Appeal from the United States District Court for the Eastern District of Pennsylvania (D.C. Civil No. 03-cv-02267). District Judge: Honorable Mary A. McLaughlin.
The opinion of the court was delivered by: Rendell, Circuit Judge.
Before: McKEE, RENDELL and NYGAARD*fn1, Circuit Judges.
Appellant Citizens for Health, along with nine other national and state associations and nine individuals (collectively "Citizens"), brought this action against the Secretary of the United States Department of Health and Human Services ("HHS" or "Agency") challenging a rule promulgated by the Agency pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. 104-191, 110 Stat. 1936. Citizens allege that the "Privacy Rule"--officially titled "Standards for Privacy of Individually Identifiable Health Information"--is invalid because it unlawfully authorizes health plans, health care clearinghouses, and certain health care providers to use and disclose personal health information for so-called "routine uses" without patient consent. The relevant part of the specific offending provision of the Privacy Rule reads:
(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) [relating to psychotherapy notes] and (3) [relating to marketing], a covered entity may use or disclose protected health information for treatment, payment, or health care operations . . . provided that such use or disclosure is consistent with other applicable requirements of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.
(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.
45 C.F.R. § 164.506 (emphasis added). Citizens challenge subsection (a) as authorizing disclosures that, they contend, violate individual privacy rights.
The District Court granted summary judgment to the Secretary on all of Citizens' claims based on its conclusions that the promulgation of the Privacy Rule did not violate the Administrative Procedure Act, that the Secretary did not exceed the scope of authority granted to him by HIPAA, and that, insofar as the Privacy Rule is permissive and does not compel any uses or disclosures of personal health information by providers, it does not affirmatively interfere with any right protected by the First or Fifth Amendments. Because we reason to the same conclusions reached by the District Court, albeit under a slightly different analysis, we will affirm.
The objectionable provision is only one aspect of a complex set of regulations that is the last in a series of attempts by HHS to strike a balance between two competing objectives of HIPAA--improving the efficiency and effectiveness of the national health care system and preserving individual privacy in personal health information.
HIPAA was passed by Congress in August 1996 to address a number of issues regarding the national health care and health insurance system. The statutory provisions relevant to the issues in this case are found in Subtitle F of Title II.*fn2 Aimed at "administrative simplification," HIPAA Sections 261 through 264 provide for "the establishment of standards and requirements for the electronic transmission of certain health information." § 261, 110 Stat. at 2021. More specifically, these provisions direct the Secretary to adopt uniform national standards for the secure electronic exchange of health information. § 262, 110 Stat. at 2021-26.
Section 264 prescribes the process by which standards regarding the privacy of individually identifiable health information were to be adopted. § 264(a), 110 Stat. at 2033. This process contemplated that, within a year of HIPAA's enactment, the Secretary would submit detailed recommendations on such privacy standards, including individual rights concerning individually identifiable health information, procedures for exercising such rights, and the "uses and disclosures of such information that should be authorized or required," to Congress. § 264(a)-(b), 110 Stat. at 2033. If Congress did not enact further legislation within three years of HIPAA's enactment, the Secretary was directed to promulgate final regulations implementing the standards within 42 months of HIPAA's enactment. § 264(c)(1), 110 Stat. at 2033. The Act specified that any regulation promulgated pursuant to the authority of Section 264 would provide a federal baseline for privacy protection, but that such regulations would "not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." § 264(c)(2), 110 Stat. at 2033-34.*fn3
Because Congress did not enact privacy legislation by its self-imposed three-year deadline, the Secretary promulgated the privacy standards contemplated in Section 264 through an administrative rulemaking process. During this process, the Rule went through four iterations: the Proposed Original Rule, the Original Rule, the Proposed Amended Rule, and the Amended Rule.*fn4 The Original Rule required covered entities to seek individual consent before using or disclosing protected health information for routine uses. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,810 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164 (2002)). Before the Original Rule could take effect, however, the Secretary was inundated with unsolicited criticism, principally from health care insurers and providers, warning that the Original Rule's mandatory consent provisions would significantly impact the ability of the health care industry to operate efficiently.*fn5 Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776, 14,777 (Mar. 27, 2002). He responded by reopening the rulemaking process. Id. at 14,776. The final result was the Amended Rule--the currently effective, codified version of the Privacy Rule, see generally 45 C.F.R. pts. 160 & 164, which is the subject of Citizens' challenge here.*fn6
The Amended Rule retains most of the Original Rule's privacy protections. It prohibits "covered entities"*fn7 --defined as health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the regulations--from using or disclosing an individual's "protected health information"--defined as individually identifiable health information maintained in or transmitted in any form or media including electronic media--except as otherwise provided by the Rule. See 45 C.F.R. §§ 160.103 (defining "covered entities" and "protected health information"), 164.502(a) ("A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter."). Covered entities must seek authorization from individuals before using or disclosing information unless a specific exception applies. Id. § 164.508(a)(1) ("Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section."). Uses and disclosures that the Amended Rule allows must be limited to the "minimum necessary" to accomplish the intended purpose. Id. § 164.502(b).
The Amended Rule departs from the Original Rule in one crucial respect. Where the Original Rule required covered entities to seek individual consent to use or disclose health information in all but the narrowest of circumstances,*fn8 the Amended Rule allows such uses and disclosures without patient consent for "treatment, payment, and health care operations"--so-called "routine uses." Id. §§ 164.506 (providing routine use exception). "Health care operations," the broadest category under the routine use exception, refers to a range of management functions of covered entities, including quality assessment, practitioner evaluation, student training programs, insurance rating, auditing services, and business planning and development. Id. § 164.501. The Rule allows individuals the right to request restrictions on uses and disclosures of protected health information and to enter into agreements with covered entities regarding such restrictions, but does not require covered entities to abide by such requests or to agree to any restriction. Id. § 164.522(a). The ...