"HHS’s rules are impossible to square with the plain language of the controlling legislative enactments."
Georgia-based health records management company Ciox Health has filed a lawsuit against the Department of Health and Human Services (HHS) and its Acting Secretary, Eric Hargan, for their enforcement of HIPAA.
The company asserts that changes in the law’s enforcement guidelines resulted in “irrational, arbitrary, capricious, and absurd” actions on the agency’s behalf. The 44-page filing, made this week in the United States District Court in Washington, DC, seeks injunction against HHS to prevent it from limiting healthcare providers—and affiliates like Ciox Health—in how they may assess fees for allowing patients access to their health records.
Charges assessed to patients are to be “reasonable” under current rules, either in the form of a flat $6.50 fee or reimbursement for actual or average labor costs. The company’s suit blasts each of those 3 options, claiming calculations of the actual cost would be prohibitively time-consuming; there is “no rational basis” for the average cost limitations; and the $6.50 flat fee “bears no rational relationship to the actual cost of fulfilling these requests.”
The filing cites a letter that Ciox received from HHS’s Office of Civil Rights in 2017 warning it about its charging practices. The company describes HHS actions as ominous, an “unlawful, unexplained and irrational departure from the 2013 Omnibus Rule,” that also go beyond the stated language regarding records release fees as outlined in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The filing argues that HHS itself acknowledges this.
“HHS’s continued application and enforcement of these rules imposes tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical-records industry that services them,” the filing asserts.
In November, the company was named in a lawsuit filed by Indiana law firm Anderson Agostino & Keller. Ciox Health appears alongside 62 hospitals in that state accused of Meaningful Use noncompliance and the rampant overcharging of CMS. Neither the state of Indiana nor the United States Department of Justice elected to join the suit.
In December, lawmakers in the House introduced a bill that would amend the HITECH Act to exempt some institutions from HIPAA provisions that prevent them from providing health records directly to patients for a fee. Versions of the same bill have been introduced in the past, but HR 4613 has 9 sponsoring and co-sponsoring Representatives, far more than previous incarnations.
Cybersecurity panel: How hospitals can protect their patients and their systems
November 18th 2024Chief Healthcare Executive® presents the final installment in our series, with experts from HIMSS, the American Hospital Association, and Providence. In this episode, our panel offers advice on how health systems can improve.
Cybersecurity panel: The scope of recent ransomware attacks in healthcare
October 28th 2024Chief Healthcare Executive hosted a discussion on cybersecurity with leading experts from the American Hospital Association, HIMSS and the Providence health system. They talked about the growing problem of cyberattacks.