Does HIPAA preempt state law claims related to privacy of individually identifiable health information?

By Cullen Archer for BiolawToday.org.

Introduction

The Supremacy Clause provides that the Constitution, and Laws and Treaties made pursuant to it, “shall be the supreme Law of the Land.”[1] Accordingly, if there is a conflict between federal law and state law, the latter is preempted. The difficulty is determining whether state or local law should be invalidated on preemption grounds. There are three situations in which preemption claims arise: (1) express preemption; (2) field preemption, where the scheme of federal regulation is so pervasive as to make reasonable the inference that Congress left no room for the States to supplement it; and (3) conflict preemption, where compliance with both federal and state regulations is a physical impossibility or where state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.[2] Congressional purpose is the ultimate touchstone in every preemption case. Unfortunately, Congress is not always clear about the scope of preemption and courts inevitably inquire into Congressional intent.

 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Among other things, Congress intended HIPAA to facilitate information exchange among participants in the health care system,[3] but it foresaw that easier transmission of intimate medical details would increase the risk of privacy loss.[4] Accordingly, Congress instructed the U.S. Department of Health and Human Services (HHS) to recommend privacy standards for the handling of personal medical information[5] and to promulgate regulations setting forth national medical information privacy standards if no legislation was forthcoming within a specified period.[6] When Congress failed to agree on legislation, HHS fulfilled its mandate and issued detailed regulations commonly known as the Privacy Rule.[7]

HIPAA and the Privacy Rule promulgated pursuant to HIPAA expressly allow for more stringent state legislation, regulation, and common law. Although HIPAA generally preempts state laws,[8] Congress created exceptions for privacy regulation.[9] Congress provided that federal regulation addressing (1) the rights that an individual who is a subject of individually identifiable health information should have, (2) the procedures that should be established for the exercise of such rights, or (3) the uses and disclosures of such information that should be authorized or required, shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.[10] Promulgating its rules, HHS offered the following definitions for Subpart B, which is related to the preemption of State laws:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104–191, or sections 13400–13424 of Public Law 111–5, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter [related to the Privacy of Individually Identifiable Health Information], a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter . . . .

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission . . . .

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.[11]

When HHS announced the Privacy Rule, it explained that the protections comprised a mandatory federal floor, which other governments and any covered entity may exceed.[12] “[T]he fact that a state law allows an individual to file a lawsuit to protect privacy does not conflict with the HIPAA penalty provisions.”[13]

 

HIPAA Does Not Preempt State Law Tort Claims and Informs the Standard of Care

Over the past decade, several states have recognized that HIPAA does not preempt state tort claims. At times, courts have also used HIPAA as a national standard with which to measure a healthcare provider’s duty to maintain the privacy of its patients. More recently, a Connecticut court held that, where Connecticut’s common law provides a remedy for a healthcare provider’s breach of confidentiality in the course of complying with a subpoena, HIPAA does not preempt the plaintiff’s state common-law causes of action for negligence or negligent infliction of emotional distress against the healthcare providers in that case and, further, that HHS regulations implementing HIPAA may inform the applicable standard of care in certain circumstances.[14] In the course of a paternity suit between Andro Mendoza and Emily Byrne, Mendoza subpoenaed Emily’s medical records.[15] Despite her previous instructions to her healthcare provider, Avery Center for Obstetrics and Gynecology, P.C., not to release her medical records to Mendoza, Avery complied with the subpoena. Alleging harassment and extortion threats from Mendoza since his viewing of her medical records, Emily sued Avery for negligence and negligent infliction of emotional distress.[16] The trial court dismissed these claims, explaining that it could not supply a private right of action that the legislature intentionally had omitted.[17] The court noted that although Byrne had labeled her claims as negligence claims, this did not change their essential nature as HIPAA claims.[18] On appeal, Byrne argued that she was not asserting a claim for relief premised solely on a violation of HIPAA, that HIPAA informed the standard of care in common-law negligence actions, and that under the regulations implementing HIPAA, her state law claims for relief are not preempted because it “is not ‘contrary to’ HIPAA to provide for damages under state common-law claims for privacy breaches.”[19] The court reviewed HIPAA’s preemptive effect on state law and noted that the regulatory definition of state law includes common law.[20] The court concluded that because Connecticut’s common law recognized claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.[21] Additionally, the court concluded that, “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”[22]

The Superior Court of Marion County, Indiana, and the Indiana Court of Appeals did not consider whether HIPAA preempted a suit alleging negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion against Walgreen when its pharmacist accessed and disclosed a plaintiff’s medical prescription information for personal reasons.[23] During Abigail Hinchy’s and Davion Peterson’s on-and-off relationship, Peterson became involved with Walgreen’s pharmacist, Audra Withers.[24] After receiving a letter from Peterson informing her that he may have exposed her to genital herpes, Withers became terrified about exposure to a sexually transmitted disease and, consequently, looked up Hinchy’s prescription profile in the Walgreen computer system to identify any information about Hinchy’s sexually transmitted disease.[25] Hinchy learned that Peterson had obtained a printout of her medications and later learned that Withers had viewed Hinchy’s prescription information without consent and for personal purposes.[26] Hinchy sued Withers for negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion; she sued Walgreen seeking liability for Withers under respondeat superior, as well as directly for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice.[27] The trial court partially denied Walgreen’s motion for summary judgment except as to Hinchy’s claims for negligent training against Walgreen and invasion of privacy by intrusion against Withers.[28] Following trial, the jury returned a verdict in Hinchy’s favor and found that the total amount of damages suffered by her was $1.8 million.[29] Walgreen appealed the trial court’s denial of its motions for summary judgment and directed verdict; the appellate court affirmed the judgment of the trial court.[30] Like Byrne, although Hinchy had labelled her claims as tort claims, this did not change their essential nature as HIPAA claims. Nonetheless, HIPAA did not preempt Hinchy’s state law claims sounding in tort arising from a health care provider’s alleged breach of confidentiality.

The North Carolina Court of Appeals used HIPAA to inform the standard of care when a plaintiff alleged intentional and negligent infliction of emotional distress against her employer-healthcare provider. Acosta was a patient and employee of David Faber, MD.[31] Acosta accused Faber of improperly allowing Byrum, the office manager, to use Faber’s medical record access credentials to retrieve Acosta’s confidential psychiatric, medical, and other healthcare records, which Byrum then provided to third parties without Acosta’s authorization or consent.[32] Acosta alleged that Faber negligently engaged in conduct by permitting Byrum to use his access code in violation of University Health Systems policies, hospital policies, and HIPAA.[33] Acosta alleged that these rules provide the standard of care.[34] Reversing the trial court’s decision to grant Faber’s 12(b)(6) motion to dismiss, the court explained inter alia that Acosta’s allegation did not state a cause of action under HIPAA but rather cited HIPAA as evidence of the appropriate standard of care, a necessary element of negligence.[35] The court held that because Acosta made no HIPAA claim, HIPAA was inapplicable beyond providing evidence of the duty of care owed by Dr. Faber with regard to the privacy of plaintiff’s medical records.[36]

Utah has taken a position similar to North Carolina’s. Until Nicholas Sorensen changed providers for insurance reasons, John Barbuto, MD, treated him for seizures secondary to a head injury after a motor vehicle collision.[37] After changing providers, Sorensen sued his automotive insurance provider.[38] In that case, Barbuto produced Sorensen’s medical records, engaged in ex parte communications with the insurance company’s counsel, and agreed to appear as an expert witness for the insurance company.[39] Sorensen then sued Barbuto, asserting torts based on Barbuto’s ex parte communications with defense counsel.[40] The trial court granted Barbuto’s motion to dismiss under Rule 12(b)(6).[41] On appeal, Sorensen asserted that Barbuto breached various duties, including fiduciary duties of confidentiality and loyalty, and violated several professional standards.[42] Although Barbuto argued that Sorensen was not entitled to a private right of action for breach of professional standards, the court noted that Sorensen did not contend that a private right of action existed.[43] Rather, the court recognized that Sorensen cited HIPAA, the American Medical Association’s Principles of Medical Ethics, and the Hippocratic Oath as examples of professional standards that help define the standard of care.[44] Reversing the trial court, the court concluded that Sorensen could pursue his breach of confidentiality claim under tort theory.[45] Utah’s Supreme Court affirmed the appellate court’s decision, explaining that “the healthcare fiduciary duty of confidentiality exists to foster appropriate medical treatment of patients by assuring patients that their honest and complete disclosures of symptoms and medical history to treating physicians will be kept confidential.”[46] Accordingly, the court held that Barbuto’s ex parte communications with opposing counsel in Sorensen’s personal injury action were a violation of Dr. Barbuto’s healthcare fiduciary duty of confidentiality.[47] As in Hinchy, HIPAA did not preempt Sorensen’s state law tort claims arising from a health care provider’s alleged breach of confidentiality.

 

Conclusion

The issue of preemption has arisen repeatedly since HIPAA’s passage and HHS’s promulgation of regulations pursuant to it. Defendants have been quick to assert that HIPAA provides no private right of action. While this is true, it does not mean that HIPAA precludes private rights of action under State law for claims related to the privacy of individually identifiable health information. Although Congress provided that HIPAA would supersede contrary provisions of State law and HHS regulations provide for similar preemption, these authorities also provide exceptions for certain contrary provisions of State law. According to pertinent HHS regulations, State law means a State constitution, statute, regulation, rule, common law, or other State action having the force and effect of law. Accordingly, if a State law relates to the privacy of individually identifiable health information and provides more stringent protections than those provided in subpart E of part 164 of the HIPAA Administrative Simplification regulations, HIPAA will not preempt the State law. Recognizing this, the state courts have concluded that where common law recognized claims arising from breach of confidentiality, HIPAA and its implementing regulations did not preempt such claims. Some courts do not even consider whether HIPAA preempts such claims. Additionally, state courts have recognized that HIPAA and its implementing regulations have provided a national standard for privacy and have used these authorities to inform the standard of care applicable to such claims arising from disclosure of patients’ medical records.

Cullen Archer is a class of 2015 graduate at the University of Utah S. J. Quinney College of Law.  Cullen graduated from the University of Texas in Austin with a B.A. in Chemistry and the University of Texas Health Science Center at San Antonio with a Doctor of Medicine.  Cullen has returned to law school after practicing Obstetrics & Gynecology for many years and is focusing his studies on healthcare law and intellectual property.  He volunteers at the Pro Bono Initiative Medical-Legal Clinic. He is also an avid golfer, scuba diver, and antiquarian book collector.

 

[1] U.S. Const. art VI, cl. 2.

[2] Gade v. Nat’l Solid Wastes Mgmt. Ass’n, 505 U.S. 88, 98 (1992)(citations omitted).

[3] Brown v. Mortensen, 253 P.3d 522, 530 (Cal. 2011)(citing HIPAA §§ 261–262, 42 U.S.C. §§ 1320d to 1320d–8 (2012)).

[4] Id. (citing 65 Fed. Reg. 82469 (Dec. 28, 2000)).

[5] Id. (citing HIPAA, § 264(a), 42 U.S.C. § 1320d–2 note (2012)).

[6] Id. (citing HIPAA, § 264(c)(1), 42 U.S.C. § 1320d–2 note (2012)).

[7] Id.

[8] 42 U.S.C. § 1320d–7(a)(1)(2012); see 45 C.F.R. § 160.203 (2013).

[9] 42 U.S.C. § 1320d–7(a)(2)(B)(2012)(providing that a provision or requirement under Part C (“Administrative Simplification”), or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3, supersede any contrary provision of State law, unless the provision of State law subject to HIPAA § 264(c)(2), relates to the privacy of individually identifiable health information).

[10] HIPAA § 264(c)(2), Pub. L. No. 104-191, § 264(c)(2), 110 Stat. 2033-34 (1996).

[11] 45 C.F.R. § 160.202 (2013)(emphasis added), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.

[12] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82471 (Dec. 28, 2000), available at http://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf.

[13] Id. at 82582.

[14] Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 36 (Conn. 2014).

[15] Id. at 36.

[16] Id. at 36-37.

[17] Id. at 38 (“observ[ing] the ‘well settled’ proposition that HIPAA does not create a private right of action, requiring claims of violations instead to be raised through [HHS]’s administrative channels”).

[18] Id.

[19] Id. at 41.

[20] Id. at 44 (reviewing 42 U.S.C. § 1320d‑7(a)(i), 45 C.F.R. § 160.202 (2004), and 45 C.F.R. § 160.203).

[21] Id. at 49.

[22] Id.

[23] Walgreen Co. v. Hinchy, 21 N.E.3d 99, 105 (Ind. Ct. App. 2014) on reh’g, 25 N.E.3d 748 (Ind. Ct. App. 2015).

[24] Id. at 104.

[25] Id.

[26] Id. at 104-05.

[27] Id. at 105.

[28] Id.

[29] Id. at 106.

[30] Id. at 114.

[31] Acosta v. Byrum, 638 S.E.2d 246, 249 (N.C. App. 2006).

[32] Id.

[33] Id. at 250.

[34] Id. at 251.

[35] Id. at 253.

[36] Id.

[37] Sorensen v. Barbuto, 143 P.3d 295, 298 (Utah Ct. App. 2006) aff’d and remanded, 177 P.3d 614 (Utah 2008).

[38] Id.

[39] Id.

[40] Id.

[41] Id.

[42] Id. at 299.

[43] Id. at 299 n.2.

[44] Id.

[45] Id. at 299.

[46] Sorensen v. Barbuto, 177 P.3d 614, 619 (Utah 2008).

[47] Id. at 620.