University of Colorado Hosp. v. Denver Pub. Co., 340 F. Supp. 2d 1142 (D. Colo. 2004)

Paul F. Hultin, Wheeler, Trigg & Kennedy, Joseph J. Bronesky, Frederick Y. Yu, Sherman & Howard, Denver, CO, for Plaintiff.

Marc D. Flink, Baker & Hosteller, Denver, CO, for Defendant.

MILLER, District Judge.

This matter is before me on Defendant's Conditionally Submitted Motion to Dismiss First Amended Complaint Pursuant to Fed.R.Civ.P. 12(b) (6) and 12(b) (1), filed February 17, 2004. For the reasons that follow, the motion will be granted in part and this case will be remanded to the District Court of Adams County, Colorado.

Plaintiff University of Colorado Hospital Authority (University Hospital) filed this action in the District Court of Adams County, Colorado, seeking injunctive relief against defendant Denver Publishing Company (DPC). In its complaint, University Hospital sought an injunction (1) preventing DPC, which publishes the Rocky Mountain News, from publishing or using any of the information contained in a report prepared as part of a University Hospital peer review proceeding ("the Report"), which DPC had obtained from an unknown source, and (2) requiring DPC to return the copy of the Report. Because University Hospital alleged that DPC's use of the Report would violate the Health Insurance Portability and Accountability Act (HIPAA), specifically 42 U.S.C. § 1320d-6, DPC removed the case to this Court on October 6, 2003, pursuant to 28 U.S.C. §§ 1331 and 1441(b).

On October 10, 2003, after hearing oral argument from the parties, I denied University Hospital's motion for a temporary restraining order, which sought to prevent DPC from publishing information from the Report while this case was pending. Subsequently, DPC published articles using information from the Report and posted aiff. *1143 copy of the Report on DPC's website. (Amd. Compl., ¶ 21). Because this rendered University Hospital's original complaint largely moot, it tendered an amended complaint, which was accepted for filing on December 16, 2003.^[1](See March 24, 2004 Order denying Defendant's objections to Magistrate Judge Coan's December 16, 2003 minute order).

In its amended complaint, University Hospital asserts three claims: (1) DPC's publication of the Report violated 42 U.S.C. § 1320d-6 and Colo.Rev.Stat. §§ 12-36.5-104(13) and XX-X-XXXX (Amd. Compl., ¶ 24): (2) DPC's possession of the Report constitutes civil theft in violation of Colo.Rev.Stat. § 18-4-405 (Amd.Compl., ¶ ¶ 26-28); and (3) DPC's use of and refusal to return the Report constitutes trespass to chattels under Colorado state law (Amd.Compl., ¶ ¶ 35-36). University Hospital seeks actual damages, triple damages, attorneys fees, exemplary damages, and an order requiring DPC to return the Report. (Amd.Compl.¶ ¶ a-e). Although University Hospital's amended complaint makes no jurisdictional allegations, the case was removed to this Court on the grounds that its claim under HIPAA provided federal question jurisdiction, 28 U.S.C. § 1331.

A motion to dismiss is appropriate when it appears beyond doubt that the plaintiff could prove no set of facts entitling it to relief. The court must accept as true all well-pleaded facts and construe all reasonable allegations in the light most favorable to the plaintiff. United States v. Colorado Supreme Court, 87 F.3d 1161, 1164 (10th Cir. 1996).

DPC argues that University Hospital's claim asserted under 42 U.S.C. § 1320d-6 must be dismissed because even if DPC violated § 1320d-6, no private right of action exists under HIPAA. University Hospital responds that it has an implied right to redress under HIPAA.

The Supreme Court has stressed that "the fact that a federal statute has been violated and some person harmed does not automatically give rise to a private cause of action in favor of that person." Touche Ross & Co. v. Redington, 442 U.S. 560, 568, 99 S. Ct. 2479, 61 L. Ed. 2d 82 (1979). Rather, "private rights of action to enforce federal law must be created by Congress." Alexander v. Sandoval, 532 U.S. 275, 286, 121 S. Ct. 1511, 149 L. Ed. 2d 517 (2001). Where, as here, a statute does not expressly authorize a private right of action, such a right may be implied under some circumstances. Touche Ross, 442 U.S. at 569, 99 S. Ct. 2479.

Courts formerly determined whether a private right of action should be implied under the four-part test described in Cort v. Ash, 422 U.S. 66, 78, 95 S. Ct. 2080, 45 L. Ed. 2d 26 (1975).^[2] However, the Tenth Circuit has interpreted subsequent Supreme Court decisions as condensing the four-factors into a single inquiry: "whether Congress expressly or by implication, *1144 intended to create a private cause of action." Boswell v. Skywest Airlines, 361 F.3d 1263, 1267 (10th Cir.2004) (quoting Sonnenfeld v. City & County of Denver, 100 F.3d 744, 747 (10th Cir.1996)).

To make this determination, I hold first "look to the statutory text for `rights-creating' language." Love v. Delta Air Lines, 310 F.3d 1347, 1352 (11th Cir.2002) (quoting Sandoval 532 U.S. at 288, 121 S.Ct. 1511). Rights-creating language is that "explicitly conferring a right directly on a class of persons that includes the plaintiff....or language identifying the class for whose especial benefit the statute was enacted." Id. (internal quotations omitted). Statutory language "customarily found in criminal statutes and other laws enacted for the protection of the general public....provide[ ] far less reason to infer a private remedy in favor of individual remedies." Id, (quoting Cannon v. Univ. of Chicago, 441 U.S. 677, 690-693, 99 S. Ct. 1946, 60 L. Ed. 2d 560 (1979)). "Statutes that focus on the person regulated rather than the individuals protected create `no implication of an intent to confer rights on a particular class of persons.'" Sandoval, 532 U.S. at 289, 121 S. Ct. 1511 (quoting California v. Sierra Club, 451 U.S. 287, 294, 101 S. Ct. 1775, 68 L. Ed. 2d 101 (1981)).

Second, I am to examine "the statutory structure within which the provision in question is embedded. Love, 310 F.3d at 1353. If the statutory structure provides a discernable enforcement mechanism, I should not imply a private right of action. Id.See also Sandoval, 532 U.S. at 290, 121 S. Ct. 1511 ("[t]he express provision of one method of enforcing a substantive rule suggests that Congress intended to preclude others"). Finally, only if statutory text and structure have not conclusively resolved the issue may I turn to the legislative history and context within which a statute was passed. Love, 310 F.3d at 1353.

The statutory provision under which University Hospital seeks to hold DPC liable prohibits a person from knowingly obtaining or disclosing individually identifiable health information. 42 U.S.C. §§ 1320d-6(a) (2) & (3). The provision also establishes penalties for violations, ranging up to a $250,000 fine and ten years imprisonment when the offense is committed with "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm." 42 U.S.C. § 1320d-6(b) (3).^[3]

Neither § 1320d-6, nor any other section of HIPAA, contains any language conferring privacy rights upon, or identifying as the intended beneficiary of § 1320d-6, any specific class of persons (particularly one which would include healthcare providers such as University Hospital). Love, 310 F.3d at 1352. See also Schmeling v. *1145 NORDAM, 97 F.3d 1336, 1344 (10th Cir. 1996) (even congressional findings that FAA drug testing laws are meant in part to benefit aviation employees does not show that Congress intended employees to have a private right of action). § 1320d-6 does not focus on individuals whose privacy may be at risk, but instead on regulating persons who might have access to individuals' health information. See Sandoval, 532 U.S. at 289, 121 S. Ct. 1511. Additionally, the language in § 1320d-6 mirrors that customarily appearing in criminal statutes, and thus creates little reason to infer a private remedy. See Love, 310 F.3d at 1352. As a result, the statutory text displays no intent to create a private right of action under § 1320d-6.

The statutory structure of HIPAA likewise precludes implication of a private right of action. § 1320d-6 expressly provides a method for enforcing its prohibition upon use or disclosure of individual's health information-the punitive imposition of fines and imprisonment for violations. See Sandoval, 532 U.S. at 290, 121 S. Ct. 1511; Boswell, 361 F.3d at 1270 ("Congress's creation of specific means of enforcing the statute indicates that it did not intend to allow an additional remedy-a private right of action-that it did not expressly mention at all"). Consequently, I find "no evidence that Congress intended to create the right of action asserted by [University Hospital], and... conclude that such a right does not exist." See Schmeling, 97 F.3d at 1344.

My conclusion is buttressed by the fact that federal courts have consistently refused to find a private right of action under HIPAA, albeit when analyzing different provisions of the statute. See Wright v. Combined Ins. Co. of Am., 959 F. Supp. 356, 363 (N.D.Miss.1997) ("[i]n HIPAA, the undersigned cannot find any `manifest congressional intent' to create a new federal cause of action"); Means v. Ind. Life & Accident Ins. Co., 963 F. Supp. 1131, 1135 (M.D.Ala.1997) ("the court finds no evidence of congressional intent to create a private right of action under the HIPAA"); Brock v. Provident Am. Ins. Co., 144 F. Supp. 2d 652, 657 (N.D.Tex.2001); O'Donnell v. Blue Cross Blue Shield of Wyoming, 173 F. Supp. 2d 1176, 1180 (D.Wyo.2001). Furthermore, legal commentators appear to unanimously assume that there is no private right of action under HIPAA, including to enforce the "privacy rule" of § 1320d-6. See, e.g., A Craig Eddy, A Critical Analysis of Health and Humans Services' Proposed Health Privacy Regulations in Light of the Health Insurance Privacy and Accountability Act of 1996, 9 Annals Health L. 1, 32 (2000); Francoise Gilbert, Emerging Issues in Global Aids Policy; Preserving Privacy, 25 Whittier L.Rev. 273, 289 (2003); Joy L. Pritts, Altered States: State Health Privacy Latvs and the Impact of the Federal Health Privacy Rule, 2 Yale J. Health Pol'y L. & Ethics, 325, 343 (2002); Frederick Y. Yu, Medical Information Privacy under HIPAA: A Practical Guide, Colorado Lawyer, May 2003, at 22.

University Hospital, however, argues that I should focus on the "contemporary legal context" existent at the time HIPAA was passed. See Sonnenfeld, 100 F.3d at 747. In Sonnenfeld, the issue was whether Congress' amendment of the definition of "person" under the Securities Exchange Act to include local governments allowed private individuals to proceed under § 10(b) against local governments. Id. at 746. The court relied upon the "contemporary legal context;" i.e., the fact that Congress was acting in a statutory context where the existence of a private cause of action was established "beyond peradventure" to find that Congress intended to allow such private actions. Id. at 746^7. No such contemporary legal context exists here. Moreover, because I find that the *1146 statutory text and structure conclusively resolve whether a private right of action exists under HIPAA, I am not permitted to consider the statute's legislative history or context within which it was passed. Love, 310 F.3d at 1353.

University Hospital also argues that failure to recognize an implied right of action would "effectively frustrate" the purposes of enacting HIPAA. See Abrahamson v. Fleschner, 568 F.2d 862, 872 (2nd Cir. 1977). See also Beckett v. Atlas Air, Inc., No. CV 95-0480, 1995 WL 498703, at *3 (E.D.N.Y. Aug. 14, 1995) (unpublished decision) (private right of action should be implied under Railway Labor Act because its criminal sanctions are not enough to achieve the statute's objective). However, the Supreme Court recently emphasized that it is not the "duty of the courts to be alert to provide such remedies as are necessary to make effective the congressional purpose expressed by a statute." Sandoval, 532 U.S. at 287, 121 S. Ct. 1511. Consequently, absent a finding of statutory intent, courts may not imply a cause of action "no matter how desirable that might be as a policy matter, or how compatible with the statute." Id. at 286-87, 121 S. Ct. 1511. Because I find no such statutory intent in HIPAA, I may not imply a private right of action, and University Hospital's claim under HIPAA should be dismissed.

The HIPAA claim was the only federal claim asserted in University Hospital's complaint. University Hospital suggests that if I dismiss its HIPAA claim I should decline to exercise jurisdiction over the remaining state law claims under 28 U.S.C. § 1367 and remand the case to state court. (Univ. Hospital's Resp., at 3). I agree.

Although I have the discretion to try pendent state claims after dismissing the federal claim that established the court's original jurisdiction, I should exercise this discretion only "in those cases in which, given the nature and extent of pretrial proceedings, judicial economy, convenience, and fairness would be served by retaining jurisdiction." Thatcher Enter, v. Cache County Corp., 902 F.2d 1472, 1478 (10th Cir.1990). Here, pretrial proceedings have not been extensive. In fact, this case has been stayed since June 25, 2004, pending my determination of this motion. Most importantly, University Hospital's state law claims appear to raise novel and complex issues of state law, such as whether a private right of action exists under various state statutes and whether DPC's possession of a copy of the Report constitutes a trespass to chattel. Not only is the state court quite able to decide such state issues, it is really the most appropriate forum to do so. Anglemyer v. Hamilton County Hosp., 58 F.3d 533, 541 (10th Cir. 1995).

Remand is appropriate when it "best promote[s] the values of economy, convenience, fairness, and comity." Carnegie-Mellon Univ. v. Cohill, 484 U.S. 343, 353, 108 S. Ct. 614, 98 L. Ed. 2d 720 (1988). Given comity considerations and the extra time and expense the parties would incur were I to dismiss this case, I conclude that remand is appropriate. See id.

Accordingly, it is ordered:

1. Defendant's Motion to Dismiss, filed October 23, 2003 (Docket # 13), is denied as moot.

2. Defendant's Conditionally Submitted Motion to Dismiss, filed February 17, 2004 (Docket # 40), is granted in part.

3. Plaintiffs claim that Defendant's actions violated 42 U.S.C. § 1320d-6 is dismissed with prejudice. Plaintiffs state law claims remain pending.

*1147 4. This case shall be remanded to the District Court of Adams County, Colorado.

[1] DPC had filed a motion to dismiss the original complaint on October 23, 2003. However, the Court's acceptance of University Hospital's amended complaint on December 16, 2003 mooted this prior motion.

[2] The four factors were "whether: (1) the plaintiff is part of the class for whose benefit the statute was enacted; (2) there is any indication of legislative intent, explicit or implicit, either to create or to deny a private right of action; (3) it would be consistent with the underlying purpose of the legislative scheme to imply a private right of action; and (4) the cause of action is one traditionally relegated to state law, so that it would be inappropriate to infer a cause of action based solely on state law." Boswell v. Skywest Airlines, 361 F.3d 1263, 1267 (10th Cir.2004).

[3] In its entirety, 42 U.S.C. § 1320d-6 states:

(a)Offense

A person who knowingly and in violation of this part-

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection

(b) of this section,

(b) Penalties

A person described in subsection (a) of this section shall-

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.