HHS says Ciox Health lawsuit challenging HIPAA enforcement lacks standing

In a court filing, HHS said Ciox Health is a covered entity, which means it falls outside of the agency's HIPAA enforcement. (Sarah Stierch/CC BY 4.0)

The Department of Health and Human Services (HHS) is pushing back on a lawsuit from a technology firm that helps providers fulfill medical records requests, arguing the company falls outside of the agency’s HIPAA enforcement.

Urging the U.S. District Court in Washington, D.C., to dismiss a lawsuit filed by Ciox Health, HHS said the company’s claims lack standing because the HIPAA guidance called into question applies to covered entities and Ciox is considered a business associate.

RELATED: Ciox Health sues HHS to stop ‘irrational’ HIPAA enforcement

Innovation Awards

Submit your nominations for the FierceHealthcare Innovation Awards

The FierceHealthcare Innovation Awards showcases outstanding innovation that is driving improvements and transforming the industry. Our expert panel of judges will determine which companies demonstrate innovative solutions that have the greatest potential to save money, engage patients, or revolutionize the industry. Deadline for submissions is this Friday, October 18th.

The Georgia-based company filed the lawsuit against HHS at the beginning of the year, challenging 2013 rulemaking requiring providers to transmit all electronic patient data to a designated individual along with 2016 enforcement guidance from the Office for Civil Rights (OCR) that limited charges for medical records to a “reasonable cost-based fee.”

Ciox called the guidance “irrational, arbitrary, capricious and absurd” and asked the court for injunctive relief to stop HHS from unlawfully enforcing the regulations. Ciox, which services 60% of hospitals across the nation, argued the guidance would be disastrous for the medical records industry.

RELATED: OCR appoints Timothy Noonan as acting deputy director after losing its second health privacy lead in 4 months

In its response (PDF), HHS said Ciox failed to show it suffered an injury and lacks constitutional standing to assert its claims.

“Indeed, because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue,” agency officials wrote in a motion to dismiss.

HHS added that even if Ciox had standing, its claims are “unripe,” since the agency’s 2016 guidance “imposes no independent legal obligations of its own” and merely “explains HHS’s current, nonbinding view of the law.” Agency officials noted that if it were to restructure its guidance to allow search and retrieval costs to fall within “labor for copying” costs, it would impose additional obligations on those requesting records.

Suggested Articles

As drugmakers face billions in legal settlements and judgments, we must keep our eye on what will truly defeat the opioid crisis.

Voters got a better look at Democrats’ healthcare priorities on Tuesday, as 12 of the leading candidates attended the fourth debate.

Electronics company Sony is jumping into the wearables and mobile health technology market with a business-to-business solution for developers.