HIPAA lawsuit raises questions about HHS’ oversight of business associates


A recent court filing from the Department of Health and Human Services (HHS) has raised new questions about how the agency enforces HIPAA regulations for business associates.

A court filing last month from HHS, urging the U.S. District Court in Washington, D.C., to dismiss a lawsuit filed by Ciox Health, surprised some privacy attorneys. In its response to Ciox’s allegations that a 2013 rule and 2016 guidance have led to "irrational" enforcement by the federal agency, HHS countered that it “imposes no requirements or restrictions on business associates like Ciox.”

Ciox fulfills tens of millions of medical records requests for the majority of hospitals across the country, according to its website. 

Specifically, HHS indicates that it does not regulate how much business associates charge for records requests, even though it prohibits covered entities from overcharging patients.


“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of [personal health information], Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue,” HHS wrote.

That defense struck a chord with some healthcare attorneys. 

“It’s puzzling that the government seems to be saying the business associate doesn’t have to comply with the privacy rule,” Shannon Hartsfield, an attorney with Holland & Knight, told FierceHealthcare.

For its part, in a recent filing, Ciox calls HHS’s position “astonishing” and cites specific portions of HIPAA that impose restrictions on the contract terms between business associates and covered entities.

But the government’s main focus appears to be the amount of money business associates can charge for processing medical records requests. That is where HHS steps aside, arguing that Ciox is “free to negotiate the terms of the payments that Ciox may receive for its services.”

“What HHS seems to be saying—which is much narrower but still interesting—is that particular element isn’t enforceable by us,” said Kirk Nahra, a privacy attorney and partner at Wiley Rein in Washington, D.C.


Ciox has said the regulation changes failed to consider the "sizable costs" associated with collecting medical records, costs the company passes on to life insurance companies and personal injury attorneys rather than patients.

But Ciox says the notion that business associates can negotiate those prices “outside the shadow of HHS’s rules is pure fantasy.” Furthermore, the company argues that it generally receives its fees from the party requesting the information and that the effort and disruption it would take to renegotiate “roughly 1,300” contracts is proof of regulatory harm.

“I’ve always taken the view that the business associate needs to comply with the privacy rule to the extent they’ve been delegated,” Hartsfield says. “Maybe [HHS] isn’t really stepping away from that, but it creates confusion about that issue.”