The opinion of the court was delivered by: MARY A. McLAUGHLIN, District Judge
This action is brought by ten national and state associations, seven
individuals and two individual intervenors against the Secretary of the
United States Department of Health and Human Services (the "Secretary").
The plaintiffs seek to invalidate an amended rule governing certain uses
of individuals' identifiable health information that the Secretary
promulgated under the Health Insurance Portability and Accountability Act
of 1996 ("HIPAA"), Pub.L. 104-191, 110 Stat. 1936.
Under the prior version of the challenged rule, certain health care
entities had to first obtain a person's consent before using and
disclosing that person's identifiable health information for certain
routine purposes. The plaintiffs challenge the amended rule to the extent
it makes seeking consent optional. The parties have filed cross-motions
for summary judgment. The Court heard oral argument on December 10, 2003. The
Court will grant the defendant's motion and will deny the plaintiffs'
The Amended Rule is the fourth in a series of proposed and final rules
issued by the Secretary between November 1999 and August 2002. Following
is a list of the proposed and final rules, their dates of issuance, and
their location in the Federal Register:
1. The rule as first proposed (the "Proposed Original Rule") was
published as "Notice of Proposed Rule Making, Standards for Privacy of
Individually Identifiable Health Information." 64 Fed. Reg. 59,918
(proposed Nov. 3, 1999) (the "1999 NPRM").
2. A final rule (the "Original Rule") was published as "Standards for
Privacy of Individually Identifiable Health Information." 65 Fed. Reg.
82,462 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164
3. A proposed amended version of the rule (the "Proposed Amended Rule")
was published as "Notice of Proposed Rule Making, Standards for Privacy
of Individually Identifiable Health Information." 67 Fed. Reg. 14,778
(proposed Mar. 27, 2002) (the "2002 NPRM").
4. The final version of the amended rule (the "Amended Rule") was
published as "Final Rule, Standards for Privacy of Individually
Identifiable Health Information," 67 Fed. Reg. 53,182 (Aug. 14, 2002),
and codified as Parts 160 and 164 of Title 45 of the Code of Federal
The Court discusses below each of the four rules. All of the material
comes from HIPAA or the Federal Register.
On August 21, 1996, the President signed HIPAA into law. HIPAA is
organized into five titles.*fn1 The challenged rule was enacted pursuant
to Title II. There were two goals of Title II: to prevent health care
fraud and abuse; and to reduce the costs and administrative burdens of
health care by replacing the many non-standard formats used nationally
with a single set of electronic standards. It is the second goal with
which we are concerned here.
In Title II, Congress sought to make the health care industry more
efficient and effective. Congress looked to the adoption of uniform data
standards in using electronic technology critical to reach this goal.
Subtitle F of Title II, therefore, contains provisions intended to ensure
that there are standards for the electronic transmission of financial and
administrative data. HIPAA §§ 261-262(a).
Subtitle F directed the Secretary: (1) to adopt standards and data
elements for the electronic exchange of individually identifiable health
information in connection with the delivery of, and payment for, health
care services; and (2) to adopt standards for the security, integrity,
and confidentiality of electronically stored or transmitted health care
information. HIPAA § 262(a); 42 U.S.C. § 1320d-2.*fn2
Congress, through Subtitle F, also directed the Secretary to submit to
Congress, within twelve months of HIPAA's enactment, recommendations on
standards with respect to the privacy of health information, to be
developed in consultation with the National Committee on Vital and Health
Statistics ("NCVHS"). HIPAA § 264(a). These recommendations had to
address: (1) the rights that an individual who is the subject of individually identifiable health information should have; (2) the
procedures that should be established for the exercise of such rights;
and (3) the uses and disclosures of such information that should be
authorized or required. HIPAA § 264(b). If Congress failed to enact
privacy standards within three years of the statute's enactment, the
Secretary was to do so. HIPAA § 264(c)(1).
B. The Privacy Rule and its Evolution
When Congress did not enact privacy legislation by the third
anniversary of HIPAA's enactment, the Secretary started the rulemaking
process that resulted in the challenged rule.
1. The Proposed Original Rule
The Secretary issued the Proposed Original Rule on November 3, 1999.
Covered health care providers and health plans were prohibited from using
or disclosing protected health information except as provided by the
rule. Protected health information was defined as individually
identifiable health information maintained in or transmitted in any form
or media including electronic media.*fn3 See 1999 NPRM, 64 Fed. Reg.
at 59,918, 59,927, 59,924, 59,939.
The Proposed Original Rule listed the purposes for which protected
health information could be used or disclosed without authorization and
those purposes for which authorization was required. Authorization was
not required for: routine uses; and uses for certain public-policy
purposes, including public health, research, health oversight, law
enforcement, and judicial proceedings.*fn4 1999 NPRM, 64 Fed. Reg. at
60,053, 60,056-60,057 (text of then proposed 45 C.F.R. § 164.506,
164.510). For any purpose not recognized by the rule, covered entities
had to obtain authorizations that had to include, among other things, a
description of to whom and for what purpose the information would be disclosed, and a statement informing individuals of their right
to revoke the authorization. Id. at 60,055-60,056 (text of then
proposed 45 C.F.R. § 164.508).
It is the routine use provision that is at issue in this lawsuit. The
proposed rule would have permitted covered entities to use or disclose
individual health information, without patient authorization or consent,
for treatment, payment and health care operations. This was in part
because treatment and payment were considered core functions of the
health care system for which people expect their health information will
be used. Health care operations were deemed to be activities directly
related to the core functions of treatment and payment, such as quality
assurance, reviews of health care providers, underwriting, auditing,
fraud detection, or legal proceedings.*fn5 Id. at 59,924,
59,933-59,934, 59,940, 60,052-60,054.
The proposed rule prohibited covered entities from seeking individual
authorization for these routine purposes, unless state or other
applicable law required it. The Secretary reasoned that authorizations
for these purposes could not provide meaningful privacy protections or
individual control and could cause individuals to misunderstand what
their rights and protections actually were. Id. at 59,941.
The Proposed Original Rule would have given individuals the right to
receive from covered entities a notice of information practices,
informing them about the permitted uses and disclosures the entities
intended to make of the information. Covered entities would have been
required to limit their uses or disclosures to those reflected in their
notices. Id. at 59,926, 59,945, 59,978.
According to the Secretary, the notice was also meant to advise
individuals of their right under the rule to request restrictions on the
uses or disclosures of their health information. A covered entity would
not have been required to agree to such a request, but if it did so, it
would have to abide by the agreed to limitations. Id.
The standards in the Proposed Original Rule were described as creating
"a federal floor of privacy protection." That is, they were not meant to
supersede state or other applicable laws that provide more stringent
privacy protections. Id. at 59,926.
The Original Rule kept the structure of the proposed rule.*fn6
The most significant difference between the Proposed Original Rule and the Original Rule concerned consent. Consent for
the use and disclosure of health information drew the most comments.*fn7
65 Fed. Reg. at 82,472. The Secretary adopted a consent requirement in
the Original Rule for the routine uses of health information as follows:
(a) Standard: Consent Requirement. (1)
Except as provided in paragraph (a)(2) or (a)(3)
of this section, a covered health care provider
must obtain the individual's consent, in
accordance with this section, prior to using or
disclosing protected health information to carry
out treatment, payment, or health care operations.
65 Fed. Reg. at 82,810 (text of former 45 C.F.R. § 164.506(a)(1)).
The forms used to obtain consent had to: (1) include a general
statement that protected health information may be used for routine
purposes; (2) refer patients to the provider's notice of privacy
practices; (3) inform patients of their right to request restrictions on
the use and disclosure of their health information; and (4) inform
individuals of their right to revoke this consent at any time. Covered
health providers could refuse to treat patients who refused to give their consent in these
situations. 65 Fed. Reg. at 82,810 (text of former
45 C.F.R. § 164.506(b)-(c)).
Subsection (a)(2) permitted certain covered health care providers to
use health information for routine purposes without consent: providers
who had an indirect treatment relationship with the patient; and those
who created or received the health information in the course of treating
an inmate patient. Id. (text of former
45 C.F.R. § 164.506(a)).
Subsection (a)(3) provided three other situations under which covered
health care providers did not have to obtain consent from a patient
before a routine use or disclosure of the patient's protected health
information. First, no prior consent was needed in emergency treatment
situations so long as consent was sought as soon as reasonably
practicable after the emergency treatment. Second, consent was not
required if the provider was required by law to treat the individual and
had attempted, but was unable, to obtain his or her consent. Third, prior
consent was unnecessary if the provider attempted to obtain consent of
the patient, was unable to do so because of "substantial barriers to
communicating," and, in the professional judgment of the provider, the
patient's consent could clearly be inferred from the circumstances.*fn8
Id.
Covered health care providers had to comply with the Original Rule by
April 14, 2003.*fn9 Covered providers would have been permitted to use
or disclose health information created or obtained prior to the
compliance date based on consent obtained prior to that date. This was
true even where the consent did not meet the formal requirements of the
Original Rule. In the absence of pre-existing consent, use of health
information created or obtained prior to April 14, 2003, would be
prohibited. 65 Fed. Reg. at 82,828 (text of former
45 C.F.R. § 164.532(a)-(b)).
As with the Proposed Original Rule, the Original Rule preempted
contrary state law only to the extent that the rule provided more privacy
protections than the state law. 65 Fed. Reg. at 82,800-82,801 (text of
former 45 C.F.R. § 160.203(b)).
3. The Proposed Amended Rule
After publication of the Original Rule, the Secretary received many
inquiries and unsolicited comments about the impact and operation of the
Original Rule on numerous sectors of the health care industry regarding
the rule's complexity and practicability. On February 28, 2001, the Secretary solicited
additional public comment on the Original Rule. A purpose for the
additional comment period was "to ensure that the provisions of the
Privacy Rule would protect patients' privacy without creating
unanticipated consequences that might harm patients' access to health
care or quality of health care. . . ." 2002 NPRM, 67 Fed. Reg. at 14,777;
see also Request for Comments, 66 Fed. Reg. 12,738 (Feb. 28,
Many of the comments received discussed the potential adverse effects
that the consent provisions would have on access to, and delivery of,
health care services. The NCVHS also held public hearings that elicited
public testimony on certain provisions, including consent. According to
the Secretary, these comments and testimony prompted him to propose
several modifications to the Original Rule, including the consent
requirement. 2002 NPRM, 67 Fed. Reg. at 14,777.
On March 27, 2002, the Secretary proposed to amend the Original Rule.
The Proposed Amended Rule rescinded the consent requirement by granting
covered entities regulatory permission to use health information for
routine purposes. Covered entities would no longer be required to obtain
consent before using health information for treatment, payment, or health
care operations. Providers, however, would be permitted to seek consent
if and in any manner they chose. Additionally, the Amended Rule would
require direct treatment providers to make good-faith efforts to obtain patients' written acknowledgment that
they received the notice of privacy practices. Id. at 14,777,
The comment period on the Proposed Amended Rule ran from March 27, 2002
to April 26, 2002. During that period the Secretary received over 11,400
comments which were primarily devoted to the subject of consent. 67 Fed.
Reg. at 53,183.
The Secretary found that many comments supported the elimination of the
consent requirement. Many other comments urged the Secretary to require
consent, but to "make targeted fixes to address workability issues." Some
comments sought a stronger consent requirement. Id. at 53,210.
According to the Secretary, many covered entities were concerned about,
or had experienced significant practical problems with, the delivery of
timely health care under the Original Rule. Pharmacists, for example,
were concerned that they would be unable to fill prescriptions, search
for potential drug interactions, determine eligibility or verify coverage
before an individual arrived to pick up a prescription if the individual
had not already provided consent. Hospitals would not have been able to
use information from referring doctors to schedule and prepare procedures
before the patient arrived there. Emergency medical providers were
concerned that attempting to seek consent prior to treatment in some
situations was inconsistent with appropriate emergency care. The
requirement that they seek consent as soon as reasonably practicable ...