Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Official citation and/or docket number and footnotes (if any) for this case available with purchase.

Learn more about what you receive with purchase of this case.


United States District Court, E.D. Pennsylvania

April 2, 2004.

CITIZENS FOR HEALTH, et al., Plaintiffs
TOMMY G. THOMPSON, Secretary U.S. Department of Health and Human Services, Defendant

The opinion of the court was delivered by: MARY A. McLAUGHLIN, District Judge


This action is brought by ten national and state associations, seven individuals and two individual intervenors against the Secretary of the United States Department of Health and Human Services (the "Secretary"). The plaintiffs seek to invalidate an amended rule governing certain uses of individuals' identifiable health information that the Secretary promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. 104-191, 110 Stat. 1936.

Under the prior version of the challenged rule, certain health care entities had to first obtain a person's consent before using and disclosing that person's identifiable health information for certain routine purposes. The plaintiffs challenge the amended rule to the extent it makes seeking consent optional. The parties have filed cross-motions for summary judgment. The Court heard oral argument on December 10, 2003. The Court will grant the defendant's motion and will deny the plaintiffs' motion.

 I. Background

  The Amended Rule is the fourth in a series of proposed and final rules issued by the Secretary between November 1999 and August 2002. Following is a list of the proposed and final rules, their dates of issuance, and their location in the Federal Register:

  1. The rule as first proposed (the "Proposed Original Rule") was published as "Notice of Proposed Rule Making, Standards for Privacy of Individually Identifiable Health Information." 64 Fed. Reg. 59,918 (proposed Nov. 3, 1999) (the "1999 NPRM").

  2. A final rule (the "Original Rule") was published as "Standards for Privacy of Individually Identifiable Health Information." 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164 (2002)).

  3. A proposed amended version of the rule (the "Proposed Amended Rule") was published as "Notice of Proposed Rule Making, Standards for Privacy of Individually Identifiable Health Information." 67 Fed. Reg. 14,778 (proposed Mar. 27, 2002) (the "2002 NPRM"). 4. The final version of the amended rule (the "Amended Rule") was published as "Final Rule, Standards for Privacy of Individually Identifiable Health Information," 67 Fed. Reg. 53,182 (Aug. 14, 2002), and codified as Parts 160 and 164 of Title 45 of the Code of Federal Regulations.

  The Court discusses below each of the four rules. All of the material comes from HIPAA or the Federal Register.

  A. Statutory Framework

  On August 21, 1996, the President signed HIPAA into law. HIPAA is organized into five titles.*fn1 The challenged rule was enacted pursuant to Title II. There were two goals of Title II: to prevent health care fraud and abuse; and to reduce the costs and administrative burdens of health care by replacing the many non-standard formats used nationally with a single set of electronic standards. It is the second goal with which we are concerned here. In Title II, Congress sought to make the health care industry more efficient and effective. Congress looked to the adoption of uniform data standards in using electronic technology critical to reach this goal. Subtitle F of Title II, therefore, contains provisions intended to ensure that there are standards for the electronic transmission of financial and administrative data. HIPAA §§ 261-262(a).

  Subtitle F directed the Secretary: (1) to adopt standards and data elements for the electronic exchange of individually identifiable health information in connection with the delivery of, and payment for, health care services; and (2) to adopt standards for the security, integrity, and confidentiality of electronically stored or transmitted health care information. HIPAA § 262(a); 42 U.S.C. § 1320d-2.*fn2

  Congress, through Subtitle F, also directed the Secretary to submit to Congress, within twelve months of HIPAA's enactment, recommendations on standards with respect to the privacy of health information, to be developed in consultation with the National Committee on Vital and Health Statistics ("NCVHS"). HIPPA § 264(a). These recommendations had to address: (1) the rights that an individual who is the subject of individually identifiable health information should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required. HIPAA § 264(b). If Congress failed to enact privacy standards within three years of the statute's enactment, the Secretary was to do so. HIPAA § 264(c)(1).

  B. The Privacy Rule and its Evolution

  When Congress did not enact privacy legislation by the third anniversary of HIPAA's enactment, the Secretary started the rulemaking process that resulted in the challenged rule.

  1. The Proposed Original Rule

  The Secretary issued the Proposed Original Rule on November 3, 1999. Covered health care providers and health plans were prohibited from using or disclosing protected health information except as provided by the rule. Protected health information was defined as individually identifiable health information maintained in or transmitted in any form or media including electronic media.*fn3 See 1999 NPRM, 64 Fed. Reg. at 59,918, 59,927, 59,924, 59,939.

  The Proposed Original Rule listed the purposes for which protected health information could be used or disclosed without authorization and those purposes for which authorization was required. Authorization was not required for: routine uses; and uses for certain public-policy purposes, including public health, research, health oversight, law enforcement, and judicial proceedings.*fn4 1999 NPRM, 64 Fed. Reg. at 60,053, 60,056-60,057 (text of then proposed 45 C.F.R. § 164.506, 164.510). For any purpose not recognized by the rule, covered entities had to obtain authorizations that had to include, among other things, a description of to whom and for what purpose the information would be disclosed, and a statement informing individuals of their right to revoke the authorization. Id. at 60,055-60,056 (text of then proposed 45 C.F.R. § 164.508).

  It is the routine use provision that is at issue in this lawsuit. The proposed rule would have permitted covered entities to use or disclose individual health information, without patient authorization or consent, for treatment, payment and health care operations. This was in part because treatment and payment were considered core functions of the health care system for which people expect their health information will be used. Health care operations were deemed to be activities directly related to the core functions of treatment and payment, such as quality assurance, reviews of health care providers, underwriting, auditing, fraud detection, or legal proceedings.*fn5 Id. at 59,924, 59,933-59,934, 59,940, 60,052-60,054.

  The proposed rule prohibited covered entities from seeking individual authorization for these routine purposes, unless state or other applicable law required it. The Secretary reasoned that authorizations for these purposes could not provide meaningful privacy protections or individual control and could cause individuals to misunderstand what their rights and protections actually were. Id. at 59,941. The Proposed Original Rule would have given individuals the right to receive from covered entities a notice of information practices, informing them about the permitted uses and disclosures the entities intended to make of the information. Covered entities would have been required to limit their uses or disclosures to those reflected in their notices. Id. at 59,926, 59,945, 59,978.

  According to the Secretary, the notice was also meant to advise individuals of their right under the rule to request restrictions on the uses or disclosures of their health information. A covered entity would not have been required to agree to such a request, but if it did so, it would have to abide by the agreed to limitations. Id.

  The standards in the Proposed Original Rule were described as creating "a federal floor of privacy protection." That is, they were not meant to supercede state or other applicable laws that provide more stringent privacy protections. Id. at 59,926.

  2. The Original Rule

  The Original Rule kept the structure of the proposed rule.*fn6 The most significant difference between the Proposed Original Rule and the Original Rule concerned consent. Consent for the use and disclosure of health information drew the most comments.*fn7 65 Fed. Reg. at 82,472. The Secretary adopted a consent requirement in the Original Rule for the routine uses of health information as follows:

(a) Standard: Consent Requirement. (1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered health care provider must obtain the individual's consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.
65 Fed. Reg. at 82,810 (text of former 45 C.F.R. § 164.506(a)(1)).

  The forms used to obtain consent had to: (1) include a general statement that protected health information may be used for routine purposes; (2) refer patients to the provider's notice of privacy practices; (3) inform patients of their right to request restrictions on the use and disclosure of their health information; and (4) inform individuals of their right to revoke this consent at any time. Covered health providers could refuse to treat patients who refused to give their consent in these situations. 65 Fed. Reg. at 82,810 (text of former 45 C.F.R. § 164.506(b)-(c)).

  Subsection (a)(2) permitted certain covered health care providers to use health information for routine purposes without consent: providers who had an indirect treatment relationship with the patient; and those who created or received the health information in the course of treating an inmate patient. Id. (text of former 45 C.F.R. § 164.506(a)).

  Subsection (a)(3) provided three other situations under which covered health care providers did not have to obtain consent from a patient before a routine use or disclosure of the patient's protected health information. First, no prior consent was needed in emergency treatment situations so long as consent was sought as soon as reasonably practicable after the emergency treatment. Second, consent was not required if the provider was required by law to treat the individual and had attempted, but was unable, to obtain his or her consent. Third, prior consent was unnecessary if the provider attempted to obtain consent of the patient, was unable to do so because of "substantial barriers to communicating," and, in the professional judgment of the provider, the patient's consent could clearly be inferred from the circumstances.*fn8 Id. Covered health care providers had to comply with the Original Rule by April 14, 2003.*fn9 Covered providers would have been permitted to use or disclose health information created or obtained prior to the compliance date based on consent obtained prior to that date. This was true even where the consent did not meet the formal requirements of the Original Rule. In the absence of pre-existing consent, use of health information created or obtained prior to April 14, 2003, would be prohibited. 65 Fed. Reg. at 82,828 (text of former 45 C.F.R. § 164.532(a)-(b)).

  As with the Proposed Original Rule, the Original Rule preempted contrary state law only to the extent that the rule provided more privacy protections than the state law. 65 Fed. Reg. at 82,800-82,801 (text of former 45 C.F.R. § 160.203(b)).

  3. The Proposed Amended Rule

  After publication of the Original Rule, the Secretary received many inquiries and unsolicited comments about the impact and operation of the Original Rule on numerous sectors of the health care industry regarding the rule's complexity and practicability. On February 28, 2001, the Secretary solicited additional public comment on the Original Rule. A purpose for the additional comment period was "to ensure that the provisions of the Privacy Rule would protect patients' privacy without creating unanticipated consequences that might harm patients' access to health care or quality of health care. . . ." 2002 NPRM, 67 Fed. Reg. at 14,777; see also Request for Comments, 66 Fed. Reg. 12,738 (Feb. 28, 2001).

  Many of the comments received discussed the potential adverse effects that the consent provisions would have on access to, and delivery of, health care services. The NCVHS also held public hearings that elicited public testimony on certain provisions, including consent. According to the Secretary, these comments and testimony prompted him to propose several modifications to the Original Rule, including the consent requirement. 2002 NPRM, 67 Fed. Reg. at 14,777.

  On March 27, 2002, the Secretary proposed to amend the Original Rule. The Proposed Amended Rule rescinded the consent requirement by granting covered entities regulatory permission to use health information for routine purposes. Covered entities would no longer be required to obtain consent before using health information for treatment, payment, or health care operations. Providers, however, would be permitted to seek consent if and in any manner they chose. Additionally, the Amended Rule would require direct treatment providers to make good-faith efforts to obtain patients' written acknowledgment that they received the notice of privacy practices. Id. at 14,777, 14,780, 14,783.

  The comment period on the Proposed Amended Rule ran from March 27, 2002 to April 26, 2002. During that period the Secretary received over 11,400 comments which were primarily devoted to the subject of consent. 67 Fed. Reg. at 53,183.

  The Secretary found that many comments supported the elimination of the consent requirement. Many other comments urged the Secretary to require consent, but to "make targeted fixes to address workability issues." Some comments sought a stronger consent requirement. Id. at 53,210.

  According to the Secretary, many covered entities were concerned about, or had experienced significant practical problems with, the delivery of timely health care under the Original Rule. Pharmacists, for example, were concerned that they would be unable to fill prescriptions, search for potential drug interactions, determine eligibility or verify coverage before an individual arrived to pick up a prescription if the individual had not already provided consent. Hospitals would not have been able to use information from referring doctors to schedule and prepare procedures before the patient arrived there. Emergency medical providers were concerned that attempting to seek consent prior to treatment in some situations was inconsistent with appropriate emergency care. The requirement that they seek consent as soon as reasonably practicable after an emergency greatly increased their administrative burden and could be viewed as harassment by the individuals. For the most part, these commenters supported rescission of the consent requirement. Id. at 53,209.

  Some commenters were concerned that the Proposed Amended Rule would eliminate an important consumer protection, and that rescission of the consent requirement was too radical. They suggested targeted fixes to the practical problems caused by the requirement. Id. at 53,210-53,211. For example, some suggested to allow certain uses and disclosures prior to first patient encounters. Others suggested expanding the definition of health care providers with indirect treatment relationships to include pharmacists. Others proposed permitting oral or telephonic consent. Id. at 53,211-53,212.

  A few commenters urged the Secretary to strengthen the consent requirement. For example, some commenters suggested that health plans as well as health care providers be covered by the requirement. Id. at 53,212.

  4. The Amended Rule

  The Secretary decided that, in light of the record, incorporating targeted fixes would require adding additional complexity to the rule. The Secretary claimed that a global approach to resolving the problems raised by the consent requirement was consistent with one of the basic goals of the rule, namely, to provide necessary flexibility for the standards to work for the entire health care system. The Secretary therefore promulgated the Amended Rule with the provisions that he had proposed, thereby eliminating the consent requirement. Id.

  The removal of the consent requirement applied only to uses or disclosures for treatment, payment or health care operations. Section 164.506, the provision that formerly contained the consent requirement, now reads in relevant part as follows:

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) [relating to psychotherapy notes] and (3) [relating to marketing], a covered entity may use or disclose protected health information for treatment, payment, or health care operations . . . provided that such use or disclosure is consistent with other applicable requirements of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.
(2) Consent under paragraph (b) of this section, shall not be effective to permit use or disclosure of protected health information when an authorization . . . is required or when another condition must be met for such use and disclosure to be permitted under this subpart.
45. C.F.R. § 164.506. The Amended Rule otherwise retained almost all the other protections and provisions of the Original Rule. In particular, authorization is still required for any uses not otherwise permitted by the Amended Rule. Individuals retain their right to request additional restrictions, and covered plans or providers that agree to these restrictions are still required to abide by those restrictions. Covered entities are still required to ensure that their business associates are under contract to abide by the same restrictions as they are. Provisions regarding uses and disclosures of identifiable health information for public-policy-related purposes were unaffected by the rescission of the consent requirement, because consent for such uses was not required by the Original Rule. See 67 Fed. Reg. at 53,211; 45 C.F.R. § 164.504, 164.508, 164.522(a).

  Like the Original Rule, the Amended Rule generally preempts contrary State law. State law, however, will not be preempted if it provides a more stringent standard for protecting the privacy of individually identifiable health information. 45 C.F.R. § 160.203.

  The compliance date of the Amended Rule was April 14, 2003, the same as that of the Original Rule. 45. C.F.R. § 164.534. Unlike the Original Rule, however, the Amended Rule applies to health information created or obtained prior to the compliance date. This means that health information created or obtained prior to April 14, 2003, may be used and disclosed after that date for routine purposes without prior consent. 67 Fed. Reg. at 53,211.

  C. The Plaintiffs

  The plaintiffs consist of nine individuals, including two intervenors, and ten organizations. Of the nine individuals, four are health care consumers and five are practicing mental health care providers some of whom are also health care consumers. Of the ten organizational plaintiffs, three are primarily health care consumer organizations with over 600,000 members collectively, another three are primarily mental health care provider organizations with over 5,000 members in total, and four are coalitions of health care providers, consumers and advocates. Am. Compl. ¶¶ 18-27.

  The plaintiffs claim that the Secretary violated the Administrative Procedure Act ("APA") in promulgating the Amended Rule. They also claim that, to the extent it rescinds or eliminates the consent requirement regarding use and disclosure of an individual's health information for routine purposes, the Amended Rule violates: privacy and property rights guaranteed by the Fourth, Fifth, and Ninth Amendments of the United States Constitution; rights protected by the First Amendment of the United States Constitution; and the federal common-law therapist-patient privilege. The plaintiffs do not challenge other amendments to the rule, or those portions of the rule that have not been amended.

  D. The Motions

  In their motion for summary judgment, the plaintiffs argue that the Secretary's rescission of the consent requirement for routine uses was "arbitrary and capricious," was in excess of his statutory authority, and violated various constitutional rights. The plaintiffs also argue that the Secretary gave inadequate public notice of his intent to rescind the consent requirement, provided an insufficient comment period for the Amended Rule, and promulgated an impermissibly retroactive rule by permitting the Amended Rule to apply to records created prior to the rule's compliance date.

  The defendant contests all of these claims, and also argues that the plaintiffs do not have standing.

  In support of their motion, the plaintiffs submitted selected comments from the administrative record, over twenty affidavits and supplemental affidavits, numerous privacy notices sent pursuant to the Amended Rule, and excerpts from HIPAA, the Federal Register, and miscellaneous policy statements.

  In their affidavits, the plaintiffs allege various injuries caused by the Amended Rule's rescission of the consent requirement: (1) an elimination of the ability to know of and prevent or limit routine use and disclosure of health information necessary for current or future care; (2) an elimination of the ability to know of and prevent or limit routine use of health care information already in the hands of covered entities; (3) an erosion of patient's trust in health care providers; (4) a chilling effect on communications between patients and health care providers; and (5) an impairment of health care providers' ability to deliver effective psychotherapy services.

  The Secretary provided the Court with a copy of the administrative record compiled in connection with the promulgation of the Amended Rule. This record includes: (1) forty-eight volumes of hard copy comments submitted in response to the 2002 NPRM; (2) a CD-ROM containing public comments filed via email in response to 2002 NPRM; and (3) a CD-ROM containing public comments filed in response to the February 28, 2001, request for comments after the Original Rule had been adopted. The Secretary also submitted three volumes of excerpts from the administrative record.

 II. Discussion

  The Court cannot reach the merits of the plaintiffs' arguments if they do not have standing. ACLU-NJ v. Township of Wall, 246 F.3d 258, 261 (3d Cir. 2001). The Court, therefore, shall address this issue first. Because the Court finds that at least one of the plaintiffs has standing, the Court will then examine the plaintiffs' claims that the Secretary violated the APA by acting in an arbitrary and capricious manner in rulemaking and by failing to provide adequate notice that the Original Rule would be rescinded. The Court will also consider whether the Secretary violated the scope of authority granted by HIPAA, and whether the Amended rule was retroactive. Finally, the Court will examine the plaintiffs' constitutional claims.

  A. Standing

  There are three constitutional requirements that a plaintiff must meet in order to have standing to sue. First, the plaintiff must demonstrate an injury in fact. Second, there must be a causal connection between the plaintiff's injury and the defendant's conduct. Third, the relief requested must be likely to redress the injury suffered by the plaintiff.*fn10 See Vt. Agency of Natural Res. v. United States ex rel. Stevens, 529 U.S. 765, 771 (2002); Luian v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).

  The plaintiffs have submitted numerous affidavits, asserting that they have suffered various injuries as a result of the Amended Rule and that rescission of the rule will redress those injuries.*fn11 The Court concludes that at least Dr. Deborah Peel has standing. Because the Court may reach the merits of the case if at least one plaintiff has standing, the Court will not examine the standing of the other plaintiffs.

  Dr. Peel, an intervenor, is a practicing psychiatrist who alleges harm to herself and her family as health care consumers. She submitted three affidavits to the Court. She listed ten providers from which she and/or her family received privacy notices after the April 14, 2003, compliance date. The privacy notices are not identical. Some state that the practice "uses and discloses" health information for routine purposes. Others state that the practice "may use and disclose" that information for routine purposes without a patient's authorization. Others state that the practice "will use and disclose" health information for routine purposes. All of the notices stated that Dr. Peel had the right to request additional restrictions on the use and disclosure of her protected health information.

  Dr. Peel requested such restrictions from a variety of these health care providers. She specifically lists three pharmacies that have refused her request not to disclose or use her information without her consent. No provider has acted favorably on any of her requests yet. She states that prior to April 14, 2003, she had been able to obtain restrictions on the use of her information.

  Dr. Peel and her family are now limiting what information they give to their health care providers. She will avoid medical care for herself and her family except in dire situations. Dr. Peel states that these measures, however, cannot protect information that she and her family have disclosed in the past.

  As a practitioner psychiatrist, Dr. Peel now has several patients who refuse to take their medications in an effort to shield their information from being used and disclosed by pharmacies. She believes that many more patients will avoid needed psychiatric care.

  1. Injury in Fact

  To have Article III standing, Dr. Peel must first demonstrate that she has suffered an injury in fact. This injury must be concrete and particularized, and actual or imminent, as opposed to conjectural or hypothetical. Defenders of Wildlife, 504 U.S. at 560. "The injury must affect the plaintiff in a personal and individual way." Id. at 561 n.1.

  Dr. Peel has demonstrated a personal stake in the outcome of this litigation. Three health care providers have refused to grant her request to limit disclosure of the health information of her and her family. Others have not responded to her request; but, the notices they sent state that they will routinely disclose her health information.

  The Secretary argued that Dr. Peel has not suffered injury in fact as to either information that she gave to providers prior to the effective date of the rule or information that she may be asked to provide in the future. As to information provided in the past, the Secretary argued that Dr. Peel has not shown any specific disclosure of her health information. As to the future, the Secretary contends that Dr. Peel can limit what information she gives to providers or can cease treatment altogether with providers who will not agree to seek her consent before disclosing her health information for routine purposes. The Court is not persuaded by these arguments.

  As to information provided in the past, a plaintiff does not have to show that the injury has occurred. It is enough to show that injury is imminent or highly likely to occur. See Defenders of Wildlife, 504 U.S. at 564 n.2. Dr. Peel has shown that here. She has received many notices from providers telling her that they are using her health information for routine purposes. On April 14, 2003, she received a notice that stated: "This practice uses and discloses health information about you for treatment, to obtain payment for treatment, for administrative purposes, and to evaluate the quality of care you receive." Notice of Privacy Practices, Austin Internal Medicine Associates, L.L.P., Peel Aff. I. This language indicates that such information has already been, or will imminently be, disclosed without her consent. Under these circumstances, Dr. Peel has demonstrated injury in fact.

  Even as to future health information, Dr. Peel has made a strong argument for injury in fact. It is true that, in the future, patients can limit what information they give to their providers or can cease treatment altogether with providers who will not agree not to disclose their information without their consent. It is also true that under the Original Rule, providers had the right to refuse to give treatment if the patient would not consent to disclosure for routine purposes. The Court, however, does not agree with the defendant that these facts negate any injury. The Amended Rule has changed the landscape established by the Original Rule for the disclosure of health information for routine purposes. That fact does not mean that the change is in violation of law. But it does mean that Dr. Peel can challenge that change.

  2. Causation

  The next question is whether Dr. Peel's injury in fact is causally connected and traceable to an action of the defendant. See Pitt News v. Fisher, 215 F.3d 354, 360 (3d Cir. 2000) (citing Doe v. Nat'l Bd. of Med. Exam'rs, 199 F.3d 146, 152-53 (3d Cir. 1999)). The defendant argues that there is no causation and traceability because Dr. Peel's injuries are the result of independent choices made by third parties not before the Court — health care providers. The defendant is correct that when, as here, the allegedly unlawful rule regulates the conduct of someone other than the plaintiff, the plaintiff will not have standing if his injury is the result of unfettered or independent choices of "third parties not before the court." Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976); see Bennett, 520 U.S. at 169. There is causation, however, if the injury is "produced by determinative or coercive effect upon the action of someone else." Bennett, 520 U.S. at 169; see Pitt News, 215 F.3d at 360-61.

  It is true that the providers are permitted by the rule to seek consent before using or disclosing Dr. Peel's health information. They have chosen not to do so. There is causation, however, because the Amended Rule has a sufficiently determinative or coercive effect on the action of the providers.

  The impact of the Amended Rule on providers must be considered in the context of the Original Rule. The plaintiffs allege that the amendment of the Original Rule was illegal. They seek to have the Original Rule reinstated. Under the Original Rule, Dr. Peel's health care provider would have had to seek her consent before using her health information for routine purposes. Under the Amended Rule, it no longer does. The Amended Rule has changed the landscape established by the Original Rule in which decisions will be made by providers as to whether they will seek consent or agree to patients' demands for consent. In this situation, there is causation. See Bennett, 520 U.S. at 169 (finding causation and, thus, that the plaintiffs had standing to sue a government agency that issued the non-binding opinion relied upon by a different government agency to enact regulations that injured the plaintiffs); see also Pitt News, 215 F.3d at 360-61 (finding causation, and standing, when a newspaper sued the Attorney General for enforcing a law intended to encourage third party activity that harmed the newspapers).

  3. Redressability

  The third requirement for Article III standing is that "it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 181 (2000). Dr. Peel has demonstrated that it is not "merely speculative" that vacating the Amended Rule and reinstating the Original Rule would redress Dr. Peel's alleged injury. The Original Rule prohibited covered entities from using or disclosing protected health information for routine purposes without patient consent.

  The Court finds that Dr. Peel does have Article III standing. B. APA Claims

  The plaintiffs argue that the Secretary's rulemaking was arbitrary and capricious, and that the Secretary failed to provide adequate notice of the rescission of the Original Rule.

  1. The Arbitrary and Capricious Claim

  The plaintiffs argue that the Secretary acted arbitrarily and capriciously by failing adequately to explain the rescission of the consent requirement, ignoring earlier findings, and failing to respond to public comments. An agency's action in promulgating standards may be set aside if it is "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law." 5 U.S.C. § 706(2)(a); see Motor Vehicle Mfrs. Ass'n, Inc. v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 41 (1983). This standard also applies to the rescission of an existing regulatory standard.

  An agency acts arbitrarily and capriciously if it rescinds a promulgated rule without providing a "reasoned analysis" for the change. Id. at 41-42; see Fertilizer Inst. v. Browner, 163 F.3d 774, 778 (3d Cir. 1998). A reasoned analysis requires the Secretary to examine the relevant data and articulate a satisfactory explanation that shows a "rational connection between the facts found and the choice made." Motor Vehicles, 463 U.S. at 43 (quoting Burlington Truck Lines, Inc. v. United States, 371 U.S. 156, 168 (1962)). The Court is not supposed to substitute its own judgment for that of the Secretary. If the agency action is rational, based on a consideration of relevant factors, and within the scope of the statutory delegation of power, it may not be set aside. Id. at 42-43.

  a. The Secretary's Explanation

  The Secretary explained that the consent requirement in the Original Rule was added in an attempt to strike a balance between privacy concerns and the need to use certain health care information.*fn12 The Secretary stated that the consent requirement in the Original Rule responded to comments that consent provides individuals with a sense of control over how their information will be used, was a current practice of health care providers, and was expected by many patients. 2002 NPRM, 67 Fed. Reg. at 14,779.

  According to the Secretary, comments and inquiries received after the Original Rule was implemented revealed many unintended consequences of the consent requirement. The comments received after the Amended Rule was proposed indicated that the consent requirement represented a significant change in practice and could substantially impair delivery of health care. The consent requirement could have also deprived providers and plans of information necessary for quality assurance, accreditation, and fraud and waste detection. 67 Fed. Reg. at 53,214.

  The Secretary then explained that rescinding the consent requirement solved the identified health care delivery problems caused by the requirement in the most efficient manner. According to the Secretary, incorporating targeted fixes as suggested by some commenters would make the rule even more complex, without solving all of the problems. Id. at 53,212.

  The Secretary added that all the other protections were left in place. In addition, the notice of privacy practices provision was strengthened to preserve the intended benefit of the consent requirement, that is, to provide patients with an opportunity to discuss privacy practices and concerns and to request restrictions on use and disclosure. Id. at 53,209, 53,211.

  The plaintiffs rely on two cases in arguing that the Secretary's explanation is inadequate. In Motor Vehicle, 463 U.S. at 2864, the National Highway Traffic Safety Administration ("NHTSA") rescinded a regulation requiring new cars to be equipped with passive restraints, defined as either automatic seatbelts or airbags. The NHTSA determined that detachable automatic seatbelts would not be effective in attaining its safety goals, and so it rescinded the passive restraint requirement. The Supreme Court held that the NHTSA did not adequately explain the rescission. The NHTSA did not question that passive restraints were important to safety, but it never addressed why airbags, as one of the passive restraint options, could not serve the same safety functions. Id. at 2869. In short, there was no discussion of any alternatives available to the agency.

  In Action on Smoking and Health v. Civil Aeronautics Bd., 699 F.2d 1209, 1216 (D.C. Cir. 1983), the Civil Aeronautics Board ("Board") rescinded and modified parts of a rule regulating smoking on aircraft. The Board's explanation of the rescission was contained in one brief paragraph that only concluded that carriers should have discretion with respect to smoking on flights. The court held that the explanation was "palpably inadequate" because there was no reason for the Board's conclusion. Id.

  The explanation of the rescission provided in the case at hand was much more detailed and is distinguishable from Action on Smoking and Health and Motor Vehicle. The Board in Action on Smoking and Health did not explain its reasons for rescinding the smoking regulations. The Secretary here, however, explained the rescission of the consent requirement in detail, as discussed above. With respect to the holding of Motor Vehicle, and in contrast to the explanation provided by the NHTSA in that case, the Secretary discussed possible alternatives and the reasons for the rescission. He determined that the rescission was the most efficient means to achieving the purposes set forth in HIPAA, § 261. The Secretary also explained why the alternative solutions would not be effective, or work at all. For these reasons, the Court finds that the Secretary's explanation was adequate and provided a reasoned analysis for the change.

  b. Examination of the Relevant Data

  The plaintiffs argue that the Secretary ignored the agency's earlier findings and thus did not establish a rational connection between agency findings supporting the Original Rule and the choice made in the Amended Rule. The Secretary, however, need only establish a rational connection between the most current findings and the changes to a rule. See United States Air Tour Ass'n. v. Fed. Aviation Admin., 298 F.3d 997, 1007-08 (D.C. Cir. 2002).

  The Court reviewed the administrative record and finds that the Secretary used the agency's current findings in explaining his rescission of the consent requirement. Based on the comments submitted during the comment period for the Proposed Amended Rule, the Secretary found that the consent requirement caused unintended inefficiencies in the delivery of health care. The Court's review of the record revealed that even some commenters who did not favor rescission acknowledged that there were unintended consequences that could hamper effective delivery of health care. See, e.g., Comments of the Amer. Counseling Ass'n, Pls.' Reply Br., App. II, at Tab 12. Even if the Secretary had to reconcile past findings with the Amended Rule, the rescission of the consent requirement is not so inconsistent with earlier findings as to render the change so implausible that it could not be ascribed to a difference in viewpoint or the product of agency expertise. Contrary to the plaintiffs' suggestion, the agency never stated that the right to privacy was absolute when it implemented the Original Rule. Privacy concerns were always to be balanced against the goal of improving efficiency of the health care system. See 65 Fed. Reg. at 82,464.

  Indeed, the very findings that supported the Original Rule had supported the initial proposal to prohibit consent. According to the Secretary, the prohibition in the Proposed Original Rule was based on the undisputed finding that patient consent was frequently uninformed and involuntary. See 1999 NPRM, 64 Fed. Reg. at 59,940-59,941. Consent in the Original Rule was required to provide patients with the opportunity to discuss privacy practices and request further restrictions. The Secretary explained that, far from ignoring the need to provide patients with this opportunity, the Amended Rule achieves the same goal through its more stringent notice requirements. 67 Fed. Reg. at 53,256.

  The Court finds that the Secretary examined the relevant data and the Secretary's explanation shows more than a mere rational connection between the facts and the choice to rescind the consent requirement. He found that the requirement was impeding the ability of different sets of health care providers for different reasons. He considered alternatives to rescission but found that none of the alternatives would fix the problems for all health care providers. His decision to rescind was reasonable given these findings.

  c. The Secretary's Response to Public Comments

  The plaintiffs' argument that the Secretary failed adequately to respond to comments in the record is also unpersuasive. Agencies do not have to address every comment. They need only respond in a reasoned manner to comments raising significant problems. A failure to respond to comments is significant only insofar as it demonstrates that the decision was not based on relevant factors. See City of Waukesha v. EPA, 320 F.3d 228, 257 (D.C. Cir. 2003).

  The Secretary's response to the comments revealed that he considered the relevant factors Congress intended the agency to consider. The two factors referred to in Subtitle F of HIPAA are the efficiency and effectiveness of the health care system, and the privacy of health information. See HIPAA § 261.

   The Secretary justified the rescission of the consent requirement primarily because the requirement impeded efficient delivery of health care. The Secretary also took the privacy interests of patients into account by permitting health care providers to obtain prior consent, in contrast with the Proposed Original Rule. He just balanced the factors in a way with which the plaintiffs disagree. The Secretary, in any event, responded to many comments that did not support rescission of the consent requirement, including those similar to the plaintiffs' argument that targeted fixes instead of rescission should be implemented. See 67 Fed. Reg. at 53,211-53,214.

   2. Notice of Rulemaking

   The plaintiffs argue that the Secretary violated the APA because his notice of rulemaking did not adequately inform the public of his intention to rescind the consent requirement. A notice of proposed rulemaking must include either: (I) "the terms or substance of the proposed rule or;" (ii) "a description of the subjects and issues involved." 5 U.S.C. § 553(b)(3).

   The Secretary's notice for the Amended Rule did both. The notice of proposed rulemaking for the Amended Rule provided the text of the proposed amendments. See 2002 NPRM, 67 Fed. Reg. at 14,810-14,815. The notice also described the proposed modification in detail, including the proposal to make consent optional for routine uses. See id. at 14,780-14,781. C. Scope of Authority Granted by HIPAA

   The plaintiffs argue that the Secretary exceeded the scope of authority granted to him by HIPAA in two ways. First, they claim that HIPAA authorizes the defendant to promulgate only regulations that enhance privacy. Second, they argue that the Amended Rule is retroactive in violation of HIPAA and the APA.

   1. Reasonable Relationship of the Amended Rule to Statute

   A regulation falls within the scope of statutory authority as long as it is reasonably related to the purposes of the enabling legislation. Mourning v. Family Publ'ns Serv., Inc., 411 U.S. 356, 369 (1973). Subtitle F of HIPAA Title II states that its purpose is "to improve . . . the efficiency and effectiveness of the health care system . . . through the establishment of standards and requirements for the electronic transmission of certain health information." HIPAA § 261.

   Although HIPAA also required the Secretary to protect the privacy of health information, the Court finds nothing in the statute requiring the Secretary to maximize privacy interests over efficiency interests. His mandate is to balance privacy protection and the efficiency of the health care system — not simply to enhance privacy.

   The Court finds that the amendments to the Original Rule embodied in the Amended Rule are reasonably related to the legislative purpose of Subtitle F. The Secretary explained that he rescinded the consent requirement because it caused practical problems that interfered with the efficient delivery of health care. The Amended Rule kept all the other protections of the Original Rule and did nothing to remove more stringent protections afforded by state or other applicable law.

   2. Retroactivity

   A rule is retroactive if it impairs the rights already possessed when a person acted, or increases one's liability for past conduct, or imposes new duties with respect to transactions already completed. Landgraf v. USI Film Prod., 511 U.S. 244, 269-70, 280 (1994); see also Avila-Macias v. Ashcroft, 328 F.3d 108, 113 (3d Cir. 2003) (holding that the application of a new immigration act to a deportee who was removed before the passage of act, but who reentered after the passage of act, was not retroactive).

   A rule is not retroactive just because it upsets expectations based on prior law. A new zoning regulation, for example, may upset the reasonable expectations that prompted the property owners to purchase the property. Likewise, a new law banning gambling may harm the person who had begun to construct a casino before the law's enactment. See Landgraf, 511 U.S. at 270 n.24.

   According to the plaintiffs, individuals were vested with the right to give or withhold consent before their protected health information could be used for routine purposes once the Original Rule was implemented on April 14, 2001. The Original Rule, however, was amended before its April 14, 2003, compliance date. Covered entities were never under a legal obligation to comply with the Original Rule's consent requirement. Under these circumstances, the Original Rule did not create rights that were subsequently eliminated by the Amended Rule.

   The plaintiffs also argue that the Amended Rule eliminates their reasonable expectations "based on federal and state law, standards of medical ethics and established standards of practice" that their health information created prior to the Amended Rule's compliance date would not be used for routine purposes without consent. But the Amended Rule does not impair any stricter privacy rights created by state law, ethical codes or standards of practice. The Amended Rule is not retroactive.

   C. Constitutional Claims

   The plaintiffs claim that the Amended Rule violates Due Process rights to medical privacy, and First Amendment rights to private physician-patient communications. Because the Amended Rule does not compel anyone to use or disclose the plaintiffs' health information for routine purposes without the plaintiffs' consent, the Court finds that the Amended Rule does not violate the plaintiffs' constitutional rights. The Due Process Clause forbids the government from depriving individuals of life, liberty, or property without due process of law. Generally, the clause does not "impose an affirmative obligation on the State to ensure that those interests do not come to harm through other means." DeShaney v. Winnebago County Soc. Servs. Dep't, 489 U.S. 189, 195 (1989).

   The First Amendment right to free speech is similarly framed. See Alston v. Redman, 34 F.3d 1237, 1247 (3d Cir. 1994). The government cannot place obstacles in the path of an individual's exercise of free speech, but it does not have to act to eliminate obstacles that it did not create. Regan v. Taxation With Representation, 461 U.S. 540, 549-50 (1983) (citing Harris v. McRae, 448 U.S. 297, 316 (1980)).

   Even assuming that the plaintiffs have a constitutional right to privacy over their medical records and to patient-health care provider communications, the Amended Rule does not violate those rights.*fn13 The Amended Rule is wholly permissive with respect to whether a covered entity should seek consent from a patient before using his or her information for routine purposes. The Amended Rule neither requires nor prohibits that practice.

   Nor does the Amended Rule place obstacles in the paths of patients seeking to have confidential communications with their health care providers. The Amended Rule does not require doctors to do anything with respect to routine uses of health care information. Because the Amended Rule is not compulsory in nature, it does not affirmatively interfere with any right.*fn14

   To the extent the Amended Rule mandates any actions, it protects the plaintiffs' putative rights. For example, the Amended Rule prohibits covered entities from disclosing and using health information for reasons unrelated to health care without proper authorization.

   In essence, the plaintiffs challenge the Amended Rule because the Secretary decided not to compel covered entities to obtain prior consent. The Constitution, however, does not command the Secretary to act affirmatively to protect such rights. See DeShaney, 489 U.S. at 195; Alston, 34 F.3d at 1247.

   The plaintiffs have directed the Court's attention to recent cases that involve the attempts of the United States' Department of Justice ("DOJ") to subpoena or otherwise compel health care providers to produce the medical records of their patients who had undergone abortions. The DOJ has subpoenaed or sought court orders compelling the production of these medical records in connection with a law suit challenging a federal law banning so-called "partial-birth abortions." See, e.g., Northwestern Mem'l Hosp. v. Ashcroft, No. 04-1379, 2004 U.S. App, LEXIS 5724 (3d Cir. Mar. 26, 2004).

   The plaintiffs claim that these cases support their argument that the Amended Rule violates fundamental privacy rights. The Northwestern decision and the other DOJ cases cited by the plaintiff have no bearing on the plaintiffs' narrow challenge here. Those cases do not involve the disclosure of protected health information for routine purposes. They involve the disclosure of protected health information for other, nonroutine purposes. These disclosures are governed by provisions of the Amended Rule that the plaintiffs have not challenged.*fn15

   An appropriate Order follows.


   AND NOW, this 2nd day of April, 2004, upon consideration of the defendant's Motion for Summary Judgment (Docket No. 13), the plaintiffs' Motion for Summary Judgment (Docket No. 24), as well as all responses and replies thereto, and following oral argument on December 10, 2003, IT IS HEREBY ORDERED that the defendant's motion is GRANTED and the plaintiffs' motion is DENIED for the reasons stated in a memorandum of today's date. Judgment is entered in favor of the defendant and against the plaintiffs.

Buy This Entire Record For $7.95

Official citation and/or docket number and footnotes (if any) for this case available with purchase.

Learn more about what you receive with purchase of this case.