The Department of Health and Human Services (HHS) is pushing back on a lawsuit from a technology firm that helps providers fulfill medical records requests, arguing the company falls outside of the agency’s HIPAA enforcement.
Urging the U.S. District Court in Washington, D.C., to dismiss a lawsuit filed by Ciox Health, HHS said the company’s claims lack standing because the HIPAA guidance called into question applies to covered entities and Ciox is considered a business associate.
The Georgia-based company filed the lawsuit against HHS at the beginning of the year, challenging 2013 rulemaking requiring providers to transmit all electronic patient data to a designated individual along with 2016 enforcement guidance from the Office for Civil Rights (OCR) that limited charges for medical records to a “reasonable cost-based fee.”
Ciox called the guidance “irrational, arbitrary, capricious and absurd” and asked the court for injunctive relief to stop HHS from unlawfully enforcing the regulations. Ciox, which services 60% of hospitals across the nation, argued the guidance would be disastrous for the medical records industry.
In its response (PDF), HHS said Ciox failed to show it suffered an injury and lacks constitutional standing to assert its claims.
“Indeed, because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue,” agency officials wrote in a motion to dismiss.
HHS added that even if Ciox had standing, its claims are “unripe,” since the agency’s 2016 guidance “imposes no independent legal obligations of its own” and merely “explains HHS’s current, nonbinding view of the law.” Agency officials noted that if it were to restructure its guidance to allow search and retrieval costs to fall within “labor for copying” costs, it would impose additional obligations on those requesting records.