Citizens for Health v. Leavitt

428 F.3d 167 (2005)
Download Judgment: English

This case concerned a challenge to a rule promulgated by the United States Department of Health and Human Services pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The original privacy rule “required covered entities to seek individual consent to use or disclose health information in all but the narrowest of circumstances.” By contrast, the Amended Privacy Rule (the effective, codified version of the Privacy Rule) allowed such uses and disclosures without consent for “routine uses”―defined as “treatment, payment and health care operations” (§ 164.506).

The Amended Privacy Rule granted individuals the right to request restrictions on uses and disclosures of protected health information and to enter into agreements with covered entities regarding such restrictions, but it did not require covered entities to abide by such requests or to agree to any restriction (§ 164.522(a)). The Amended Privacy Rule also permitted, but did not require, covered entities to design and implement a consent process for “routine uses” and disclosures (§ 164.506).

Citizens for Health (Citizens) alleged that subsection (a) of § 164.506 of the Amended Privacy Rule (titled “Standards for Privacy of Individually Identifiable Health Information”) was invalid, alleging that it authorized disclosures that violated individual privacy rights.

The court held that the “routine uses” exception to HIPAA’s Amended Privacy Rule was constitutionally valid. The court declared that the protections afforded by the due process clause of the Fifth Amendment, which are directed against State interference with fundamental rights, were not implicated in this case because no violation could be properly ascribed to the State.

The court held that the Amended Privacy Rule could not fairly be read to “require,” “compel,” or “command” routine use disclosures without an individual’s consent because “a covered entity [could] obtain consent of the individual to use or disclose protected health information” for routine uses under § 164.506(b)(1). The court also rejected the contention that the Amended Privacy Rule’s “grant of regulatory permission to make the challenged uses and disclosures indirectly provid[ed] the requisite mantle of authority.” The court stated:

[T]he fact that a private party changed its behavior in response to a law does not give the law the coercive quality upon which the state action inquiry depends unless the law itself suddenly authorized something that was previously prohibited.

The court added that “the fact that covered entities [were] construing the ‘may use’ language as constituting a new federal seal of approval, and may be ignoring state laws regarding protections to be afforded to such information, [was] regrettable and disquieting.”

The further held that the Amended Privacy Rule did not conflict with the legislative purpose of HIPAA. The court rejected the argument that medical privacy was HIPAA’s controlling policy and that this was ignored by the Amended Privacy Rule due to its focus on efficiency and flexibility interests of covered entities. The court held that the argument ignored HIPAA’s stated purpose of “simplify[ing] the administration of health insurance,” and "improv[ing] the efficiency and effectiveness of the health care system"; medical privacy concerns had to be balanced with HIPAA’s intended purpose.

The court upheld the District Court’s finding that the Amended Privacy Rule did not retroactively eliminate rights that citizens enjoyed under the original privacy rule because the rule was amended before its effective compliance date. Furthermore, the court held that the Amended Privacy Rule did not retroactively eliminate citizens’ “reasonable expectations based on state law, medical ethics and established standards of practice” because it “[did] not disturb any preexisting, more stringent state law privacy rights.”

“The right to medical privacy asserted by Citizens is legally cognizable under the Due Process Clause of the Fifth Amendment, although, as Citizens themselves concede, its ‘boundaries ... have not been exhaustively delineated.’ . . . Whatever those boundaries may be, it is undisputed that a violation of a citizen's right to medical privacy rises to the level of a constitutional claim only when that violation can properly be ascribed to the government. The Constitution protects against state interference with fundamental rights. It only applies to restrict private behavior in limited circumstances. Because such circumstances are not present in this case, and because the ‘violations’ of the right to medical privacy that Citizens have asserted, if they amount to violations of that right at all, occurred at the hands of private entities, the protections of the Due Process Clause of the Fifth Amendment are not implicated in this case.”  428 F.3d, pp. 177-78.