Final Government Brief
No. 04-2550
IN THE UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
CITIZENS FOR HEALTH, et al.,
Plaintiff-Appellants,
v.
TOMMY G. THOMPSON, SECRETARY, UNITED STATES
DEPARTMENT OF HEALTH & HUMAN SERVICES,
Defendant-Appellee.
ON APPEAL FROM THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF PENNSYLVANIA
BRIEF FOR APPELLEE
OF COUNSEL:
PETER D. KEISLER
Assistant Attorney General
ALEX M. AZAR II
General Counsel
PATRICK L. MEEHAN
EDWIN WOO
United States
Attorney
Acting Associate
General Counsel
MARK B. STERN
LOUIS ALTARESCU
(202)
514-5089
Attorney
CHARLES W. SCARBOROUGH
United States Department
(202) 514-1927
of Health and Human Services Attorneys,
Appellate Staff
Civil Division, Room 7244
Department of Justice
950 Pennsylvania Ave., N.W.
Washington, D.C. 20530-3001
TABLE OF CONTENTS
Page
STATEMENT OF JURISDICTION 1
STATEMENT OF THE ISSUES 1
STATEMENT OF THE CASE 2
STATEMENT OF FACTS 3
A. Statutory Framework 3
B. The Evolution Of The Privacy Rule
6
1. The Proposed Original Privacy Rule
6
2. The Original Privacy Rule 9
3. The Proposed Amended Privacy Rule
13
4. The Final Amended Privacy Rule 17
C. Proceedings In This Case 21
SUMMARY OF ARGUMENT 27
STATEMENT OF RELATED CASES AND PROCEEDINGS 31
STANDARD OF REVIEW 32
ARGUMENT 33
I. HHS ACTED WELL WITHIN ITS DISCRETION
UNDER HIPAA AND PROVIDED A REASONED
EXPLANATION FOR ITS DECISION NOT TO
INCLUDE A CONSENT REQUIREMENT FOR
ROUTINE USES IN THE FINAL PRIVACY RULE 33
II. HHS’S DECISION NOT TO INCLUDE
A CONSENT REQUIREMENT FOR ROUTINE USES IN THE FINAL PRIVACY RULE DID
NOT VIOLATE PLAINTIFFS’ CONSTITUTIONAL RIGHTS 48
CONCLUSION 53
CERTIFICATE OF COMPLIANCE
CERTIFICATE OF SERVICE
TABLE OF AUTHORITIES
Cases:
CK v. New Jersey Dep't of Health and Human
Servs., 92 F.3d 171 (3d Cir. 1996) 32
City of Waukesha v. EPA, 320 F.3d 228 (D.C.
Cir. 2003) 40
DeShaney v. Winnebago County Soc. Servs.
Dep't, 489 U.S. 189 (1989) 50, 51
Fertilizer Institute v. Browner, 163 F.3d 774
(3d Cir. 1998) 32
Frisby v. HUD, 755 F.2d 1052 (3d Cir. 1985)
32, 40, 46
Motor Vehicle Mfrs. Ass'n v. State Farm Mut.
Ins. Co., 463 U.S. 29 (1983) 32, 46
Mourning v. Family Publications Serv., Inc.,
411 U.S. 356 (1973) 25
National Organization for Women, Inc. v.
Scheidler, 510 U.S. 249 (1994) 23
Northwestern Memorial Hosp. v. Ashcroft, 362
F.3d 923 (7th Cir. 2004) 45
In re: Paoli Railroad Yard PCB Litigation,
221 F.3d 449 (3d Cir. 2000) 35
South Carolina Medical Ass'n v. Thompson,
327 F.3d 346 (4th Cir. 2003) 35
United States Constitution:
First Amendment 2, 21, 27, 47
Statutes:
Public Health Service Act:
42 U.S.C. § 242(k) 4, 6
Health Insurance Portability and Accountability
Act of 1996:
§ 261 4, 33, 37
§ 262 4, 6, 33
§ 262(a) 6
§ 263 4
§ 264 4
§ 264(a) 5, 33
§ 264(b) 5, 33
§ 264(c)(1) 5, 6
§ 264(c)(2) 6, 34, 44
§ 264(d) 6, 15
§ 264(4)(D) 6
Social Security Act:
42 U.S.C. § 1178(b) 6
42 U.S.C. § 1178(c) 6
42 U.S.C. § 1301 et seq 4
42 U.S.C. § 1320d 4
42 U.S.C. § 1320d-2 4
5 U.S.C. § 801(a)(1) 13
28 U.S.C. § 1291 1
28 U.S.C. § 1331 1
Regulations:
45 C.F.R. § 160.203 34
45 C.F.R. § 160.203(b) 18, 44
45 C.F.R. § 164.422(a) 9
45 C.F.R. § 164.502(a) 7
45 C.F.R. § 164.506(a) 16
45 C.F.R. § 164.506(a)(1) 10, 12
45 C.F.R. § 164.506(a)(2) 12
45 C.F.R. § 164.506(a)(3) 12
45 C.F.R. § 164.506(a)(1)(i) 7, 51
45 C.F.R. § 164.506(b) 34, 35
45 C.F.R. § 164.506(b)(1) 12, 37, 51
45 C.F.R. § 164.508 8, 9, 21, 34, 49
45 C.F.R. § 164.508(a)(2)(iv) 9, 37
45 C.F.R. § 164.510 8
45 C.F.R. § 164.520(c)(2)(ii) 21, 34
45 C.F.R. § 164.522(a) 21, 34
45 C.F.R. § 164.534 13
Federal Register:
64 Fed. Reg. 59918 (Nov. 13, 1999) 6, 7
64 Fed. Reg. 59923 8
64 Fed. Reg. 59924 7
64 Fed. Reg. 59926 9, 10
64 Fed. Reg. 59927 7
64 Fed. Reg. 59933 8
64 Fed. Reg. 59940 8, 9, 37
64 Fed. Reg. 59940-41 9
64 Fed. Reg. 59945 9
64 Fed. Reg. 59977-79 9
64 Fed. Reg. 59978 9, 10
64 Fed. Reg. 60053 7
64 Fed. Reg. 60056-59 8
65 Fed. Reg. 82462 (Dec. 28, 2000) 10, 13
65 Fed. Reg. 82473 10, 43
65 Fed. Reg. 82474 11, 38
65 Fed. Reg. 82498 11
65 Fed. Reg. 82648 36
65 Fed. Reg. 82800-01 14
65 Fed. Reg. 82810 10, 12
65 Fed. Reg. 82828 13
66 Fed. Reg. 12434 (Feb. 26, 2001) 13
66 Fed. Reg. 12738 (Feb. 28, 2001) 14, 46, 48
66 Fed. Reg. 12739 14
67 Fed. Reg. 14776 (Mar. 27, 2002) 16, 48
67 Fed. Reg. 14779 16
67 Fed. Reg. 14780 16
67 Fed. Reg. 14790 17
67 Fed. Reg. 14781 16, 17
67 Fed. Reg. 53182 (Aug. 14, 2002) 17
67 Fed. Reg. 53208 40
67 Fed. Reg. 53209 39
67 Fed. Reg. 53209-10 38, 39
67 Fed. Reg. 53209-12 43
67 Fed. Reg. 53210 18, 38, 39
67 Fed. Reg. 53211 20, 21, 33, 35, 36
67 Fed. Reg. 53212 19, 20, 24, 42, 44
67 Fed. Reg. 53213 21, 38
67 Fed. Reg. 53239-40 21
Rules:
Fed. R. Evid. 501 45
Legislative Materials:
H.R. Rep. No. 496, 104th Cong., 2d Sess. 1,
reprinted in 1996 U.S.C.C.A.N. 1865 5
IN THE UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
No. 04-2550
CITIZENS FOR HEALTH, et al.,
Plaintiff-Appellants,
v.
TOMMY G. THOMPSON, SECRETARY, UNITED STATES
DEPARTMENT OF HEALTH & HUMAN SERVICES,
Defendant-Appellee.
ON APPEAL FROM THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF PENNSYLVANIA
STATEMENT OF JURISDICTION
Plaintiffs invoked the jurisdiction of the district court under 28
U.S.C. § 1331. The court issued its decision and entered a
final judgment on April 2, 2004. JA 1-15. Plaintiffs filed
a timely notice of appeal on May 27, 2004. JA 16. This
Court has jurisdiction pursuant to 28 U.S.C. § 1291.
STATEMENT OF THE ISSUES
As required by the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”), the Department of Health and
Human Services (“HHS”) promulgated comprehensive standards for the
privacy of individually identifiable health information, known
collectively as the Privacy Rule. The present Privacy Rule,
unlike an earlier version, does not require certain health care
providers to obtain patients’ consent before disclosing protected
health information for routine uses. The questions presented on
this appeal are:
1. Whether HHS acted within its discretion under HIPAA and
provided a reasoned explanation for its decision not to include a
requirement that certain health care providers obtain patients’ consent
before using or disclosing protected health information for routine
purposes.
2. Whether the agency’s decision not to include a consent
requirement violates plaintiffs’ constitutional right to privacy or a
First Amendment right to confidential physician-patient communications.
STATEMENT OF THE CASE
This case concerns a challenge to the final Privacy Rule
promulgated by HHS to protect the privacy of individually identifiable
health information under the new regulatory framework established under
HIPAA. Plaintiffs contend that HHS violated both the
Administrative Procedure Act and the Constitution by failing to require
that certain health care providers obtain patients’ consent before
using or disclosing identifiable health information for certain
“routine uses,” i.e., treatment, payment, or health care
operations. Because an earlier version of the Privacy Rule
contained a consent requirement for such routine uses, plaintiffs
assert that HHS lacked authority later to eliminate that requirement,
even after the agency received thousands of comments demonstrating that
the consent requirement would give rise to a host of unintended
consequences that could substantially impair and delay the delivery of
health care.
After an exhaustive review of the administrative record, the district
court found no basis for concluding that the final regulation was
arbitrary, capricious or contrary to law. The court held that HHS
had provided a reasoned explanation for its decision not to impose a
consent requirement for routine uses and had adequately examined and
responded to the relevant data and public comments. The court
further held that HIPAA gives HHS wide latitude in setting privacy
standards and nowhere requires the agency to maximize privacy interests
over efficiency in the health care system and other legitimate
concerns. Finally, the court rejected plaintiffs’ constitutional
claims on the ground that the Privacy Rule does not compel anyone to
use or disclose health information for routine uses without patients’
consent and does not interfere with any existing rights under state law
or other standards.
STATEMENT OF FACTS
A. Statutory Framework.
The provisions of the Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, at issue in this
case, Subtitle F of Title II, seek to improve “the efficiency and
effectiveness of the health care system, by encouraging the development
of a health information system through the establishment of standards
and requirements for the electronic transmission of certain health
information.” HIPAA § 261 (JA 27). To accomplish
this goal, Congress directed HHS, among other things, to adopt uniform
standards “to enable health information to be exchanged
electronically.” Id. § 262 (JA 31). Congress
instructed HHS to adopt standards for unique identifiers to identify
individuals, employers, health care plans, and health care providers
across the nation, and to adopt standards for transactions and data
elements relating to health information, the security of that
information, and verification of electronic signatures. Id. (JA
31-32).
Congress recognized that the new regulatory scheme posed risks to
the privacy of confidential patient information by eroding practical
barriers that historically had acted as safeguards against improper
access to that information. See H.R. Rep. No. 496, 104th Cong.,
2d Sess. 1, 99-100, reprinted in 1996 U.S.C.C.A.N. 1865, 1900.
Thus, Congress directed HHS to submit “detailed recommendations on
standards with respect to the privacy of individually identifiable
health information” within one year of the statute’s enactment.
HIPAA § 264(a). Congress specified that those
recommendations should address “at least” three areas: (1)“[t]he rights
that an individual who is a subject of individually identifiable health
information should have,” (2) “[t]he procedures that should be
established for the exercise of such rights,” and (3) “[t]he uses and
disclosures of such information that should be authorized or required.”
Id. § 264(b).
Congress also provided that, if it did not enact legislation covering
these matters within three years, HHS would be required to “promulgate
final regulations containing such standards” no later than 42 months
after HIPAA’s enactment. HIPAA § 264(c)(1). Congress
specified that the privacy regulations adopted by HHS
shall not supercede a contrary provision of State law, if the provision
of State law imposes requirements, standards, or implementation
specifications that are more stringent than the requirements,
standards, or implementation specifications imposed under the
regulation.
Id. § 264(c)(2). Congress directed HHS to
consult with both the Attorney General, HIPAA § 264(d), and the
National Committee on Vital and Health Statistics (“NCVHS”) – a federal
advisory committee established under the Public Health Service Act, 42
U.S.C. § 242(k), that was charged with providing advice on HIPAA’s
implementation, HIPAA § 263(4)(D).
B. The Evolution Of The Privacy Rule.
As mandated by Congress, HHS submitted recommendations for protecting
the privacy of individually identifiable health information on
September 11, 1997. Congress did not act by August 21, 1999, and,
under Section 264(c)(1) of HIPAA, HHS thereby became obligated to
promulgate privacy regulations.
1. The Proposed Original Privacy Rule.
In 1999, HHS issued a notice of proposed rulemaking, entitled
“Standards for Privacy of Individually Identifiable Health
Information,” 64 Fed. Reg. 59918 (Nov. 13, 1999). In that
proposed rule, HHS explained that the purpose of the Privacy Rule was
to “improve the efficiency and effectiveness” of health care services
“by providing enhanced protections for individually identifiable health
information.” Id. at 59918. At the same time, however, HHS
emphasized that “[i]ndividuals’ right to privacy in information about
themselves is not absolute.” Id. at 60008 (noting that privacy
rights must, for example, be balanced against law enforcement needs and
the reporting of public health information such as communicable
diseases). Thus, HHS sought to achieve “a balance,” allowing
important uses of such information while protecting the privacy of
individuals. Id. at 59927.
To achieve the proper balance, the proposed rule prohibited
covered health care providers from using or disclosing protected health
information except as provided by the rule. See 64 Fed. Reg. at
59924 (text of proposed 45 C.F.R. § 164.502(a)). Among
other things, the proposed rule allowed covered entities to use or
disclose individual health information without patient authorization
“to carry out treatment, payment, or health care operations,” JA 40A
(proposed 45 C.F.R. § 164.506(a)(1)(i)), and also permitted uses
and disclosures for certain public policy purposes, including research,
health oversight, and law enforcement, 64 Fed. Reg. at 60056-59
(proposed 45 C.F.R. § 164.510). However, for any purposes
not recognized by the rule, covered entities would have to obtain
specific authorizations before using or disclosing an individual’s
information. JA 41 (proposed 45 C.F.R. § 164.508).
In the proposed rule, HHS explained that the provision allowing uses
and disclosures of protected information without prior consent for
treatment, payment or health care operations – the “routine use”
provision at issue in this case – was necessary for the efficient
operation of the health care system. HHS observed that treatment
and payment “are the core functions of the health care system” for
which persons seeking medical care “expect their health information
will be used.” 64 Fed. Reg. at 59940. Likewise, “health
care operations” are routine activities directly related to the core
functions of treatment and payment, such as quality assurance,
performance reviews, underwriting, auditing, fraud detection, or legal
proceedings. Id. at 59933. As a result, HHS noted, allowing
disclosures for certain public policy purposes and for these routine
purposes without patients’ prior consent was “necessary for the smooth
operation of the health care system and for promoting key public goals
such as research, public health, and law enforcement.” Id. at
59923.
Notably, the proposed rule did not merely allow covered entities
to disclose protected health information for routine uses without
obtaining patients’ consent; it prohibited providers from seeking
consent to make disclosures for routine uses unless applicable law
required such consent. Id. at 59940-41; see also JA 41 (text of
proposed 45 C.F.R. § 164.508(a)(2)(iv)). HHS explained that
consent for these purposes could not provide meaningful privacy
protections because:
these authorizations provide individuals with little actual control
over their health information. When an individual is required to
sign a blanket authorization at the point of receiving care or
enrolling for coverage, that consent is often not voluntary because the
individual must sign the form as a condition of treatment or payment
for treatment.
64 Fed. Reg. at 59940. In lieu of consent for routine uses, the
proposed rule gave individuals the right to receive notices of
information practices from covered entities, detailing the permitted
uses and disclosures they intended to make of protected health
information. Id. at 59926, 5977-79. These notices were
intended to advise patients of their rights to request that a covered
entity restrict its uses or disclosures of their information, see 45
C.F.R. § 164.422(a), and to require covered entities to comply
with disclosure practices stated in the notices. 64 Fed. Reg. at
59945, 59978.
Finally, the proposed rule was not intended to supersede more
stringent state law or other privacy protections; it simply created “a
federal floor of privacy protection.” Id. at 59926.
2. The Original Privacy Rule.
Over a year later, after receiving over 52,000 public comments on the
proposed Privacy Rule, HHS promulgated a final version of the Privacy
Rule. See 65 Fed. Reg. 82462 (Dec. 28, 2000) (JA 333-358).
The “Original Rule” maintained the structure of the proposed rule, but
made a significant change by adopting a requirement that direct
treatment providers obtain prior consent for the use or disclosure of
health information for routine uses. JA 42; 65 Fed. Reg. at 82810
(former 45 C.F.R. § 164.506(a)(1)).
In adopting a consent requirement, HHS reiterated concerns it had
expressed in the proposed rule “about the coerced nature of consents
currently obtained by providers and plans relating to the use and
disclosures of health information.” JA 344 (65 Fed. Reg. at
82473). Despite the continuing validity of these concerns,
however, HHS acknowledged that it had received many public comments
indicating “that both patients and practitioners believe that patient
consent is an important part of the current health care system and
should be retained.” Ibid.
For example, HHS noted comments “that the approach proposed in
the NPRM actually reduced patient protections by eliminating the
opportunity for patients to agree to how their confidential information
would be used and disclosed.” JA 344. Although HHS
continued to “believe that the provisions in the NPRM that provided for
detailed notice to the patient and the right to request restrictions
would have provided an opportunity for patients and providers to
discuss and negotiate over information,” it acknowledged “that many
practitioners and patients believe the approach proposed in the NPRM is
not an acceptable replacement for the patient providing consent.”
Ibid. Thus, HHS believed at the time that the consent requirement
“could accommodate both the covered entity’s need to use or disclose
protected health information for treatment, payment and health care
operations and also the individual’s interests in understanding and
acquiescing to such uses and disclosures.” 65 Fed. Reg. at
82498. Accordingly, HHS altered the approach taken in the
proposed rule, stating that its “goal” in so doing was “to provide an
opportunity for and to encourage more informed discussions between
patients and providers about how protected health information will be
used and disclosed within the health care system.” JA 345 (65
Fed. Reg. at 82474).
The Original Rule required covered health care providers to
obtain patients’ consent “prior to using or disclosing protected health
information to carry out treatment payment, or health care operations,”
JA 42; 65 Fed. Reg. at 82810 (text of former 45 C.F.R. §
164.506(a)(1)), although even this requirement was qualified by a
number of important exceptions. The rule provided exceptions for
any provider who has “an indirect treatment relationship” with a
patient and for those offering treatment to prison inmates. 45
C.F.R. § 164.506(a)(2). And, the rule provided
exceptions in three other limited sets of circumstances, including
emergency treatment situations – so long as consent was sought as soon
as reasonably practicable after emergency treatment was provided.
Id. § 164.506(a)(3).
The rule also stated that the forms used to obtain patients’
consent must: (1) include a general statement that protected health
information may be used to carry out treatment, payment or health care
operations, (2) refer patients to the provider’s notice of privacy
practices, (3) inform patients of their right to request restrictions
on the use and disclosure of their protected health information, and
(4) inform patients of their right to revoke consent at any time.
JA 42 (65 Fed. Reg. at 82810). The Original Rule further provided
that “covered health care providers may condition treatment on the
provision by the individual of a consent under this section.” JA
42 (text of former 45 C.F.R. § 164.506(b)(1)).
Compliance with the Privacy Rule was not required until April 14,
2003. Thus, the rule conferred no immediate right on
patients to stop uses or disclosures of protected health information
without their consent. Moreover, the Original Rule allowed health
care providers that provide direct treatment to use or disclose
individual health information created or obtained prior to the
compliance date based on patient consent obtained prior to that date,
even if the pre-existing consent did not meet the formal requirements
of the rule. 65 Fed. Reg. at 82828. Absent such consent,
direct treatment providers were prohibited from using or disclosing
protected health information obtained prior to April 14, 2003 for
routine uses as of that date. Ibid.
Finally, like the proposed rule, the Original Rule did not
preempt state law or other provisions that provided more stringent
privacy protections for individually identifiable health
information. 65 Fed. Reg. at 82800-01.
3. The Proposed Amended Privacy Rule.
After publication of the Original Rule, HHS received numerous inquiries
and comments raising questions and concerns about the impact and
operation of the rule on various sectors of the health care industry,
focusing primarily on the rule’s complexity and workability. As a
result, in February 2001, HHS solicited additional public comments on
the rule “to ensure that the provisions of the Privacy Rule would
protect patients’ privacy without creating unanticipated consequences
that might harm patients’ access to [quality] health care.” 66
Fed. Reg. 12738, 12739 (Feb. 28, 2001). During the thirty-day
comment period that followed, HHS received approximately 11,000
additional comments on the Original Rule. Many of these comments
identified potential adverse effects that the consent requirement for
routine uses would have on access to, and the delivery of, health care
services. See generally JA 367-830 (selected comments raising
concerns about consent requirement).
For example, many pharmacists explained that the consent
requirement would prevent them from filling prescriptions, searching
for potential drug interactions, or verifying coverage if an individual
had not already provided consent before arriving to pick up a
prescription and that this problem would be exacerbated in the case of
patients too ill or elderly to pick up their own prescriptions.
See, e.g., JA 371, 373, 377, 649, 820. Likewise, hospital
representatives explained that the consent requirement would prevent
them from using information from referring physicians to schedule and
prepare for procedures before a patient arrives for treatment.
See, e.g., JA 542, 670-71, 497, 520-21, 818, 866. Finally,
emergency medical providers expressed concerns over what circumstances
would qualify for the “emergency treatment” exception to the consent
requirement, and explained that compliance with the requirement that
they seek consent as soon as reasonably practicable after an emergency
would significantly increase their administrative burdens and divert
their resources from responding to other emergencies. See, e.g.,
JA 408-12, 418-23, 719. See also JA 930-31 (summarizing public
comments in proposed rule).
As a result of these and numerous other comments – including a
report by the General Accounting Office, JA 815-25, and an August 2001
hearing held by the NCVHS, JA 833-917 (the advisory committee Congress
directed HHS to consult with in promulgating privacy standards, see
HIPAA § 264(d)) – HHS proposed several modifications to the
Original Privacy Rule, including elimination of the consent requirement
for routine uses. See 67 Fed. Reg. 14776 (Mar. 27, 2002)
(excerpts at JA 927-934).
HHS proposed to replace the consent requirement in the Original Rule
with a new provision, 45 C.F.R. § 164.506(a),
that would provide regulatory permission for covered entities to use or
disclose protected health information for treatment, payment, and
health care operations, and a new provision at § 164.506(b) that
would allow covered entities to obtain consent if they choose to, and
make clear that such consent may not permit a use or disclosure of
protected health information not otherwise permitted by the Privacy
Rule.
67 Fed. Reg. at 14781. In addition, in order to enhance the
opportunities for individuals to discuss privacy practices with their
health care providers, HHS proposed to strengthen the requirements
regarding notices of privacy practices, by requiring direct treatment
providers to make good faith efforts to obtain patients’ written
acknowledgments that they have received the notices. Id. at 14780
(JA 931).
As HHS explained in the Proposed Amended Rule, these modifications were
responsive to numerous public comments raising “issues and serious
concerns that the consent requirements will impede access to, and the
delivery of, quality health care.” Id. at 14779 (JA 930).
Summarizing a few of the comments from pharmacists, hospitals, and
emergency treaters outlined above, HHS stated that
many covered entities described an array of circumstances when
they need to use or disclose protected health information for
treatment, payment, or health care operations purposes prior to the
initial face-to-face contact with the patient, and therefore prior to
obtaining consent.
Ibid. In light of these and other comments, including a
recommendation from the NCVHS that HHS should “consider circumstances
in which protected health information could be used and disclosed
without an individual’s prior written consent,” id. at 14790 (JA 931);
see JA 918-23, HHS proposed to eliminate the consent requirement for
routine uses. At the same time, HHS proposed to add a new
provision to the Privacy Rule that would allow covered entities to
obtain consent if they chose to, and would “make clear that such
consent may not permit a use or disclosure of health information not
otherwise permitted or required by the Privacy Rule.” JA 932 (67
Fed. Reg. at 14781).
4. The Final Amended Privacy Rule.
After considering over 11,400 comments received during the
thirty-day period following publication of the proposed rule, HHS
promulgated a Final Amended Privacy Rule eliminating the consent
requirement contained in the Original Rule. See 67 Fed. Reg.
53182 (Aug. 14, 2002) (JA 1376-87). The Final Amended Rule
allowed covered entities to seek consent to use or disclose information
for routine uses if they chose to, and retained virtually all the other
privacy protections contained in the Original Rule, including the
requirement to obtain authorization for any uses or disclosures not
permitted by the rule. JA 1381. Like earlier versions of
the rule, the final rule also expressly provided that state law will
not be preempted if it provides more stringent standards for protecting
the privacy of individually identifiable health information. 45
C.F.R. § 160.203(b).
In explaining its rationale for eliminating the consent requirement for
routine uses, HHS reiterated the primary concern expressed in the
proposed rule: that the consent requirement would “result in
unintended consequences that impede the provision of health care in
many critical circumstances.” JA 1380 (67 Fed. Reg. at
53210). In addition, HHS noted that it was “also concerned that
other such unintended consequences may exist which have yet to be
brought to our attention.” Ibid. HHS then reviewed the
voluminous public comments relating to the issue of consent and offered
detailed responses. JA 1380-85.
HHS first noted that “almost all of the commenters that discussed
consent acknowledged that there are unintended consequences of the
consent requirement that would interfere with treatment.” JA 1380
(67 Fed. Reg. at 53210). HHS explained that the comments offered
two potential approaches to fixing these problems: “adopting a
single solution that would address most or all of the concerns,” or
“adopting changes targeted to each specific problem.” Ibid.
One goal in making modifications to the Privacy Rule was “to simplify,
rather than add complexity to, the Rule,” and another was “to assure
that the Privacy Rule does not hamper necessary treatment.” For
both of these reasons, HHS was concerned with adopting different
changes for different issues related to consent, and thus explained
that the options that it “most seriously considered were those that
would provide a global fix to the consent problem.” Ibid.
Nonetheless, after carefully considering the various global options
proposed, HHS concluded that “each had some flaw or failed to address
all of the treatment-related concerns brought to our attention.”
JA 1382 (67 Fed. Reg. at 53212).
For example, HHS rejected comments suggesting “that the Rule be
modified to require a good faith effort to obtain consent at first
service delivery,” because they “failed to explain how that approach
would provide additional protection than the approach we
proposed.” JA 1382. Likewise, HHS
decided against eliminating the consent requirement only for uses and
disclosures for treatment, or only for uses of protected health
information but not for disclosures because these options fall short of
addressing all of the problems raised. Scheduling appointments
and surgeries, and conducting many pre-admission activities are health
care operations activities, not treatment.
Ibid. Similarly, HHS explained that “[r]etaining the
consent requirement for payment would be problematic because, in cases
where a provider, such as a pharmacist or hospital, engages in a
payment activity prior to face-to-face contact with the individual, it
would prohibit the provider from contacting insurance companies to
obtain pre-certification or to verify coverage.” Ibid.
Given the flaws in these and other global approaches proposed, and the
“substantial amount of support from commenters for the approach taken
in the NPRM” (including support from the NCVHS, JA 1380), HHS concluded
that eliminating the consent requirement “makes the most sense and
meets the goals of not interfering with access to quality health care
and of providing a single standard that works for the entire
industry.” JA 1382 (67 Fed. Reg. at 53212).
At the same time, however, HHS continued to recognize the
importance of preserving patients’ opportunities “to discuss privacy
practices” with their medical providers, and to be involved “in
decisions related to the use and disclosure of protected health
information.” JA 1380 Accordingly, the Final Amended Rule
“strengthen[ed] the notice requirements to preserve the opportunity for
individuals to discuss privacy practices and concerns with providers,”
JA 1381 (67 Fed. Reg. at 53211), by requiring direct treatment
providers to make good-faith efforts to obtain their patient’s written
acknowledgment that they have received the provider’s notice of privacy
practices, 67 Fed. Reg. at 53239-40 (45 C.F.R. §
164.520(c)(2)(ii)).
Finally, HHS emphasized that the Final Amended Rule retained several
other provisions critical to the protection of privacy, including the
requirement that covered entities must obtain a patient’s
authorization, under 45 C.F.R. § 164.508, for any uses or
disclosures of protected health information not otherwise permitted
under the rule, and the right of patients to request additional
restrictions on the use or disclosure of their health information,
pursuant to 45 C.F.R. § 164.522(a), which would then bind covered
entities that agreed to such restrictions. See JA 1381 (67 Fed.
Reg. at 53211).
C. Proceedings In This Case.
Plaintiffs, a group of health care providers, individuals, and
health care organizations, filed suit in district court challenging
HHS’s decision not to require consent for routine uses in the Final
Amended Privacy Rule. Plaintiffs argued: (1) that HHS violated
the APA by failing to provide a reasoned explanation for its decision
to eliminate the consent requirement for routine uses, (2) that HHS
exceeded its authority under the HIPAA by eliminating that requirement,
and (3) that HHS’s decision not to require consent for routine uses in
the Final Amended Privacy Rule violated plaintiffs’ constitutional
rights, including their right to privacy and a First Amendment right to
confidential physician-patient communications.
On cross-motions for summary judgment, the district court upheld
the Final Amended Privacy Rule in all respects. JA 1-15.
After describing the applicable regulatory framework and the evolution
of the Privacy Rule, the court first held that at least one of the
plaintiffs, Dr. Deborah Peel, had standing to challenge the rule.
The court concluded that Dr. Peel had demonstrated “injury in fact”
because the Final Amended Rule “changed the legal landscape established
by the Original Rule for the disclosure of health information for
routine purposes,” JA 9, and also held that there was sufficient
causation for standing purposes “because the Amended Rule has a
sufficiently determinative or coercive effect on the action of the
providers,” JA 10. Moreover, the court held that Dr. Peel
had demonstrated redressability because “it is not ‘merely speculative’
that vacating the Amended Rule and reinstating the Original Rule would
redress Dr. Peel’s alleged injury.” Ibid.
Turning to plaintiffs’ APA claim, the district court held that
HHS had provided a reasoned explanation for its decision to eliminate
the consent requirement and had adequately examined and responded to
the relevant data and public comments. JA 11-13. Among
other things, the court noted that HHS had properly relied on numerous
public comments which “indicated that the consent requirement
represented a significant change in practice and could substantially
impair delivery of health care,” and stated that HHS had adequately
“explained that rescinding the consent requirement solved the
identified health care delivery problems caused by the requirement in
the most efficient manner.” JA 11. The court also
emphasized HHS’s findings that “incorporating targeted fixes as
suggested by some commenters would make the rule even more complex,
without solving all of the problems.” JA 11 (citing 67 Fed. Reg.
at 53212).
Likewise, the court held that HHS had examined the relevant data and
had not taken any action inconsistent with its previous findings.
Among other things, the court found that HHS “never stated that the
right to privacy was absolute when it implemented the Original Rule,”
and emphasized that “[p]rivacy concerns were always to be balanced
against the goal of improving efficiency of the health care
system.” JA 12. “Indeed,” the court noted, “the very
findings that supported the Original Rule had supported the initial
proposal to prohibit consent.” Ibid. The court stated that
“[c]onsent in the Original rule was required to provide patients with
the opportunity to discuss privacy practices and request further
restrictions,” and noted HHS’s explanation that “the Amended Rule
achieves the same goal through its more stringent notice
requirements.” Ibid. As a result, the court held that “the
Secretary examined the relevant data and the Secretary’s explanation
shows more than a mere rational connection between the facts and the
choice to rescind the consent requirement.” Ibid.
In addition, the court held that HHS had adequately responded to
public comments because it “considered the relevant factors Congress
intended the agency to consider,” such as the efficiency and
effectiveness of the health care system and the privacy of health
information. JA 12-13. In the end, the court concluded, the
Secretary “just balanced the factors in a way with which the plaintiffs
disagree.” JA 13.
With respect to plaintiffs’ claim that HHS had exceeded the scope of
its authority under the HIPAA, the district court first noted that “[a]
regulation falls within the scope of statutory authority as long as it
is reasonably related to the purposes of the enabling
legislation.” JA 13 (citing Mourning v. Family Publications
Serv., Inc., 411 U.S. 356, 369 (1973)). The court found that the
regulation easily satisfied this standard because the agency’s “mandate
is to balance privacy protection and the efficiency of the health care
system – not simply to enhance privacy.” JA 13.
In addition, the court held that the Final Amended Privacy Rule
was not impermissibly retroactive in any respect. Although the
Original Rule became effective on April 14, 2001, covered entities were
not required to comply with that rule – including the consent
requirement – for two years. Because “[c]overed entities were
never under a legal obligation to comply with the Original Rule’s
consent requirement,” the court held that “the Original Rule did not
create rights that were subsequently eliminated by the Amended
Rule.” JA 14. Likewise, relying on the non-preemption
provisions in both HIPAA and the Privacy Rule itself, the court also
held that “the Amended rule does not impair any stricter privacy rights
created by state law, ethical codes or standards of practice.” JA
13.
Finally, the court rejected plaintiffs’ argument that HHS’s
decision to eliminate the consent requirement for routine uses in the
Final Amended Privacy Rule violates their constitutional rights.
Assuming, without deciding, “that the plaintiffs have a constitutional
right to privacy over their medical records and to patient-health care
provider communications,” the court held that the final Privacy Rule
does not violate those rights because it “is wholly permissive with
respect to whether a covered entity should seek consent from a patient
before using his or her information for routine purposes.” JA
14. Because the rule does not “place obstacles in the paths of
patients seeking to have confidential communications with their health
care providers,” and “does not require doctors to do anything with
respect to routine uses of health care information,” the court
concluded that “it does not affirmatively interfere with any
right.” Ibid. Indeed, the court noted, “[t]o the extent the
Amended Rule mandates any actions, it protects plaintiffs’ putative
rights” by, for example, prohibiting “covered entities from disclosing
and using health information for reasons unrelated to health care
without proper authorization.” JA 15. Thus, characterizing
plaintiffs’ claim as a challenge to HHS’s decision “not to compel
covered entities to obtain prior consent,” the court concluded that the
Constitution “does not command the Secretary to act affirmatively to
protect such rights.” Ibid.
SUMMARY OF ARGUMENT
In enacting HIPAA, Congress sought to improve the efficiency of the
nation’s health care system by promoting standards for the electronic
transmission of health information. Recognizing that increased
transmission of medical information could increase the risk that
confidential information might be improperly disclosed, Congress also
directed HHS to promulgate standards to protect patient privacy.
The final Privacy Rule issued by HHS reflects a balance between HIPAA’s
two primary goals: promoting efficiency and cost-savings in the
delivery of health care services, and protecting the privacy of
individual medical information. The Privacy Rule prohibits the
use or disclosure of individually identifiable health information
except as specifically permitted under the rule, and it does not
displace any state law or other provisions that provide more stringent
privacy protections.
Where not superseded by provisions of state law providing “more
stringent” privacy protections, the Privacy Rule also permits the
limited use and disclosure of individually identifiable health
information for certain “routine uses” (i.e., treatment, payment, or
health care operations) without patients’ prior consent. That is
because such uses and disclosures are critical to the timely and
efficient delivery of health care and because numerous public comments
received by HHS during the extensive rulemaking proceedings for the
Privacy Rule demonstrated that imposing a consent requirement in this
context would give rise to a host of unintended consequences that could
substantially impair and delay the delivery of health care.
In promulgating the final Privacy Rule, HHS explained that the
difficulties created by a consent requirement in the routine use
context would not be offset by a significant gain in privacy
protections. As the agency consistently recognized throughout the
rulemaking process, consent, which is frequently involuntary, would not
provide significant additional privacy protections in the context of
routine uses, because medical providers could always refuse treatment
absent consent to their disclosure practices. Thus, although a
consent requirement could provide an opportunity for patients to
discuss disclosure practices with their providers, HHS reasonably
concluded that functionally equivalent benefits could be realized by
strengthening the provisions governing notice of privacy practices.
Plaintiffs contend that HHS’s decision to eliminate the consent
requirement for routine uses in the final version of the Privacy Rule
violated the Administrative Procedure Act, exceeded the scope of HHS’s
authority under HIPAA, and violated their constitutional right to
privacy in their medical records and their First Amendment rights to
confidential physician-patient communications. As the district
court correctly held, each of these arguments is without merit.
I. As noted, HIPAA does not mandate the imposition of a consent
requirement in the context of routine uses. To the contrary, the
statute expressly recognizes the need to balance efficiency in the
delivery of health care with privacy interests and delegates to HHS the
task of promulgating a Privacy Rule reflecting a proper balance between
these competing considerations. As the district court correctly
observed, nothing in the statute’s broad delegation of authority to HHS
requires the agency “to maximize privacy interests over efficiency
interests.” JA 13.
Throughout the extensive rulemaking proceedings, HHS at no time
believed that a consent requirement for routine uses was statutorily
compelled. To the contrary, at every stage in the process, the
agency recognized the need to strike a balance between gains in
efficiency and gains in privacy. And, at every stage, HHS
provided a reasoned explanation for the balance it struck. The
agency consistently recognized that the consent requirement would
provide only marginal added privacy protections in the routine use
context. Thus, when numerous public comments underscored the
adverse consequences that would likely flow from imposing a consent
requirement, HHS modified the Privacy Rule to make consent for routine
uses optional, while simultaneously strengthening the notice provisions
of the rule to ensure that patients would have an adequate opportunity
to discuss disclosure practices with their providers.
Plaintiffs do not seriously contend that HHS acted unreasonably
in assessing the adverse impact that would result from a consent
requirement. Instead, plaintiffs argue primarily that HHS failed
to draw the proper conclusions from the public comments and failed
adequately to consider “more targeted” alternative approaches to
eliminating the consent requirement. At bottom, however, these
arguments do not demonstrate that HHS acted unreasonably; they reflect
plaintiffs’ preference for a different approach than the one HHS
adopted. But neither plaintiffs nor the courts may substitute
their judgment for that of the agency charged by Congress to evaluate
competing policy considerations and strike the proper balance between
privacy concerns and efficiency in the delivery of health care.
Because HHS examined the relevant evidence and provided a rational
explanation for the facts found and the choices made, its decision to
eliminate the consent requirement in the final Privacy Rule must be
sustained.
II. Plaintiffs’ constitutional claims do not advance their
argument. Even assuming (as the district court did) that
plaintiffs have a constitutional right to privacy regarding their
health information and medical records, the Privacy Rule promulgated by
HHS to enhance the protection of that right does not violate the
Constitution. The Privacy Rule does not diminish otherwise
existing privacy protections, and the Constitution clearly does not
require the agency to enact new protections meeting plaintiffs’
preferred standards. As the district court recognized, “[b]ecause
the Amended Rule does not compel anyone to use or disclose the
plaintiffs’ health information for routine purposes without the
plaintiffs’ consent,” JA 14-15, it does not even implicate, much less
violate, their constitutional rights.
STATEMENT OF RELATED CASES AND PROCEEDINGS
This case has not previously been before this Court, and we are unaware
of any related proceeding before this Court or any other court of
appeals.
STANDARD OF REVIEW
An agency’s decision to rescind or modify a regulation is reviewed
under the same “arbitrary or capricious” standard that the APA applies
to the initial promulgation of a rule. See Motor Vehicle Mfrs.
Ass’n v. State Farm Mut. Ins. Co., 463 U.S. 29, 41 (1983). Under
this deferential standard, a court may not “substitute its judgment for
that of the agency.” Id. at 43. Judicial review is instead
limited to determining whether the agency has articulated a “rational
connection between the facts found and the choice made . . . whether
the decision was based on a consideration of the relevant factors and
whether there has been a clear error of judgment.” Ibid.
(internal quotations and citations omitted). So long as the
agency provides a reasoned explanation for its action, it must be
upheld. See Fertilizer Institute v. Browner, 163 F.3d 774, 778
(3d Cir. 1998); CK v. New Jersey Dep’t of Health and Human Servs., 92
F.3d 171, 182 (3d Cir. 1996); Frisby v. HUD, 755 F.2d 1052, 1055 (3d
Cir. 1985).
Questions of law, such as the scope of HHS’s authority under the HIPAA
and the constitutionality of the agency’s actions, are subject to de
novo review.
ARGUMENT
I. HHS ACTED WELL WITHIN ITS DISCRETION UNDER HIPAA
AND PROVIDED A REASONED EXPLANATION FOR ITS DECISION NOT TO INCLUDE A
CONSENT REQUIREMENT FOR ROUTINE USES IN THE FINAL PRIVACY RULE.
In enacting HIPAA, Congress sought to improve “the efficiency and
effectiveness of the health care system,” by developing “standards and
requirements for the electronic transmission of certain health
information.” HIPAA § 261 (JA 27). To accomplish this
goal, Congress directed HHS, among other things, to adopt uniform
standards “to enable health information to be exchanged
electronically.” Id. § 262 (JA 31). Congress also
instructed HHS to submit “detailed recommendations on standards with
respect to the privacy of individually identifiable health information”
within one year of the statute’s enactment. HIPAA §
264(a). Congress specified that those recommendations should
address “at least” three areas: (1) “[t]he rights that an
individual who is a subject of individually identifiable health
information should have,” (2) “[t]he procedures that should be
established for the exercise of such rights,” and (3) “[t]he uses and
disclosures of such information that should be authorized or required.”
Id. § 264(b) (JA 39).
The final Privacy Rule adopted by HHS provides a panoply of
protections for the privacy of individually identifiable health
information. See generally JA 1381 (67 Fed. Reg. at 53211).
It prohibits the use or disclosure of protected health information
except as expressly permitted by the rule, and it requires covered
entities to obtain a patient’s authorization for uses or disclosures
not otherwise permitted. See 45 C.F.R. § 164.508. It
permits, but does not require, covered entities to obtain patients’
consent for routine uses of their protected health information, and it
also makes clear that such consent does not constitute authorization
for uses or disclosures other than routine uses. Id. §
164.506(b). It allows individuals to request restrictions on the
use and disclosure of their protected health information, id. §
164.522(a), and allows individuals and covered entities to enter
agreements reflecting such restrictions. It requires covered
entities to make good-faith efforts to obtain their patients’ written
acknowledgment that they have received the provider’s notice of privacy
practices, id. § 164.520(c)(2)(ii). And, it does not
displace “more stringent” privacy protections under state law or other
provisions. HIPAA § 264(c)(2); 45 C.F.R. § 160.203.
Plaintiffs here challenge that aspect of the final Privacy Rule
that deals with disclosures of medical information for treatment,
payment, or health care operations. In promulgating that rule,
HHS concluded that very real threats to efficiency created by the
imposition of a consent requirement would not be offset by meaningful
gains in privacy protection. Accordingly, the agency did not
require advance consent in these circumstances and, instead,
strengthened the requirement for covered health care providers who
provide direct treatment to distribute notices of privacy practices “to
preserve the opportunity for individuals to discuss privacy practices
and concerns with their providers.” JA 1381 (67 Fed. Reg. at
53211). Moreover, the final Privacy Rule expressly allows such
providers to seek consent in this context if they choose to do
so. 45 C.F.R. § 164.506(b).
As the district court recognized, the final Privacy Rule in no sense
contravenes any specific statutory command. To the contrary, as
the language quoted above demonstrates, HIPAA confers broad rulemaking
authority on HHS to promulgate privacy standards. As the
district court observed, HHS’s modifications to the final Privacy Rule
fall well within that grant of authority because they “are reasonably
related to the legislative purpose of Subtitle F.” JA 13.
Relying on snippets of legislative history from HIPAA, plaintiffs
contend that “[t]here is no evidence of Congressional intent to
sacrifice the public’s medical privacy to the interests of covered
entities in efficiency and ‘flexibility’ as the Secretary as done in
the Amended Rule.” Pl. Br. 39. This rhetorical declaration
mischaracterizes both the content of the Privacy Rule and the
requirements of HIPAA. As explained above, the final Privacy Rule
establishes comprehensive protections for the privacy of individually
identifiable health information. See JA 1381 (67 Fed. Reg. at
53211). The agency’s decision not to impose a consent requirement
for routine uses thus by no means “eliminates medical
privacy.” It is simply a modification to one component of
the many provisions of the Privacy Rule that provide new federal
protections for the overall privacy of medical records and information.
At no point in the extensive rulemaking history did HHS believe
that the particular requirement sought by plaintiffs was statutorily
compelled. From the time of its first proposed rule, HHS
recognized that the task before it was to create privacy protections
that would not undermine the enhanced efficiency that is an express
goal of the HIPAA. See JA 27 (HIPAA § 261) (noting that
purpose of administrative simplification provisions is to improve “the
efficiency and effectiveness of the health care system”). Indeed,
the initial version of the Privacy Rule HHS proposed would have
prohibited covered entities from seeking consent to make disclosures
for routine uses. See JA 41 (text of proposed 45 C.F.R. §
164.508(a)(2)(iv)).
The agency’s reluctance to impose a consent requirement in the
context of routine uses reflects a consistent recognition that such a
requirement would likely provide little meaningful privacy protection
or offer patients any real control over the use of their health care
information. Because physicians could simply refuse to provide
treatment absent consent, the consent process would inevitably include
a strong element of coercion. See 64 Fed. Reg. at 59940; JA 351
(65 Fed. Reg. at 82648). The primary virtue of a consent
requirement would be “to provide an opportunity for and to encourage
more informed discussions between patients and providers about how
protected health information will be used and disclosed within the
health care system,” JA 345 (65 Fed. Reg. 82474).
Ultimately, HHS concluded, consistent with its original proposed rule,
that the benefits of a consent requirement could be achieved in other
ways, such as by strengthening the requirement to distribute notices of
privacy practices and thus enhancing opportunities for patients to
discuss those practices with their providers. In reaching this
conclusion, HHS analyzed public comments, testimony, and the expert
recommendations of the NCVHS (the advisory committee Congress directed
HHS to consult with in promulgating the Privacy Rule) demonstrating
that the consent requirement would substantially impede the delivery of
health care services, resulting in delay and inconvenience for patients
and, in certain critical situations, threatening the health or
well-being of persons in need of medical treatment. See JA
1379-80 (67 Fed. Reg. at 53209-10) (summarizing public comments).
For example, the consent requirement would likely have interfered
with patients’ timely access to prescription drugs, see JA 371, 373,
377, 649, 820, delayed or interfered with treatment by specialists and
hospitals receiving referrals from other physicians, see JA 542,
670-71, 497, 520-21, 818, 866, and interfered with treatment by
emergency medical providers, see JA 408-12, 418-23, 719. As HHS
summarized,
The most troubling, pervasive problem was that health care providers
would not have been able to use or disclose protected health
information for treatment, payment, or health care operations purposes
prior to their initial face-to-face contact with the patient, something
which is routinely done today to provide patients with timely access to
quality health care.
JA 1379 (67 Fed. Reg. 53209).
Plaintiffs do not seriously dispute that the public comments
identified significant adverse impacts on patients’ access to health
care. JA 1380 (67 Fed. Reg. at 53210) (noting that “almost all of
the commenters that discussed consent acknowledged that there are
unintended consequences of the consent requirement that would interfere
with treatment”). Nor could they, as a wide range of individuals
and institutions – including the NCVHS, JA 919-21, and the GAO, JA
822-24 – expressed serious concerns about the likely negative impact of
that requirement. Indeed, the NCVHS supported eliminating the
consent requirement in the context of routine uses, noting that HHS’s
revision “strikes the proper balance between the benefits of informing
and empowering patients and the burdens of requiring covered entities
to have patients complete additional paperwork.” JA 935.
Instead, plaintiffs argue that HHS failed to address various comments
and alternatives with sufficient specificity. As the district
court recognized, however, these arguments reveal not a flaw in the
rulemaking but a disagreement with HHS’s conclusion.
Plaintiffs assert that 5,000 comments urged HHS to retain the consent
requirement while 4,000 comments urged HHS to revoke that requirement,
and that 3,000 of the “anti-consent” comments “were submitted by
hospitals, health facilities and insurers, and many were form letters
generated by a few large insurance companies and health system.”
Pl. Br. 56. However, the issue is not the sheer volume of
comments on side or another of a specific question, but whether the
agency considered the relevant factors as revealed by “the policy,
purpose, and goals set forth in the applicable statute.” Frisby,
755 F.2d at 1057. See also City of Waukesha v. EPA, 320 F.3d 228,
257 (D.C. Cir. 2003).
Even a cursory examination of the final Privacy Rule demonstrates
that HHS “balanced the privacy implications of uses and disclosures for
treatment, payment, and health care operations and the need for these
core activities to continue.” JA 1378 (67 Fed. Reg. at
53208). Among other things, HHS took privacy interests into
account by allowing health care providers to obtain consent for routine
uses of protected medical information (in contrast with the Proposed
Rule’s prohibition on consent), and by strengthening the notice
provisions requiring providers to obtain a written acknowledgment of
receipt of the notice – thereby enhancing opportunities for patients to
discuss disclosure practices with their providers. Thus, as the
district court recognized, plaintiffs’ claim was not that HHS ignored
the relevant factors but that it “balanced the factors in a way with
which the plaintiffs disagree.” JA 13.
Contrary to plaintiffs’ assumption, HHS was not required to
specifically address all comments and proposed alternatives.
Although plaintiffs identify a variety of specific comments HHS
allegedly “failed to address,” Pl. Br. 57, plaintiffs’ own description
of HHS’s responses in many cases demonstrates not that HHS ignored
comments but that the agency responded in a way that plaintiffs believe
was insufficiently attuned to their views of the best ways to protect
privacy.
For example, plaintiffs contend that HHS “summarily dismissed”
concerns raised by the American Medical Association that optional
consent, combined with a broad definition of “health care operations,”
would compel patients to permit a broad range of uses and disclosures.
Pl. Br. 57. However, plaintiffs acknowledge (as they must) that
HHS specifically responded to the AMA’s comments by stating “that
narrowing the definition of ‘health care operations’ would place
serious burdens on covered entities and impair their ability to conduct
legitimate business and management functions.” JA 1382 (67 Fed.
Reg. at 53212). Plaintiffs’ stated belief that “[t]his response
ignored the thrust of the comment that the loss of medical privacy
would compel patients to allow their health information to be used
against their will,” Pl. Br. 57, does not demonstrate that HHS ignored
the AMA’s comments; it shows only that plaintiffs disagree with how HHS
chose to address these comments.
Likewise, plaintiffs criticize HHS for not citing “a single
example where access to quality health care actually had been delayed
due to obtaining patient permission for the use and disclosure of
health information.” Pl. Br. 47. But this charge is highly
misleading because, as noted, HHS eliminated the consent requirement
long before health care providers ever had to comply with it.
And, although plaintiffs suggest that examples of negative impacts from
a consent requirement for routine uses should have been available
because “consent has been required throughout the nation’s history by
federal and state statutory and common law and standards of medical
practice,” Pl. Br. 48, the administrative record demonstrates that it
is not standard practice among health care providers to obtain prior
written consent before using or disclosing protection health
information for many routine uses. See e.g., JA 344 (65 Fed. Reg.
at 82473) (examining state laws and noting that, “[u]nder these
exceptions, providers can disclose health information without any
consent or authorization from the patient”).
HHS also provided a reasoned explanation for its decision not to rely
on piecemeal solutions to specific problems. Because the
treatment-related obstacles and other problems identified by commenters
were numerous and varied – and even more problems could reasonably be
anticipated after compliance with the Privacy Rule was required – HHS
was concerned that individual fixes would simply add complexity to an
already-complex rule, while still overlooking important problems.
JA 1379-82 (67 Fed. Reg. at 53209-12). HHS thus explored the
“global approaches” proposed by various commenters, but explained that
“each had some flaw or failed to address all of the treatment-related
concerns brought to our attention.” JA 1382.
In the end, plaintiffs largely ignore the explanations HHS
provided for its actions while faulting the agency for not providing
more complete responses to other comments. But the focus and
extent of HHS’s responses to comments and proposed alternatives reflect
the agency’s expert judgment concerning the relative importance of
different issues. Although plaintiffs clearly disagree with the
manner in which HHS chose to address the voluminous administrative
record before it, their belief that the explanations HHS gave for
rejecting various alternatives were inadequate – no matter how strongly
held – does not demonstrate that the agency failed to respond
adequately to public comments. Because HHS adequately considered
the most significant concerns raised by public comments and responded
in detail to those it concluded were the most important, the agency
fully satisfied the “reasoned decision-making” requirement under the
APA.
In a different vein, plaintiffs also argue that HHS did not adequately
address comments suggesting that the Privacy Rule would effectively
supersede more stringent state law and ethical standards, Pl. Br.
51-53. But both the Privacy Rule and HIPAA expressly state that
“more stringent” state privacy protections will not be preempted.
See 45 C.F.R. § 160.203(b); HIPAA § 264(c)(2) (JA
39-40). HHS thus responded to these comments by noting that the
“Privacy Rule provides a floor of privacy protection” and does not
displace any more stringent state laws or ethical standards. JA
1382 (67 Fed. Reg. at 53212).
Plaintiffs contend that this response is “misleading” because the
government has “successfully argued that state statutes and
common laws which require consent or afford a physician-patient
privilege are overridden by the Amended Rule in federal question
cases.” Pl. Br. 52 (citing Northwestern Memorial Hosp. v.
Ashcroft, 362 F.3d 923 (7th Cir. 2004)). As a careful reading of
the Seventh Circuit’s decision in Northwestern Memorial demonstrates,
however, the government argued solely that the evidentiary privileges
established under Fed. R. Evid. 501 are not displaced by HIPAA.
362 F.3d at 925 (“we agree with the government that the HIPAA
regulations do not impose state evidentiary privileges on suits to
enforce federal law”). The government has never taken the
position that the Privacy Rule overrides more stringent state or
ethical privacy standards. Under the plain terms of both HIPAA
and the Privacy Rule itself, state laws providing more stringent
privacy standards remain applicable. In addition, “professional
standards that are more protective of privacy retain their
vitality.” JA 1382.
Plaintiffs also seek to minimize the deference accorded to HHS’s
regulation by arguing that it “reverses a ‘settled course of
action.’” Pl. Br. 43 (citing cases). But an agency is
entitled to deference so long as it provides a reasoned explanation for
its actions and articulates “a rational connection between the facts
found and the choices made.” State Farm, 463 U.S. at 41-42;
Frisby, 755 F.2d at 1055.
In any event, the consent requirement adopted in an earlier version of
the Privacy Rule was far from settled. The inclusion of a consent
requirement in the Original Rule was a departure from the Proposed
Original Rule, see JA 1379 (noting that consent requirement “was a
significant change” from the proposed rule), and within two months of
its adoption in December 2000, HHS reopened the rulemaking process to
reconsider that requirement, after receiving numerous unsolicited
comments raising concerns about the adverse consequences that it would
likely have on the delivery of health care. See 66 Fed. Reg.
12738 (Feb. 28, 2001). Because the consent requirement was thus
called into question almost immediately upon its promulgation – and
long before covered entities were ever required to comply with it – the
inclusion of that requirement in the Original Rule cannot reasonably be
deemed a settled course of action triggering a presumption that
subsequent changes are unreasonable.
Finally, plaintiffs’ contention that HHS exceeded its rulemaking
authority by engaging in retroactive rulemaking, Pl. Br. 40-41, is
wholly without merit. As the district court explained, the final
Privacy Rule did not eliminate any vested rights. JA 14.
Compliance with the Original Privacy Rule (which contained the consent
requirement for routine uses) was not required until April 14, 2003,
but the final Privacy Rule (eliminating the consent requirement) was
promulgated well before that date, on August 14, 2002. JA
1376. Thus, because “[c]overed entities were never under a legal
obligation to comply with the Original Rule’s consent requirement . . .
the Original Rule did not create rights that were subsequently
eliminated by the Amended Rule.” JA 14.
Ignoring the timing of the modifications to the Privacy Rule
outlined above, plaintiffs contend that they “have ‘settled
expectations’ that information placed in their medical records prior to
the compliance date of the Amended Rule would not be used or disclosed
in routine situations without their consent.” Pl. Br.
40-41. On its face, this assertion makes no sense; information
placed in medical records prior to the compliance date of the Original
Rule could, by definition, be disclosed without consent until the
compliance date for the new rule. Thus, HHS’s decision to
eliminate the consent requirement clearly did not attach any new
consequences to plaintiffs’ conduct.
II. HHS’S DECISION NOT TO INCLUDE A CONSENT
REQUIREMENT FOR ROUTINE USES IN THE FINAL PRIVACY RULE DID NOT VIOLATE
PLAINTIFFS’ CONSTITUTIONAL RIGHTS.
When HHS eliminated the consent requirement under the Privacy Rule, it
did not deprive anyone of any fundamental constitutional rights.
To the contrary, the sole effect of the agency’s action was to refrain
from exercising the regulatory authority of the federal government to
prevent certain covered health care providers from using or disclosing
protected health information for treatment, payment, or health care
operations without first obtaining their consent. As the district
court recognized, “[b]ecause the Amended Rule does not compel anyone to
use or disclose the plaintiffs’ health information for routine purposes
without the plaintiffs’ consent,” it does not violate their
constitutional rights. JA 14-15.
Plaintiffs devote a significant portion of their brief to arguing
that individuals have a fundamental right to privacy in their medical
records and that laws affecting such a right are subject to heightened
scrutiny. See Pl. Br. 10-26. Plaintiffs also spend
considerable energy arguing that the First Amendment protects
confidential physician-patient communications and that the exercise of
this right can be chilled by inadequate protections for the privacy of
medical records and health information. See Pl. Br. 26-32.
However, even assuming plaintiffs have constitutionally protected
rights in the privacy of their medical records and in confidential
physician-patient communications (as the district court assumed), the
final Privacy Rule does not impair those rights.
As explained in detail above, the Privacy Rule provides enhanced
federal protections for the privacy of protected health information by
prohibiting health care providers from using or disclosing such
information except as authorized and by requiring that providers obtain
a patient’s authorization for uses and disclosures not otherwise
permitted. See 45 C.F.R. § 164.508. Moreover, the
Privacy Rule does not supersede or displace “more stringent” privacy
protections provided under state law or any ethical or other
standards. As such, the Privacy Rule does not interfere in any
way with patients’ exercise of their privacy rights. Whatever
rights patients had to prevent the use and disclosure of their
protected medical information before the promulgation of the Privacy
Rule are either retained or enhanced under that rule. The Privacy
Rule simply adds an additional panoply of federal protections for the
privacy of medical records, creating a federal “floor” of privacy in
recognition of potential risks to privacy in the new regulatory scheme
governing medical records established under the HIPAA.
On appeal, plaintiffs persist in arguing that the final Privacy Rule
violates the Constitution because HHS did not go far enough in
protecting privacy – specifically, by not including a consent
requirement for routine uses in the final rule. As the district
court correctly held, however, the Constitution “does not command the
Secretary to act affirmatively to protect such rights.” JA 15
(citing DeShaney v. Winnebago County Soc. Servs. Dep’t, 489 U.S. 189,
195 (1989)).
Recognizing (as they must) that the Constitution imposes no
affirmative duty on the government to protect privacy rights,
plaintiffs contend that the Privacy Rule nonetheless interferes with
their rights because it has a “determinative or coercive effect” on the
actions of health care providers. Pl. Br. 34. As noted
above, however, the Privacy Rule does not displace “more stringent”
privacy protections, and, unlike the 1999 Proposed Rule, it does not
prohibit providers from seeking patient consent for routine uses or
disclosures. See 45 C.F.R. § 164.506(b)(1) (allowing covered
entities to seek consent). As such, the Privacy Rule has no
“coercive effect” whatsoever; it simply provides express authority for
health care providers to do what they have always been free to do,
absent independent prohibitions under state law (which the Privacy Rule
expressly preserves). Thus, despite plaintiffs’ efforts to
distinguish DeShaney on the ground that the government would have had a
duty to protect the child in that case “if the state had rendered the
child more vulnerable to the damage or had played a part in creating
it,” Pl. Br. 35, the fact remains that the Privacy Rule has not
rendered patients “more vulnerable” to privacy violations because that
rule has not eliminated any pre-existing rights patients may have had
to protect their privacy.
In the end, plaintiffs’ insistence that “the Amended Rule has
eliminated [their] ability to protect their medical privacy by
withholding consent,” Pl. Br. 38, boils down to their argument that the
final version of the Privacy Rule did not go far enough in protecting
their constitutional rights because it did not include a consent
requirement for routine uses. The irony of this argument is that,
if the government’s failure to “do more” to protect a constitutional
right can itself give rise to a constitutional claim, the government
will be significantly less likely to attempt to enact legislation or
promulgate regulations to enhance the protections of constitutional
rights – as the Privacy Rule undoubtedly enhanced patients’ privacy
protections here – for fear that the new statutes or regulations will
be subject to constitutional challenges on the ground that they did not
go far enough. Thus, allowing plaintiffs to challenge HHS’s
alleged failure to provide what they believe were adequate protections
for the privacy of medical information would have the perverse effect
of deterring the government from ever attempting to provide enhanced
protections for other constitutionals rights.
In sum, because it was plainly constitutional for the government
to have taken no action to impose a federal requirement that health
care providers obtain patients’ consent before releasing individually
identifiable medical information for routine uses prior to promulgation
of the Privacy Rule, HHS’s decision not to impose such a requirement in
the final version of the Privacy Rule likewise violates no
constitutional rights.
CONCLUSION
For the foregoing reasons, the district court’s decision should be
affirmed.
Respectfully submitted,
OF COUNSEL:
PETER D. KEISLER
Assistant Attorney General
ALEX M. AZAR II
General Counsel
PATRICK L. MEEHAN
EDWIN WOO
United States
Attorney
Acting Associate
General Counsel
MARK B. STERN
LOUIS ALTARESCU
(202)
514-5089
Attorney
CHARLES W. SCARBOROUGH
United States Department
(202) 514-1927
of Health and Human Services Attorneys,
Appellate Staff
Civil Division, Room 7244
Department of Justice
950 Pennsylvania Ave., N.W.
Washington, D.C. 20530-3001
OCTOBER 2004
CERTIFICATE OF COMPLIANCE
In accordance with Fed. R. App. P. 32(a)(7)(C), I hereby certify that
the foregoing Brief for the Appellee is monospaced in courier font of
10 characters per inch. Exclusive of the portions exempted by
Fed. R. App. P. 32(a)(7)(B)(iii), this brief contains 11,401 words,
according to Corel WordPerfect 9, the word-processing program used to
prepare this brief.
________________________ CHARLES W. SCARBOROUGH
CERTIFICATE OF SERVICE
I hereby certify that on this 22nd day of October, 2004, I caused
copies of the foregoing Brief for Appellee to be served by hand upon:
James C. Pyles
Powers, Pyles, Sutter & Verville
1875 Eye Street, N.W.
Twelfth Floor
Washington, DC 20036
(202) 466-6550
and by first-class United States mail upon:
Peter D. Winebrake
Trujillo Rodriguez & Richards, LLC
The Penthouse
226 Rittenhouse Square
Philadelphia, PA 19103
(215) 731-9004
Robert N. Feltoon
Conrad, O’Brien, Gellman & Rohn, P.C.
1515 Market Street, 16th Floor
Philadelphia, PA 19102
(215) 864-8064
James P. Joseph
Arnold & Porter, LLP
555 Twelfth Street, N.W.
Washington, D.C. 20004
David P. Felsher
488 Madison Avenue, 11th Floor
New York, NY 10022
Susan L. Burke
Montgomery, McCracken, Walker & Rhoads, LLP
123 South Broad Street
Philadelphia, PA 19109
M. Duncan Grant
Pepper Hamilton LLP
3000 Two Logan Square
18th & Arch Streets
Philadelphia, PA 19103
Sharon J. Arkin
Robinson, Calcagnie & Robinson
620 Newport Center Drive, 7th Floor
Newport Beach, CA 92660
Sheri Joy Nasya Tolliver
Texas Civil Rights Porgect
1405 Montopolis Drive
Austin, TX 78741
____________________________
CHARLES W. SCARBOROUGH
