A healthcare technology company that assists providers with medical records requests has filed a lawsuit against the Department of Health and Human Services to prevent the agency from enforcing portions of HIPAA that limit the amount providers can charge for patient records.
Calling updates to the federal privacy law “irrational, arbitrary, capricious and absurd,” Georgia-based Ciox Health claims HHS’s enforcement approach “imposes tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical-records industry that services them,” according to the lawsuit filed against the agency as well as Acting Secretary Eric Hargan.
Although the company says it supports the basic tenets of HIPAA and patient access to medical records, the lawsuit takes specific aim at 2013 rulemaking and 2016 enforcement guidance that have reshaped the medical records industry, asking the courts to invalidate those changes.
Ciox Health processes “tens of millions” of medical records requests each year for healthcare providers in all 50 states and qualifies as a business associate under HIPAA. The company’s website claims it services “three out of five hospitals and more than 16,000 physician practices” across the country.
In the complaint, filed on Monday in the U.S. District Court of Washington, D.C., Ciox takes issue with two agency actions. The first occurred in 2013 when the agency issued a final rule requiring providers to a transmit health records to a designated individual, and include any medical information housed electronically, regardless of whether or not it resides in the EHR. Those changes failed to consider the "sizeable costs" associated with collecting that information and HHS even acknowledged that it was pushing beyond the regulatory language of the HITECH Act, according to the complaint.
Second, the company claims HHS guidance issued in 2016 made “dramatic changes” to HIPAA enforcement by requiring all records requests—including those made by third parties like law firms and life insurance companies—to limit charges to a “reasonable cost-based fee.” HHS outlined three ways covered entities could charge a fee: Actual labor costs, average labor costs or a flat fee of $6.50.
This guidance, Ciox argues, was a distinct departure from the original law and contradicts updates in the HITECH Act that limited the amount covered entities could charge individuals for their medical records but placed no restriction for third parties. The company says calculating the actual or average costs is impractical and that the $6.50 fee “bears no rational relationship to the actual cost of fulfilling these requests.”
Ciox Health was ultimately caught up in HHS enforcement of the 2016 guidance. The company points to a letter it received in March 2017 from an OCR official warning Ciox that it may have violated HIPAA when it charged one patient at CHI Health St. Francis Hospital $224.65 after sending 353 pages of medical records to her lawyer.
Ciox claims that guidance, plus a 2013 modification to the privacy rule, directly contradict the statutory language in the HITECH Act that placed limits on medical records fees only when patients were making the request.
Approximately 4% of the records requests the company handles each year are from patients, while 40%-50% involve transmitting records from one provider to another. In both instances, Ciox fulfills those requests free of charge, but those costs are subsidized by revenue generated through requests by third-party commercial businesses.
“The long-term viability of the medical-records industry is critical to the delivery of high-quality, error-free and cost-effective healthcare services to patients by ensuring that healthcare providers have timely access to individual medical records,” Ciox said in a statement emailed to FierceHealthcare.
HHS did not immediately respond to a request for comment.
The complaint warns that continued enforcement by HHS could substantially increase healthcare costs with “dire consequences for millions of Americans."
The court filing is the beginning of "a very long game filled with potential challenges on procedural and substantive grounds," Lucia Savage, the former chief privacy officer at the Office of the National Coordinator for Health IT, who provided FierceHealthcare her own analysis of the complaint. She noted that the company did not include any references to ONC's 2014 EHR certification standards that required systems to allow patients to view, download and transmit records, or updated standards that require application program interfacing (API).
Ciox has been the target of several legal spats, including a class-action lawsuit filed earlier this year in Georgia alleging the company overcharged for medical records. That case was dismissed by a district court judge on Tuesday.
Ciox was also included in a complaint filed in November by two attorneys alleging 62 hospitals in Indiana submitted fraudulent Meaningful Use data by failing to fulfill medical records requests within three days. The attorneys claimed Ciox “routinely and repeatedly” overcharged patients for medical records.