Third Circuit Issues Important HIPAA Decision
Client Alert | 4 min read | 11.30.05
By Chandra Westergaard Snyder
In an important decision impacting the protection of individuals' private health information, the U.S. Court of Appeals for the Third Circuit recently rejected a constitutional challenge to the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. parts 160 and 164 (subparts A and E) (“Privacy Rule”) issued under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”). See Citizens for Health v. HHS. In 2003, a coalition of privacy advocates filed suit against the Secretary of the Department of Health and Human Services (“Secretary”), arguing that the HIPAA Privacy Rule violates individuals' Fifth Amendment due process rights and First Amendment privacy rights. In October 2005, the Third Circuit affirmed the district court's grant of summary judgment to the Secretary, albeit under a different theory. The Third Circuit held that because the alleged privacy violations could not be attributed to the federal government, the Privacy Rule does not implicate constitutional concerns.
Background
Through HIPAA, Congress required the Secretary to develop standards regarding the privacy of individually identifiable health information, which would provide a federal baseline for health privacy protection. The Secretary first promulgated final privacy regulations in December 2000 (“Original Rule”). These regulations would have required, among other things, “covered entities” (including most physicians and hospitals) to seek an individual's consent before using or disclosing protected health information for “routine” uses and disclosures (e.g., treatment or payment). Before the regulations published in the Original Rule became enforceable, the health industry raised significant concerns with the Secretary regarding the practicality of the mandatory consent rule. The Secretary responded by promulgating revised final regulations in 2002 (“Amended Rule”). The Amended Rule introduced a “routine use” exception that permitted covered entities to use and disclose protected health information for treatment, payment, and “health care operations” (e.g., quality assessment, business planning) without obtaining patient consent. The Amended Rule left unchanged an individual's right to request restrictions on the use and disclosure of protected health information. As in the Original Rule, the Amended Rule also left more stringent state privacy protections intact. The Privacy Rule, as amended, became enforceable in April 2003.
It was the “routine use” exception to the consent requirement in the Amended Rule that formed the basis of Citizens' complaint.
No Constitutional Violations Without Government Action
Citizens' most significant challenges to the Privacy Rule came under the Fifth and First Amendments. Citizens argued that the Fifth Amendment grants individuals the right not to have “personal and identifiable health information made public or disclosed to numerous government employees in routine situations.” The Third Circuit accepted the premise that a right to medical privacy is legally cognizable under the Fifth Amendment, but also emphasized that any violation of that right rises to the level of a constitutional claim only when the violation can be attributed to the government. The court characterized the question before it as whether “the nonconsensual use or disclosure of individual health information by private parties, as permitted by the Amended Rule” could be legally attributed to the Secretary. To answer this question, the Court asked itself another question: whether the Amended Rule could be read to require or compel the disclosure of protected health information without an individual's consent. The Court concluded that because the Privacy Rule's language was permissive, it did not compel any behavior by covered entities and did not authorize activity that was previously prohibited; thus, it could not provide the “mantel” of government authority that would justify attributing the activities of covered entities to the Secretary. Without such government action, the court held, Citizens' Fifth Amendment claim failed.
Citizens' First Amendment claim failed on the same grounds. Citizens argued that the Amended Rule impermissibly infringed individuals' right to confidential communications with health care providers, and that the Amended Rule effectively “chilled” speech between individuals and their health care providers. Again, the Court found that any chilling effect created by the rule could not be attributed to government action, since the “chilling” of patients' rights came from the “independent decisions of private parties.” Without any government action, the Third Circuit concluded, Citizens had no basis for a constitutional challenge under the First Amendment.
Claims under the APA and HIPAA
The court summarily addressed Citizens' challenges to the Amended Rule under the Administrative Procedure Act (“APA”) and HIPAA itself. It found that the rule was a reasonable exercise of agency authority and that the agency had complied with the federal procedural requirements for rulemaking in a satisfactory manner. The court also held that, since the Original Rule was amended before its compliance date, the Amended Rule did not retroactively eliminate any rights given under the Original Rule.
Analysis
The Citizens for Health complaint likely represents the last major challenge to implementation of the HIPAA Privacy Rule, at least in its current form. For better or worse, the health care community has adapted to the new reality of conducting business in a HIPAA-regulated environment. Calls for regulatory reform, however, will no doubt continue, particularly as the health industry moves to adoption of electronic health records and new privacy issues emerge.
Insights
Client Alert | 3 min read | 12.13.24
New FTC Telemarketing Sales Rule Amendments
The Federal Trade Commission (“FTC”) recently announced that it approved final amendments to its Telemarketing Sales Rule (“TSR”), broadening the rule’s coverage to inbound calls for technical support (“Tech Support”) services. For example, if a Tech Support company presents a pop-up alert (such as one that claims consumers’ computers or other devices are infected with malware or other problems) or uses a direct mail solicitation to induce consumers to call about Tech Support services, that conduct would violate the amended TSR.
Client Alert | 3 min read | 12.10.24
Fast Lane to the Future: FCC Greenlights Smarter, Safer Cars
Client Alert | 6 min read | 12.09.24
Eleven States Sue Asset Managers Alleging ESG Conspiracy to Restrict Coal Production
Client Alert | 3 min read | 12.09.24
New York Department of Labor Issues Guidance Regarding Paid Prenatal Leave, Taking Effect January 1