UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT
October 31, 2005
CITIZENS FOR HEALTH; AMERICAN ASSOCIATION FOR HEALTH FREEDOM; AMERICAN ASSOCIATION OF PRACTICING PSYCHIATRISTS; AMERICAN MENTAL HEALTH ALLIANCE-USA; AMERICAN PSYCHOANALYTIC ASSOCIATION; NATIONAL COALITION OF MENTAL HEALTH PROFESSIONALS AND CONSUMERS; NEW HAMPSHIRE CITIZENS FOR HEALTH FREEDOM; SALLY SCOFIELD; TED KOREN, DC; MICHAELE DUNLAP, PSY.D.; MORTON ZIVAN, PH.D.; CALIFORNIA CONSUMER HEALTHCARE COUNCIL; CONGRESS OF CALIFORNIA SENIORS; HEALTH ADMINISTRATION RESPONSIBILITY PROJECT; DANIEL S. SHRAGER; EUGENE B. MEYER; JANE DOE; JANIS CHESTER; DEBORAH PEEL, APPELLANTS
*MICHAEL O. LEAVITT, SECRETARY U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
*AMENDED PER COURT'S ORDER DATED 2/4/05
PURSUANT TO F.R.A.P. 43(C)(2)
Appeal from the United States District Court for the Eastern District of Pennsylvania (D.C. Civil No. 03-cv-02267). District Judge: Honorable Mary A. McLaughlin.
The opinion of the court was delivered by: Rendell, Circuit Judge.
Argued March 9, 2005
Before: McKEE, RENDELL and NYGAARD*fn1, Circuit Judges.
OPINION OF THE COURT
Appellant Citizens for Health, along with nine other national and state associations and nine individuals (collectively "Citizens"), brought this action against the Secretary of the United States Department of Health and Human Services ("HHS" or "Agency") challenging a rule promulgated by the Agency pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. 104-191, 110 Stat. 1936. Citizens allege that the "Privacy Rule"--officially titled "Standards for Privacy of Individually Identifiable Health Information"--is invalid because it unlawfully authorizes health plans, health care clearinghouses, and certain health care providers to use and disclose personal health information for so-called "routine uses" without patient consent. The relevant part of the specific offending provision of the Privacy Rule reads:
(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) [relating to psychotherapy notes] and (3) [relating to marketing], a covered entity may use or disclose protected health information for treatment, payment, or health care operations . . . provided that such use or disclosure is consistent with other applicable requirements of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.
(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.
45 C.F.R. § 164.506 (emphasis added). Citizens challenge subsection (a) as authorizing disclosures that, they contend, violate individual privacy rights.
The District Court granted summary judgment to the Secretary on all of Citizens' claims based on its conclusions that the promulgation of the Privacy Rule did not violate the Administrative Procedure Act, that the Secretary did not exceed the scope of authority granted to him by HIPAA, and that, insofar as the Privacy Rule is permissive and does not compel any uses or disclosures of personal health information by providers, it does not affirmatively interfere with any right protected by the First or Fifth Amendments. Because we reason to the same conclusions reached by the District Court, albeit under a slightly different analysis, we will affirm.
The objectionable provision is only one aspect of a complex set of regulations that is the last in a series of attempts by HHS to strike a balance between two competing objectives of HIPAA--improving the efficiency and effectiveness of the national health care system and preserving individual privacy in personal health information.
HIPAA was passed by Congress in August 1996 to address a number of issues regarding the national health care and health insurance system. The statutory provisions relevant to the issues in this case are found in Subtitle F of Title II.*fn2 Aimed at "administrative simplification," HIPAA Sections 261 through 264 provide for "the establishment of standards and requirements for the electronic transmission of certain health information." § 261, 110 Stat. at 2021. More specifically, these provisions direct the Secretary to adopt uniform national standards for the secure electronic exchange of health information. § 262, 110 Stat. at 2021-26.
Section 264 prescribes the process by which standards regarding the privacy of individually identifiable health information were to be adopted. § 264(a), 110 Stat. at 2033. This process contemplated that, within a year of HIPAA's enactment, the Secretary would submit detailed recommendations on such privacy standards, including individual rights concerning individually identifiable health information, procedures for exercising such rights, and the "uses and disclosures of such information that should be authorized or required," to Congress. § 264(a)-(b), 110 Stat. at 2033. If Congress did not enact further legislation within three years of HIPAA's enactment, the Secretary was directed to promulgate final regulations implementing the standards within 42 months of HIPAA's enactment. § 264(c)(1), 110 Stat. at 2033. The Act specified that any regulation promulgated pursuant to the authority of Section 264 would provide a federal baseline for privacy protection, but that such regulations would "not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." § 264(c)(2), 110 Stat. at 2033-34.*fn3
B. The Privacy Rule
Because Congress did not enact privacy legislation by its self-imposed three-year deadline, the Secretary promulgated the privacy standards contemplated in Section 264 through an administrative rulemaking process. During this process, the Rule went through four iterations: the Proposed Original Rule, the Original Rule, the Proposed Amended Rule, and the Amended Rule.*fn4 The Original Rule required covered entities to seek individual consent before using or disclosing protected health information for routine uses. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,810 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164 (2002)). Before the Original Rule could take effect, however, the Secretary was inundated with unsolicited criticism, principally from health care insurers and providers, warning that the Original Rule's mandatory consent provisions would significantly impact the ability of the health care industry to operate efficiently.*fn5 Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776, 14,777 (Mar. 27, 2002). He responded by reopening the rulemaking process. Id. at 14,776. The final result was the Amended Rule--the currently effective, codified version of the Privacy Rule, see generally 45 C.F.R. pts. 160 & 164, which is the subject of Citizens' challenge here.*fn6
The Amended Rule retains most of the Original Rule's privacy protections. It prohibits "covered entities"*fn7 --defined as health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the regulations--from using or disclosing an individual's "protected health information"--defined as individually identifiable health information maintained in or transmitted in any form or media including electronic media--except as otherwise provided by the Rule. See 45 C.F.R. §§ 160.103 (defining "covered entities" and "protected health information"), 164.502(a) ("A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter."). Covered entities must seek authorization from individuals before using or disclosing information unless a specific exception applies. Id. § 164.508(a)(1) ("Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section."). Uses and disclosures that the Amended Rule allows must be limited to the "minimum necessary" to accomplish the intended purpose. Id. § 164.502(b).
The Amended Rule departs from the Original Rule in one crucial respect. Where the Original Rule required covered entities to seek individual consent to use or disclose health information in all but the narrowest of circumstances,*fn8 the Amended Rule allows such uses and disclosures without patient consent for "treatment, payment, and health care operations"--so-called "routine uses." Id. §§ 164.506 (providing routine use exception). "Health care operations," the broadest category under the routine use exception, refers to a range of management functions of covered entities, including quality assessment, practitioner evaluation, student training programs, insurance rating, auditing services, and business planning and development. Id. § 164.501. The Rule allows individuals the right to request restrictions on uses and disclosures of protected health information and to enter into agreements with covered entities regarding such restrictions, but does not require covered entities to abide by such requests or to agree to any restriction. Id. § 164.522(a). The Rule also permits, but does not require, covered entities to design and implement a consent process for routine uses and disclosures. Id. § 164.506; see also Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53,182, 53,211 (Aug. 14, 2002).
Importantly, the Rule contains detailed preemption provisions, which are consistent with HIPAA Sections 1178(a)(2)(B) and 264(c)(2). These provisions establish that the Rule is intended as a "federal floor" for privacy protection, allowing state law to control where a "provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [the Privacy Rule]." 45 C.F.R. § 160.203 (emphasis added).*fn9
II. Procedural History
Citizens filed this action on April 10, 2003. In its Amended Complaint, Citizens alleged that the Secretary violated the APA and Sections 261 through 264 of HIPAA in promulgating the Amended Rule, and that, to the extent that the Amended Rule rescinded or eliminated the need for consent for the use and disclosure of individually identifiable health information for "routine uses," the Amended Rule violated privacy rights protected by the Fifth Amendment and free speech rights protected by the First Amendment of the United States Constitution. Citizens for Health v. Thompson, No. 03-2267, 2004 U.S. Dist. LEXIS 5745, at *22 (E.D. Pa. Apr. 2, 2004). Both parties moved for summary judgment, and, after a hearing on December 10, 2003, the District Court granted summary judgment in favor of the Secretary. Id. at *2.
On Citizens' APA claims, the Court concluded that the Secretary had adequately informed the public regarding the proposed rulemaking, examined the relevant data, responded to public comments, and provided a reasoned analysis that rationally connected the facts with the decision to rescind the consent requirement in the Amended Rule. Id. at *33-43. Regarding Citizens' claims alleging violations of HIPAA, the Court concluded that the changes in the Amended Rule were reasonably related to the legislative purpose of Subtitle F of the Act, and, because the Amended Rule was promulgated before the Original Rule took effect, the Amended Rule did not eliminate any "rights" created under the Original Rule. Id. at *43-46. Finally, regarding Citizens' constitutional claims, the Court concluded that because (1) neither the First Amendment nor the Fifth Amendment places an affirmative obligation on the State to protect individuals' rights from harm by third parties and (2) the Amended Rule is wholly permissive as to whether covered entities seek consent from an individual before using or disclosing personal health information for routine uses, the Amended Rule did not violate individual rights under either Amendment. Id. at *46-50.
III. Jurisdiction and Standard of Review
The District Court had jurisdiction under 28 U.S.C. § 1331, and we have jurisdiction to review the final decision of the District Court under 28 U.S.C. § 1291. We exercise plenary review over the District Court's grant of summary judgment, applying the same test as the District Court. Goodman v. Mead Johnson & Co., 534 F.2d 566, 573 (3d Cir. 1976). To affirm the grant of summary judgment, we must be convinced that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law when the facts are viewed in the light most favorable to the nonmoving party. Fed. R. Civ. P. 56(c).
On appeal, Citizens reassert the claims they made before the District Court, that the Secretary, by promulgating the Privacy Rule, (1) unlawfully infringed Citzens' fundamental rights to privacy in personal health information under due process principles of the Fifth Amendment of the United States Constitution; (2) unlawfully infringed Citzens' rights to communicate privately with their medical practitioners under the First Amendment of the Constitution; (3) contravened Congress's intent in enacting HIPAA by eliminating Citizens' reasonable expectations of medical privacy; and (4) violated the APA by arbitrarily and capriciously reversing a settled course of behavior and adopting a policy that he had previously rejected.
Before addressing Citizens' claims on the merits, we note that we raised the issue of justiciability at oral argument, and asked the parties for separate briefing on this issue. Our concern was that, in their complaint, the party plaintiffs do not recount specific instances of violations of their privacy rights traceable to the regulation, but, instead, complain of the regulation's general effect. After reviewing the parties' responses to our questions, however, we are satisfied that these specific instances do, in fact, exist, notwithstanding the general allegations in the complaint.*fn10 We therefore proceed to address each of Citizens' that "it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 181 (2000). According to Citizens' affidavits, at least one individual plaintiff had successfully restricted the use of her health information before the Privacy Rule took effect on April 14, 1003. Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *27. Accepting these facts as true, as we must at this stage in the litigation, it follows that invalidating the Privacy Rule is likely to redress her alleged injury by restoring the status quo ante.
With respect to the "traceability" prong of the justiciability requirement, we conclude that Citizens' alleged injury is traceable to the promulgation of the Privacy Rule for two reasons. First, notices that plaintiffs received from covered entities such as Kaiser Permanente, Eckerd Drugs and Genovese Drugs, and Blue Cross/Blue Shield of Delaware explain the entities' intent to use and disclose plaintiffs' health information without consent (i.e., the sources of the alleged injury at the heart of this case) using language lifted directly from the Privacy Rule itself. Second, plaintiff's statement in her affidavit that her ability to restrict the use and disclosure of her health information changed after April 14, 2003, the Privacy Rule's effective date, Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *28-30, implies that the Rule is a "cause in fact" of her alleged injury.
We emphasize that, as justiciability is a "threshold" matter, The Pitt News, 215 F.3d at 360, our analysis for these purposes is distinct from our analysis of the merits of plaintiffs' claims. As a result, our determination that Citizens' alleged injuries are "fairly traceable" to the Secretary's promulgation of claims in turn.
A. Fifth Amendment Substantive Due Process Claim
In discussing Citizens' Fifth Amendment claim, the District Court noted that substantive due process bars the government from depriving individuals of life, liberty, or property without due process of law, but it does not "'impose an affirmative obligation on the State to ensure that those interests do not come to harm through other means.'" Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *46-47 (quoting DeShaney v. Winnebago County Soc. Servs. Dep't, 489 U.S. 189, 195 (1989)). Applying this principle to the case at hand, the Court reasoned that, even assuming that individuals have a constitutional right to medical privacy, the Amended Rule is "wholly permissive with respect to whether a covered entity should seek consent from a patient before using his or her information for routine purposes. The Amended Rule neither requires nor prohibits that practice." Id. at *47-48. In short, "[b]ecause the Amended Rule is not compulsory in nature, it does not affirmatively interfere with any right." Id. We agree with the District Court that Citizens' constitutional claims should ultimately be resolved based on the nature of the state's involvement in light of the Amended Rule's permissive character. However, we think that the District Court's analysis does not go far enough, and that its reliance on DeShaney does not fully explain why Citizens cannot succeed here.
We begin our analysis with the premise that the right to medical privacy asserted by Citizens is legally cognizable under the Due Process Clause of the Fifth Amendment, although, as Citizens themselves concede, its "boundaries . . . have not been exhaustively delineated." (Appellants' Br. at 12.)*fn11 Whatever those boundaries may be, it is undisputed that a violation of a citizen's right to medical privacy rises to the level of a constitutional claim only when that violation can properly be ascribed to the government. The Constitution protects against state interference with fundamental rights. It only applies to restrict private behavior in limited circumstances. Because such circumstances are not present in this case, and because the "violations" of the right to medical privacy that Citizens have asserted, if they amount to violations of that right at all, occurred at the hands of private entities, the protections of the Due Process Clause of the Fifth Amendment are not implicated in this case. We will accordingly affirm the District Court's finding that the Secretary did not violate Citizens' constitutional rights when he promulgated the Amended Rule.
"The Constitution structures the National Government, confines its actions, and, in regard to certain individual liberties and other specified matters, confines the actions of the States. With a few exceptions, . . . constitutional guarantees of individual liberty and equal protection do not apply to the actions of private entities." Edmonson, 500 U.S. at 619. Indeed, it is well established that the substantive component of due process, embodied in both the Fifth and Fourteenth Amendments,*fn12 "'provides heightened protection against government interference with certain fundamental rights and liberty interests.'" Troxel v. Granville, 530 U.S. 57, 65 (2000) (quoting Washington v. Glucksberg, 521 U.S. 702, 720 (1997)) (emphasis added); see also Reno v. Flores, 507 U.S. 292, 301 (1993). As explained in DeShaney, the Due Process Clauses of the Fifth and Fourteenth Amendments were intended to prevent federal and state governments "'from abusing [their] power, or employing it as an instrument of oppression.'" 489 U.S. at 196 (quoting Davidson v. Cannon, 474 U.S. 344, 348 (1986)). Their "purpose was to protect the people from the State, not to ensure that the State protected them from each other." Id.
At first glance, the posture of this case seems different from that of most state action cases. The issue of state action usually arises where plaintiffs assert that their rights have been violated by private parties who, they claim, are acting on behalf of the state. E.g., Jackson v. Metro. Edison Co., 419 U.S. 345 (1974) (customer suing private utility company for violation of procedural due process on the theory that the utility was a "state actor" by virtue of a state-granted monopoly and extensive state regulation). In this case, by contrast, the action that Citizens challenge--the promulgation of the Amended Rule by the Secretary--is clearly government conduct. As noted above, however, the injury that Citizens allege is that their "personal health information" is being "used and disclosed, without their permission and against their will" by third parties. (Appellants' Br. at 2.) To support their claims, Citizens point to privacy notices that they received from private health care providers and pharmacies. See Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *27-28. Citizens did not challenge any use or disclosure by the Secretary himself, or urge that the third parties were somehow acting on the Secretary's behalf, before the District Court.*fn13 The relevant question, then, is whether the Secretary, as a state actor, was sufficiently involved in producing the harm Citizens assert to satisfy the Constitution's state action requirement.
As noted above, the District Court touched on the state action issue when it applied DeShaney's holding that due process does not impose an affirmative obligation on the State to protect individuals' interests in life, liberty, or property from harm inflicted by private actors. See 489 U.S. at 195. But the District Court's analysis in this respect was incomplete. Although the fundamental principle that due process protections apply only to prevent injury attributable to conduct of the State underlies the discussion in DeShaney, the Supreme Court's analysis in that case did not focus on "state action" as such. There, the Court was presented with a claim against a local government for its failure to prevent a father from physically abusing his son to the point of permanent injury where the local social services agency knew of the abuse but failed to remove the child from the father's custody. Id. at 191. Plaintiffs argued that the State was "categorically obligated" to protect the child from abuse and that, given this obligation, the State's failure to act was a proper basis for a due process challenge. Id. at 195.
The Court's analysis thus sought to determine whether due process imposed a "duty" or "obligation" on the State to protect individuals from private harm, not "whether the State was sufficiently involved [in the privately caused harm] to treat that decisive conduct as state action." Tarkanian, 488 U.S. at 192.
In this case, DeShaney helps resolve a preliminary question: Was the Secretary obliged to prohibit any and all disclosures without consent in order to protect privacy rights across the board? We think the District Court appropriately relied on DeShaney to answer that question in the negative. But DeShaney does not reach the specific question before us: Is the nonconsensual use or disclosure of individual health information by private parties, as permitted by the Amended Rule, legally attributable to the Secretary? We conclude that it is not.
To answer this question, we must determine "whether there is a sufficiently close nexus between the State and the challenged action of the regulated entity [--the private party--] so that the action of the latter may fairly be treated as that of the State itself." Jackson, 419 U.S. at 351. Where, as here, plaintiff argues that the State has "authorized" or "empowered" a private entity to act in a way that directly brings about the alleged injury, our inquiry focuses on "whether the State provided a mantle of authority that enhanced the power of the harm-causing individual actor." Tarkanian, 488 U.S. at 192. Unfortunately, there is no "infallible test" to employ in this analysis. Reitman v. Mulkey, 387 U.S. 369, 378 (1967). Rather, it is "'[o]nly by sifting facts and weighing circumstances' on a case-by-case basis [that] a 'nonobvious involvement of the State in private conduct [can] be attributed its true significance.'" Id. (quoting Burton v. Wilmington Parking Auth., 365 U.S. 715, 722 (1961)).
The Supreme Court provided guidance as to what satisfies the Constitution's state action requirement in Adickes v. S.H. Kress & Co., 398 U.S. 144 (1970). In that case, the Court explained that actions challenged on constitutional grounds fall somewhere along a continuum, with direct action by the State on one side and action by a "private party not acting against a backdrop of state compulsion or involvement" on the other. Id. at 168. Whereas the former meets the state action requirement for constitutional claims, the latter does not (although it could form the basis for a claim on statutory or common law grounds, depending on the alleged violation). The Court further elaborated that, along this continuum, the enactment of a state law "requiring" violation of individual rights, and "enforcement" of such a law establish the requisite state action. Id. at 170. "[A] State is responsible for the discriminatory act of a private party when the State, by its law, has compelled the act" or when the State has "commanded" a particular result. Id. (emphasis added) (citing Peterson v. City of Greenville, 373 U.S. 244, 248 (1963); Robinson v. Florida, 378 U.S. 153 (1964); Lombard v. Louisiana, 373 U.S. 267 (1963); Shuttlesworth v. Birmingham, 373 U.S. 262 (1963)).
The first inquiry, then, is whether the Amended Rule can fairly be read to "require," "compel," or "command" routine use disclosures without consent. We conclude that it cannot. The fact that subsection (b) of the Rule expressly permits covered entities to obtain consent belies such an interpretation. See 45 C.F.R. § 164.506(b)(1) ("A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.") (emphasis added). Thus, the Amended Rule does not directly "provide a mantle of authority that enhance[s] the power of" health care providers and other entities, Tarkanian, 488 U.S. at 192.
Citizens argue that the Amended Rule's grant of "regulatory permission" to make the challenged uses and disclosures, see, e.g., 67 Fed. Reg. at 53,209, 53,211, 53,212 (discussing Amended Rule), indirectly provides the requisite "mantle of authority". To demonstrate a link between the Amended Rule and private parties' use and disclosure of Citizens' health information without their consent, Citizens point to two sources: (1) changes in the privacy policies of covered entities, and (2) evidence that some entities have begun ignoring applicable state privacy laws. On the first point, Citizens have identified at least one covered entity that has adopted a blanket policy of refusing all requests for restrictions on uses and disclosures of health information since the promulgation of the Amended Rule.*fn14 They further assert that some covered entities have simply ignored applicable, more restrictive, state laws in making such uses and disclosures.*fn15
Our reading of the case law discussed below, however, leads us to the conclusion that the fact that a private party changed its behavior in response to a law does not give the law the coercive quality upon which the state action inquiry depends unless the law itself suddenly authorized something that was previously prohibited. Citizens' argument assumes (1) that covered entities were previously prohibited from making nonconsensual uses or disclosures for routine uses and (2) that the Amended Rule's "authorization" somehow permits uses or disclosures that were previously "unauthorized". But there is no authority for either proposition. Citizens have not shown that federal law prohibited nonconsensual uses or disclosures of health information before the Rule was promulgated.*fn16 And the preemption provisions of HIPAA and the Amended Rule expressly provide that any state statutes that prohibited such uses and disclosures before the Amended Rule was promulgated remain in effect.*fn17 Because there is no indication that the nonconsensual uses and disclosures permitted by the Amended Rule were prohibited before the Rule went into effect, we have difficulty understanding how the Amended Rule "authorizes" covered entities to take action that they could not have otherwise taken. In the words of the Tarkanian test, Citizens have not shown how, by promulgating the Amended Rule, the Secretary "enhanced the power" of the covered entities to use or disclose health information without patients' consent; covered entities had this power already.
By way of analogy, assume that Congress were to pass legislation permitting private cinema operators, at their discretion, to search all moviegoers for any reason, without any showing of probable cause or reasonable suspicion. Although the Fourth Amendment would preclude the federal government from conducting such a search, private cinema operators are not bound by the Fourth Amendment, and absent any other law prohibiting it, private cinema operators were already "permitted" to conduct such a search before the new legislation took effect. To the extent that this new legislation changes the legal landscape at all, then, it only codifies a power that cinema operators had already. The codification does not transform the private exercise of the codified power into "state action." Similarly, although the codification itself is clearly government action, it seems insufficient to endow a moviegoer's challenge to a search by a cinema operator with constitutional significance given that the codification has neither enhanced nor diminished the individual moviegoer's rights.
None of the cases that Citizens or amici cite supports the view that a government authorization of conduct that was already legally permissible satisfies the constitutional state action requirement. It is true that these cases find state action based on the enactment of statutes that permit private parties to infringe the constitutional rights of others.*fn18 But the laws that the Supreme Court has struck down in these cases allowed private parties to take some action (usually discrimination based on race) where they would otherwise have been prohibited from doing so. In other words, the Court found that the state, by enacting these laws, had "empowered" private parties to act in ways that would have been prohibited but for the enactment of the law. As we explained above, that is not the case here.
The Supreme Court's decision in Reitman v. Mulkey, 387 U.S. 369 (1967), illustrates this point. That case involved a constitutional challenge to an amendment to the California Constitution that allowed private persons absolute discretion to refuse to sell, lease, or rent property to another. The amendment effectively nullified California statutes that prohibited racial discrimination in private housing transactions. Id. at 374. The California Supreme Court reasoned that, because the State had taken affirmative action designed to make private discrimination legally possible--changing the situation from one in which private discrimination was restricted by statute to one in which it was encouraged--the State was at least a partner in the challenged discrimination. Id. at 375. The Court noted that the State could maintain a neutral position regarding private discrimination and was not bound by the Federal Constitution to forbid it. But once the State acted in a way that encouraged private discrimination, even if it stopped short of mandating such action, it crossed the constitutional line. Id.
The United States Supreme Court affirmed the judgment of the California Supreme Court. The Court rejected petitioners' argument that the state court's reasoning was flawed because it meant that the mere repeal of a statute that prohibited private racial discrimination could be said to "authorize" or "encourage" discrimination simply because it permitted that which was formerly proscribed, pointing out that the challenged state action in case was not "the mere repeal" of prior anti-discrimination laws. Id. at 376. Rather, the offensive action was the state's authorization and "constitutionalization" (under the state constitution) of the previously forbidden private right to discriminate. Id. Consequently, the amendment had a much broader impact than the mere repeal of existing statutes:
Private discriminations in housing were now not only free from [the previously enacted anti-discrimination statutes] but they also enjoyed a far different status than was true before the passage of those statutes. The right to discriminate, including the right to discriminate on racial grounds, was now embodied in the State's basic charter, immune from legislative, executive, or judicial regulation at any level of the state government. Those practicing racial discriminations need no longer rely solely on their personal choice. They could now invoke express [state] constitutional authority, free from censure or interference of any kind from official sources.
Id. at 380-81 (emphasis added).*fn19 In other words, the amendment was constitutionally offensive not only because it now permitted conduct that was previously prohibited, but also because it affirmatively protected such conduct under the state constitution.
The Reitman Court elaborated on this principle by referring to its ruling in Nixon v. Condon, 286 U.S. 73 (1932). It noted that, in Nixon, the Court was faced with a statute empowering the executive committee of a political party to prescribe the qualifications of its members for voting or for other participation, but containing no directions with respect to the exercise of that power. This was authority which the committee otherwise might not have had and which was used by the committee to bar Negroes from voting in primary elections. Reposing this power in the executive committee was said to insinuate the State into the self-regulatory, decision-making scheme of the voluntary association; the exercise of the power was viewed as an expression of state authority contrary to the Fourteenth Amendment.
Reitman, 387 U.S. at 379 (discussing Nixon) (emphasis added). As in Reitman, then, the Nixon Court found that the enactment of the statute satisfied the state action requirement because the challenged law provided the committee with a power that it "otherwise might not have had." Id. Because the Amended Rule does not endow covered entities with any power that they did not have otherwise, the action of the Secretary that Citizens challenge does not fit the Reitman / Nixon mold.
The Amended Rule has not enhanced covered entities' power, under federal or state law, to use or disclose confidential health information without patients' consent. The Rule does not "compel" or "command" or "require" that private entities use information without patients' consent. See Adickes, 398 U.S. at 170. Nor has the Rule changed the situation from one in which nonconsensual routine uses and disclosures were prohibited to one in which they are now encouraged, see Reitman, 387 U.S. 369, or conferred authority on health care providers that they might not have had otherwise. See Nixon, 286 U.S. 73. Accordingly, we conclude that the Secretary's promulgation of the Amended Rule does not satisfy the Constitution's state action requirement.
The fact that covered entities are construing the "may use" language as constituting a new federal seal of approval, and may be ignoring state laws regarding protections to be afforded to such information, is regrettable and disquieting. That routine requests for privacy are apparently being ignored by covered entities is even more unfortunate. But our task here is to determine the constitutionality of the Amended Rule, not the propriety of covered entities' actions under state or common law. Because, for all of the reasons stated above, the covered entities' actions that Citizens challenge do not implicate the federal government, we reject Citizens' Fifth Amendment claim.
B. First Amendment Claim
Citizens' First Amendment claim is that the Amended Rule infringes individuals' right to confidential communications with health care practitioners, i.e., a right to refrain from public speech regarding private personal health information. Citizens argue that the effect of the Amended Rule is to chill speech between individuals and their health care practitioners because the possibility of nonconsensual disclosures makes individuals less likely to participate fully in diagnosis and treatment and more likely to be evasive and withhold important information. Further, because the Rule applies to "health information . . . whether oral or recorded in any form or medium . . . ," 45 C.F.R. § 160.103, Citizens argue that the Rule is a content-based regulation reviewable under strict scrutiny.
We believe that a First Amendment claim is an ill-suited challenge to the Amended Rule. Cf. South Carolina Med. Ass'n v. Thompson, 327 F.3d 346, 355 n.4 (4th Cir. 2003) ("We summarily dispense with appellants' argument that the Privacy Rule will chill patients' rights of free speech, as we find this claim to be without merit."). The cases on which Citizens rely are not authoritative on the precise issue before us. See Bartnicki v. Vopper, 532 U.S. 514, 533 (2001) (suggesting that "the fear of public disclosure of private conversations might well have a chilling effect on private speech," but ultimately holding that any such interest was outweighed in that case by the media's countervailing First Amendment interest in publishing truthful information of public concern); Jaffee v. Redmond, 518 U.S. 1, 11-12 (1996) (citing the "public interest" in confidential communications between a psychotherapist and her patient as justification for recognizing a psychotherapist-patient privilege in federal courts). And, more to the point, Citizens' First Amendment claim fails on the same grounds as their Fifth Amendment claim: the potential "chilling" of patients' rights to free speech derives not from any action of the government, but from the independent decisions of private parties with respect to the use and disclosure of individual health information. For all of the reasons enumerated above, the decisions of the private parties to use or disclose private health information in reliance on the Amended Rule, which may or may not "chill" expression between health care providers and their patients, does not implicate the government in a way that gives rise to a constitutional claim. We will therefore affirm the District Court's grant of summary judgment to the Secretary on Citizens' First Amendment claim.
C. Claims Alleging Violations of HIPAA
In claims based on HIPAA's statutory language, Citizens argue (1) that the Secretary exceeded the regulatory authority delegated by HIPAA because the Act only authorizes the Secretary to promulgate regulations that enhance privacy and (2) that the Amended Rule impermissibly retroactively rescinded individual rights created by the Original Rule and disturbed Citizens' "settled expectations" in the privacy of their health information. We find the District Court's analysis of these statutory claims to be cogent. Citizens argue that the Secretary has eliminated their reasonable expectations of medical privacy retroactively and prospectively and that such action is inconsistent with Congress's intent in enacting HIPAA. However, Citizens' argument that the controlling policy underlying HIPAA is medical privacy and that the Amended Rule wholly sacrifices this interest to covered entities' interests in efficiency and flexibility ignores the Act's stated goals of "simplify[ing] the administration of health insurance," HIPAA pmbl., 110 Stat. at 1936, and "improv[ing] the efficiency and effectiveness of the health care system," HIPAA § 261 (stating purpose of Subtitle F). As the District Court aptly explained, HIPAA requires the Secretary to "balance privacy protection and the efficiency of the health care system--not simply to enhance privacy." Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *43. We thus conclude that Citizens' first HIPAA claim lacks merit.
We also agree with the District Court's finding that the Amended Rule does not retroactively eliminate rights that Citizens enjoyed under the Original Rule or under various laws or standards of practice that existed before the Amended Rule went into effect. Because the Original Rule was amended before its compliance date, "[c]overed entities were never under a legal obligation to comply with the Original Rule's consent requirement." Id. at *45-46. Citizens, therefore, never enjoyed any rights under the Original Rule at all. Nor does the Amended Rule retroactively eliminate Citizens' reasonable expectations based on state law, standards of medical ethics and established standards of practice because the Amended Rule does not disturb any preexisting, "more stringent" state law privacy rights. See id. at *45-46. See also Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53,182, 53,212 (Aug. 14, 2002) ("State laws that are more stringent [than the Privacy Rule] remain in place. In order not to interfere with such laws and ethical standards, this Rule permits covered entities to obtain consent. Nor is the Privacy Rule intended to serve as a 'best practices' standard. Thus, professional standards that are more protective of privacy retain their vitality." (emphasis added)). Accordingly, we reject Citizens' second HIPPA claim as well, and will affirm the grant of summary judgment to the Secretary on these claims.
D. APA Claims
Lastly, Citizens challenge the rulemaking process under the APA, contending that (1) the Secretary's rulemaking was arbitrary and capricious, in violation of 5 U.S.C. § 706(2)(A), and (2) the Secretary failed to provide adequate notice of the rescission of the consent requirement of the Original Rule, a violation of 5 U.S.C. § 553(b)(3). Citizens argue that the Secretary acted arbitrarily and capriciously by failing to adequately explain the rescission of the consent requirement, ignoring earlier findings, and failing to respond to public comments.
We dispose of Citizens' argument that the Secretary did not provide adequate notice to the public of his intention to rescind the consent requirement first. On this point, the District Court correctly pointed out that the APA requires a notice to provide either "the terms or substance of the proposed rule" or "a description of the subjects and issues involved." Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *42-43 (quoting 5 U.S.C. § 553(b)(3)). In this case, the Notice for Proposed Rulemaking did both. See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 14,776, 14,810-14,815 (Mar. 27, 2002) (setting forth the language of the Proposed Amended Rule); id. at 14,778-14,783 (describing the subjects and issues involved in the proposed modification). We will therefore affirm the District Court's grant of summary judgment to the Secretary on this claim.
We also reject Citizens' claim that the Secretary acted arbitrarily and capriciously in promulgating the Amended Rule. Citizens argue that the Secretary acted arbitrarily and capriciously in promulgating the Amended Rule by improperly reversing a "settled course of behavior" established in the Original Rule and adopting a policy that he had previously rejected. When an agency rejects a "settled course of behavior," however, it need only supply a "reasoned analysis" for the change to overcome any presumption that the settled rule best carries out the policies committed to the agency by Congress. Motor Vehicle Mfrs. Ass'n v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 41-42 (1983) (quoting Atchison, T. & S. F. R. Co. v. Wichita Bd. of Trade, 412 U.S. 800, 807-08 (1973)). Such an analysis requires the agency to "examine the relevant data and articulate a satisfactory explanation for its action including a 'rational connection between the facts found and the choice made.'" Id. at 43 (quoting Burlington Truck Lines, Inc. v. United States, 371 U.S. 156, 168 (1962)).
Here, the Secretary examined the relevant data, see Citizens for Public Health, 2004 U.S. Dist. LEXIS 5745, at *39-41, and gave adequate consideration to the large volume of public comments that HHS received during the rulemaking process. Id. at *41-42. The Secretary considered other alternatives and explained why they were unworkable. Id. at *35-38. The Secretary also considered Congress's dual goals in devising the privacy standards, i.e., protecting the confidentiality of personal health information and improving the efficiency and effectiveness of the national health care system. Id. at *41-42.
In sum, the Secretary's decision to respond to the unintended negative effects and administrative burdens of the Original Rule by rescinding the consent requirement for routine uses and implementing more stringent notice requirements was explained in a detailed analysis that rationally connected the decision to the facts. "Normally, an agency rule would be arbitrary and capricious if the agency has relied on factors which Congress has not intended it to consider, entirely failed to consider an important aspect of the problem, offered an explanation for its decision that runs counter to the evidence before the agency, or is so implausible that it could not be ascribed to a difference in view or the product of agency expertise." Id. at *43. The Secretary has not failed in any of these respects, and, hence, we agree with the District Court's analysis and conclusion that the Secretary's decision was reasonable given the findings and that the Secretary did not act arbitrarily and capriciously in violation of the APA. Accordingly, we will affirm the grant of summary judgment to the Secretary on these claims.
For the reasons set forth above, we will AFFIRM the judgment of the District Court.