Georgia-based CIOX Health filed a lawsuit against the U.S. Department of Health and Human Services and Acting Secretary Eric Hargan on Monday to halt the agency’s enforcement of parts of HIPAA, which the tech company said limits the amount providers can charge for patient records. 

The suit was filed in the U.S. District Court in Washington, D.C. The medical records vendor took aim at the regulatory changes to HIPAA implemented in 2013 and 2016. These changes broadened the type of patient information that must be transmitted, but limited fees that could be charged for the process.

[Also: UPDATED: 62 Indiana hospitals named in $300 million fraud suit over EHR kickbacks]

For example, the 2013 modification referenced in the lawsuit expanded the type of medical information that could be transmitted, regardless of whether the data was in the EHR. But it disregarded the costs associated with both the collection and transmission of the data.

In fact, the suit claimed that HHS admitted it was pushing past HITECH Act regulations in doing so.

[Also: 5 common HIPAA compliance pitfalls for healthcare orgs to avoid]

Further, the 2016 modifications dramatically changed HIPAA enforcement and required all record requests to limit charges to a reasonable fee, or a flat fee of about $6.50. CIOX claimed this was a huge departure from HIPAA and limited the amount covered entities could charge for medical records.

“A $6.50 flat fee that was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests,” CIOX claimed.

CIOX called these updates “irrational, arbitrary, capricious and absurd.” In fact, the suit claims that the 2013 modification specifically contradicts the HITECH Act, which limits fees on medical records when patients were making the records request.

“HHS’s continued application and enforcement of these rules imposes tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them,” according to the suit.

CIOX was named in a November lawsuit that alleged 62 Indiana hospitals submitted fraudulent meaningful use data when it failed to issue medical records requests in three business days. The lawsuit claimed CIOX consistently overcharged patients for their medical records.

While CIOX said it supports basic HIPAA rules and patient access to their records, the suit asked the court to invalidate the 2013 and 2016 modifications that are “in excess of statutory jurisdiction, authority, or limitations, or short of statutory right.”

HHS did not immediately respond to a request for comment.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com