HHS Explains Why Ciox Health Lawsuit Lacks Standing

The Department of Health and Human Services filed a motion to dismiss the lawsuit filed by Ciox Health for lack of standing. Early this year, healthcare information management company Ciox Health filed a lawsuit against HHS to challenge the changes to HIPAA in 2013 and the enforcement guidance they issued in 2016.

Ciox Health questioned the change to the HIPAA Privacy Rule in 2013, which put a limit on the amount the covered entities can charge for giving patients copies of their health records. The amount is limited to a reasonable cost-based fee. HHS issued guidance in 2016 to explain to the public the rulemaking and answer frequently asked questions about accessing medical records.

Ciox Health claims that the above changes threaten to upset the medical records industry and that the updates are ultra vires, illogical and capricious. Its lawsuit seeks injuctive relief to stop the enforcement of the regulations.

HHS filed a motion to dismiss the lawsuit in the U.S. District Court in Washington, D.C. The basis of the motion is the fact that Ciox Health’s claims lack standing. The rulemaking that Ciox Health is challenging must be followed only by HIPAA-covered entities. Ciox Health is a business associate and not a covered entity, hence it is not subject to the rule it is challenging. Further, the guidance has no force or effect of law on Ciox.

Ciox Health is not limited by HIPAA when it comes to the amount it can charge for providing copies of medical records. The HIPAA Rule can only control the fees that covered entities charge their patients. Whatever fees Ciox Health charges must be resolved with the covered entities it serves if there are any.

HHS further explained that Ciox Health challenged “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action.” Ciox Health was not able to establish that it suffered an injury as a result of the 2013 rulemaking and 2016 guidance. So there are no constitutional grounds for Ciox Health to make the claims. Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.