also regulates “business associates,” albeit to a
lesser extent than covered entities. See, e.g., 

(setting forth permitted uses and
disclosures for both covered entities and business associates); 

(setting forth
terms for business associate contracts and subcontracts). A “business associate,” generally
speaking, operates on behalf of a covered entity and “creates, receives, maintains, or transmits
protected health information for a [regulated] function or activity.” 

Business
associates include a “person that offers a personal health record to one or more individuals on
behalf of a covered entity” and a “subcontractor that creates, receives, maintains, or transmits
protected health information on behalf of the business associate.” 

definitions,
Plaintiff Ciox Health, LLC (“Ciox”) qualifies as a “business associate,” and not a “covered entity.”
See Ciox Health’s Compl. for Declaratory and Injunctive Relief, ECF No. 1 [hereinafter Compl.],
¶ 5.
As relevant here, the Privacy Rule establishes an individual’s right to access PHI and the
permissible fee that can be charged for such production. See generally 45 C.F.R. § 164.524. For
requests brought by an individual seeking her own PHI—known as a “personal use request”—the
Privacy Rule permits a “covered entity” to “charge a reasonable, cost-based fee.”                

The court refers to this “reasonable, cost-based fee” as the “Patient Rate.” As
4
originally enacted, the Privacy Rule provided that the Patient Rate could comprise the following
elements: (1) the cost of “[c]opying, including the costs of supplies for and labor for copying, the
[PHI]”; (2) “[p]ostage, when the individual has requested the copy, or the summary or explanation,
be mailed”; and (3) “[p]reparing an explanation or summary of the [PHI].” 

(iii) (2012). Notably, the Patient Rate excluded other common costs associated with maintaining
and producing PHI, such as costs of data storage, data infrastructure, and document retrieval.
See 65 Fed. Reg. at 82,557; Compl. ¶ 31.
When HHS promulgated the Privacy Rule in 2000, it made clear that the purpose of the
Patient Rate was to ensure that individuals would not be deterred from seeking PHI due to its cost.
The inclusion of a fee for copying is not intended to impede the
ability of individuals to copy their records. Rather, it is intended to
reduce the burden on covered entities. If the cost is excessively
high, some individuals will not be able to obtain a copy. We
encourage covered entities to limit the fee for copying so that it is
within reach of all individuals.
65 Fed. Reg. at 82,577. Conversely, when the cost of obtaining and transmitting PHI was to be
borne by someone other than the patient, HHS did not require charging the Patient Rate.
We do not intend to affect the fees that covered entities charge for
providing protected health information to anyone other than the
individual. For example, we do not intend to affect current practices
with respect to the fees one health care provider charges for
forwarding records to another health care provider for treatment
purposes.

Elsewhere in the Final Rule HHS stated:
The proposal and the final rule establish the right to access and copy
records only for individuals, not other entities; the ‘reasonable fee’
is only applicable to the individual’s request. The Department’s
expectation is that other existing practices regarding fees, if any, for
the exchange of records not requested by an individual will not be
affected by this rule.
5

(emphasis added). Thus, the Final Rule made an express distinction between patient-
requested PHI and non-patient-requested PHI. The Patient Rate applied to the former but not the
latter.
2.       The HITECH Act (2009)
Nearly a decade later, in 2009, Congress passed the Health Information Technology for
Economic and Clinical Health Act, or HITECH Act, in response to the growth of distinct digital-
record formats and storage systems. Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 226 (2009).
The HITECH Act made two key changes relevant to this litigation.
The first is that it created the “third-party directive,” a simplified process for requesting
delivery of certain PHI to third persons. Under the pre-2009 Privacy Rule, a covered entity was
prohibited from releasing PHI stored in any format to a third party without a “valid authorization.”
45 C.F.R. §§ 164.502(a)(1)(iv) (2008). Such an authorization was burdensome. 1 It had to include
certain “[c]ore elements,” such as description of the information sought, the purposes for its
disclosure, and the authorization’s expiration date or event, as well as “statements adequate to
place the individual on notice” of her rights. 

(2008). The HITECH Act
stripped away these requirements for “electronic health record[s],” or “EHRs.” See 42 U.S.C.
§ 17935(e); see also 

(defining an “electronic health record” as “an electronic record
of health-related information on an individual that is created, gathered, managed, and consulted by
authorized health care clinicians and staff”). 2 The Act provides:
[I]n the case that a covered entity uses or maintains an electronic
health record with respect to protected health information of an
1
In a 2016 guidance document, HHS observed that “because a HIPAA authorization requests more information than
is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA
authorization may create impermissible obstacles to the exercise of this right.” See Compl., Ex. A., ECF No. 1-1, at
17.
2
EHR systems are distinct from a record that merely exists in electronic form. Joint App’x, ECF No. 27 [hereinafter
J.A.], at 67. Electronic record systems include many “legacy systems” that existed prior to EHRs and are “incapable
of producing reports in easily readable formats that can be transmitted electronically.” 

. . . the individual shall have a right to obtain from such
covered entity a copy of such information in an electronic format
and, if the individual chooses, to direct the covered entity to transmit
such copy directly to an entity or person designated by the
individual, provided that any such choice is clear, conspicuous, and
specific.

So, with respect to PHI contained in an EHR, the HITECH Act expressly entitles
patients to obtain such information for themselves or to direct the information to a third party,
without the need for a “valid authorization” under the Privacy Rule.
The second relevant change made by the HITECH Act is a statutory cap on the fee that a
covered entity may charge a patient for delivering EHRs. The Act states that “notwithstanding
[45 C.F.R. § 164.524(c)(4)]”—a cross-reference to the Patient Rate—“any fee that the covered
entity may impose for providing such individual with a copy of such information . . . if such copy
. . . is in electronic form shall not be greater than the entity’s labor costs in responding to the request
for the copy.” 

As the plain text makes clear, the HITECH Act’s fee cap applies
at least to personal use requests produced as EHRs. Whether the statutory fee cap extends beyond
such demands is the subject of dispute.
3.      The Omnibus Rule (2013)
In 2013, HHS amended the Privacy Rule as part of broad set of new regulations, which the
court refers to as the “2013 Omnibus Rule.” See Modifications to the HIPAA Privacy, Security,
Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic
Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566
(Jan. 25, 2013).
The 2013 Omnibus Rule made two modifications relevant to this case.                     First, the
2013 Omnibus Rule broadened the third-party directive created by the HITECH Act to reach
requests for PHI contained in any format, and not just in an EHR. The Privacy Rule states: “If an
7
individual’s request for access directs the covered entity to transmit the copy of [PHI] directly to
another person designated by the individual, the covered entity must provide the copy to the person
designated by the individual.” 45 C.F.R. § 164.524(c)(3)(ii). The copy must be provided to the
individual “in the form and format requested by the individual, if it is readily producible in such
form and format.” 

Additionally, if the requested PHI is maintained in any
electronic format, the covered entity must provide the information in “the electronic form and
format requested by the individual, if it is readily producible in such form and format.” 

When it expanded the third-party directive to PHI contained in any format, HHS
acknowledged it was going beyond the text of the HITECH Act. The agency conceded that the
HITECH Act “applies by its terms only to protected health information in EHRs.” 78 Fed. Reg.
at 5,631. Yet, HHS insisted it had the authority to command the expansion. It explained that
“incorporating [the HITECH Act’s] new provisions in such a limited manner in the Privacy Rule
could result in a complex set of disparate requirements for access to [PHI] in EHR systems versus
other types of electronic records systems.” 

to address this concern, the agency
cited its general rulemaking power under section 264(c) of HIPAA. That provision, HHS said,
allowed it “to prescribe the rights individuals should have with respect to their [PHI] to strengthen
the right of access provided under section [17935(e)] of the HITECH Act more uniformly to all
[PHI] maintained in one or more designated record sets electronically, regardless of whether the
designated record set is an EHR.” 

Omnibus Rule also amended that portion of the Privacy Rule that specifies the
costs recoverable under the Patient Rate. HHS broke out, as part of the reasonable cost-based fee,
the cost of labor for copying PHI, whether in paper or electronic format. See 

45
8
C.F.R. § 164.524(c)(4)(i). Such cost “could include skilled technical staff time spent to create and
copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media, and
distributing the media.” 78 Fed. Reg. at 5,636. “[A]ctual labor costs associated with the retrieval
of electronic information,” however, would not be recoverable under the Patient Rate. 

“[f]ees associated with maintaining systems and recouping capital for data access, storage
and infrastructure” be “considered reasonable, cost-based fees.” 

Privacy Rule Guidance (2016)
Three years after adopting the 2013 Omnibus Rule, HHS issued a guidance document in
2016 titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R.
§ 164.524.” See Compl., Ex. A, ECF 1-1 [hereinafter 2016 Guidance]. The 2016 Guidance made
two notable pronouncements that gave rise to this lawsuit.
Most significantly, HHS declared that the Patient Rate applies “when an individual directs
a covered entity to send the PHI to a third party.” 

“This limitation,” HHS said, referring
to the Patient Rate, “applies regardless of whether the individual has requested that the copy of
PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party
designated by the individual (and it doesn’t matter who the third party is).” Id.; see also 

the Patient Rate applies “regardless of whether the access request was submitted to the covered
entity by the individual directly or forwarded to the covered entity by a third party on behalf and
at the direction of the individual”). The 2016 Guidance noted that the Patient Rate does not apply
when “the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA
authorization.” 

But the agency again emphasized that “where the third party is
forwarding—on behalf and at the direction of the individual—the individual’s access request for
9
a covered entity to direct a copy of the individual’s PHI to the third party, the fee limitations
apply.” 

industry viewed this announcement as a seismic shift in the agency’s
articulation of the law. Before the 2016 Guidance, the industry understood that the Patient Rate
applied only to personal use requests for PHI and not to third-party directives under the HITECH
Act, and it structured its contracts and pricing models accordingly. See Decl. of Tarun Kabaria,
ECF No. 12-2 [hereinafter Kabaria Decl.], ¶¶ 11–14; Decl. of Jeff Gartland, ECF No. 44-1
[hereinafter Gartland Decl.], ¶¶ 5–6, 17–19.           The 2016 Guidance, however, upended that
understanding, as it declared that the Patient Rate applied to all requests for PHI initiated by an
individual, even if such information was requested for use by a third party, like an insurance
company or a law firm. Only requests for PHI made directly by the third party with a HIPAA
authorization (or pursuant to another permissible disclosure provision in the Privacy Rule) would
not be subject to the Patient Rate cap. 2016 Guidance at 17.
The 2016 Guidance also provided direction with respect to determining the Patient Rate.
First, it stated that the Patient Rate reaches only those labor costs incurred after the responsive PHI
“has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.”

On the other hand, labor for “[s]earching for, retrieving, and otherwise preparing the
responsive information for copying” is not recoverable. 

Second, the 2016 Guidance set
forth three alternatives for calculating, subject to the Patient Rate’s strictures, the “reasonable,
cost-based fee” that may be charged for fulfilling a patient-initiated PHI request.             These
alternatives apply to “a covered entity (or business associate operating on its behalf).” 

A holder of PHI may determine such fee: “(1) by calculating actual allowable costs to fulfill each
request; or (2) by using a schedule of costs based on average allowable labor costs to fulfill
10
standard requests.” 

the case of requests for an electronic copy of PHI
maintained electronically, covered entities may: (3) charge a flat fee not to exceed $6.50 (inclusive
of all labor, supplies, and postage).” 

Guidance notes that “[c]harging a flat fee not
to exceed $6.50 per request is therefore an option available to entities that do not want to go
through the process of calculating actual or average allowable costs for requests for electronic
copies of PHI maintained electronically.” 

that “[w]e will continue to
monitor whether the fees that are being charged to individuals are creating barriers to this access
[and] will take enforcement action where necessary.” 

Less than a year later, HHS demonstrated its resolve to enforce the Patient Rate. In March
2017, HHS notified CHI Health St. Francis, a covered entity contracting with Ciox, that it had
received a complaint from a patient, alleging that Ciox had charged an excessive fee for forwarding
her electronic medical records to a law firm. See Compl., Ex. B, ECF No. 1-2 [hereinafter St.
Francis Letter], at 1. HHS warned St. Francis that, as a result of Ciox’s actions, St. Francis may
have violated the Privacy Rule, but the agency took no further action. See 

year, Ciox itself received a letter from HHS. On November 16, 2018, HHS
advised Ciox that it had received a complaint, asserting that “when an individual makes a request
through Ciox for his/her medical records to be directed to a third party, such as a law firm, Ciox
routinely charges fees that are not compliant with” the Privacy Rule. See Pl.’s Notice and Request
for Oral Argument, Ex. B, ECF No. 29-2 [hereinafter Ciox Letter], at 1 (citing 45 C.F.R.
§ 164.524(c)(4)). HHS demanded Ciox produce records to aid in HHS’s investigation. See 

Two weeks later, HHS announced that the investigation of Ciox was in error because the agency
does not have jurisdiction to enforce the Privacy Rule against business associates like Ciox.
See Defs.’ Response to Pl.’s Notice and Request for Oral Argument, ECF No. 30, at 1.
11
B.       Procedural Background
1.      Ciox’s Complaint
This action has had a long history. Ciox filed suit against Defendants HHS and the
Secretary of HHS on January 8, 2018, asserting three causes of action under the APA, 5 U.S.C.
§ 706(2). See Compl. ¶¶ 59–77.
First, Ciox claims that HHS’s decision under the 2013 Omnibus Rule to expand the
HITECH Act’s third-party directive to PHI contained in formats other than an EHR, and to require
production of PHI in any format demanded by the requester, conflicts with the plain text of the
HITECH Act. See 

Ciox also alleges that these actions were ultra vires, as the agency
lacked statutory authority to adopt the charges made by the 2013 Omnibus Rule. See 

65. Next, Ciox avers that the changes announced in the 2016 Guidance were “legislative rules”
within the meaning of the APA that HHS failed to promulgate through public notice and comment.
See 

In particular, Ciox contests HHS’s expansion of the Patient Rate to all third-
party directives, as well as the three enumerated methods by which to calculate disclosure fees, as
violative of the APA’s procedural requirements. See 

It also contends that the 2016
Guidance is procedurally deficient in its announced exclusion from the Patient Rate the cost of
skilled technical staff who search for and retrieve electronically stored PHI. See 

3 Third,
Ciox challenges aspects of the 2016 Guidance as arbitrary and capricious. It contests HHS’s
declaration that the Patient Rate applies to third-party directives, 

as well as its
3
The Complaint also alleges that the exclusion of skilled technical staff time is an arbitrary and capricious agency
action, because it “directly conflicts with the 2013 Omnibus Rule’s explicit inclusion of such costs in the Patient
Rate.” Compl. ¶ 76. Ciox, however, fails to advance this claim in its motion for summary judgment. See Mem. of
P. & A. in Opp’n to Defs.’ Mot. to Dismiss and in Supp. of Ciox’s Cross-Mot. for Summ. J., ECF No. 12-1, at 40–45.
The claim is therefore forfeited.
12
“tripartite methodology for calculating allowable costs under the Patient Rate,” 

Ciox
seeks declaratory and injunctive relief as to all three claims. See 

2.      Proceedings
On April 2, 2018, Defendants moved to dismiss the action for lack of jurisdiction and
failure to state a claim. See generally Defs.’ Mot. to Dismiss, ECF No. 9, Mem. in Support of
Mot. to Dismiss, ECF No. 9-1 [hereinafter Defs.’ Mot. to Dismiss Mem.]. Defendants assert that
Ciox lacks constitutional standing because the 2013 Omnibus Rule and the 2016 Guidance apply
only to covered entities, and not to business associates like Ciox, and therefore Ciox is not
encumbered by the limitations, including the Patient Rate, set forth in those agency
pronouncements. See 

Defendants additionally disavow any enforcement authority with
respect to business associates, see 

and they assert that, to the extent that the challenged
actions have affected Ciox’s revenues, that injury is the result of its own business judgments, not
agency action, see 

Defendants also argue that each of Ciox’s claims is unripe. See 

Relatedly, Defendants contend that Ciox fails to state a claim upon which relief may be
granted because Ciox lacks statutory standing under the HITECH Act and because the 2016
Guidance is not a final agency action, and thus, unreviewable under the APA. See 

On May 2, 2018, Ciox opposed Defendants’ Motion to Dismiss and moved for summary
judgment. See Mot. for Summ. J. of Pl. Ciox Health, ECF No. 12; Mem. of P. & A. in Opp’n to
Defs.’ Mot. to Dismiss and in Supp. of Ciox’s Cross-Mot. for Summ. J., ECF No. 12-1 [hereinafter
Pl.’s Opp’n Mem.]. Defendants filed a reply in support of their Motion to Dismiss on May 14,
2018, see Defs.’ Reply Mem. in Supp. of Mot. to Dismiss, ECF No. 16 [hereinafter Defs.’ Mot. to
Dismiss Reply], and, after the court denied Defendants’ request to stay further summary judgment
briefing, see Order, ECF No. 18, Defendants filed their own motion for summary judgment on
13
September 14, 2018, see Defs.’ Cross-Mot. for Summ. J., ECF No. 22, Mem. in Supp. of Defs.’
Opp’n to Pl.’s Mot. for Summ. J. and Cross-Mot. for Summ. J., ECF No. 22-1. Briefing on the
cross-motions for summary judgment concluded on October 5, 2018. See Defs.’ Reply in Supp.
of Defs.’ Cross-Mot. for Summ. J., ECF No. 26.
After a brief delay due to the shutdown of government operations, see Minute Order, Jan.
2, 2019, the court held an initial hearing on the parties’ motions on April 10, 2019. See Hr’g Tr.,
Apr. 15, 2019, ECF No. 34. At that hearing, Defendants offered conflicting interpretations of the
Patient Rate’s applicability to third-party directives, at first suggesting that the Patient Rate does
not apply to third-party directives if the third party paid the associated fees, 

but later
reversing course and saying that the Patient Rate applies to all third-party directives, regardless of
who pays for the fees, so long as the request for PHI originates with the patient, 

Frustrated by the about-face, the court ordered the parties to confer and report back on whether
they had reached a mutual understanding as to how the Patient Rate applies to third-party
directives. See 

On April 24, 2019, Defendants submitted a supplemental filing that sought to clarify the
agency’s position. See Defs.’ Suppl. Filing in Supp. of their Mot. to Dismiss and Cross Mot. for
Summ. J., ECF No. 35-1 [hereinafter Defs.’ Suppl. Filing]. As part of that filing, Defendants
included a table “to illustrate how the fee limitation operates.” 

The table summarized
the agency’s position that “whether the fee limitation applies depends entirely on whether the
individual has initiated the request for the production of his or her PHI. It is irrelevant whether
the individual or a third party directly pays the bill for the request.” 

Ciox responded that
HHS’s clarified position only confirmed its standing to challenge the agency’s actions and the
14
ripeness of its claims. See Pl.’s Mem. in Reply to Defs.’ Suppl. Filing, ECF No. 38 [hereinafter
Pl.’s Reply to Defs.’ Suppl. Filing.].
The court held a second hearing on the parties’ motions on May 8, 2019. Hr’g Tr., May 8,
2019, ECF No. 41. Following that hearing, on May 24, 2019, HHS notified the court that it had
published a “Fact Sheet” on its website that “explains when business associates are directly liable
to HHS for violating provisions of” HIPAA. Defs.’ Notice of Filing of Fact Sheet, ECF No. 39,
at 1. As pertinent here, the Fact Sheet states that HHS “lacks the authority to enforce the
‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 164.524(c)(4) against business associates
because the HITECH Act does not apply the fee limitation provision to business associates.”
See 

ECF No. 39-1 [hereinafter Fact Sheet], at 2. Not surprisingly, Ciox responded that
the Fact Sheet did not alter its standing to contest the agency’s actions in federal court.
See Pl.’s Reply to Defs.’ Notice of Filing of Fact Sheet, ECF No. 40.
The unanticipated Fact Sheet prompted the court to invite further briefing. The court
observed that, based on the Fact Sheet’s clear disavowal of enforcement authority over business
associates’ fee practices, “it would appear that [Ciox] cannot establish standing directly based on
the threat of an enforcement action against it, as it has argued,” and Ciox “is thus left to assert that
its injuries arise from the actions of covered entities who are subject to regulation,” thereby making
the establishment of standing “substantially more difficult.” Order, ECF No. 42, at 1 (quoting
Lujan v. Defs. of Wildlife, 

, 562 (1992)). “[N]ot confident that [Ciox] has had a full
and fair opportunity to make its record,” the court allowed Ciox to supplement the factual record
to supports its theory of standing. 

Ciox submitted additional evidence to support standing and an accompanying legal
memorandum on June 28, 2019. See Pl.’s Mem. in Resp. to June 4, 2019 Order, ECF No. 43
15
[hereinafter Pl.’s Suppl. Standing Br.]. Defendants submitted a memorandum in response on July
12, 2019, see Defs.’ Resp. to Pl.’s Suppl. Br., ECF No. 46 [hereinafter Defs.’ Resp. to Pl.’s Suppl.
Standing Br.], and Ciox offered a reply on July 17, 2019, see Pl.’s Reply in Supp. of its Suppl. Br.,
ECF No. 47. That final brief brought the record to a close.
III.   DISCUSSION
A.      Jurisdiction
The court begins with the question of whether it has jurisdiction to decide this matter.
Defendants assert that Ciox lacks standing under Article III of the Constitution. See Defs.’ Mot.
to Dismiss Mem. at 11–17. They also contend that Ciox’s claims are not ripe. 

The
court addresses standing before turning to ripeness.
1.      Article III Standing
As the party seeking to invoke the court’s jurisdiction, the burden lies with Ciox to
establishing standing. See Arpaio v. Obama, 

, 19 (D.C. Cir. 2015). Ciox must
demonstrate standing “with the manner and degree of evidence required at the successive stages
of the litigation.” 

. In this case, the parties have filed cross-motions for
summary judgment, and the court afforded Ciox an opportunity to supplement the factual record
as to its standing. Accordingly, the court will evaluate standing under the summary judgment
standard. Under that standard, the “plaintiff can no longer rest on . . . ‘mere allegations’” to
establish standing. 

R. Civ. P. 56(e)). Rather, it “must ‘set forth’ by affidavit or
other evidence ‘specific facts,’ . . . which for purposes of the summary judgment motion will be
taken to be true.” 

R. Civ. P. 56(e)).
Standing consists of three elements. First, a plaintiff must have suffered an injury in fact,
or “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual
16
or imminent, not conjectural or hypothetical.” 

(cleaned up). Second, there must be
causation, that is, the injury is “fairly traceable to the challenged action of the defendant, and not
the result of the independent action of some third party not before the court.” 

Third, “it must be likely as opposed to merely speculative that the injury will be redressed by a
favorable decision.” 

(cleaned up).
Ciox submits affidavits from two of its business executives—Tarun Kabaria, Vice
President of Operations, and Jeff Gartland, President of Life Sciences—to demonstrate financial
losses caused by the agency’s challenged actions. According to Kabaria, per HHS regulations, a
business associate can provide health records services to a covered entity only pursuant to a formal
contract. See Kabaria Decl. ¶ 7; see also 45 C.F.R. § 164.502(e)(2) (providing that a covered
entity’s relationship with a business associate “must be documented through a written contract or
other written agreement or arrangement”); 

(setting forth requirements of business
associate contracts). Ciox’s contracts require the company to produce PHI for covered entities in
accordance with the restrictions set forth in HIPAA, the HITECH Act, and the Privacy Rule—
including the Patient Rate. Kabaria Decl. ¶ 8. Kabaria explains that, before 2009, commercial
third parties requesting PHI did so through “patient authorization[s]” that allowed release of PHI
to the third party. 

Ciox understood, as did the industry, that the Patient Rate did not apply
to such third-party requests and therefore charged state-authorized or independently-contracted
rates to fulfill such “authorized” requests. 

often exceeded the Patient Rate by
several hundred dollars per request. 

16. The advent of the HITECH Act’s third-party
directive in 2009 did not change the industry’s or Ciox’s practice, according to Kabaria. 

The industry still understood that the Patient Rate did not apply to requests for PHI delivered to
third parties. 

ground began to shift slightly with the 2013 Omnibus Rule, says Kabaria. By
expanding the HITECH Act’s third-party directive to records in formats other than EHRs, Ciox
saw a modest increase in third-party directives. 

Ciox still continued to receive most
third-party requests through third-party authorizations, and thus persisted in charging above the
Patient Rate for such requests. 

Guidance caused a major shift in the industry,
however. The 2016 Guidance’s requirement that the Patient Rate apply to third-party directives
accelerated the number of third-party directives relative to authorizations. 

Also, the 2016
Guidance’s three options for calculating the Patient Rate caused some of Ciox’s covered-entity
clients to require Ciox to use the flat-fee option of $6.50 for fulfilling third-party directives. 

These changes, according to Kabaria, are “costing Ciox well over $10 million per year” and
those losses are likely to “continue growing.” 

Gartland amplifies the points made in Kabaria’s declaration, using actual contracts as
examples. Gartland explains that nearly all of Ciox’s contracts provide that Ciox’s compensation
is limited to the fees chargeable for transmitting PHI. Gartland Decl. ¶ 5. These compensation
provisions require that Ciox charge only “in accordance with Section 164.524(c)(4) of the Privacy
Regulations.” 

Ciox’s contracts, according to Gartland, reflect a compensation model that
is “typical” in the industry. 

Additionally, Gartland explains, Ciox’s agreements contain
provisions that expose it to stiff sanctions if Ciox were to run afoul of federal laws. Covered
entities can terminate a contract if Ciox is noncompliant, and Ciox is required to indemnify covered
entities for liability arising from violations by Ciox. 

Gartland also confirms that, as
a result of the 2016 Guidance’s expansion of the Patient Rate to all third-party directives and its
option of a $6.50 flat fee, “Ciox as a matter of course now only charges $6.50 for most Third Party
Directive requests.” 

The resulting lost revenue in 2017 and 2018 has totaled $35 million
18
and “will continue growing year-over-year,” as third-party directives increase as a percentage of
overall requests. 

Gartland, since 2016, Ciox has spent thousands of employee
hours attempting to renegotiate contracts to mitigate its losses, but still continues to suffer reduced
revenues. 

a.      Injury in fact
Ciox posits as its injury in fact the quintessential harm of lost revenue. See Pl.’s Opp’n
Mem. at 17; Pl.’s Suppl. Standing Br. at 6–7; Czyzewski v. Jevic Holding Corp., 

,
983 (2017) (“For standing purposes, a loss of even a small amount of money is ordinarily an
‘injury.’”). Although Defendants question the sufficiency of the Complaint’s allegations of harm,
see Defs.’ Mot. to Dismiss Mem. at 13–14, they do not challenge the adverse fiscal impact that
Ciox claims to have suffered, as outlined in the declarations. See generally Defs.’ Resp. to Pl.’s
Suppl. Standing Br. The element of injury in fact is therefore largely uncontested.
b.      Causation
The element of causation presents a threshold dispute: Does Ciox’s claimed financial
injury arise from direct regulation by HHS, or is the injury the result of the agency’s regulation of
others, namely, covered entities? See 

(stating that “when the plaintiff is
not himself the object of the government action or inaction he challenges, standing is not
precluded, but it is ordinarily substantially more difficult to establish” (internal quotation marks
and citations omitted)).
According to HHS, “the relevant portion of the [Privacy Rule], which is also the basis for
the 2016 guidance, imposes no requirements or restrictions on business associates like Ciox.”
Defs.’ Mot. to Dismiss Mem. at 11; see also Defs.’ Suppl. Filing at 3 (“HHS has no authority to
hold Ciox liable for failing to observe the fee limitation.”). Instead, HHS argues, the challenged
19
actions are enforceable only against covered entities, a position memorialized in the agency’s
published “Fact Sheet.” See Fact Sheet at 2 (stating that HHS “lacks the authority to enforce the
‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 165.524(c)(4) against business associates”).
Accordingly, HHS maintains, the element of causation in this case must be analyzed under the
more rigorous standard for alleged injuries caused indirectly by government action. See 

.
Ciox reads the controlling law differently. It asserts that business associates are directly
subject to the Privacy Rule; the Rule’s limitations, including the Patient Rate, govern the conduct
of business associates; and the failure to comply with the Rule subjects business associates to
potential enforcement and punitive consequences. Pl.’s Opp’n Mem. at 18–21. Ciox thus insists
HHS possesses the direct authority over business associates that the agency disclaims.
Although interesting, the parties’ debate is not one the court need resolve. That is because,
even if HHS cannot directly regulate business associates, Ciox’s financial injury is still traceable
to agency action through the effect those actions have had on Ciox’s contracting partners, the
covered entities.
When . . . a plaintiff’s asserted injury arises from the government’s
allegedly unlawful regulation . . . of someone else, much more is
needed [to prove standing]. In that circumstance, causation and
redressability ordinarily hinge on the response of the regulated (or
regulable) third party to the government action or inaction—and
perhaps on the response of others as well.

(internal quotation marks and citations omitted). “[I]t becomes the burden
of the plaintiff to adduce facts showing that [the regulated third-party’s] choices have been or will
be made in such a manner as to produce causation and permit redressability of injury.” 

must show that “the agency action is at least a substantial factor motivating the third
parties’ actions.” Tozzi v. HHS, 

, 308 (D.C. Cir. 2001) (quoting Cmty. for Creative
20
Non-Violence v. Pierce, 

, 669 (D.C. Cir. 1987)). “Unadorned speculation” connecting
the challenged government action and third-party conduct will not suffice. Nat’l Wrestling
Coaches Ass’n v. Dept. of Educ., 

, 938 (D.C. Cir. 2004) (quoting Simon v. E. Ky.
Welfare Rights Org., 

, 44 (1976)). Here, the regulatory scheme governing the medical
records management industry, when combined with the evidence presented by Ciox, leaves “little
doubt as to causation and the likelihood of redress.” 

HHS’s regulations all but ensure that business associates will limit the fees they charge in
a manner consistent with HHS’s interpretation of the Patient Rate. The regulations expressly make
covered entities liable for their business associates’ violations. See 45 C.F.R. § 160.402(c)(1)
(“A covered entity is liable . . . for a civil money penalty for a violation based on the act or
omission of any agent of the covered entity, including a . . . business associate, acting with the
scope of the agency.”). So, for example, if Ciox were to charge more than the Patient Rate to carry
out a third-party directive, HHS could hold the covered entity responsible. See Defs.’ Suppl. Filing
at 3. HHS’s letter dated March 22, 2017, to CHI St. Francis illustrates this reality. See St. Francis
Letter at 3. In that case, HHS received a complaint that Ciox had charged $224.65 for 353 pages
of electronic medical records that the patient had requested be sent to her law firm. 

HHS
warned CHI St. Francis that “[t]his allegation could reflect a violation of [the Patient Rate].” 

CHI St. Francis—seemingly at odds with its position taken here—that “all of the
access requirements that apply with respect to PHI held by the covered entity (e.g., the individual
may be charged only a reasonable, cost-based fee [Patient Rate] that complies with [the Privacy
Rule]) apply with respect to PHI held by the business associate.” 

Although HHS took no
formal action against CHI St. Francis for Ciox’s actions, it warned that should it “receive a similar
allegation of noncompliance . . . in the future, [HHS] may initiate a formal investigation of that
21
matter.” 

The prospect that a covered entity could be held liable for the transgressions of
its business associates provides a powerful incentive for covered entities to ensure that business
associates comply with the Privacy Rule, including the Patient Rate. Indeed, the regulations
expressly provide that a covered entity’s failure to address a business associate’s non-compliance
is itself a violation of the regulations. See 45 C.F.R. § 164.504(e)(1). 4
Not surprisingly, covered entities have structured their contracts to require their business
associates to follow the regulations and to protect themselves against liability. Ciox’s contracts,
for instance, require the company to charge fees “in accordance with Section 164.524(c)(4) of the
Privacy Regulations.” Gartland Decl. ¶ 6 (quoting various contracts); see also Sealed Mot. for
Leave to File Docs. Under Seal, Ex. A, Ex. 44-2, at 29 ¶ 4.1 (under seal); 

ECF No. 44-
3, at 17 ¶ 5.1 (under seal); 

ECF No. 44-4, at 15 ¶ 4.1 (under seal); 

ECF No.
44-5, at 17 (under seal). Additionally, “all of Ciox’s contracts, no matter what model, include
provisions requiring Ciox to indemnify the covered entity for any violation of HIPAA, HITECH,
or the Privacy Rule that is attributable to the covered entity for Ciox’s actions . . . , including
violations of the Patient Rate if that Rate applies to a given request.” Gartland Decl. ¶ 16. Such
indemnification provisions are sure to discourage Ciox from charging more than the Patient Rate.
And, of course, Ciox risks termination of a contract should it charge more than the Patient Rate.
4
That regulation provides:
A covered entity is not in compliance with the standards of § 164.502(e) and this paragraph, if the
covered entity knew of a pattern of activity or practice of the business associate that constituted a
material breach or violation of the business associate’s obligation under the contract or other
arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation,
as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if
feasible.

22
If these regulatory and contractual provisions were not enough to establish causation,
Ciox also provides testimonial evidence of industry impacts following HHS’s issuance of the 2016
Guidance. According to Gartland, following the 2016 Guidance, “the volume of Third Party
Directive requests has increased by nearly 700 percent, as law firms and other for-profit entities
realized they could use Third Party Directives to avoid the typically higher state-authorized fees
that Ciox previously could charge for fulfilling HIPAA authorizations.” Gartland Decl. ¶ 17.
Moreover, after 2016, covered entities began to insist that “Ciox charge no more than $6.50 for
fulfilling a Third Party Directive because they fear both federal enforcement action and potential
liability if Ciox charges more than that when fulfilling Third Party Directives. As a result, Ciox
as a matter of course now only charges $6.50 for most Third Party Directive requests . . . .” 

These sworn statements, which the agency does not contest, demonstrate the real-world
impacts of the challenged actions and how they have caused Ciox’s financial injuries.
Defendants advance two primary arguments in response. First, HHS maintains that Ciox’s
losses are “self-inflicted.” Defs.’ Mot. to Dismiss Reply at 8. Ciox chose to enter into contracts
that “structure its compensation . . . in the form of fees charged to requesters of PHI,” Defs.’ Resp.
to Pl.’s Suppl. Standing Br. at 4, and that include indemnification clauses, Defs.’ Mot. to Dismiss
Reply at 8. Instead, HHS insists, Ciox could have entered into agreements that secured payment
from the covered entities instead of patients, which would have insulated them from the losses
they now claim. See 

see also Defs.’ Resp. to Pl.’s Suppl. Standing Br. at 4 (arguing that
“nothing prevents Ciox from negotiating its compensation structure with covered entities
differently”).   HHS analogizes this case to the D.C. Circuit’s decision in Brotherhood of
Locomotive Engineers. See Defs.’ Mot. to Dismiss Reply at 8 (citing Bhd. of Locomotive Eng’rs.
& Trainmen, a Div. of Rail Conf.-Int’l Bhd. of Teamsters v. Surface Transp. Bd. 

23
(D.C. Cir. 2006)). There, the court held that a union could not demonstrate causation where the
Surface Transportation Board’s classification of a type of transaction foreclosed the union from
invoking its bargaining rights; the union previously had agreed under its collective bargaining
agreement not to bargain over the effects of such a transaction. Brotherhood of Locomotive

. In that scenario, the injury “was not in any meaningful way ‘caused’
by the Board; rather, it was entirely self-inflicted.” 

union in Brotherhood of
Locomotive Engineers, HHS contends, Ciox “is injured by the specific terms of the contracts it
entered into with the covered entities” and thus its injury is similarly self-inflicted. Defs.’ Mot. to
Dismiss Reply at 8.
HHS’s self-infliction argument is flawed both legally and factually. Legally it is flawed
because it raises the bar for standing too high. To the extent that injury is self-inflicted, it must be
“so completely due to the complainant’s own fault as to break the causal chain.” Petro-Chem
Processing, Inc. v. EPA, 

, 438 (D.C. Cir. 1989) (cleaned up) (internal quotation marks
and citation omitted). Standing doctrine thus does not require a plaintiff to show that it made no
choice that put it at risk of injury. See Ellis v. Comm’r of Internal Revenue Serv., 

, 337 (D.D.C. 2014) (stating that “it has been observed that all injuries are in some sense self-
inflicted”), aff’d 622 F. App’x 2 (D.C. Cir. 2015). Therefore, the mere fact that Ciox negotiated
agreements in a highly regulated environment that linked its compensation to the Patient Rate does
not make its injury self-inflicted. See Cent. Ariz. Water Conservation Dist. v. EPA, 

,
1538 (9th Cir. 1993) (“While [the] contractual obligations may provide the basis for its economic
liability for the increased costs imposed by the Final Rule, that hardly means that the Final Rule
itself is not the direct cause of that liability.”). Thus, this case is not like Brotherhood of
24
Locomotive Engineers, in which the union was found to have a self-inflicted injury because, of its
own accord, it made the choice to forego bargaining with respect to the type of transaction at issue.
Factually, HHS’s insistence that Ciox’s injury is self-inflicted wholly ignores industry
realities. For example, HHS’s argument that Ciox voluntarily acceded to contracts containing
indemnification provisions, see Defs.’ Mot. to Dismiss Reply at 8, fails to appreciate that its own
regulations make covered entities liable for the acts of their business associates. It should come
as no surprise then that Ciox’s contracts contain indemnity provisions that require the company to
make covered entities whole for any liability resulting from Ciox’s transgressions. Moreover,
HHS overlooks the fact that, for years, it took the position that the Patient Rate applied only to
personal use requests for PHI, and not to requests directing PHI to third parties. See 65 Fed. Reg.
at 82,754 (stating in 2000 that the Privacy Rule “establish[es] the right to access and copy records
only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual’s
request”). That the industry, quite sensibly, structured its compensation scheme to fit HHS’s
pronouncements, see Kabaria Decl. ¶ 11, does not mean that Ciox’s injury is now self-inflicted.
Second, HHS argues that Ciox fails to provide substantial evidence of a causal relationship
between the agency’s actions and the response of third parties, which resulted in Ciox’s losses.
See Defs.’ Resp. to Pl.’s Suppl. Standing Br. at 9–10. But the uncontested Gartland Declaration
establishes otherwise. As noted, Gartland explains how, following the 2016 Guidance, Ciox began
to incur greater losses as requesters shifted to third-party directives subject to the Patient Rate.
Gartland Decl. ¶ 17. Additionally, since the 2016 Guidance, covered entities have demanded that
Ciox charge no more than $6.50 for third-party directives, such that Ciox now charges that fixed
amount “as a matter of course” for most third-party directives. 

HHS faults Ciox for not
re-negotiating its contracts after 2016 to allow it to collect additional fees from covered entities.
25
But even suggesting that Ciox had to incur new contracting costs to avoid injury only underscores
the causal effect of the agency’s actions. See 

(explaining that Ciox has “expended
thousands of hours of employee time renegotiating—to only partial success—many contracts that,
but for the 2016 mandates, would not have been at issue”). Ciox has satisfied the element of
causation.
c.      Redressability
Having found that Ciox satisfies the element of causation, the issue of redressability is
straightforward. “Causation and redressability typically ‘overlap as two sides of a causation coin.’
After all, if a government action causes an injury, enjoining the action usually will redress that
injury.” Carpenters Indus. Council v. Zinke, 

, 6 n.1 (D.C. Cir. 2017) (quoting
Dynalantic Corp. v. Dep’t of Defense, 

, 1017 (D.C. Cir. 1997)). Here, if the court
were to enjoin the challenged portions of the 2013 Omnibus Rule and the 2016 Guidance,
see Compl. at 42, as Gartland explains:
[Ciox] could maintain the overwhelming majority of its existing
contracts in their current form and, for those contracts that already
have been renegotiated, revert to the time-tested model that covered
entities and business associates uniformly prefer . . . , which allow[s]
Ciox to charge the state-authorized rates it previously was allowed
to charge for delivering PHI to third parties, including for Third
Party Directives.
Gartland ¶ 21. In short, because Ciox could start recouping the loses it presently incurs by charging
the Patient Rate for third-party directives, it has demonstrated that the court can redress its injuries.
HHS resists this uncomplicated logic. It contends that “the 2016 [G]uidance works no
change in the law; it simply clarified what the 2013 Regulation requires. And the 2013 Regulation,
in turn, implemented the HITECH Act. Therefore, vacating the 2016 Guidance would also have
no legal effect.” Defs.’ Resp. to Pl.’s Suppl. Standing Br. at 9–10. But this is a merits argument,
26
and for purposes of standing, the court must assume the merits of Ciox’s claims—the precise
opposite interpretation put forward by HHS. See Warth v. Seldin, 422 U.S 490, 502 (1975);
see also City of Waukeshau v. EPA, 

, 235 (D.C. Cir. 2003). HHS cannot defeat
standing by asserting it will prevail on the merits.
2.      Ripeness
Next, HHS asserts that the court lacks jurisdiction because Ciox’s claims are not ripe.
See Defs.’ Mot. to Dismiss Mem. at 17–20. The court disagrees.
“Ripeness is a justiciability doctrine designed ‘to prevent the courts, through avoidance of
premature adjudication, from entangling themselves in abstract disagreements over administrative
policies, and also to protect the agencies from judicial interference until an administrative decision
has been formalized and its effects felt in a concrete way by the challenging parties.’” Nat’l Park
Hosp. Ass’n v. Dep’t of Interior, 

, 807–08 (2003) (quoting Abbott Labs. v. Gardner,

, 148–149 (1967)). “Determining whether administrative action,” as here, “is ripe for
judicial review requires [courts] to evaluate (1) the fitness of the issues for judicial decision and
(2) the hardship to the parties of withholding court consideration.” 

Under the first
prong, courts consider whether the issue presented is “purely legal,” whether the court’s
consideration would benefit from a more concrete setting, and whether the agency’s action is
“sufficiently final.” Nat’l Ass’n of Home Builders v. U.S. Army Corps of Eng’rs, 

,
463–64 (D.C. Cir. 2006) (internal quotation marks omitted). As to the second prong, the question
is not whether the parties have suffered a “direct hardship,” but rather whether postponing judicial
review would impose an undue hardship or benefit the court. See 

marks
omitted). In the end, “the primary focus of the ripeness doctrine is to balance the [plaintiff’s]
interest in prompt consideration of allegedly unlawful agency action against the agency’s interest
27
in crystallizing its policy before that policy is subject to review and the court’s interest in avoiding
unnecessary adjudication and in deciding issues in a concrete setting.” AT&T Corp. v. FCC, 

, 699 (D.C. Cir. 2003) (internal quotation marks omitted).
Ciox readily satisfies both prongs of the ripeness doctrine. It is undisputed that the issues
presented by Ciox are “purely legal,” as they involve questions of statutory interpretation and the
agency’s adherence to rulemaking requirements. See Compl. at 33–41. Having presented such
pure legal questions, Ciox’s claims are “presumptively suitable for judicial review.” AT&T 

(internal quotation marks omitted). HHS nonetheless contends that the dispute
would benefit from a more concrete setting, see Defs.’ Mot. to Dismiss. Mem. at 18–19, but never
explains what “additional factual development” is necessary to resolve the claims, Action All. of
Senior Citizens of Greater Phila. v. Heckler, 

, 940 (D.C. Cir. 1986); cf. Nat’l Park
Hosp. 

(finding administrative challenge unripe where “the question
presented here should await a concrete dispute about a particular concession contract”). HHS also
suggests that the “complex[ity]” of the statutory and regulatory scheme warrants a more specific
factual setting, Defs.’ Mot. to Dismiss Mem. at 19, but courts routinely deal with complex
administrative statutes and regulations, and there is nothing uniquely difficult about interpreting
the HITECH Act or the Privacy Rule that would justify deferring a decision to develop more facts.
On the second prong, Ciox plainly has demonstrated hardship in the form of financial
losses. HHS’s only response is that Ciox’s losses are not causally connected to the agency’s
actions, see Defs.’ Mot. to Dismiss Reply at 13, but the court already has found otherwise.
Moreover, where, as here, “there are no significant agency or judicial interests militating in favor
of delay, lack of hardship cannot tip the balance against judicial review.” Nat’l Ass’n of Home

(cleaned up). HHS generically claims that it has “an interest in thinking
28
through its policy choices and completing its decisionmaking process,” Defs.’ Mot. to Dismiss
Reply at 13 (internal quotation marks and citation omitted), but it nowhere says what more thinking
or decisionmaking it is doing with respect to the 2013 Omnibus Rule or the 2016 Guidance. Ciox’s
claims are ripe.
B.      Failure to State a Claim
HHS advances two grounds to dismiss Ciox’s causes of action for failure to state a claim.
First, HHS says that, under the HITECH Act, Ciox lacks “statutory standing,” which “concern[s]
a party’s cause of action, not the court’s jurisdiction.” See Kaplan v. Cent. Bank of the Islamic
Republic of Iran, 

, 519–20 (D.C. Cir. 2018).          Second, HHS asserts that the
2016 Guidance is not a challengeable final agency action under the APA, thereby requiring
dismissal of Counts Two and Three. The court considers each argument in turn.
1.     Statutory Standing
HHS contends that Ciox lacks statutory standing because its “interests do not fall within
the zone of interests to be protected or regulated by” 42 U.S.C. § 17935(e)—the section of the
HITECH Act upon which Ciox bases its claims. See Defs.’ Mot. to Dismiss Mem. at 20–23. As
support, HHS asserts that § 17935(e) regulates only the fees that a covered entity may charge
patients but is silent as to how much and against whom a business associate may assess fees.
See 

The agency also points to two other statutory provisions, namely, §§ 17931(a) and
17934(a), that extend certain existing regulations to business associates, but exclude the “fee and
format” requirements of 45 C.F.R. § 164.524. 

In Lexmark International, Inc. v. Static Control Components, Inc., 

(2014),
the Supreme Court emphasized the “‘lenient approach’ that the courts must follow in determining
whether a party has stated a cause of action under the APA.” Indian River Cty. v. Dep’t of Transp.,
29

, 527 (D.C. Cir. 2019) (quoting Lexmark 

). A plaintiff must
show that “the interest sought to be protected by the complainant is arguably within the zone of
interests to be protected or regulated by the statute . . . in question.” Ass’n of Data Processing
Serv. Orgs., Inc. v. Camp, 

, 153 (1970). In making that assessment, courts must
consider the “context and purpose” of the relevant statutory provisions and regulations. See Indian
River 

(quoting Match–E–Be–Nash–She–Wish Band of Pottawatomi Indians
v. Patchak, 

, 226 (2012)). The “zone of interests” test is not “especially demanding”
in the APA context. 

(quoting Match–E–Be–Nash–She–Wish Band of
Pottawatomi 

–25). For that reason, the Supreme Court has “conspicuously
included the word ‘arguably’ in the test to indicate that the benefit of any doubt goes to the
plaintiff.” 

Band of Pottawatomi 

). “[T]here does not have to be an indication of congressional purpose to benefit the would-be
plaintiff,” and “a plaintiff certainly need not be expressly listed as a beneficiary of a statutory
provision in order to be within its protected zone-of-interests.” Indian River 

–
30 (quoting Nat’l Credit Union Admin. v. First Nat. Bank & Tr. Co., 

, 492 (1998)).
Ultimately, the test denies a right of review only “when a plaintiff’s ‘interests are so marginally
related to or inconsistent with the purposes implicit in the statute that it cannot reasonably be
assumed that Congress intended to permit the suit.’” Match-E-Be-Nash-She-Wish Band of
Pottawatomi 

(citation omitted).
Although HHS insists that only covered entities are covered by the HITECH Act’s fees
restriction, the agency’s reading is far from obvious. To be sure, the HITECH Act refers expressly
only to the “fee that the covered entity may impose” for delivering PHI in electronic form.
42 U.S.C. § 17935(e)(3). But other portions of the Act are designed to extend existing regulatory
30
limits to business associates. Specifically, section 17934(a) of the HITECH Act provides that
business associates are subject to “each applicable requirement” of 45 C.F.R. § 164.504(e).
42 U.S.C. § 17934(a). Section 164.504(e) in turn cross-references § 164.524, see 45 C.F.R.
§ 164.504(e)(ii)(E) (stating that business associates must “[m]ake available [PHI] in accordance
with § 164.524”), the section which contains the Patient Rate, see 

Thus, as
Ciox argues, by placing business associates within the reach of 45 C.F.R. § 164.524, the HITECH
Act would appear to extend the Patient Rate to business associates. See Pl.’s Opp’n Mem. at 8–9.
The court need not, for present purposes, decide whether HHS’s or Ciox’s reading of the
HITECH act is the correct one. The “lenient approach” to the zone-of-interests test in the APA
context merely requires the court to determine whether Ciox’s interests “are, at the least, ‘arguably
within the zone of interests’” regulated by the HITECH Act. Bank of Am. Corp. v. City of Miami,

, 1303 (2017) (quoting Ass’n of Data 

). As Ciox’s
reading of the HITECH Act is entirely reasonable, Ciox easily surpasses that low bar.
2.      Final Agency Action
Two independent conditions must be met for an agency action to be considered “final,”
and thus reviewable, for purposes of the APA. 5 U.S.C. § 704; Bennett v. Spear, 

,
175 (1997). The challenged action must be the “consummation of the agency’s decisionmaking
process” and it must be an action in which “rights or obligations have been determined” or “legal
consequences will flow.” 

(internal quotation marks omitted); see also
Soundboard Ass’n v. Fed. Trade Comm’n, 

, 1267 (D.C. Cir. 2018). In approaching
the question of finality, the D.C. Circuit has warned that “courts should resist the temptation to
define the action by comparing it to superficially similar actions in the caselaw.” Cal. Cmtys.
31
Against Toxics v. EPA, 

, 631 (D.C. Cir. 2019). “Rather, courts should take as their
NorthStar the unique constellation of statutes and regulations that govern the action at issue.” 

to the first Bennett prong, the 2016 Guidance marks the consummation of the agency’s
decisionmaking process. 6 The Guidance “comes to a definitive conclusion,” Scenic Am., Inc. v.
U.S. Dep’t of Transp., 

, 56 (D.C. Cir. 2016), as to the content and scope of the
allowable “reasonable, cost-based fee” permitted under the Privacy Rule, 45 C.F.R.
§ 164.524(c)(4), with regard to each of the three issues challenged by Ciox. The 2016 Guidance
confirms that (1) the Patient Rate applies to third-party directives and (2) the Patient Rate excludes
labor costs associated with searching for and retrieving responsive records, and it identifies three
ways in which to calculate the Patient Rate. The agency does not assert that its position as to any
of these issues remains in flux. Cf. Barrick Goldstrike Mines Inc. v. Browner, 

, 48
(D.C. Cir. 2000) (stating that, to be a final agency action, the action “must not be of a merely
tentative or interlocutory nature”). HHS still urges the court “not [to] treat HHS’s guidance as the
‘consummation’ of its decisionmaking,” but in support of that position it simply repeats the
common refrain that the agency “retains complete discretion to rescind or change this guidance.”
Defs.’ Mot. to Dismiss Mem. at 25–26. It is well-settled, however, that the mere possibility of a
future revision cannot, by itself, make an agency act non-final. See Gen. Elec. Co. v. EPA, 

, 380 (D.C. Cir. 2002); see also U.S. Army Corps of Eng’rs v. Hawkes Co., 

, 1814 (2016) (observing that the possibility of future revision “is a common characteristic of
5
At the outset, HHS urges the court to find that the 2016 Guidance is not a final agency action because it is an
“interpretative” rule, as distinct from a “legislative” rule, as those terms are understood under the APA. See Defs.’
Mot. to Dismiss Mem. at 24. But that argument improperly conflates the finality analysis with “the related but separate
analysis of whether an agency action is a legislative rule.” Cal. Cmtys. Against 

. The court
therefore undertakes a separate finality inquiry, as directed by the D.C. Circuit.
6
There is no dispute as to whether the 2013 Omnibus Rule is a final agency action. It clearly is. See Abbott 

–53 (holding that the publication of certain regulations by the FDA was final agency action).
32
agency action, and does not make an otherwise definitive decision nonfinal”). The first prong of
Bennett is therefore satisfied.
The second Bennett factor—whether “direct and appreciable legal consequences” flow
from the agency’s action, 

—demands greater consideration in this case.
The Supreme Court has described this second inquiry as a “pragmatic” one. Hawkes 

(internal quotation marks omitted). It is one “based on the concrete consequences
an agency action has or does not have as a result of the specific statutes and regulations that govern
it.” Cal. Cmtys. Against 

. “The court here primarily looks to ‘the actual
legal effect (or lack thereof) of the agency action in question on regulated entities.’” Cal. By &
Through Brown v. EPA, 

, 1352 (D.C. Cir. 2019) (quoting Nat’l Mining Ass’n v.
McCarthy, 

, 252 (D.C. Cir. 2014)).              The parties address separately the legal
consequences (or lack thereof) of each of the three aspects of the 2016 Guidance challenged by
Ciox. So, the court does the same, starting with the Guidance’s statement that the Patient Rate
applies to third-party directives.
a.        Patient Rate applies to third-party directives
The 2016 Guidance supplies the type of obligation, prohibition, or restriction on regulated
entities that makes it a final agency action insofar as it directs regulated entities to apply the Patient
Rate to fulfill third-party directives. See Valero Energy Corp. v. EPA, 

, 536 (D.C.
Cir. 2019). It provides that “[the Patient Rate] appl[ies] when an individual directs a covered entity
to send the PHI to the third party.” 2016 Guidance at 16. The Guidance speaks to the issue without
qualification. It states: “[The Patient Rate] applies regardless of whether the individual has
requested that the copy of PHI be sent to herself, or has directed that the covered entity send the
copy directly to a third party designated by the individual (and it doesn’t matter who the third party
33
is).” 

admonishes that the fee limit cannot be “circumvent[ed] . . . by treating individual
requests for access like other HIPAA disclosures—such as by having an individual fill out a
HIPAA authorization when the individual requests access to her PHI, including to direct a copy of
PHI to a third party.” 

The 2016 Guidance thus provides an unequivocal command that
the Patient Rate applies to third-party directive requests. Accordingly, it bears the hallmarks of a
final agency action. See Appalachian Power Co. v. EPA, 

, 1023 (D.C. Cir. 2000)
(“At any rate, the entire Guidance, from beginning to end—except the last paragraph—reads like
a ukase. It commands, it requires, it orders, it dictates.”).
Additionally, the 2016 Guidance’s expansion of the Patient Rate satisfies the second
Bennett prong, because it indisputably has “direct and appreciable legal consequences” for, at a
minimum, one class of regulated persons—the covered entities. See Hawkes 

–15 (considering under the second Bennett prong the legal consequences for the agency and
nonparties). HHS does not assert otherwise. See Defs.’ Mot. to Dismiss Mem. at 11 (arguing that
challenged “provision[s] of the Privacy Rule and the guidance apply only to covered entities”).
This aspect of the 2016 Guidance has legal and practical consequences for business
associates, as well. See Valero Energy 

(noting that, in addition an actual
legal effect, some D.C. Circuit cases “have indicated that the finality analysis can look to whether
the agency action has a practical effect on regulated parties, even if it has no formal legal force”). 7
HHS concedes that, pursuant to 45 C.F.R. § 164.402(c)(1), it can take enforcement action against
a covered entity if its business associate charges in excess of the Patient Rate. Defs.’ Suppl. Filing
7
Once more, the court need not reach the parties’ dispute as to whether the Patient Rate directly binds business
associates. The court notes, however, the 2016 Guidance itself would appear to stake out a position different than the
one advocated by the agency in this case. See 2016 Guidance at 27 (“[A]ll of the access requirements that apply with
respect to PHI held by the covered entity (e.g., limitations on fees that may be charged) apply with respect to PHI held
by the business associate.”); 

(stating that “a covered entity (or a business associate) may not circumvent the
access fee limitations”).
34
at 2 (“[I]f a ‘business associates’ charges . . . more than a ‘reasonable, cost-based fee’ for providing
a copy of an individual’s [PHI], it is the covered entity—with whom the business associate has
contracted to provide service—that is liable to HHS for violating the fee limitation.”); Defs.’ Mot.
to Dismiss Reply at 5 (“[W]hen a business associate fulfills a covered entity’s responsibilities
under § 164.524 as an agent, it is the covered entity who may be penalized to the extent that the
business associate’s actions do not comport with the law’s requirements on covered entities, not
the business associate.” (citing 45 C.F.R. § 164.402(c)(1))). The potential vicarious liability of
covered entities for the misdeeds of their business associates effectively compels business
associates to abide by the Patient Rate and its scope. Business associates who fail to charge the
Patient Rate for third-party directives risk incurring costs associated with indemnifying covered
entities or, even more seriously, termination of their contracts. Under the “pragmatic” approach
to finality, Hawkes 

, the 2016 Guidance’s extension of the Patient Rate to
third-party directives has both actual legal and practical consequences for business associates,
qualifying it as a final agency action.
HHS disputes that the 2016 Guidance’s discussion of the Patient Rate and third-party
directives has any independent legal or practical effect. Observing that the Guidance is “replete
with citations,” HHS claims that the discussion “does not issue a new directive or rescind an old
one; it merely explains what the regulation already directs.” Defs.’ Mot. to Dismiss Reply at 16;
see also 

“the guidance itself merely expounds on § 164.524’s requirements”). That
argument is flawed for two reasons. First, it fails to acknowledge the ambiguity in the text of
§ 164.524(c)(4). The regulation merely states that “[i]f the individual requests a copy of the [PHI]
. . . the covered entity may impose a reasonable, cost-based fee.” 45 C.F.R. § 164.524(c)(4). The
regulation is silent as to whether the reasonable, cost-based fee applies only when providing PHI
35
to the individual requestor or includes requests to send PHI to third parties. Second, and more
significantly, HHS’s position is fundamentally at odds with what it said in 2000 when it first
adopted the Patient Rate. HHS said then: “We do not intend to affect the fees that covered entities
charge for providing protected health information to anyone other than the individual,” 65 Fed.
Reg. at 82,557 (emphasis added), and “[t]he proposed and final rule establish the right to access
and copy records only for individuals, not other entities; the ‘reasonable fee’ is only applicable to
the individual’s request,” 

(emphasis added). HHS concluded: “The Department’s
expectation is that other existing practices regarding fees, if any, for the exchange of records not
requested by an individual will not be affected by this rule.” 

HHS adopted the
Patient Rate, it expressly limited it to PHI requested by, and for, the individual requester; the Rate
did not apply to PHI destined for third parties. That distinction makes sense, as the whole point
of placing a limit on fees was to ensure that individual patients would not be foreclosed or inhibited
from accessing their PHI by excessive fees. See 

(“We intend this provision to reduce
covered entities’ burden in complying with requests without reducing individuals’ access to
protected health information.”). That same rationale does not apply when the PHI is directed to
and paid for by a third party, like an insurance company or a law firm.
Still, HHS insists that the 2016 Guidance works no change in the legal obligations of
regulated entities. Although HHS accepts that the original Patient Rate rule “did not govern the
fees that covered entities charge for providing [PHI] to designated third parties,” Defs.’ Summ. J.
Mem. at 27 (citing 65 Fed. Reg. 82,557), it claims “that [policy] was overtaken by the HITECH
Act and subsequent modification of the Privacy Rule in 2013,” 

words, according to
HHS, the 2016 Guidance “at most clarifies HHS’s position regarding the effect of the 2013 rule,”
Defs.’ Mot. to Dismiss at 25, and therefore it “is not a certain change in the legal obligations of a
36
party,” as required to qualify as a final agency action, Nat’l Ass’n of Home Builders v. Norton, 

, 15 (D.C. Cir. 2005). The agency’s argument, however, misreads the HITECH Act and
misunderstands the regulatory history.
The HITECH Act does not speak to the allowable fees for PHI that a person directs to a
third party. Rather, the Act provides that, “[i]n applying [45 C.F.R. § 164.524],” “notwithstanding
paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such
individual with a copy of such information . . . if such copy . . . is in an electronic form shall not
be greater than the entity’s labor costs in responding to the request for the copy.” 42 U.S.C.
§ 17935(e)(3) (emphasis added). Thus, the plain text of the HITECH Act’s fee limit concerns
“providing” PHI in electronic form to “such individual,” not to a third party. 

is
buttressed by the neighboring statutory language used to create the third-party directive, which
provides that individuals shall have the right to “to direct the covered entity to transmit such copy
direct to an entity or person designated by the individual,” i.e., a third party. 

Congress thus clearly understood how to reference third parties in the HITECH Act when it wanted
to but elected not to do so when establishing the fee limitation. Also, it stands to reason that, by
expressly referencing the existing Patient Rate regulation, Congress did not intend to modify the
then-existing scope of the Patient Rate, which, since its inception in 2000, applied only to delivery
of PHI to the individual requester, and not to third parties. If Congress had intended to expand the
Patient Rate beyond its original parameters, the court would have expected it to say so more
clearly. See Whitman v. Am. Trucking Ass’ns, 

, 468 (2001) (“Congress, we have held,
does not alter the fundamental details of a regulatory scheme in vague terms or ancillary
provisions—it does not, one might say, hide elephants in mouseholes.”). Thus, contrary to HHS’s
position, the 2016 Guidance does not merely “clarify” the requirements of the HITECH Act.
37
Nor does the 2016 Guidance “clarify” the 2013 Omnibus Rule. That Rule did not untether
the Patient Rate from its original personal-use moorings established in 2000. To the contrary, the
Rule and the accompanying Federal Register discussion are silent as to the Patient Rate’s
applicability to third-party directives. To the extent the 2013 Omnibus Rule addressed the Patient
Rate, its focus was on defining the Rate’s recoverable cost components, not broadening the Rate’s
reach beyond its original scope. See 78 Fed. Reg. at 5,635–36. When asked at oral argument to
point to where in the 2013 Omnibus Rule the agency notified the industry that it had pivoted from
its over-decade-old position and expanded the Patient Rate to third-party directives, agency
counsel referenced the following explanatory text accompanying the Rule:
Section [17935(e)] of the HITECH Act strengthens the Privacy
Rule’s right of access with respect to covered entities that use or
maintain an [EHR] on an individual. Section [17935(e)] provides
that when a covered entity uses or maintains an EHR with respect to
[PHI] of an individual, the individual shall have a right to obtain
from the covered entity a copy of such information in an electronic
format and the individual may direct the covered entity to transmit
such copy directly to the individual’s designee . . . . Section
[17935(e)] also provides that any fee imposed by the covered entity
for providing such an electronic copy shall not be greater than the
entity’s labor costs in responding to the request for the copy.
See Hr’g Tr., ECF No. 41, at 16:4–19:3 (citing 78 Fed. Reg. at 5,631) (emphasis added). But that
passage is no more than the agency’s summation of the HITECH Act’s new provisions; the Act,
as discussed, did not alter the status quo as to the Patient Rate’s coverage. The summary passage
also falls well short of the type clear recognition and articulation of a policy change required under
the APA. Cf. FCC v. Fox Television Stations, Inc., 

, 515 (2009) (“To be sure, the
requirement that an agency provide reasoned explanation for its action would ordinarily demand
that it display awareness that it is changing position. An agency may not, for example, depart from
38
a prior policy sub silentio . . . .”). 8 The 2013 Omnibus Rule therefore did not alter the legal
landscape as it had stood since 2000 with respect to the Patient Rate. Accordingly, the 2016
Guidance’s broadening of the Patient Rate is a final agency action subject to review.
b.      Costs Included in the Patient Rate
The next aspect of the 2016 Guidance challenged by Ciox is its exclusion from the Patient
Rate those labor costs associated with accessing, searching for, and compiling PHI. See Compl.
¶¶ 51–53, 76. HHS, once more, asserts that this portion of the 2016 Guidance is not final, because
it does not impose any rights, obligations, or legal consequences on regulated entities; rather, it
“publicly clarifies HHS’s position about what 45 C.F.R. §164.524(c)(4)(i) has always meant by
allowing covered entities to charge labor costs for copying.” Defs.’ Mot. to Dismiss at 25. For its
part, Ciox describes the 2016 Guidance’s directions on allowable labor costs as a “dramatic
change[ ] to the component terms of the Patient Rate,” Compl. ¶ 51, one that conflicts with the
plain terms of the 2013 Omnibus Rule, which allowed recovery of the costs of “skilled technical
staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and
burning [PHI] to media, and distributing the media.” 78 Fed. Reg. at 5,636.
The 2016 Guidance’s directives concerning allowable labor costs give rise to “direct and
appreciable legal consequences.” 

. On this topic, the 2016 Guidance
reads like a recipe from which a chef is not permitted to deviate. See 2016 Guidance at 10–12.
It starts by stating that covered entities may charge individuals a fee for providing a copy of PHI
“but only within specific limits.” 

Reasonable labor costs include “only”—the underscore
for emphasis is in the Guidance itself—the “labor for copying the PHI requested by the individual,
8
As further evidence that the 2013 Omnibus Rule did not work a change, Ciox’s counsel represented that it had
reviewed all comments from the 2013 Regulation’s notice-and-comment process, and not one comment discussed the
Patient Rate applying to third-party directives. See Hr’g Tr., ECF No. 41, at 53:17–54:1.
39
whether in paper or electronic form.” 

9 “Labor for copying includes only labor for
creating and delivering the electronic or paper copy in the form and format requested or agreed
upon by the individual, once the PHI that is responsive to the request has been identified, retrieved
or collected, compiled and/or collated, and is ready to be copied.” 

covered labor
activities contained in the 2016 Guidance include “[p]hotocopying paper PHI”; “[s]canning paper
PHI into an electronic format”; converting from one electronic format to another; transferring
electronic PHI from a covered entity’s system to an electronic delivery system or platform, like a
web-based portal, portable media, or email; and creating or executing an email with responsive
PHI. 

The Guidance is equally precise in identifying what is not included in the Patient
Rate. “[L]abor for copying does not include labor costs associated with: [r]eviewing the request
for access,” and “[s]earching for, retrieving, and otherwise preparing the responsive information
for copying.” 

excluded cost category covers “labor to locate the appropriate
designated record sets about the individual, to review the records to identify the PHI that is
responsive to the request and to ensure the information relates to the correct individual, and to
segregate, collect, compile, and otherwise prepare the responsive information for copying.” 

Guidance thus seeks to draw a bright line between the labor costs incurred in the process
of duplicating and delivering PHI—which are recoverable—and the labor costs antecedent to
duplication and delivery—which are not. See 

HHS made sure regulated entities
understood that this “clarification” represented the agency’s interpretation of the Patient Rate,
see 

is important to ensure that the fees charged reflect only what the
Department considers ‘copying’ for purposes of applying 45 CFR 164.524(c)(4)(1) . . . .”), and
reminded them that it “will take enforcement action where necessary,” 

The 2016
9
Allowable reasonable labor costs also include “labor to prepare an explanation or summary of PHI, if the individual
in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.” 

firm prescriptions as to what can and cannot be included in the Patient Rate, when
coupled with the attendant enforcement threat in the event of noncompliance, create actual legal
consequences for regulated entities that render this challenged aspect of the Guidance a final
agency action.
HHS’s insistence that the 2016 Guidance breaks no new ground and merely “publicly
clarifies” what the regulations have meant all along, Defs.’ Mot. to Dismiss at 25, does not defeat
its classification as a final agency action. In Hawkes Co., the Supreme Court described its earlier
decision in Frozen Food Express v. United States, 

(1956), as follows:
[There,] we considered the finality of an order specifying which
commodities the Interstate Commerce Commission believed were
exempt by statute from regulation, and which it believed were not.
Although the order “had no authority except to give notice of how
the Commission interpreted” the relevant statute, and “would have
effect only if and when a particular action was brought against a
particular carrier,” 

, we held that the order
was nonetheless immediately reviewable, Frozen 

–45. The order, we explained, “warns every carrier, who does not
have authority from the Commission to transport those
commodities, that it does so at the risk of incurring criminal
penalties.” 

Hawkes 

. The same is true of the 2016 Guidance in this case. It too
expresses the agency’s view, in categorical terms, as to what costs are covered by the Patient Rate.
Any regulated entity that runs afoul of this aspect of the 2016 Guidance does so at the risk of
inviting an agency investigation and incurring civil penalties. Indeed, the agency has noticed its
intention to enforce the Patient Rate, as it is interpreted in the 2016 Guidance, on multiple
occasions. See Ciox Letter (letter from HHS to Ciox opening an investigation into charging fees
in excess of the Patient Rate, though the agency later closed the investigation claiming lack of
enforcement authority); Pl.’s Reply to Defs.’ Suppl. Filing, Decl. of Marla Herndon DeLatte, ECF
No. 38-1, ¶ 4 & Ex. A, ECF No. 38-2, at 2, 4, 6 (announcing an investigation of MedSouth, a
41
records management company, for charging in excess of the Patient Rate). Thus, like the order in
Frozen Foods, the 2016 Guidance’s directive on the permissible components of the Patient Rate
qualifies as a final agency action.
c.      Three Methods for Calculating the Patient Rate
The court reaches a different conclusion with respect to the last portion of the 2016
Guidance challenged by Ciox—HHS’s listing of three methodologies for calculating the Patient
Rate. That aspect of the Guidance, unlike those previously discussed, “imposes no obligations,
prohibitions, or restrictions.” Valero Energy 

. Rather, in recognizing three
ways in which to calculate the Patient Rate, the 2016 Guidance speaks in permissive, not
mandatory, terms. See Nat’l Ass’n of Home 

(finding an agency action to
be non-final that was “consistently referred to in agency documents as ‘recommended,’ rather than
mandatory”). The Guidance states that “[t]he following methods may be used, as specified below,
to calculate [the Patient Rate]:” actual costs, average costs, or a $6.50 flat fee. 2016 Guidance at
14–15 (emphasis added). The 2016 Guidance confirms that no one method is mandated. It
provides that, even where an entity generally chooses to use the average cost or flat-fee methods,
it is free to use the actual cost method when it “receive[s] an unusual or uncommon type of request
that it had not considered in setting up its fee structure.” 

Furthermore, the Guidance
makes clear that $6.50 is not the maximum allowable fee for PHI. It answers “No” to the question
“Is $6.50 the maximum amount that can be charged to provide individuals with a copy of their
PHI?” 

whatever method an entity chooses to calculate the Patient Rate, the 2016
Guidance makes clear that the entity is compliant so “long as the costs [assessed] are reasonable
and only the type permitted by the Privacy Rule.” 

acknowledges that the 2016 Guidance uses permissive language to describe the three
ways of calculating the Patient Rate, but nevertheless contends that “the key point here is that [the
Guidance] allow[s] CIOX to choose only from these three methods and expressly bar[s] Ciox from
charging the traditional state-authorized rates it would prefer.” Pl.’s Opp’n Mem. at 39. In that
way, Ciox says, this case is controlled by the D.C. Circuit’s decision in General Electric Co. v.
EPA, 

(D.C. Cir. 2002), in which the court purportedly “had no trouble recognizing
that [ ] optionality does not make a guidance any less mandatory,” Pl.’s Opp’n Mem. at 39. But
that argument is unpersuasive. Nowhere does the 2016 Guidance state, expressly or otherwise,
that the three identified methods are the only acceptable means of calculating the Patient Rate.
Ciox is free to use any method it wishes to calculate the Patient Rate, so long as it produces a
reasonable fee that includes only “certain labor, supply, and postage costs,” as authorized by
§ 164.524(c)(4). 2016 Guidance at 13.
Nor does General Electric help Ciox. In that case, the court considered an EPA guidance
document that offered two alternatives to obtaining preapproval for waste disposal based on a risk
assessment approach, in lieu of approaches specified in the regulations. General 

. The EPA guidance specified that applicants may take “either of two approaches to
risk assessment.” 

could either (1) calculate cancer and non-cancer risks
separately or (2) use a defined “total toxicity factor” to account for cancer and non-cancer risks
together. 

marks omitted). The court found that the EPA guidance was a
final agency action, although it did so in the context of determining that the controversy was ripe
for judicial review. 

The court also held—in the portion of the decision upon with Ciox
relies—that the EPA guidance was a legislative rule, because it “bind[s] applicants for approval of
a risk-based cleanup plan” under the controlling regulations. 

The fact that the guidance
43
presented two options for calculating risk did not change that assessment, the court explained,
because the guidance “still requires [applicants] to conform to one or the other, that is, not to
submit an application based upon a third way. . . . [I]n reviewing applications the Agency will not
be open to considering approaches other than those prescribed in the Document.” 

sharp contrast, the three options that HHS presents for calculating the Patient Rate do not arise, as
in General Electric, in the context of seeking agency approval pursuant to any regulation. See
Cal. Cmtys. Against 

(directing that the Bennett prong-two determinations
be made “based on the concrete consequences an agency action has or does not have as a result of
the specific statutes and regulations that govern it”). In General Electric, unless the applicant
conformed to the standards set forth in the EPA’s guidance, it risked agency rejection of its cleanup

–85. No similar consequence attends the three methods set forth in the 2016
Guidance. Instead, the Guidance presents three options for calculating the Patient Rate, and it
leaves it to the entity to decide which approach to use as appropriate. Thus, an entity is not directed
to use any particular method and, indeed, the Guidance does not foreclose the possibility of using
a different method altogether, so as long as it produces a reasonable fee that is consistent with the
allowable component costs. Nor does the Guidance fix a cap on the Patient Rate. To the contrary,
although it identifies a flat fee of $6.50 as one option, the Guidance expressly contemplates that in
some instances a reasonable fee could exceed that amount. 2016 Guidance at 15. Thus, there is
no specific legal consequence for charging in excess of $6.50 for delivery of PHI. As it presents
no more than a non-exhaustive list of options for calculating the Patient Rate, that aspect of the
2016 Guidance is not a reviewable final agency action.
Ciox’s additional complaint that it cannot charge the state-authorized rates it prefers does
not transform the alternative methodologies into final agency action. That roadblock is attributable
44
to a different aspect of the 2016 Guidance. Ciox admits that, under its business model, and as is
typical of standard industry practice, it charges state-authorized rates only for PHI requests
directed to third parties; it charges the Patient Rate, if at all, for personal requests. See Kabaria
Decl. ¶¶ 11, 13, 17; Gartland Decl. ¶¶ 11–12; Compl. ¶¶ 31–32, 40. Thus, Ciox’s lament that it
cannot charge state-authorized rates is traceable to the Guidance’s extension of the Patient Rate to
third-party requests, not to the three identified methods for calculating the Patient Rate. That
aspect of the 2016 Guidance therefore is not a reviewable agency action.
C.      The Merits of Ciox’s APA Claims
1.      2013 Omnibus Rule
At last, the court arrives at the merits of Ciox’s claims, beginning with Count One. The
2013 Omnibus Rule modified the Privacy Rule to require providers to deliver an individual’s PHI
to third parties regardless of whether the information is contained in an EHR. See 45 C.F.R.
§ 164.524(c)(2)(i)–(ii), (3)(ii). It also obligated providers to make PHI available in “the format
requested by the individual.” 

Count One contests these changes.
See Compl. ¶¶ 59–65. Ciox asserts that this expansion by rulemaking violates the APA “because
it (1) conflicts with HITECH’s plain language, and (2) exceeds HHS’s lawful authority.” Pl.’s
Opp’n. Mem. at 29. The court concurs with both arguments.
Either framing of Ciox’s APA claim in Count One is controlled by the Chevron framework.
See Chevron, U.S.A., Inc. v. Nat. Res. Def. Council, Inc., 

(1984). In every challenge
to agency action, “the question a court faces when confronted with an agency’s interpretation of a
statute it administers is always, simply, whether the agency has stayed within the bounds of its
statutory authority.” City of Arlington v. FCC, 

, 297 (2013). Stated differently, “the
question in every case is, simply, whether the statutory text forecloses the agency’s assertion of
45
authority, or not.” 

The answer to that question is determined by following the Chevron
two-step framework. See 

Under that approach, “applying the ordinary tools of statutory
construction, the court must [first] determine ‘whether Congress has directly spoken to the precise
question at issue. If the intent of Congress is clear, that is the end of the matter; for the court, as
well as the agency, must give effect to the unambiguously expressed intent of Congress.’” 

(quoting 

–43). If, however, “the statute is silent or ambiguous with
respect to the specific issue, the question for the court is whether the agency’s answer is based on
a permissible construction of the statute.” 

.
The HITECH Act on its face is far more limited than the 2013 Omnibus Rule. It provides
that, “in the case that a covered entity uses or maintains an [EHR] with respect to [PHI],” an
individual has “a right to obtain” a “copy of such information in an electronic format” and to
transmit “such copy” to a third party. 42 U.S.C. § 17935(e)(1). The Act says nothing about a right
to transmit PHI contained in any format other than an EHR. This plain text limitation prompted
HHS to observe during the rulemaking process that § 17935(e) “applies by its terms only to [PHI]
in EHRs.” 78 Fed. Reg. at 5,631.
Still, HHS insisted then, as it does now, that it has the authority to extend the third-party
directive to reach PHI contained in formats other than EHRs. HHS justified this expansion during
the rulemaking as follows:
Section [17935(e)] applies by its terms only to [PHI] in EHRs.
However, incorporating these new provisions in such a limited
manner in the Privacy Rule could result in a complex set of disparate
requirements for access to [PHI] in EHR systems versus other types
of electronic records systems. As such, the Department proposed to
use its authority under section 264(c) of HIPAA to prescribe the
rights individuals should have with respect to their individually
identifiable health information to strengthen the right of access as
provided under section [17935(e)] of the HITECH Act more
uniformly to all [PHI] maintained in one or more designated record
46
sets electronically, regardless of whether the designated record set
is an EHR.

the rulemaking, HHS looked to another statute, section 264(c) of HIPAA, for its
authority to expand the third-party directive, not the HITECH Act. Now, cloaking itself in section
264(c)’s “broad grant of authority from Congress to HHS as to the regulation of medical
information,” Defs.’ Summ. J. Opp’n at 15 (quoting S.C. Med. Ass’n v. Thompson, 

,
353 (D.C. Cir. 2003)), HHS asserts that such “authority necessarily gives the Secretary the ability
to change the standards and procedures he has established to reflect actual experience gained in
implementing pre-existing Privacy Rule [regulations] as well as changes in technology and
medical record-keeping practices,” 

HHS’s argument suffers from multiple flaws. For one, neither the plain text nor the
structure of the HITECH Act supports the agency’s position. As HHS properly conceded during
the rulemaking process, section 17935(e) “applies by its terms only to [PHI] in EHRs.” 78 Fed.
Reg. at 5,631. Moreover, section 17935(e) evinces no intent by Congress for HHS to take steps to
augment or further define the third-party directive. In sharp contrast, in the preceding sub-
paragraphs of § 17935—sections (b), (c), and (d)—Congress required HHS to fill in gaps left by
the statute. See 42 U.S.C. § 17935(b)(1)(B) (stating that “the Secretary shall issue guidance on
what constitutes ‘minimum necessary’ for purposes of subpart E of part 164 of [45 C.F.R.]”);
§ 17935(c)(2) (stating “[t]he Secretary shall promulgate regulations on what information shall be
collected about each disclosure referred to in paragraph (1)”); § 17935(d)(3) (providing that “the
Secretary shall promulgate regulations to carry out this subsection”). The absence of any similar
directive by Congress in paragraph (e) is telling. “Congress knows to speak in plain terms when
it wishes to circumscribe, and in capacious terms when it wishes to enlarge, agency discretion,”
47
City of 

, and here Congress spoke plainly in limiting the reach of the
third-party directive.
Timing is also relevant. The Privacy Rule preceded the HITECH Act by nearly a decade.
So, Congress would have known when it enacted the HITECH Act in 2009 that the Privacy Rule,
at that time, required covered entities to “provide the individual with access to the protected health
information in the form or format requested by the individual, if it is readily producible in such
form or format; or, if not, in a readable hard copy form or such other form or format as agreed to
by the covered entity and the individual.” 45 C.F.R. § 164.524(c)(2)(i) (2008). Yet, when it
defined the reach of the third-party directive, Congress elected not to draw the directive as
expansively as the Privacy Rule’s guarantee of access “in the form or format requested by the
individual.” Instead, Congress created a more restricted patient right to transmit only an EHR “in
an electronic format” to a third person. 42 U.S.C. § 17935(e)(1). HHS’s fear that such a limited
right would give rise to a hodgepodge of “disparate requirements” for accessing PHI cannot justify
its “strengthen[ing] the [statutory] right of access.” 78 Fed. Reg. at 5,631. “Disagreeing with
Congress’s expressly codified policy choices isn’t a luxury administrative agencies enjoy.” Cent.
United Life Ins. Co. v. Burwell, 

, 73 (D.C. Cir. 2016).
Nor can HHS turn to Section 264(c) of HIPAA as the source for its power to expand the
third-party directive. As a threshold matter, whether HHS retains general rulemaking power under
that statute is not free from doubt. Section 264 of HIPAA, which Congress passed in 1996, directed
HHS to develop “detailed recommendations on standards with respect to the privacy of
individually identifiable health information” and submit them to Congress within 12 months.
HIPAA § 264(a) (formerly codified at 42 U.S.C. § 1320d-2). In the event Congress received the
agency’s recommendations but did not act within 36 months of the HIPAA’s enactment, HIPAA
48
directed HHS “to promulgate final regulations containing such standards not later than the date
that is 42 months after the date of the enactment of this Act.” 

(formerly codified
at 42 U.S.C. § 1320d-2). Congress did not act within the prescribed time, so the agency adopted
final privacy regulations as directed. See generally HHS, Standards for Privacy of Individually
Identifiable Health Information—Final Rule, 65 Fed. Reg. 82,462 (Dec. 28, 2000). HHS’s power
to promulgate additional individual-privacy regulations pursuant to § 264(c) thus arguably expired
long ago. HHS nonetheless insists that its rulemaking authority pursuant to § 264(c) remains
extant. See Defs.’ Mot. for Summ. J. at 15–17, 19–21.
The court need not definitively resolve the issue. For even if HHS’s power to make rules
pursuant to § 264(c) is alive and well, an agency’s general rulemaking authority cannot be used to
expand a congressionally imposed restriction, see Teva Pharm. Indus. Ltd. v. Crawford, 

, 55 (D.C. Cir. 2005); Nat. Res. Def. Council, Inc. v. Reilly, 

, 41 (D.C. Cir. 1992),
and “Congress’s more specific enactment controls a prior grant of general authority,” Helicopter
Ass’n Int’l, Inc. v. FAA, 

, 435 (D.C. Cir. 2013). In short, HHS cannot rely on its
general rulemaking authority to supplement the limited-scope, third-party directive enacted by
Congress. 10 The 2013 Omnibus Rule’s expansion of the third-party directive is therefore arbitrary
and capricious.
2.       2016 Guidance
That leaves Ciox’s APA challenges to two aspects of the 2016 Guidance, which are Counts
Two and Three of the Complaint, respectively: (1) applying the Patient Rate to third-party
directives, and (2) excluding from the Patient Rate the labor costs of searching for and retrieving
PHI. (The court already found the 2016 Guidance’s identification of three methods to calculate
10
Ciox also argued that Defendants’ interpretation of HIPAA § 264(c) would violate the non-delegation doctrine. See
Pl.’s Mem. at 32–33. The court need not reach this issue.
49
the Patient Rate is a nonreviewable, nonfinal agency action.) With respect to both the Patient Rate
expansion and the exclusion of certain labor costs from the Patient Rate, Ciox contends that those
actions are procedurally invalid because they are legislative rules that HHS failed to subject to
notice and comment. See Pl.’s Opp’n Mem. at 34–40. Additionally, Ciox maintains that the
Patient Rate expansion is substantively invalid as it conflicts with the plain language of the
HITECH Act. See 

The court first considers the parties’ arguments concerning
broadening the Patient Rate before turning to the limits placed on recoverable labor costs.
a.      Patient Rate Expansion
The expansion of the Patient Rate in the 2016 Guidance is a legislative rule.
“[L]egislative rules are those that grant rights, impose obligations, [ ] produce other significant
effects on private interests, or . . . effect a change in existing law or policy.” Am. Tort Reform
Ass’n v. Occupational Safety & Health Admin., 

, 395 (D.C. Cir. 2013) (internal
quotation marks and citations omitted). Stated differently, a rule is legislative, and therefore must
undergo notice and comment, when it “change[s] the law,” Nat’l Res. Def. Council v. EPA, 

, 320 (D.C. Cir. 2011), or “effectively amends a prior legislative rule,” Am. Min. Cong. v.
Mine Safety & Health Admin., 

, 1112 (D.C. Cir. 1993). On the other hand, an agency
action that merely “clarifies” the agency’s interpretation of the legal landscape and that neither
binds the agency nor “create[s] a new burden” on regulated entities is not a legislative rule.
See Catawba County v. EPA, 

, 34 (D.C. Cir. 2009); see also United Techs. Corp. v.
EPA, 

, 718 (D.C. Cir. 1987). In distinguishing between legislative and non-legislative
rules, courts consider both the actual legal effects of the agency action and the agency’s
characterization of the action, see Nat’l Mining Ass’n v. McCarthy, 

, 252 (D.C. Cir.
50
2014), though agencies cannot “avoid notice and comment simply by mislabeling their substantive
pronouncements,” Azar v. Allina Health Servs., 

, 1812 (2019).
Here, the 2016 Guidance works a change in the law with respect to the Patient Rate and
therefore is a legislative rule that HHS had no authority to adopt without notice and comment.
See Nat’l Res. Def. 

.         As explained above, the 2016 Guidance’s
unequivocal command that the Patient Rate applies to all third-party directives cannot be sourced
to either the HITECH Act or the 2013 Omnibus Rule. Neither the legislation nor the regulations
makes the Patient Rate applicable to third-party directives. The HITECH Act on its face applies
the Patient Rate only to individual requests for PHI in electronic form, and the 2013 Omnibus Rule
says nothing at all about the Patient Rate’s application. Indeed, the 2016 Guidance represents an
about-face from HHS’s proclamation, made in 2000 when it first adopted the Privacy Rule and the
Patient Rate, that “[w]e do not intend to affect the fees that covered entities charge for providing
protected health information to anyone other than the individual,” 65 Fed. Reg. at 82,557
(emphasis added), and “[t]he proposed and final rule establish the right to access and copy records
only for individuals, not other entities; the ‘reasonable fee’ is only applicable to the individual’s
request,” 

(emphasis added); see also 

expectation is that other
existing practices regarding fees, if any, for the exchange of records not requested by an individual
will not be affected by this rule.”). HHS could have made such a dramatic change only through
notice and comment.
Having determined that HHS extended the Patient Rate to third-party directives in violation
of the APA’s notice-and-comment requirement, the question becomes whether the court should go
on to resolve Ciox’s substantive challenge. See Nat’l Res. Def. 

. In so
deciding, the court must be conscious not to “prejudge[e] the notice-and-comment process, the
51
very purpose of which is to give interested parties the opportunity to participate in rulemaking and
to ensure that the agency has before it all relevant information,” but on the other hand, be mindful
of whether passing on making a substantive determination would exacerbate the injury to Ciox
and other affected entities. See 

these factors, the court declines to enter judgment on the merits of Ciox’s
substantive claim. Ciox’s limited substantive challenge to the Patient Rate expansion is that it
conflicts with the plain text of the HITECH Act. See Pl.’s Opp’n Mem. at 41–43. As discussed,
the court does not read the HITECH Act to support the agency’s expanded treatment of the Patient
Rate to third-party directives. The court is reluctant, however, to commit that interpretation to a
judgment out of concern that it could be viewed as foreclosing HHS from revisiting its original
articulation, from 2000, of the Patient Rate’s scope. Such a re-evaluation, if it is to occur, is better
undertaken without a judgment from the court that might be viewed as prejudging a fulsome
notice-and-comment process.
b.      Exclusion of labor costs for search and retrieval
The 2016 Guidance’s exclusion of skilled technical staff time to search and retrieve PHI
from the Patient Rate is an interpretive rule that the agency was not required to subject to notice
and comment. Although the court held this proscription to be final for purposes of judicial review,
it is not a legislative rule because it breaks no new legal ground but merely clarifies ambiguity
arising from the 2013 Omnibus Rule. See Cal. Cmtys. Against 

(drawing
a distinction between finality analysis and rule classification under the APA); see also Cellnet
Commc’n, Inc. v. FCC, 

, 1110–11 (D.C. Cir. 1992), as amended (Sept. 4, 1992)
(holding that an agency’s action that “resolved an ambiguity” in its own rules was not a legislative
rule because it “clarified, rather than changed, the rules”); United Techs. Corp. v. EPA, 

714, 718 (D.C. Cir. 1987) (explaining that a rule is interpretive, not legislative, when it “simply
states what the administrative agency thinks the underlying [law] means, and only reminds affected
parties of existing duties” (cleaned up)).
Contrary to Ciox’s contention, the 2013 Omnibus Rule did not authorize entities to bill for,
under the Patient Rate, skilled technical staff time devoted to “segregate, collect, compile, and
otherwise prepare the responsive [PHI] for copying.” See Pl.’s Combined Reply Mem. in Supp.
of Mot. for Summ. J. and in Opp’n to Defs.’ Cross-Mot., ECF No. 25, at 18 (quoting 2016
Guidance at 12). The Rule itself is vague as to the specifics, providing only that the Patient Rate
includes “[l]abor for copying the protected health information requested by the individual, whether
in paper or electronic form.” 45 C.F.R. § 164.524(c)(4)(i). The explanatory text accompanying
the 2013 Omnibus Rule tried to provide some clarity. It attempted to draw a line between labor
costs incurred in identifying and retrieving PHI, which is not recoverable, and the labor costs
associated with copying such information, which is recoverable.           The 2013 Omnibus Rule
explained that,
although the proposed rule indicated that a covered entity could
charge for the actual labor costs associated with the retrieval of
electronic information, in this final rule we clarify that a covered
entity may not charge a retrieval fee (whether it be a standard
retrieval fee or one based on actual retrieval costs). This
interpretation will ensure that the fee requirements for electronic
access are consistent with the requirements for hard copies, which
do not allow retrieval fees for locating the data.
78 Fed. Reg. at 5,636 (emphasis added). The 2013 Omnibus Rule thus tried to make clear that
labor associated with “locating the data” is excluded from the Patient Rate. The 2016 Guidance
draws the same line. It states that “copying” costs include “labor for creating and delivering the
electronic or paper copy in the form and format requested or agreed upon by the individual, once
the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or
53
collated, and is ready to be copied.” 2016 Guidance at 11 (emphasis added). So, the labor costs
associated with preparing the responsive information for copying cannot be recovered, but the
labor costs incurred in copying can be.
To be sure, HHS bears responsibility for any industry uncertainty as to what precise actions
qualify as “[l]abor for copying” PHI that can be charged under the Patient Rate. 45 C.F.R.
§ 164.524(c)(4)(i). In 2013, the agency wrote that “labor costs included in [the Patient Rate] could
include skilled technical staff time spent to create and copy the electronic file, such as compiling,
extracting, scanning and burning [PHI] to media.” 78 Fed. Reg. at 5,636 (emphasis added). But
in 2016, the agency stated that the Patient Rate “does not include labor costs associated with . . .
segregat[ing], collect[ing], compil[ing], and otherwise prepar[ing] the responsive information for
copying.” 2016 Guidance at 12 (emphasis added). The overlapping use of the verb “compile,”
along with the use of near synonyms such as “extract” and “collect,” is surely a source of great
confusion—and frustration—within the industry. But the agency’s word soup does not alter what
the Privacy Rule allows, which is recovery of the costs of “[l]abor for copying [PHI],” as distinct
from the costs incurred from pre-copying activities. 45 C.F.R. § 164.524(c)(4)(i). The 2016
Guidance’s instructions concerning the component costs of the Patient Rate therefore do not
qualify as a legislative rule.
IV.     CONCLUSION
For the foregoing reasons, the court grants in part and denies in part Defendants’ Motion
to Dismiss, ECF No. 9, grants in part and denies in part Ciox’s Cross-Motion for Summary
Judgment, ECF No. 12, and grants in part and denies in part Defendants’ Cross-Motion for
Summary Judgment, ECF No. 22.
54
Consistent with this Memorandum Opinion, the court (1) declares unlawful and vacates the
2013 Omnibus Rule insofar as it expands the HITECH Act’s third-party directive beyond requests
for a copy of “an [EHR] with respect to [PHI] of an individual . . . in an electronic format,”
42 U.S.C. § 17935(e); and (2) declares unlawful and vacates the 2016 Guidance insofar as it,
without going through notice and comment, extends the Patient Rate to reach third-party directives.
A final order accompanies this Memorandum Opinion.
Dated: January 23, 2020                                     Amit P. Mehta
United States District Court Judge
55