HIPAA 2004

By Elliott B. Oppenheim
August 31, 2004

In last month's newsletter, we noted the dearth of significant case law with respect to the Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936 (1996) (HIPAA), save for three cases. In the first installment of this article, we looked at the case of Northwestern Memorial Hospital v. Ashcroft, 2004 U.S. App. LEXIS 5724 (7th Cir. 2004), in which the U.S. Court of Appeals for the Seventh Circuit rejected the notion that HIPAA created a new federal privilege regarding abortion medical records. That court ultimately quashed the subpoena that would have required the hospital to turn over to the U.S. government the abortion records sought, but on different grounds.

This month, we take a look at a case that challenged the constitutionality of the HIPAA regulations themselves.

South Carolina Medical Association v. Thompson

In South Carolina Medical Association v. Thompson, 327 F.3d 346, 2003 U.S. App. LEXIS 7940 (4th Cir. 2003) (cert. denied 2003 U.S. LEXIS 8010 (U.S., Nov. 3, 2003)), the appellant health care providers attempted to have provisions of HIPAA declared unconstitutional on the basis that it was vague and impermissibly delegated congressional authority to the executive branch. Appellants also argued that HIPAA authorized privacy protections only for electronic health care records, so rules promulgated by the U.S. Department of Health and Human Services (HHS) to cover all health care records were impermissibly inclusive. The district court dismissed and the appellate court affirmed.

Background

The case involved HIPAA's Administrative Simplification provisions, sections 261 through 264 of the statute, which were designed to improve the efficiency and effectiveness of the health care system by facilitating the exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information in connection with such transactions. The preamble to the Administrative Simplification provisions clarifies this goal: “It is the purpose of this subtitle to improve the Medicare program … the medicaid program … and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” HIPAA § 261, 110 Stat. 2021.

To this end, Congress instructed HHS to adopt uniform standards for exchanging health information electronically. HHS was instructed by Congress to adopt standards for securely sending information and verifying electronic signatures and for creating unique identifiers to distinguish individuals, employers, health care plans, and health care providers.

Within the Administrative Simplification section, Congress included § 264, a provision outlining a two-step process to address the need to afford certain protections to the privacy of health information maintained under HIPAA. First, § 264(a) directed HHS to submit to Congress within twelve months of HIPAA's enactment “detailed recommendations on standards with respect to the privacy of individually identifiable health information.” HIPAA § 264(a), 110 Stat. 2033. Second, if Congress did not enact further legislation pursuant to these recommendations within 36 months of the enactment of HIPAA, HHS was to promulgate final regulations containing such standards. The subjects Congress directed HHS to cover in promulgating privacy regulations included these: 1) The rights that an individual who is a subject of individually identifiable health information should have; 2) The procedures that should be established for the exercise of such rights; and 3) The uses and disclosures of such information that should be authorized or required. HIPAA § 264(b), 110 Stat. 2033. Through individual provisions of HIPAA, Congress outlined whom the regulations were to cover (see 42 U.S.C.A. § 1320d-1(a)); what information was to be covered (see 42 U.S.C.A. § 1320d(6) (defining “individually identifiable health information”)); what types of transactions were to be covered (see 42 U.S.C.A. § 1320d-2(a)(2)); what penalties would accrue for violations of HIPAA (see 42 U.S.C.A. §§ 1320d-5, 1320d-6); and what time lines and standards would govern compliance with the act (see 42 U.S.C.A. §§ 1320d-3, 1320d-4). Finally, § 264(c)(2) provided that the privacy regulations promulgated by HHS “shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” HIPAA § 264(c)(2), 110 Stat. 2033-34 (emphasis added).

Pursuant to Congress' mandate, HHS submitted recommendations for protecting the privacy of individually identifiable health information in September 1997. Several detailed and comprehensive medical privacy bills were introduced thereafter, but Congress failed to pass any additional legislation. In the meantime, HHS followed Congress's directive and drafted regulations that appeared in a November 1999 “Notice of Proposed Rulemaking.” The proposed regulations drew more than 50,000 comments from affected parties. After several further proposals and amendments were published, HHS promulgated final regulations in February 2001, collectively the “Privacy Rule.” Although the effective date of the Privacy Rule was set for April 14, 2001, entities covered by the regulations were given until April 14, 2003, to comply, while some smaller entities were granted an additional year.

Appellants in South Carolina Medical Assoc. sought declaratory relief from provisions of HIPAA and the accompanying Privacy Rule promulgated by HHS, arguing that 1) HIPAA violates the non-delegation doctrine by authorizing HHS to promulgate the regulations at issue in the absence of an intelligible principle from Congress; 2) the Privacy Rule exceeds the scope of authority granted to HHS under HIPAA; and 3) HIPAA's non-pre-emption of “more stringent” state privacy laws is unconstitutionally vague, in violation of the Due Process Clause of the Fifth Amendment. The district court dismissed the action and this appeal followed.

Non-Delegation Doctrine

Appellants in South Carolina Medical Assoc. sought declaratory relief from provisions of HIPAA and the accompanying Privacy Rule promulgated by HHS, arguing that HIPAA violates the non-delegation doctrine by authorizing HHS to promulgate the regulations at issue in the absence of an intelligible principle from Congress. The non-delegation doctrine, rooted in the principles of the separation of powers, holds that Congress may not delegate its legislative powers to the executive or judicial branches of the government. Therefore, the question became, did HIPAA constitute a prohibited delegation rather than necessary cooperation between coordinate government branches?

The U.S. Court of Appeals for the Fourth Circuit stated: “In determining what [Congress] may do in seeking assistance from another branch, the extent and character of that assistance must be fixed according to common sense and the inherent necessities of the governmental co-ordination.” The court then discussed the “intelligible principle” concept: “This approach dictates that where Congress lays down by legislative act an intelligible principle to which the person or body authorized to [exercise the assigned duty] is directed to conform, such legislative action is not a forbidden delegation of legislative power.”

Applying the U.S. Supreme Court's test for constitutionally sufficient delegation set out in Mistretta v. U.S., 488 U.S. 361, 371, 102 L. Ed. 2d 714, 109 S. Ct. 647 (1989), the Fourth Circuit asked whether the HIPAA statute 1) provided a general policy; 2) described the agency in charge of applying that policy; and 3) set boundaries for the reach of that agency's authority. These three factors make up the test for determining whether an “intelligible principle” lies behind the conferral of authority from Congress to an agency.

The court found sources within HIPAA that provided intelligible principles, and concluded that these principles constituted a general policy of Congress. (Note: It is rare in this author's analysis of countless Supreme Court cases over a decade that the court does not find an “intelligible principle” to federal Congressional legislation.) Individual provisions of HIPAA outline whom the Privacy Rule is to cover, what information is covered, and what types of transactions are to be covered; what penalties are involved for violations, and time lines and standards that will govern compliance.

Finally, the court was not persuaded that Congress unconstitutionally relinquished its lawmaking function by mandating that final regulations governing standards with respect to the privacy of individually identifiable health information be promulgated within 36 months of HIPAA's enactment if no further legislation on the subject were enacted. This provision, § 264(c)(1) (42 U.S.C.S. § 1320d-2 n. (c)(1)), was a more explicit oversight mechanism than usual, in the court's opinion, because HHS was given a broad set of principles to guide it in formulating regulations. Armed with these principles, HHS was instructed to offer its recommendations to Congress. That Congress did not enact additional measures in light of these recommendations indicated the legislature's satisfaction with HHS's proposed approach, the court found. In addition, Congress retains the ability to revisit the issue, change the direction or scope of the statute or rules, or wholly undo the regulatory scheme HHS has established pursuant to HIPAA. For the foregoing reasons, the Fourth Circuit concluded that HIPAA did not violate the non-delegation doctrine.

Electronic Records

Appellants' second argument was that § 264(c) of HIPAA limits HHS to regulating only electronic records transmitted in connection with section 1173(a) of the Social Security Act, see 42 U.S.C.A. § 1320d-2(a), yet HHS impermissibly expanded HIPAA's scope to cover not only electronic transactions, but “every form of information for all Americans held by covered entities.” Appellants' Brief at 7.

Does HIPAA cover only electronic records, or is the act's aegis broader? The Fourth Circuit noted that § 264(c)(1) provides a broad grant of power from Congress to HHS concerning regulation of medical information. In that section of the code, Congress expressly defined “health information” to include any information, “whether oral or recorded in any form or medium.” 42 U.S.C.A. § 1320d-4. The act, at 42 U.S.C.A. § 1320d-6(b), defines “individually identifiable health information” as information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and 1) identifies the individual or 2) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. This definition of “individually identifiable health information” doesn't limit its reach to electronic media. Therefore, the court found that the plain language of HIPAA indicated that HHS could reasonably determine that the regulation of individually identifiable health information should include non-electronic forms of that information.

In addition, regulating non-electronic forms of information helps to put into effect HIPAA's intent to promote portability of health information and its confidentiality. If only electronic forms of such information were covered, the court stated, “There would be perverse incentives for entities covered by the rule to avoid the computerization and portability of any medical records. Such a development would utterly frustrate the purposes of HIPAA.” Thus the rule enunciated in Thorpe v. Housing Auth. of the City of Durham, 393 U.S. 268, 280-81, 21 L. Ed. 2d 474, 89 S. Ct. 518 (1969), which holds that a congressional mandate should be sustained as long as it is “reasonably related to the purpose of the enabling legislation under which it is promulgated,” is best served by an interpretation of “individually identifiable health information” that includes non-electronic means of holding such information.

HIPAA's Pre-Emption Provision

Appellants' final argument was that HIPAA's non-pre-emption provision, which provides for the pre-emption of state laws unless they are “more stringent” than HIPAA, is impermissibly vague because it necessarily calls for subjective judgments on the part of health care providers, who face jail or fines for incorrect determinations. Contending that HIPAA fails to provide fair notice or minimal guidelines to covered entities and individuals, appellants argued that the statute violated the Due Process Clause of the Fifth Amendment.

The provision in question, § 264(c)(2), says, “A regulation promulgated under paragraph 1) shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” State law would be defined as more stringent if it provides greater privacy protection for the individual who is the subject of the individually identifiable health information. In affirming the district court's decision, the Fourth Circuit concluded that the regulations were “sufficiently definite … to give fair warning as to what will be considered a 'more stringent' state privacy law.” The court commented that these regulations will “doubtless call for covered entities to make some common sense evaluations and comparisons between state and federal laws, but this does not mean they are either vague or constitutionally infirm.”



Elliott B. Oppenheim, MD/JD/LLM Health Law, [email protected]

