Share this article on:
The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing.
Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access.
Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations.
In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS explains that the claims made by Ciox Health lack standing as the rulemaking it is challenging only applies to HIPAA-covered entities. Ciox Health a business associate, not a covered entity. HHS points out Ciox Health is challenging a rule that the company is not subject to. Further, the guidance which has been challenged has no force or effect of law and as such, there is nothing for Ciox Health to challenge.
The fees that Ciox Health can charge for providing copies of medical records are not limited by HIPAA. The HIPAA Rule that the firm is challenging is concerned with the fees that covered entities can charge patients. The fees that Ciox Health charges covered entities is a matter for Ciox Health to resolve with the covered entities that it serves.
HHS explained the claims of Ciox Health lack standing and a challenge has been made against “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action,” also CIOX Health failed to establish that it has suffered an injury as a result of the 2013 rulemaking and 2016 guidance and there are no constitutional grounds to make the claims.
“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.”