HHS says Ciox Health lawsuit challenging HIPAA enforcement lacks standing

hhs
In a court filing, HHS said Ciox Health is a covered entity, which means it falls outside of the agency's HIPAA enforcement. (Sarah Stierch/CC BY 4.0)

The Department of Health and Human Services (HHS) is pushing back on a lawsuit from a technology firm that helps providers fulfill medical records requests, arguing the company falls outside of the agency’s HIPAA enforcement.

Urging the U.S. District Court in Washington, D.C., to dismiss a lawsuit filed by Ciox Health, HHS said the company’s claims lack standing because the HIPAA guidance called into question applies to covered entities and Ciox is considered a business associate.

RELATED: Ciox Health sues HHS to stop ‘irrational’ HIPAA enforcement

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

The Georgia-based company filed the lawsuit against HHS at the beginning of the year, challenging 2013 rulemaking requiring providers to transmit all electronic patient data to a designated individual along with 2016 enforcement guidance from the Office for Civil Rights (OCR) that limited charges for medical records to a “reasonable cost-based fee.”

Ciox called the guidance “irrational, arbitrary, capricious and absurd” and asked the court for injunctive relief to stop HHS from unlawfully enforcing the regulations. Ciox, which services 60% of hospitals across the nation, argued the guidance would be disastrous for the medical records industry.

RELATED: OCR appoints Timothy Noonan as acting deputy director after losing its second health privacy lead in 4 months

In its response (PDF), HHS said Ciox failed to show it suffered an injury and lacks constitutional standing to assert its claims.

“Indeed, because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue,” agency officials wrote in a motion to dismiss.

HHS added that even if Ciox had standing, its claims are “unripe,” since the agency’s 2016 guidance “imposes no independent legal obligations of its own” and merely “explains HHS’s current, nonbinding view of the law.” Agency officials noted that if it were to restructure its guidance to allow search and retrieval costs to fall within “labor for copying” costs, it would impose additional obligations on those requesting records.