HHS asks court to dismiss CiOX lawsuit
The U.S. Department of Health and Human Services is asking the U.S. District Court in Washington, D.C. to dismiss the lawsuit filed by CiOX Health against the agency, claiming the medical records vendor falls outside HHS’ HIPAA enforcement.
HHS’ response argues that CiOX’s claims lack standing, as the HIPAA guidance CiOX calls into question in its suit, only applies to covered entities. And CiOX is a business associate. In fact, HHS argues that the regulations in question don’t “impose such obligations” on business associates.
CiOX, which services about 60 percent of U.S. hospitals, filed suit against HHS in January for HHS “absurd” and “irrational” HIPAA enforcement, claiming that regulatory changes to HIPAA in 2013 and 2016 threaten to “upend the medical records industry.”
The vendor asked the judge to halt these changes, which it said limits the amount providers can charge for patient records and asked for injunctive relief to put an end to the agency unlawfully enforcing these regulations.
HHS argues in its response that CiOX failed to demonstrate that the company suffered injury from these guidelines and further argued that the vendor lacks constitutional grounds to make its claims.
“Because HHS has not and cannot take enforcement action against CiOX regarding the fees it charges for individual requests of PHI, CiOX cannot raise either an enforcement or pre-enforcement challenge to the Privacy Rule provision and guidance at issue,” according to the suit.
“CiOX’s claims are similarly unripe,” the suit continued. “It brings a challenge to a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action … “There is not yet anything for CiOX to challenge here.”
CiOX did not respond to request for comment by time of publication.