
HHS Files Motion to Dismiss Ciox Health Lawsuit

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health, claiming that the lawsuit lacks standing.

Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The 2013 changes to the HIPAA Privacy Rule in question placed a limit on the amount that covered entities could charge for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access.

Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations.

In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS explains that the claims made by Ciox Health lack standing as the rulemaking it is challenging only applies to HIPAA-covered entities. Ciox Health is a business associate, not a covered entity. HHS points out that Ciox Health is challenging a rule that the company is not subject to. Further, the guidance that has been challenged has no force or effect of law and, as such, there is nothing for Ciox Health to challenge.

The fees that Ciox Health can charge for providing copies of medical records are not limited by HIPAA. The HIPAA Rule that the firm is challenging is concerned with the fees that covered entities can charge patients. The fees that Ciox Health charges covered entities are a matter for Ciox Health to resolve with the covered entities that it serves.

HHS explained that the claims of Ciox Health lack standing and that a challenge has been made against “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action,” that Ciox Health failed to establish that it has suffered an injury as a result of the 2013 rulemaking and 2016 guidance, and that there are no constitutional grounds to make the claims.

“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.