United States District Court, E.D. Pennsylvania
April 2, 2004.
CITIZENS FOR HEALTH, et al., Plaintiffs
TOMMY G. THOMPSON, Secretary U.S. Department of Health and Human Services, Defendant
The opinion of the court was delivered by: MARY A. McLAUGHLIN, District Judge
MEMORANDUM AND ORDER
This action is brought by ten national and state associations, seven
individuals and two individual intervenors against the Secretary of the
United States Department of Health and Human Services (the "Secretary").
The plaintiffs seek to invalidate an amended rule governing certain uses
of individuals' identifiable health information that the Secretary
promulgated under the Health Insurance Portability and Accountability Act
of 1996 ("HIPAA"), Pub.L. 104-191, 110 Stat. 1936.
Under the prior version of the challenged rule, certain health care
entities had to first obtain a person's consent before using and
disclosing that person's identifiable health information for certain
routine purposes. The plaintiffs challenge the amended rule to the extent
it makes seeking consent optional. The parties have filed cross-motions
for summary judgment. The Court heard oral argument on December 10, 2003. The
Court will grant the defendant's motion and will deny the plaintiffs'
The Amended Rule is the fourth in a series of proposed and final rules
issued by the Secretary between November 1999 and August 2002. Following
is a list of the proposed and final rules, their dates of issuance, and
their location in the Federal Register:
1. The rule as first proposed (the "Proposed Original Rule") was
published as "Notice of Proposed Rule Making, Standards for Privacy of
Individually Identifiable Health Information." 64 Fed. Reg. 59,918
(proposed Nov. 3, 1999) (the "1999 NPRM").
2. A final rule (the "Original Rule") was published as "Standards for
Privacy of Individually Identifiable Health Information." 65 Fed. Reg.
82,462 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164
3. A proposed amended version of the rule (the "Proposed Amended Rule")
was published as "Notice of Proposed Rule Making, Standards for Privacy
of Individually Identifiable Health Information." 67 Fed. Reg. 14,778
(proposed Mar. 27, 2002) (the "2002 NPRM"). 4. The final version of the amended rule (the "Amended Rule") was
published as "Final Rule, Standards for Privacy of Individually
Identifiable Health Information," 67 Fed. Reg. 53,182 (Aug. 14, 2002),
and codified as Parts 160 and 164 of Title 45 of the Code of Federal
The Court discusses below each of the four rules. All of the material
comes from HIPAA or the Federal Register.
A. Statutory Framework
On August 21, 1996, the President signed HIPAA into law. HIPAA is
organized into five titles.*fn1 The challenged rule was enacted pursuant
to Title II. There were two goals of Title II: to prevent health care
fraud and abuse; and to reduce the costs and administrative burdens of
health care by replacing the many non-standard formats used nationally
with a single set of electronic standards. It is the second goal with
which we are concerned here. In Title II, Congress sought to make the health care industry more
efficient and effective. Congress looked to the adoption of uniform data
standards in using electronic technology critical to reach this goal.
Subtitle F of Title II, therefore, contains provisions intended to ensure
that there are standards for the electronic transmission of financial and
administrative data. HIPAA §§ 261-262(a).
Subtitle F directed the Secretary: (1) to adopt standards and data
elements for the electronic exchange of individually identifiable health
information in connection with the delivery of, and payment for, health
care services; and (2) to adopt standards for the security, integrity,
and confidentiality of electronically stored or transmitted health care
information. HIPAA § 262(a); 42 U.S.C. § 1320d-2.*fn2
Congress, through Subtitle F, also directed the Secretary to submit to
Congress, within twelve months of HIPAA's enactment, recommendations on
standards with respect to the privacy of health information, to be
developed in consultation with the National Committee on Vital and Health
Statistics ("NCVHS"). HIPPA § 264(a). These recommendations had to
address: (1) the rights that an individual who is the subject of individually identifiable health information should have; (2) the
procedures that should be established for the exercise of such rights;
and (3) the uses and disclosures of such information that should be
authorized or required. HIPAA § 264(b). If Congress failed to enact
privacy standards within three years of the statute's enactment, the
Secretary was to do so. HIPAA § 264(c)(1).
B. The Privacy Rule and its Evolution
When Congress did not enact privacy legislation by the third
anniversary of HIPAA's enactment, the Secretary started the rulemaking
process that resulted in the challenged rule.
1. The Proposed Original Rule
The Secretary issued the Proposed Original Rule on November 3, 1999.
Covered health care providers and health plans were prohibited from using
or disclosing protected health information except as provided by the
rule. Protected health information was defined as individually
identifiable health information maintained in or transmitted in any form
or media including electronic media.*fn3 See 1999 NPRM, 64 Fed. Reg.
at 59,918, 59,927, 59,924, 59,939.
The Proposed Original Rule listed the purposes for which protected
health information could be used or disclosed without authorization and
those purposes for which authorization was required. Authorization was
not required for: routine uses; and uses for certain public-policy
purposes, including public health, research, health oversight, law
enforcement, and judicial proceedings.*fn4 1999 NPRM, 64 Fed. Reg. at
60,053, 60,056-60,057 (text of then proposed 45 C.F.R. § 164.506,
164.510). For any purpose not recognized by the rule, covered entities
had to obtain authorizations that had to include, among other things, a
description of to whom and for what purpose the information would be disclosed, and a statement informing individuals of their right
to revoke the authorization. Id. at 60,055-60,056 (text of then
proposed 45 C.F.R. § 164.508).
It is the routine use provision that is at issue in this lawsuit. The
proposed rule would have permitted covered entities to use or disclose
individual health information, without patient authorization or consent,
for treatment, payment and health care operations. This was in part
because treatment and payment were considered core functions of the
health care system for which people expect their health information will
be used. Health care operations were deemed to be activities directly
related to the core functions of treatment and payment, such as quality
assurance, reviews of health care providers, underwriting, auditing,
fraud detection, or legal proceedings.*fn5 Id. at 59,924,
59,933-59,934, 59,940, 60,052-60,054.
The proposed rule prohibited covered entities from seeking individual
authorization for these routine purposes, unless state or other
applicable law required it. The Secretary reasoned that authorizations
for these purposes could not provide meaningful privacy protections or
individual control and could cause individuals to misunderstand what
their rights and protections actually were. Id. at 59,941. The Proposed Original Rule would have given individuals the right to
receive from covered entities a notice of information practices,
informing them about the permitted uses and disclosures the entities
intended to make of the information. Covered entities would have been
required to limit their uses or disclosures to those reflected in their
notices. Id. at 59,926, 59,945, 59,978.
According to the Secretary, the notice was also meant to advise
individuals of their right under the rule to request restrictions on the
uses or disclosures of their health information. A covered entity would
not have been required to agree to such a request, but if it did so, it
would have to abide by the agreed to limitations. Id.
The standards in the Proposed Original Rule were described as creating
"a federal floor of privacy protection." That is, they were not meant to
supercede state or other applicable laws that provide more stringent
privacy protections. Id. at 59,926.
2. The Original Rule
The Original Rule kept the structure of the proposed rule.*fn6 The
most significant difference between the Proposed Original Rule and the Original Rule concerned consent. Consent for
the use and disclosure of health information drew the most comments.*fn7
65 Fed. Reg. at 82,472. The Secretary adopted a consent requirement in
the Original Rule for the routine uses of health information as follows:
(a) Standard: Consent Requirement. (1)
Except as provided in paragraph (a)(2) or (a)(3)
of this section, a covered health care provider
must obtain the individual's consent, in
accordance with this section, prior to using or
disclosing protected health information to carry
out treatment, payment, or health care operations.
65 Fed. Reg. at 82,810 (text of former 45 C.F.R. § 164.506(a)(1)).
The forms used to obtain consent had to: (1) include a general
statement that protected health information may be used for routine
purposes; (2) refer patients to the provider's notice of privacy
practices; (3) inform patients of their right to request restrictions on
the use and disclosure of their health information; and (4) inform
individuals of their right to revoke this consent at any time. Covered
health providers could refuse to treat patients who refused to give their consent in these
situations. 65 Fed. Reg. at 82,810 (text of former
45 C.F.R. § 164.506(b)-(c)).
Subsection (a)(2) permitted certain covered health care providers to
use health information for routine purposes without consent: providers
who had an indirect treatment relationship with the patient; and those
who created or received the health information in the course of treating
an inmate patient. Id. (text of former
45 C.F.R. § 164.506(a)).
Subsection (a)(3) provided three other situations under which covered
health care providers did not have to obtain consent from a patient
before a routine use or disclosure of the patient's protected health
information. First, no prior consent was needed in emergency treatment
situations so long as consent was sought as soon as reasonably
practicable after the emergency treatment. Second, consent was not
required if the provider was required by law to treat the individual and
had attempted, but was unable, to obtain his or her consent. Third, prior
consent was unnecessary if the provider attempted to obtain consent of
the patient, was unable to do so because of "substantial barriers to
communicating," and, in the professional judgment of the provider, the
patient's consent could clearly be inferred from the circumstances.*fn8
Id. Covered health care providers had to comply with the Original Rule by
April 14, 2003.*fn9 Covered providers would have been permitted to use
or disclose health information created or obtained prior to the
compliance date based on consent obtained prior to that date. This was
true even where the consent did not meet the formal requirements of the
Original Rule. In the absence of pre-existing consent, use of health
information created or obtained prior to April 14, 2003, would be
prohibited. 65 Fed. Reg. at 82,828 (text of former
45 C.F.R. § 164.532(a)-(b)).
As with the Proposed Original Rule, the Original Rule preempted
contrary state law only to the extent that the rule provided more privacy
protections than the state law. 65 Fed. Reg. at 82,800-82,801 (text of
former 45 C.F.R. § 160.203(b)).
3. The Proposed Amended Rule
After publication of the Original Rule, the Secretary received many
inquiries and unsolicited comments about the impact and operation of the
Original Rule on numerous sectors of the health care industry regarding
the rule's complexity and practicability. On February 28, 2001, the Secretary solicited
additional public comment on the Original Rule. A purpose for the
additional comment period was "to ensure that the provisions of the
Privacy Rule would protect patients' privacy without creating
unanticipated consequences that might harm patients' access to health
care or quality of health care. . . ." 2002 NPRM, 67 Fed. Reg. at 14,777;
see also Request for Comments, 66 Fed. Reg. 12,738 (Feb. 28,
Many of the comments received discussed the potential adverse effects
that the consent provisions would have on access to, and delivery of,
health care services. The NCVHS also held public hearings that elicited
public testimony on certain provisions, including consent. According to
the Secretary, these comments and testimony prompted him to propose
several modifications to the Original Rule, including the consent
requirement. 2002 NPRM, 67 Fed. Reg. at 14,777.
On March 27, 2002, the Secretary proposed to amend the Original Rule.
The Proposed Amended Rule rescinded the consent requirement by granting
covered entities regulatory permission to use health information for
routine purposes. Covered entities would no longer be required to obtain
consent before using health information for treatment, payment, or health
care operations. Providers, however, would be permitted to seek consent
if and in any manner they chose. Additionally, the Amended Rule would
require direct treatment providers to make good-faith efforts to obtain patients' written acknowledgment that
they received the notice of privacy practices. Id. at 14,777,
The comment period on the Proposed Amended Rule ran from March 27, 2002
to April 26, 2002. During that period the Secretary received over 11,400
comments which were primarily devoted to the subject of consent. 67 Fed.
Reg. at 53,183.
The Secretary found that many comments supported the elimination of the
consent requirement. Many other comments urged the Secretary to require
consent, but to "make targeted fixes to address workability issues." Some
comments sought a stronger consent requirement. Id. at 53,210.
According to the Secretary, many covered entities were concerned about,
or had experienced significant practical problems with, the delivery of
timely health care under the Original Rule. Pharmacists, for example,
were concerned that they would be unable to fill prescriptions, search
for potential drug interactions, determine eligibility or verify coverage
before an individual arrived to pick up a prescription if the individual
had not already provided consent. Hospitals would not have been able to
use information from referring doctors to schedule and prepare procedures
before the patient arrived there. Emergency medical providers were
concerned that attempting to seek consent prior to treatment in some
situations was inconsistent with appropriate emergency care. The
requirement that they seek consent as soon as reasonably practicable after an
emergency greatly increased their administrative burden and could be
viewed as harassment by the individuals. For the most part, these
commenters supported rescission of the consent requirement. Id.
Some commenters were concerned that the Proposed Amended Rule would
eliminate an important consumer protection, and that rescission of the
consent requirement was too radical. They suggested targeted fixes to the
practical problems caused by the requirement. Id. at
53,210-53,211. For example, some suggested to allow certain uses and
disclosures prior to first patient encounters. Others suggested expanding
the definition of health care providers with indirect treatment
relationships to include pharmacists. Others proposed permitting oral or
telephonic consent. Id. at 53,211-53,212.
A few commenters urged the Secretary to strengthen the consent
requirement. For example, some commenters suggested that health plans as
well as health care providers be covered by the requirement.
Id. at 53,212.
4. The Amended Rule
The Secretary decided that, in light of the record, incorporating
targeted fixes would require adding additional complexity to the rule.
The Secretary claimed that a global approach to resolving the problems
raised by the consent requirement was consistent with one of the basic goals of the rule,
namely, to provide necessary flexibility for the standards to work for
the entire health care system. The Secretary therefore promulgated the
Amended Rule with the provisions that he had proposed, thereby
eliminating the consent requirement. Id.
The removal of the consent requirement applied only to uses or
disclosures for treatment, payment or health care operations. Section
164.506, the provision that formerly contained the consent requirement,
now reads in relevant part as follows:
(a) Standard: Permitted uses and
disclosures. Except with respect to uses or
disclosures that require an authorization under
§ 164.508(a)(2) [relating to psychotherapy
notes] and (3) [relating to marketing], a covered
entity may use or disclose protected health
information for treatment, payment, or health care
operations . . . provided that such use or
disclosure is consistent with other applicable
requirements of this subpart.
(b) Standard: Consent for uses and
disclosures permitted. (1) A covered entity
may obtain consent of the individual to use or
disclose protected health information to carry out
treatment, payment, or health care operations.
(2) Consent under paragraph (b) of this section,
shall not be effective to permit use or disclosure
of protected health information when an
authorization . . . is required or when another
condition must be met for such use and disclosure
to be permitted under this subpart.
45. C.F.R. § 164.506. The Amended Rule otherwise retained almost all the other protections
and provisions of the Original Rule. In particular, authorization is
still required for any uses not otherwise permitted by the Amended Rule.
Individuals retain their right to request additional restrictions, and
covered plans or providers that agree to these restrictions are still
required to abide by those restrictions. Covered entities are still
required to ensure that their business associates are under contract to
abide by the same restrictions as they are. Provisions regarding uses and
disclosures of identifiable health information for public-policy-related
purposes were unaffected by the rescission of the consent requirement,
because consent for such uses was not required by the Original Rule.
See 67 Fed. Reg. at 53,211; 45 C.F.R. § 164.504, 164.508,
Like the Original Rule, the Amended Rule generally preempts contrary
State law. State law, however, will not be preempted if it provides a
more stringent standard for protecting the privacy of individually
identifiable health information. 45 C.F.R. § 160.203.
The compliance date of the Amended Rule was April 14, 2003, the same as
that of the Original Rule. 45. C.F.R. § 164.534. Unlike the Original
Rule, however, the Amended Rule applies to health information created or
obtained prior to the compliance date. This means that health information
created or obtained prior to April 14, 2003, may be used and disclosed
after that date for routine purposes without prior consent. 67 Fed. Reg.
C. The Plaintiffs
The plaintiffs consist of nine individuals, including two intervenors,
and ten organizations. Of the nine individuals, four are health care
consumers and five are practicing mental health care providers some of
whom are also health care consumers. Of the ten organizational
plaintiffs, three are primarily health care consumer organizations with
over 600,000 members collectively, another three are primarily mental
health care provider organizations with over 5,000 members in total, and
four are coalitions of health care providers, consumers and advocates.
Am. Compl. ¶¶ 18-27.
The plaintiffs claim that the Secretary violated the Administrative
Procedure Act ("APA") in promulgating the Amended Rule. They also claim
that, to the extent it rescinds or eliminates the consent requirement
regarding use and disclosure of an individual's health information for
routine purposes, the Amended Rule violates: privacy and property rights
guaranteed by the Fourth, Fifth, and Ninth Amendments of the United
States Constitution; rights protected by the First Amendment of the
United States Constitution; and the federal common-law therapist-patient
privilege. The plaintiffs do not challenge other amendments to the rule, or those portions of the rule that have not
D. The Motions
In their motion for summary judgment, the plaintiffs argue that the
Secretary's rescission of the consent requirement for routine uses was
"arbitrary and capricious," was in excess of his statutory authority, and
violated various constitutional rights. The plaintiffs also argue that
the Secretary gave inadequate public notice of his intent to rescind the
consent requirement, provided an insufficient comment period for the
Amended Rule, and promulgated an impermissibly retroactive rule by
permitting the Amended Rule to apply to records created prior to the
rule's compliance date.
The defendant contests all of these claims, and also argues that the
plaintiffs do not have standing.
In support of their motion, the plaintiffs submitted selected comments
from the administrative record, over twenty affidavits and supplemental
affidavits, numerous privacy notices sent pursuant to the Amended Rule,
and excerpts from HIPAA, the Federal Register, and miscellaneous policy
In their affidavits, the plaintiffs allege various injuries caused by
the Amended Rule's rescission of the consent requirement: (1) an
elimination of the ability to know of and prevent or limit routine use
and disclosure of health information necessary for current or future care; (2) an elimination of the
ability to know of and prevent or limit routine use of health care
information already in the hands of covered entities; (3) an erosion of
patient's trust in health care providers; (4) a chilling effect on
communications between patients and health care providers; and (5) an
impairment of health care providers' ability to deliver effective
The Secretary provided the Court with a copy of the administrative
record compiled in connection with the promulgation of the Amended Rule.
This record includes: (1) forty-eight volumes of hard copy comments
submitted in response to the 2002 NPRM; (2) a CD-ROM containing public
comments filed via email in response to 2002 NPRM; and (3) a CD-ROM
containing public comments filed in response to the February 28, 2001,
request for comments after the Original Rule had been adopted. The
Secretary also submitted three volumes of excerpts from the
The Court cannot reach the merits of the plaintiffs' arguments if they
do not have standing. ACLU-NJ v. Township of Wall,
246 F.3d 258, 261 (3d Cir. 2001). The Court, therefore, shall address this
issue first. Because the Court finds that at least one of the plaintiffs
has standing, the Court will then examine the plaintiffs' claims that the
Secretary violated the APA by acting in an arbitrary and capricious manner in rulemaking
and by failing to provide adequate notice that the Original Rule would be
rescinded. The Court will also consider whether the Secretary violated
the scope of authority granted by HIPAA, and whether the Amended rule was
retroactive. Finally, the Court will examine the plaintiffs'
There are three constitutional requirements that a plaintiff must meet
in order to have standing to sue. First, the plaintiff must demonstrate
an injury in fact. Second, there must be a causal connection between the
plaintiff's injury and the defendant's conduct. Third, the relief
requested must be likely to redress the injury suffered by the
plaintiff.*fn10 See Vt. Agency of Natural Res. v. United States ex
rel. Stevens, 529 U.S. 765, 771 (2002); Luian v. Defenders of
Wildlife, 504 U.S. 555, 560-61 (1992).
The plaintiffs have submitted numerous affidavits, asserting that they
have suffered various injuries as a result of the Amended Rule and that
rescission of the rule will redress those injuries.*fn11 The Court concludes that at least Dr. Deborah
Peel has standing. Because the Court may reach the merits of the case if
at least one plaintiff has standing, the Court will not examine the
standing of the other plaintiffs.
Dr. Peel, an intervenor, is a practicing psychiatrist who alleges harm
to herself and her family as health care consumers. She submitted three
affidavits to the Court. She listed ten providers from which she and/or
her family received privacy notices after the April 14, 2003, compliance
date. The privacy notices are not identical. Some state that the practice
"uses and discloses" health information for routine purposes. Others
state that the practice "may use and disclose" that information for
routine purposes without a patient's authorization. Others state that the
practice "will use and disclose" health information for routine purposes.
All of the notices stated that Dr. Peel had the right to request
additional restrictions on the use and disclosure of her protected health
Dr. Peel requested such restrictions from a variety of these health
care providers. She specifically lists three pharmacies that have refused
her request not to disclose or use her information without her consent. No provider has acted
favorably on any of her requests yet. She states that prior to April 14,
2003, she had been able to obtain restrictions on the use of her
Dr. Peel and her family are now limiting what information they give to
their health care providers. She will avoid medical care for herself and
her family except in dire situations. Dr. Peel states that these
measures, however, cannot protect information that she and her family
have disclosed in the past.
As a practitioner psychiatrist, Dr. Peel now has several patients who
refuse to take their medications in an effort to shield their information
from being used and disclosed by pharmacies. She believes that many more
patients will avoid needed psychiatric care.
1. Injury in Fact
To have Article III standing, Dr. Peel must first demonstrate that she
has suffered an injury in fact. This injury must be concrete and
particularized, and actual or imminent, as opposed to conjectural or
hypothetical. Defenders of Wildlife, 504 U.S. at 560. "The
injury must affect the plaintiff in a personal and individual way."
Id. at 561 n.1.
Dr. Peel has demonstrated a personal stake in the outcome of this
litigation. Three health care providers have refused to grant her request to limit disclosure of the health
information of her and her family. Others have not responded to her
request; but, the notices they sent state that they will routinely
disclose her health information.
The Secretary argued that Dr. Peel has not suffered injury in fact as
to either information that she gave to providers prior to the effective
date of the rule or information that she may be asked to provide in the
future. As to information provided in the past, the Secretary argued that
Dr. Peel has not shown any specific disclosure of her health information.
As to the future, the Secretary contends that Dr. Peel can limit what
information she gives to providers or can cease treatment altogether with
providers who will not agree to seek her consent before disclosing her
health information for routine purposes. The Court is not persuaded by
As to information provided in the past, a plaintiff does not have to
show that the injury has occurred. It is enough to show that injury is
imminent or highly likely to occur. See Defenders of Wildlife,
504 U.S. at 564 n.2. Dr. Peel has shown that here. She has received many
notices from providers telling her that they are using her health
information for routine purposes. On April 14, 2003, she received a
notice that stated: "This practice uses and discloses health information
about you for treatment, to obtain payment for treatment, for
administrative purposes, and to evaluate the quality of care you receive." Notice of Privacy Practices, Austin Internal Medicine
Associates, L.L.P., Peel Aff. I. This language indicates that such
information has already been, or will imminently be, disclosed without
her consent. Under these circumstances, Dr. Peel has demonstrated injury
Even as to future health information, Dr. Peel has made a strong
argument for injury in fact. It is true that, in the future, patients can
limit what information they give to their providers or can cease
treatment altogether with providers who will not agree not to disclose
their information without their consent. It is also true that under the
Original Rule, providers had the right to refuse to give treatment if the
patient would not consent to disclosure for routine purposes. The Court,
however, does not agree with the defendant that these facts negate any
injury. The Amended Rule has changed the landscape established by the
Original Rule for the disclosure of health information for routine
purposes. That fact does not mean that the change is in violation of law.
But it does mean that Dr. Peel can challenge that change.
The next question is whether Dr. Peel's injury in fact is causally
connected and traceable to an action of the defendant. See Pitt News
v. Fisher, 215 F.3d 354, 360 (3d Cir. 2000) (citing Doe v.
Nat'l Bd. of Med. Exam'rs, 199 F.3d 146, 152-53 (3d Cir. 1999)). The defendant argues that there is no
causation and traceability because Dr. Peel's injuries are the result of
independent choices made by third parties not before the Court
health care providers. The defendant is correct that when, as here, the
allegedly unlawful rule regulates the conduct of someone other than the
plaintiff, the plaintiff will not have standing if his injury is the
result of unfettered or independent choices of "third parties not before
the court." Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26,
41-42 (1976); see Bennett, 520 U.S. at 169. There is causation,
however, if the injury is "produced by determinative or coercive effect
upon the action of someone else." Bennett, 520 U.S. at 169;
see Pitt News, 215 F.3d at 360-61.
It is true that the providers are permitted by the rule to seek consent
before using or disclosing Dr. Peel's health information. They have
chosen not to do so. There is causation, however, because the Amended
Rule has a sufficiently determinative or coercive effect on the action of
The impact of the Amended Rule on providers must be considered in the
context of the Original Rule. The plaintiffs allege that the amendment of
the Original Rule was illegal. They seek to have the Original Rule
reinstated. Under the Original Rule, Dr. Peel's health care provider
would have had to seek her consent before using her health information
for routine purposes. Under the Amended Rule, it no longer does. The
Amended Rule has changed the landscape established by the Original Rule in which
decisions will be made by providers as to whether they will seek consent
or agree to patients' demands for consent. In this situation, there is
causation. See Bennett, 520 U.S. at 169 (finding causation and,
thus, that the plaintiffs had standing to sue a government agency that
issued the non-binding opinion relied upon by a different government
agency to enact regulations that injured the plaintiffs); see also
Pitt News, 215 F.3d at 360-61 (finding causation, and standing, when
a newspaper sued the Attorney General for enforcing a law intended to
encourage third party activity that harmed the newspapers).
The third requirement for Article III standing is that "it is likely,
as opposed to merely speculative, that the injury will be redressed by a
favorable decision." Friends of the Earth, Inc. v. Laidlaw Envtl.
Servs., Inc., 528 U.S. 167, 181 (2000). Dr. Peel has demonstrated
that it is not "merely speculative" that vacating the Amended Rule and
reinstating the Original Rule would redress Dr. Peel's alleged injury.
The Original Rule prohibited covered entities from using or disclosing
protected health information for routine purposes without patient
The Court finds that Dr. Peel does have Article III standing. B. APA Claims
The plaintiffs argue that the Secretary's rulemaking was arbitrary and
capricious, and that the Secretary failed to provide adequate notice of
the rescission of the Original Rule.
1. The Arbitrary and Capricious Claim
The plaintiffs argue that the Secretary acted arbitrarily and
capriciously by failing adequately to explain the rescission of the
consent requirement, ignoring earlier findings, and failing to respond to
public comments. An agency's action in promulgating standards may be set
aside if it is "arbitrary, capricious, an abuse of discretion, or
otherwise not in accordance with law." 5 U.S.C. § 706(2)(a); see
Motor Vehicle Mfrs. Ass'n, Inc. v. State Farm Mut. Auto. Ins. Co.,
463 U.S. 29, 41 (1983). This standard also applies to the rescission of
an existing regulatory standard.
An agency acts arbitrarily and capriciously if it rescinds a
promulgated rule without providing a "reasoned analysis" for the change.
Id. at 41-42; see Fertilizer Inst. v. Browner,
163 F.3d 774, 778 (3d Cir. 1998). A reasoned analysis requires the Secretary
to examine the relevant data and articulate a satisfactory explanation
that shows a "rational connection between the facts found and the choice
made." Motor Vehicles, 463 U.S. at 43 (quoting Burlington
Truck Lines, Inc. v. United States, 371 U.S. 156, 168 (1962)). The
Court is not supposed to substitute its own judgment for that of the Secretary.
If the agency action is rational, based on a consideration of relevant
factors, and within the scope of the statutory delegation of power, it
may not be set aside. Id. at 42-43.
a. The Secretary's Explanation
The Secretary explained that the consent requirement in the Original
Rule was added in an attempt to strike a balance between privacy concerns
and the need to use certain health care information.*fn12 The Secretary
stated that the consent requirement in the Original Rule responded to
comments that consent provides individuals with a sense of control over
how their information will be used, was a current practice of health care
providers, and was expected by many patients. 2002 NPRM, 67 Fed. Reg. at
According to the Secretary, comments and inquiries received after the
Original Rule was implemented revealed many unintended consequences of
the consent requirement. The comments received after the Amended Rule was
proposed indicated that the consent requirement represented a significant
change in practice and could substantially impair delivery of health
care. The consent requirement could have also deprived providers and
plans of information necessary for quality assurance, accreditation, and
fraud and waste detection. 67 Fed. Reg. at 53,214.
The Secretary then explained that rescinding the consent requirement
solved the identified health care delivery problems caused by the
requirement in the most efficient manner. According to the Secretary,
incorporating targeted fixes as suggested by some commenters would make
the rule even more complex, without solving all of the problems.
Id. at 53,212.
The Secretary added that all the other protections were left in place.
In addition, the notice of privacy practices provision was strengthened
to preserve the intended benefit of the consent requirement, that is, to
provide patients with an opportunity to discuss privacy practices and
concerns and to request restrictions on use and disclosure. Id.
at 53,209, 53,211.
The plaintiffs rely on two cases in arguing that the Secretary's
explanation is inadequate. In Motor Vehicle, 463 U.S. at 2864,
the National Highway Traffic Safety Administration ("NHTSA") rescinded a
regulation requiring new cars to be equipped with passive restraints,
defined as either automatic seatbelts or airbags. The NHTSA determined
that detachable automatic seatbelts would not be effective in attaining
its safety goals, and so it rescinded the passive restraint requirement.
The Supreme Court held that the NHTSA did not adequately explain the
rescission. The NHTSA did not question that passive restraints were important to safety, but it never
addressed why airbags, as one of the passive restraint options, could not
serve the same safety functions. Id. at 2869. In short, there
was no discussion of any alternatives available to the agency.
In Action on Smoking and Health v. Civil Aeronautics Bd.,
699 F.2d 1209, 1216 (D.C. Cir. 1983), the Civil Aeronautics Board ("Board")
rescinded and modified parts of a rule regulating smoking on aircraft.
The Board's explanation of the rescission was contained in one brief
paragraph that only concluded that carriers should have discretion with
respect to smoking on flights. The court held that the explanation was
"palpably inadequate" because there was no reason for the Board's
The explanation of the rescission provided in the case at hand was much
more detailed and is distinguishable from Action on Smoking and
Health and Motor Vehicle. The Board in Action on
Smoking and Health did not explain its reasons for rescinding the
smoking regulations. The Secretary here, however, explained the
rescission of the consent requirement in detail, as discussed above. With
respect to the holding of Motor Vehicle, and in contrast to the
explanation provided by the NHTSA in that case, the Secretary discussed
possible alternatives and the reasons for the rescission. He determined
that the rescission was the most efficient means to achieving the
purposes set forth in HIPAA, § 261. The Secretary also explained why the alternative
solutions would not be effective, or work at all. For these reasons, the
Court finds that the Secretary's explanation was adequate and provided a
reasoned analysis for the change.
b. Examination of the Relevant Data
The plaintiffs argue that the Secretary ignored the agency's earlier
findings and thus did not establish a rational connection between agency
findings supporting the Original Rule and the choice made in the Amended
Rule. The Secretary, however, need only establish a rational connection
between the most current findings and the changes to a rule. See
United States Air Tour Ass'n. v. Fed. Aviation Admin., 298 F.3d 997,
1007-08 (D.C. Cir. 2002).
The Court reviewed the administrative record and finds that the
Secretary used the agency's current findings in explaining his rescission
of the consent requirement. Based on the comments submitted during the
comment period for the Proposed Amended Rule, the Secretary found that
the consent requirement caused unintended inefficiencies in the delivery
of health care. The Court's review of the record revealed that even some
commenters who did not favor rescission acknowledged that there were
unintended consequences that could hamper effective delivery of health
care. See, e.g., Comments of the Amer. Counseling Ass'n, Pls.'
Reply Br., App. II, at Tab 12. Even if the Secretary had to reconcile past findings with the Amended
Rule, the rescission of the consent requirement is not so inconsistent
with earlier findings as to render the change so implausible that it
could not be ascribed to a difference in viewpoint or the product of
agency expertise. Contrary to the plaintiffs' suggestion, the agency
never stated that the right to privacy was absolute when it implemented
the Original Rule. Privacy concerns were always to be balanced against
the goal of improving efficiency of the health care system. See
65 Fed. Reg. at 82,464.
Indeed, the very findings that supported the Original Rule had
supported the initial proposal to prohibit consent. According to the
Secretary, the prohibition in the Proposed Original Rule was based on the
undisputed finding that patient consent was frequently uninformed and
involuntary. See 1999 NPRM, 64 Fed. Reg. at 59,940-59,941.
Consent in the Original Rule was required to provide patients with the
opportunity to discuss privacy practices and request further
restrictions. The Secretary explained that, far from ignoring the need to
provide patients with this opportunity, the Amended Rule achieves the
same goal through its more stringent notice requirements. 67 Fed. Reg. at
The Court finds that the Secretary examined the relevant data and the
Secretary's explanation shows more than a mere rational connection
between the facts and the choice to rescind the consent requirement. He found that the requirement was
impeding the ability of different sets of health care providers for
different reasons. He considered alternatives to rescission but found
that none of the alternatives would fix the problems for all health care
providers. His decision to rescind was reasonable given these findings.
c. The Secretary's Response to Public Comments
The plaintiffs' argument that the Secretary failed adequately to
respond to comments in the record is also unpersuasive. Agencies do not
have to address every comment. They need only respond in a reasoned
manner to comments raising significant problems. A failure to respond to
comments is significant only insofar as it demonstrates that the decision
was not based on relevant factors. See City of Waukesha v. EPA,
320 F.3d 228, 257 (D.C. Cir. 2003).
The Secretary's response to the comments revealed that he considered
the relevant factors Congress intended the agency to consider. The two
factors referred to in Subtitle F of HIPAA are the efficiency and
effectiveness of the health care system, and the privacy of health
information. See HIPAA § 261.
The Secretary justified the rescission of the consent requirement
primarily because the requirement impeded efficient delivery of health
care. The Secretary also took the privacy interests of patients into
account by permitting health care providers to obtain prior consent, in contrast with the Proposed
Original Rule. He just balanced the factors in a way with which the
plaintiffs disagree. The Secretary, in any event, responded to many
comments that did not support rescission of the consent requirement,
including those similar to the plaintiffs' argument that targeted fixes
instead of rescission should be implemented. See 67 Fed. Reg.
2. Notice of Rulemaking
The plaintiffs argue that the Secretary violated the APA because his
notice of rulemaking did not adequately inform the public of his
intention to rescind the consent requirement. A notice of proposed
rulemaking must include either: (I) "the terms or substance of the
proposed rule or;" (ii) "a description of the subjects and issues
involved." 5 U.S.C. § 553(b)(3).
The Secretary's notice for the Amended Rule did both. The notice of
proposed rulemaking for the Amended Rule provided the text of the
proposed amendments. See 2002 NPRM, 67 Fed. Reg. at
14,810-14,815. The notice also described the proposed modification in
detail, including the proposal to make consent optional for routine uses.
See id. at 14,780-14,781. C. Scope of Authority Granted by HIPAA
The plaintiffs argue that the Secretary exceeded the scope of authority
granted to him by HIPAA in two ways. First, they claim that HIPAA
authorizes the defendant to promulgate only regulations that enhance
privacy. Second, they argue that the Amended Rule is retroactive in
violation of HIPAA and the APA.
1. Reasonable Relationship of the Amended Rule to Statute
A regulation falls within the scope of statutory authority as long as
it is reasonably related to the purposes of the enabling legislation.
Mourning v. Family Publ'ns Serv., Inc., 411 U.S. 356, 369
(1973). Subtitle F of HIPAA Title II states that its purpose is "to
improve . . . the efficiency and effectiveness of the health care
system . . . through the establishment of standards and requirements for
the electronic transmission of certain health information." HIPAA §
Although HIPAA also required the Secretary to protect the privacy of
health information, the Court finds nothing in the statute requiring the
Secretary to maximize privacy interests over efficiency interests. His
mandate is to balance privacy protection and the efficiency of the health
care system not simply to enhance privacy.
The Court finds that the amendments to the Original Rule embodied in
the Amended Rule are reasonably related to the legislative purpose of
Subtitle F. The Secretary explained that he rescinded the consent requirement because it
caused practical problems that interfered with the efficient delivery of
health care. The Amended Rule kept all the other protections of the
Original Rule and did nothing to remove more stringent protections
afforded by state or other applicable law.
A rule is retroactive if it impairs the rights already possessed when a
person acted, or increases one's liability for past conduct, or imposes
new duties with respect to transactions already completed. Landgraf
v. USI Film Prod., 511 U.S. 244, 269-70, 280 (1994); see also
Avila-Macias v. Ashcroft, 328 F.3d 108, 113 (3d Cir. 2003) (holding
that the application of a new immigration act to a deportee who was
removed before the passage of act, but who reentered after the passage of
act, was not retroactive).
A rule is not retroactive just because it upsets expectations based on
prior law. A new zoning regulation, for example, may upset the reasonable
expectations that prompted the property owners to purchase the property.
Likewise, a new law banning gambling may harm the person who had begun to
construct a casino before the law's enactment. See Landgraf,
511 U.S. at 270 n.24.
According to the plaintiffs, individuals were vested with the right to
give or withhold consent before their protected health information could be used for routine purposes once the
Original Rule was implemented on April 14, 2001. The Original Rule,
however, was amended before its April 14, 2003, compliance date. Covered
entities were never under a legal obligation to comply with the Original
Rule's consent requirement. Under these circumstances, the Original Rule
did not create rights that were subsequently eliminated by the Amended
The plaintiffs also argue that the Amended Rule eliminates their
reasonable expectations "based on federal and state law, standards of
medical ethics and established standards of practice" that their health
information created prior to the Amended Rule's compliance date would not
be used for routine purposes without consent. But the Amended Rule does
not impair any stricter privacy rights created by state law, ethical
codes or standards of practice. The Amended Rule is not retroactive.
C. Constitutional Claims
The plaintiffs claim that the Amended Rule violates Due Process rights
to medical privacy, and First Amendment rights to private
physician-patient communications. Because the Amended Rule does not
compel anyone to use or disclose the plaintiffs' health information for
routine purposes without the plaintiffs' consent, the Court finds that
the Amended Rule does not violate the plaintiffs' constitutional rights. The Due Process Clause forbids the government from depriving
individuals of life, liberty, or property without due process of law.
Generally, the clause does not "impose an affirmative obligation on the
State to ensure that those interests do not come to harm through other
means." DeShaney v. Winnebago County Soc. Servs. Dep't,
489 U.S. 189, 195 (1989).
The First Amendment right to free speech is similarly framed. See
Alston v. Redman, 34 F.3d 1237, 1247 (3d Cir. 1994). The government
cannot place obstacles in the path of an individual's exercise of free
speech, but it does not have to act to eliminate obstacles that it did
not create. Regan v. Taxation With Representation,
461 U.S. 540, 549-50 (1983) (citing Harris v. McRae, 448 U.S. 297, 316
Even assuming that the plaintiffs have a constitutional right to
privacy over their medical records and to patient-health care provider
communications, the Amended Rule does not violate those rights.*fn13 The
Amended Rule is wholly permissive with respect to whether a covered
entity should seek consent from a patient before using his or her
information for routine purposes. The Amended Rule neither requires nor
prohibits that practice.
Nor does the Amended Rule place obstacles in the paths of patients
seeking to have confidential communications with their health care
providers. The Amended Rule does not require doctors to do anything with respect to routine uses of health care
information. Because the Amended Rule is not compulsory in nature, it
does not affirmatively interfere with any right.*fn14
To the extent the Amended Rule mandates any actions, it protects the
plaintiffs' putative rights. For example, the Amended Rule prohibits
covered entities from disclosing and using health information for reasons
unrelated to health care without proper authorization.
In essence, the plaintiffs challenge the Amended Rule because the
Secretary decided not to compel covered entities to obtain prior consent.
The Constitution, however, does not command the Secretary to act
affirmatively to protect such rights. See DeShaney, 489 U.S. at
195; Alston, 34 F.3d at 1247.
The plaintiffs have directed the Court's attention to recent cases that
involve the attempts of the United States' Department of Justice ("DOJ")
to subpoena or otherwise compel health care providers to produce the
medical records of their patients who had undergone abortions. The DOJ
has subpoenaed or sought court orders compelling the production of these
medical records in connection with a law suit challenging a federal law banning so-called "partial-birth abortions." See, e.g.,
Northwestern Mem'l Hosp. v. Ashcroft, No. 04-1379, 2004 U.S. App,
LEXIS 5724 (3d Cir. Mar. 26, 2004).
The plaintiffs claim that these cases support their argument that the
Amended Rule violates fundamental privacy rights. The
Northwestern decision and the other DOJ cases cited by the
plaintiff have no bearing on the plaintiffs' narrow challenge here. Those
cases do not involve the disclosure of protected health information for
routine purposes. They involve the disclosure of protected health
information for other, nonroutine purposes. These disclosures are
governed by provisions of the Amended Rule that the plaintiffs have not
An appropriate Order follows.
AND NOW, this 2nd day of April, 2004, upon consideration of the
defendant's Motion for Summary Judgment (Docket No. 13), the plaintiffs'
Motion for Summary Judgment (Docket No. 24), as well as all responses and
replies thereto, and following oral argument on December 10, 2003, IT IS
HEREBY ORDERED that the defendant's motion is GRANTED and the plaintiffs'
motion is DENIED for the reasons stated in a memorandum of today's date.
Judgment is entered in favor of the defendant and against the plaintiffs.