HHS says Ciox Health lawsuit challenging HIPAA enforcement lacks standing

In a court filing, HHS said Ciox Health is a covered entity, which means it falls outside of the agency's HIPAA enforcement. (Sarah Stierch/CC BY 4.0)

The Department of Health and Human Services (HHS) is pushing back on a lawsuit from a technology firm that helps providers fulfill medical records requests, arguing the company falls outside of the agency’s HIPAA enforcement.

Urging the U.S. District Court in Washington, D.C., to dismiss a lawsuit filed by Ciox Health, HHS said the company’s claims lack standing because the HIPAA guidance called into question applies to covered entities and Ciox is considered a business associate.

RELATED: Ciox Health sues HHS to stop ‘irrational’ HIPAA enforcement


13th Partnering with ACOS & IDNS Summit

This two-day summit taking place on June 10–11, 2019, offers a unique opportunity to have invaluable face-to-face time with key executives from various ACOs and IDNs from the entire nation – totaling over 3.5 million patients served in 2018. Exclusively at this summit, attendees are provided with inside information and data from case studies on how to structure an ACO/IDN pitch, allowing them to gain the tools to position their organization as a “strategic partner” to ACOs and IDNs, rather than a merely a “vendor.”

The Georgia-based company filed the lawsuit against HHS at the beginning of the year, challenging 2013 rulemaking requiring providers to transmit all electronic patient data to a designated individual along with 2016 enforcement guidance from the Office for Civil Rights (OCR) that limited charges for medical records to a “reasonable cost-based fee.”

Ciox called the guidance “irrational, arbitrary, capricious and absurd” and asked the court for injunctive relief to stop HHS from unlawfully enforcing the regulations. Ciox, which services 60% of hospitals across the nation, argued the guidance would be disastrous for the medical records industry.

RELATED: OCR appoints Timothy Noonan as acting deputy director after losing its second health privacy lead in 4 months

In its response (PDF), HHS said Ciox failed to show it suffered an injury and lacks constitutional standing to assert its claims.

“Indeed, because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue,” agency officials wrote in a motion to dismiss.

HHS added that even if Ciox had standing, its claims are “unripe,” since the agency’s 2016 guidance “imposes no independent legal obligations of its own” and merely “explains HHS’s current, nonbinding view of the law.” Agency officials noted that if it were to restructure its guidance to allow search and retrieval costs to fall within “labor for copying” costs, it would impose additional obligations on those requesting records.

Suggested Articles

Humana is teaming up with telehealth company Doctor on Demand to launch a new virtual care model focused on primary care.

A federal judge in Pennsylvania has tossed UPMC’s class action suit against the state’s attorney general.

Seema Verma said Thursday that while the Trump administration has focused on voluntary payment models to date, that is likely to change.