HHS says Ciox Health lawsuit challenging HIPAA enforcement lacks standing

In a court filing, HHS said Ciox Health is a covered entity, which means it falls outside of the agency's HIPAA enforcement. (Sarah Stierch/CC BY 4.0)

The Department of Health and Human Services (HHS) is pushing back on a lawsuit from a technology firm that helps providers fulfill medical records requests, arguing the company falls outside of the agency’s HIPAA enforcement.

Urging the U.S. District Court in Washington, D.C., to dismiss a lawsuit filed by Ciox Health, HHS said the company’s claims lack standing because the HIPAA guidance called into question applies to covered entities and Ciox is considered a business associate.

RELATED: Ciox Health sues HHS to stop ‘irrational’ HIPAA enforcement

Featured Webinar

Patient experience and the bottom-line impact on a practice

Practices that deliver exceptional experience often demonstrate strong financial performance and efficient operations. Join us to learn how to identify the most impactful connections between patient experience and financial performance, how to measure, track and improve patient experience as it relates to the bottom line, and identify patient experience measures that affect financial performance.

The Georgia-based company filed the lawsuit against HHS at the beginning of the year, challenging 2013 rulemaking requiring providers to transmit all electronic patient data to a designated individual along with 2016 enforcement guidance from the Office for Civil Rights (OCR) that limited charges for medical records to a “reasonable cost-based fee.”

Ciox called the guidance “irrational, arbitrary, capricious and absurd” and asked the court for injunctive relief to stop HHS from unlawfully enforcing the regulations. Ciox, which services 60% of hospitals across the nation, argued the guidance would be disastrous for the medical records industry.

RELATED: OCR appoints Timothy Noonan as acting deputy director after losing its second health privacy lead in 4 months

In its response (PDF), HHS said Ciox failed to show it suffered an injury and lacks constitutional standing to assert its claims.

“Indeed, because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue,” agency officials wrote in a motion to dismiss.

HHS added that even if Ciox had standing, its claims are “unripe,” since the agency’s 2016 guidance “imposes no independent legal obligations of its own” and merely “explains HHS’s current, nonbinding view of the law.” Agency officials noted that if it were to restructure its guidance to allow search and retrieval costs to fall within “labor for copying” costs, it would impose additional obligations on those requesting records.

Suggested Articles

CMS announced it will offer the COVID-19 vaccine to Medicare beneficiaries at no cost to patients and issued new add-on payments for virus treatments.

Nearly half of employees have deferred care amid the pandemic, according to a new survey from Willis Towers Watson.

A new Moody's analysis finds the global supply chain is becoming more fragmented and less global, which will mean higher costs for hospitals.