Rules that Health Information May Be Disclosed for "Routine Uses" Without Patient Consent

On October 31, 2005, the Third Circuit rejected a challenge by patient advocacy groups to a rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Act). Citizens for Health v. Leavitt, No. 04-2550 (3d Cir. Oct. 31, 2005). The rule at issue eased a prior regulation in order to permit health care entities to utilize and disclose individually identifiable health information for routine uses without obtaining prior consent. The plaintiffs argued that the more permissive rule violated their substantive due process rights, the First Amendment, the Administrative Procedure Act (APA), 5 U.S.C. §§ 553(b)(3), 706(2)(A), and HIPAA itself. The court rejected these arguments, making clear that HIPAA may be implemented in a manner that places reasonable limits on the privacy protections available under that law. The court expressly noted that the objective of protecting patients’ privacy must be balanced against the statute’s other legitimate goals.

HIPAA was enacted in 1996 to enhance the privacy of patients’ medical records and other protected health information, as well as to improve the efficiency of the health care system by establishing standards for the electronic exchange of health information. HIPAA applies to health plans, health care clearing houses, and health care providers that transmit any health information in electronic form. The Department of Health and Human Services (HHS) has responsibility for administering and enforcing the Act.

HHS promulgated its "Standards for Privacy of Individually Identifiable Health Information," the so-called "Privacy Rule," in 2000. This original version of the Privacy Rule, which would have taken effect for most entities in 2003, required covered entities to obtain individuals’ consent before using or disclosing their health information for routine uses. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,810 (2000) (codified at former 45 C.F.R. pts. 160, 164 (2002)). In response to concerns expressed by covered entities that this mandatory consent requirement would severely undercut the efficiency of the health care system, HHS reopened the rulemaking process and ultimately issued its Amended Rule. See 45 C.F.R. pts. 160, 164. The Amended Rule took effect in April 2003.

Both the Original Rule and the Amended Rule direct covered entities to obtain authorization before using or disclosing individually identifiable health information, unless an exception applies. Unlike the Original Rule, however, the Amended Rule provides a "routine use" exception that enables the use and disclosure of patient information without authorization or consent for "treatment, payment, or health care operations." Id. § 164.506. "Health care operations" are defined to include a variety of functions related to health care entity management. Id. § 164.501. While the Amended Rule allows individuals to request that covered entities restrict their usage and disclosure of the individual’s health information, entities are not required to honor these requests. See id. § 164.522(a). The Amended Rule also provides entities with the authority to establish a voluntary consent process governing routine uses. See id. § 164.506. The Amended Rule does not prevent states from legislating more stringent protections for health information. See id. § 160.203.

In April 2003, numerous patient advocacy groups and individuals brought suit against HHS challenging the Amended Rule on privacy-related grounds. The plaintiffs alleged that the elimination of the consent requirement for routine uses violated their substantive due process and First Amendment rights and that, in issuing the Amended Rule, HHS exceeded the authority afforded under HIPAA and violated the APA. The district court granted summary judgment in favor of HHS on all claims. The Third Circuit affirmed on appeal.

Substantive Due Process Claim

The plaintiffs argued that the elimination of the consent requirement for routine uses violated their privacy rights in violation of the Fifth Amendment’s due process clause. The court of appeals, however, found that the alleged violations of the plaintiffs’ rights to medical privacy were attributable to private entities, not to the federal government. In the absence of the necessary state action nexus, the Fifth Amendment due process clause was deemed inapposite.

The court arrived at this conclusion by reasoning that the plaintiffs were not challenging the protection of health information by the government itself; rather, they were concerned about the use and disclosure of their health information by third parties, namely pharmacies and private health care entities. Relying on the Supreme Court case of NCAA v. Tarkanian, 488 U.S. 179, 192 (1988), the court noted that whether the government can be said to have authorized private conduct depends upon "whether the State provided a mantle of authority that enhanced the power of the harm-causing individual actor." The court took a narrow view of the circumstances under which this standard may be met, concluding that state action is present when a law requires, compels or commands a rights violation. Applying that rationale to the case before it, the court determined that HHS’ Amended Rule could not be interpreted to coerce the conduct in question. Rather, the Amended Rule permits, but does not require, covered entities to disclose protected health information for routine uses without consent.

The court was also unpersuaded by evidence that some covered entities had relied on the Amended Rule to change their privacy policies. In the court’s view, "the fact that a private party changed its behavior in response to a law does not give the law the coercive quality upon which the state action inquiry depends unless the law itself suddenly authorized something that was previously prohibited." Citizens for Health, No. 04-2550, slip op. at 29. Since the plaintiffs were unable to demonstrate that pre-HIPAA law prohibited covered entities from using or disclosing information for routine uses without consent, the court concluded that the Amended Rule neither authorized previously prohibited conduct nor enhanced the ability of these entities to engage in the challenged conduct. Absent the requisite showing of state action, the court held that the plaintiffs’ substantive due process claim must fail.

First Amendment Claim

The plaintiffs next argued that HHS’ Amended Rule infringed upon patients’ First Amendment right to engage in confidential communications with health care providers. In dismissing this claim, the court again emphasized the lack of a state action nexus. The court determined that any potential chilling effect on communications between patients and health care practitioners could be attributed not to any government action, but rather to decisions by private entities regarding the manner in which they would use or disclose health information. The Third Circuit thus affirmed the district court’s grant of summary judgment in HHS’ favor on the plaintiffs’ First Amendment claim.

HIPAA-Based Claim

The plaintiffs next contended that the Amended Rule violated HIPAA itself, because, according to the plaintiffs, the statute permits HHS to enact only those regulations that enhance privacy, not those that detract from it. The plaintiffs also argued that the Amended Rule conflicted with Congress’ intent in that it disturbed individuals’ reasonable expectations of privacy in their medical information.

The court disagreed with the contention that "the controlling policy underlying HIPAA is medical privacy." Id. at 39. To accept this one-dimensional view of HIPAA would ignore the statute’s other goals of "simplify[ing] the administration of health insurance," Pub. L. No. 104-191 pmbl., and "improv[ing] the efficiency and effectiveness of the health care system," id. § 261. According to the court, the goal of protecting privacy must be balanced against these other, equally important objectives.

The Third Circuit also declined to accept the plaintiffs’ argument that the Amended Rule retroactively rescinded rights conferred by the Original Rule. As the Original Rule was amended before it took effect, covered entities never became legally obligated to comply with the consent requirement contained in that rule. The Original Rule therefore did not secure any rights to individuals with respect to their health information. Moreover, as the Amended Rule permits states to adopt or retain stricter privacy standards, the Amended Rule cannot be treated as disturbing any reasonable expectations derived from non-federal sources of law or practice.

Claims Under the APA

The plaintiffs’ final claims challenged the APA rulemaking process, asserting that HHS acted arbitrarily and capriciously in eliminating the consent requirement, and that the Agency failed to provide adequate notice that the requirement would be rescinded. The court rejected these claims as well.

The court found that HHS fulfilled APA notice requirements by issuing a Notice for Proposed Rulemaking that both informed the public of the substance of the proposed rule and provided a description of the relevant issues. With respect to the allegation that HHS had acted arbitrarily and capriciously by reversing its position on the need to obtain consent for routine uses of health information, the court determined that HHS had properly examined the relevant data and satisfactorily explained the reasons for its action. The court therefore affirmed the district court’s dismissal of the plaintiffs’ suit in its entirety.

A copy of the decision is available at http://www.ca3.uscourts.gov/opinarch/042550p.pdf

This article has been prepared by Sidley Austin Brown & Wood LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should not act upon this without seeking professional counsel.