Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.


April 2, 2004.

CITIZENS FOR HEALTH, et al., Plaintiffs
TOMMY G. THOMPSON, Secretary U.S. Department of Health and Human Services, Defendant

The opinion of the court was delivered by: MARY A. McLAUGHLIN, District Judge


This action is brought by ten national and state associations, seven individuals and two individual intervenors against the Secretary of the United States Department of Health and Human Services (the "Secretary"). The plaintiffs seek to invalidate an amended rule governing certain uses of individuals' identifiable health information that the Secretary promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. 104-191, 110 Stat. 1936.

Under the prior version of the challenged rule, certain health care entities had to first obtain a person's consent before using and disclosing that person's identifiable health information for certain routine purposes. The plaintiffs challenge the amended rule to the extent it makes seeking consent optional. The parties have filed cross-motions for summary judgment. The Court heard oral argument on December 10, 2003. The Court will grant the defendant's motion and will deny the plaintiffs' motion.

 I. Background

  The Amended Rule is the fourth in a series of proposed and final rules issued by the Secretary between November 1999 and August 2002. Following is a list of the proposed and final rules, their dates of issuance, and their location in the Federal Register:

  1. The rule as first proposed (the "Proposed Original Rule") was published as "Notice of Proposed Rule Making, Standards for Privacy of Individually Identifiable Health Information." 64 Fed. Reg. 59,918 (proposed Nov. 3, 1999) (the "1999 NPRM").

  2. A final rule (the "Original Rule") was published as "Standards for Privacy of Individually Identifiable Health Information." 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164 (2002)).

  3. A proposed amended version of the rule (the "Proposed Amended Rule") was published as "Notice of Proposed Rule Making, Standards for Privacy of Individually Identifiable Health Information." 67 Fed. Reg. 14,778 (proposed Mar. 27, 2002) (the "2002 NPRM"). 4. The final version of the amended rule (the "Amended Rule") was published as "Final Rule, Standards for Privacy of Individually Identifiable Health Information," 67 Fed. Reg. 53,182 (Aug. 14, 2002), and codified as Parts 160 and 164 of Title 45 of the Code of Federal Regulations.

  The Court discusses below each of the four rules. All of the material comes from HIPAA or the Federal Register.

  A. Statutory Framework

  On August 21, 1996, the President signed HIPAA into law. HIPAA is organized into five titles.*fn1 The challenged rule was enacted pursuant to Title II. There were two goals of Title II: to prevent health care fraud and abuse; and to reduce the costs and administrative burdens of health care by replacing the many non-standard formats used nationally with a single set of electronic standards. It is the second goal with which we are concerned here. In Title II, Congress sought to make the health care industry more efficient and effective. Congress looked to the adoption of uniform data standards in using electronic technology critical to reach this goal. Subtitle F of Title II, therefore, contains provisions intended to ensure that there are standards for the electronic transmission of financial and administrative data. HIPAA §§ 261-262(a).

  Subtitle F directed the Secretary: (1) to adopt standards and data elements for the electronic exchange of individually identifiable health information in connection with the delivery of, and payment for, health care services; and (2) to adopt standards for the security, integrity, and confidentiality of electronically stored or transmitted health care information. HIPAA § 262(a); 42 U.S.C. § 1320d-2.*fn2

  Congress, through Subtitle F, also directed the Secretary to submit to Congress, within twelve months of HIPAA's enactment, recommendations on standards with respect to the privacy of health information, to be developed in consultation with the National Committee on Vital and Health Statistics ("NCVHS"). HIPPA § 264(a). These recommendations had to address: (1) the rights that an individual who is the subject of individually identifiable health information should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required. HIPAA § 264(b). If Congress failed to enact privacy standards within three years of the statute's enactment, the Secretary was to do so. HIPAA § 264(c)(1).

  B. The Privacy Rule and its Evolution

  When Congress did not enact privacy legislation by the third anniversary of HIPAA's enactment, the Secretary started the rulemaking process that resulted in the challenged rule.

  1. The Proposed Original Rule

  The Secretary issued the Proposed Original Rule on November 3, 1999. Covered health care providers and health plans were prohibited from using or disclosing protected health information except as provided by the rule. Protected health information was defined as individually identifiable health information maintained in or transmitted in any form or media including electronic media.*fn3 See 1999 NPRM, 64 Fed. Reg. at 59,918, 59,927, 59,924, 59,939.

  The Proposed Original Rule listed the purposes for which protected health information could be used or disclosed without authorization and those purposes for which authorization was required. Authorization was not required for: routine uses; and uses for certain public-policy purposes, including public health, research, health oversight, law enforcement, and judicial proceedings.*fn4 1999 NPRM, 64 Fed. Reg. at 60,053, 60,056-60,057 (text of then proposed 45 C.F.R. § 164.506, 164.510). For any purpose not recognized by the rule, covered entities had to obtain authorizations that had to include, among other things, a description of to whom and for what purpose the information would be disclosed, and a statement informing individuals of their right to revoke the authorization. Id. at 60,055-60,056 (text of then proposed 45 C.F.R. § 164.508).

  It is the routine use provision that is at issue in this lawsuit. The proposed rule would have permitted covered entities to use or disclose individual health information, without patient authorization or consent, for treatment, payment and health care operations. This was in part because treatment and payment were considered core functions of the health care system for which people expect their health information will be used. Health care operations were deemed to be activities directly related to the core functions of treatment and payment, such as quality assurance, reviews of health care providers, underwriting, auditing, fraud detection, or legal proceedings.*fn5 Id. at 59,924, 59,933-59,934, 59,940, 60,052-60,054.

  The proposed rule prohibited covered entities from seeking individual authorization for these routine purposes, unless state or other applicable law required it. The Secretary reasoned that authorizations for these purposes could not provide meaningful privacy protections or individual control and could cause individuals to misunderstand what their rights and protections actually were. Id. at 59,941. The Proposed Original Rule would have given individuals the right to receive from covered entities a notice of information practices, informing them about the permitted uses and disclosures the entities intended to make of the information. Covered entities would have been required to limit their uses or disclosures to those reflected in their notices. Id. at 59,926, 59,945, 59,978.

  According to the Secretary, the notice was also meant to advise individuals of their right under the rule to request restrictions on the uses or disclosures of their health information. A covered entity would not have been required to agree to such a request, but if it did so, it would have to abide by the agreed to limitations. Id.

  The standards in the Proposed Original Rule were described as creating "a federal floor of privacy protection." That is, they were not meant to supercede state or other applicable laws that provide more stringent privacy protections. Id. at 59,926.

  2. The Original Rule

  The Original Rule kept the structure of the proposed rule.*fn6 The most significant difference between the Proposed Original Rule and the Original Rule concerned consent. Consent for the use and disclosure of health information drew the most comments.*fn7 65 Fed. Reg. at 82,472. The Secretary adopted a consent requirement in the Original Rule for the routine uses of health information as follows:
(a) Standard: Consent Requirement. (1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered health care provider must obtain the individual's consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.
65 Fed. Reg. at 82,810 (text of former 45 C.F.R. § 164.506(a)(1)).

  The forms used to obtain consent had to: (1) include a general statement that protected health information may be used for routine purposes; (2) refer patients to the provider's notice of privacy practices; (3) inform patients of their right to request restrictions on the use and disclosure of their health information; and (4) inform individuals of their right to revoke this consent at any time. Covered health providers could refuse to treat patients who refused to give their consent in these situations. 65 Fed. Reg. at 82,810 (text of former 45 C.F.R. § 164.506(b)-(c)).

  Subsection (a)(2) permitted certain covered health care providers to use health information for routine purposes without consent: providers who had an indirect treatment relationship with the patient; and those who created or received the health information in the course of treating an inmate patient. Id. (text of former 45 C.F.R. § 164.506(a)).

  Subsection (a)(3) provided three other situations under which covered health care providers did not have to obtain consent from a patient before a routine use or disclosure of the patient's protected health information. First, no prior consent was needed in emergency treatment situations so long as consent was sought as soon as reasonably practicable after the emergency treatment. Second, consent was not required if the provider was required by law to treat the individual and had attempted, but was unable, to obtain his or her consent. Third, prior consent was unnecessary if the provider attempted to obtain consent of the patient, was unable to do so because of "substantial barriers to communicating," and, in the professional judgment of the provider, the patient's consent could clearly be inferred from the circumstances.*fn8 Id. Covered health care providers had to comply with the Original Rule by April 14, 2003.*fn9 Covered providers would have been permitted to use or disclose health information created or obtained prior to the compliance date based on consent obtained prior to that date. This was true even where the consent did not meet the formal requirements of the Original Rule. In the absence of pre-existing consent, use of health information created or obtained prior to April 14, 2003, would be prohibited. 65 Fed. Reg. at 82,828 (text of former 45 C.F.R. § 164.532(a)-(b)).

  As with the Proposed Original Rule, the Original Rule preempted contrary state law only to the extent that the rule provided more privacy protections than the state law. 65 Fed. Reg. at 82,800-82,801 (text of former 45 C.F.R. § 160.203(b)).

  3. The Proposed Amended Rule

  After publication of the Original Rule, the Secretary received many inquiries and unsolicited comments about the impact and operation of the Original Rule on numerous sectors of the health care industry regarding the rule's complexity and practicability. On February 28, 2001, the Secretary solicited additional public comment on the Original Rule. A purpose for the additional comment period was "to ensure that the provisions of the Privacy Rule would protect patients' privacy without creating unanticipated consequences that might harm patients' access to health care or quality of health care. . . ." 2002 NPRM, 67 Fed. Reg. at 14,777; see also Request for Comments, 66 Fed. Reg. 12,738 (Feb. 28, 2001).

  Many of the comments received discussed the potential adverse effects that the consent provisions would have on access to, and delivery of, health care services. The NCVHS also held public hearings that elicited public testimony on certain provisions, including consent. According to the Secretary, these comments and testimony prompted him to propose several modifications to the Original Rule, including the consent requirement. 2002 NPRM, 67 Fed. Reg. at 14,777.

  On March 27, 2002, the Secretary proposed to amend the Original Rule. The Proposed Amended Rule rescinded the consent requirement by granting covered entities regulatory permission to use health information for routine purposes. Covered entities would no longer be required to obtain consent before using health information for treatment, payment, or health care operations. Providers, however, would be permitted to seek consent if and in any manner they chose. Additionally, the Amended Rule would require direct treatment providers to make good-faith efforts to obtain patients' written acknowledgment that they received the notice of privacy practices. Id. at 14,777, 14,780, 14,783.

  The comment period on the Proposed Amended Rule ran from March 27, 2002 to April 26, 2002. During that period the Secretary received over 11,400 comments which were primarily devoted to the subject of consent. 67 Fed. Reg. at 53,183.

  The Secretary found that many comments supported the elimination of the consent requirement. Many other comments urged the Secretary to require consent, but to "make targeted fixes to address workability issues." Some comments sought a stronger consent requirement. Id. at 53,210.

  According to the Secretary, many covered entities were concerned about, or had experienced significant practical problems with, the delivery of timely health care under the Original Rule. Pharmacists, for example, were concerned that they would be unable to fill prescriptions, search for potential drug interactions, determine eligibility or verify coverage before an individual arrived to pick up a prescription if the individual had not already provided consent. Hospitals would not have been able to use information from referring doctors to schedule and prepare procedures before the patient arrived there. Emergency medical providers were concerned that attempting to seek consent prior to treatment in some situations was inconsistent with appropriate emergency care. The requirement that they seek consent as soon as reasonably practicable ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.