Ciox Health Sues to Trim HIPAA
Ciox Health, a national healthcare technology company that helps physicians and facilities with medical records requests, is suing to stop the agency from enforcing parts of HIPAA limiting the amount providers can charge for medical records.
Ciox: HHS Violated HIPAA
In its lawsuit, Ciox claims the Department of Health and Human Affairs’ (HHS) approach “imposes tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical-records industry that services them,” Fierce Healthcare reports. The company said in its complaint that it supports the basic tenets of HIPAA and patient access to medical records, but that two elements of HIPAA enforcement are particular barriers.
- A 2013 final rule requiring providers to transmit health records to a designated individual and to include any medical information electronically, regardless of whether it came from a paper or electronic source.
- HHS guidance in 2016 that requires all records requests – including those made by law firms and payers – to limit charges to a “reasonable cost fee.” HHS said the covered entity could charge a fee based on actual labor costs, average labor costs, or a flat fee of $6.50.
Ciox argues the directions departed from the HITECH Act, which limited the amount covered entities could charge individuals but put no restriction on third parties. The company feels the $6.50 fee is unrealistic. Ciox reports that 4 percent of the records requests are from patients and 40 to 50 percent are providers transmitting records to others. Ciox fulfills those requests for free and generates revenue through data requests by third-party businesses.
Latest in Ciox HIPAA Action
Before the suit was filed, Ciox received a warning from the HHS Office of Civil Rights (OCR) that it may have violated HIPAA when it charged a hospital patient $224.65 after sending 353 medical records pages to her lawyer.
Ciox is also the target of two actions: one in Georgia alleging the company overcharged for medical records, and another in Indiana where 62 hospitals are being accused of having submitted fraudulent Meaningful Use data by not meeting a three-day limit.