W. Va. Dept. of Health and Human Resources/Behavioral Health v. E.H., et al. (Separate)

No. 14-0965 - West Virginia Department of Health and Human Resources, Bureau for Behavioral Health and Health Facilities v. E.H., et al.

FILED October 22, 2015
RORY L. PERRY II, CLERK
SUPREME COURT OF APPEALS OF WEST VIRGINIA

Davis, Justice, dissenting:

In this proceeding, Legal Aid sought to force DHHR to continue to allow Legal Aid to have complete access to patient records, without patient consent, at the Bateman and Sharpe psychiatric facilities. Before this Court, DHHR argued that it was violating federal law, specifically HIPAA, when it previously authorized Legal Aid to have complete access to patient records without the consent of the patients. The circuit court and majority opinion disagreed with DHHR. The circuit court found that Legal Aid did not need patient consent to have unfettered access to patient records, because Legal Aid came under the following exceptions recognized by HIPAA: business associate, health oversight agency, health care operations, and legal requirement. The majority opinion correctly found that not one of the exceptions relied upon by the trial court applied to Legal Aid. Rather than stopping there and reversing the circuit court’s order, the majority opinion affirmed the circuit court on a different ground. With absolutely no legal analysis, the majority opinion determined that Legal Aid could have unfettered access to patient information because of the “more stringent” State law exception found under HIPAA. As I will demonstrate below, if the majority opinion had performed but a scintilla of the legal analysis that is required to determine whether a State law is more stringent than HIPAA, it would have reversed the circuit court’s order. Consequently, for the reasons set out below, I dissent.

The Majority Decision Authorizes Legal Aid to Violate Federal Law

Because of the arrogant and complete disregard of federal law by the majority opinion, I must start my dissent with a review of some basic legal principles.
To begin, it has been noted that “[t]he preemption doctrine has its origin in the Supremacy Clause of the United States Constitution[.]” Hartley Marine Corp. v. Mierke, 196 W. Va. 669, 673, 474 S.E.2d 599, 603 (1996). See also Harrison v. Skyline Corp., 224 W. Va. 505, 510, 686 S.E.2d 735, 740 (2009) (“[T]he preemption doctrine has its roots in the supremacy clause of the United States Constitution and is based on the premise that federal law can supplant inconsistent state law.”). The Supremacy Clause of the federal constitution provides that the laws of the United States “shall be the supreme law of the Land; . . . anything in the Constitution or laws of any state to the Contrary notwithstanding.” U.S. Const. Art. VI, Cl. 2. We have recognized that “[t]he Supremacy Clause of the United States Constitution, Article VI, Clause 2, invalidates state laws that interfere with or are contrary to federal law.” Syl. pt. 1, Cutright v. Metropolitan Life Ins. Co., 201 W. Va. 50, 491 S.E.2d 308 (1997).

Pursuant to the Supremacy Clause, federal preemption of state law occurs if: (1) Congress expressly preempts state law; (2) Congress has completely supplanted state law in that field; (3) adhering to both state and federal law is not possible; or (4) state law impedes the achievement of the objectives of Congress. See Crosby v. Nat’l Foreign Trade Council, 530 U.S. 363, 372, 120 S. Ct. 2288, 2293-94, 147 L. Ed. 2d 352 (2000). “Although Congressional intent is commonly the starting point for federal preemption analysis, the existence of an express preemption provision in a statute nullifies the need for further analysis.” Wade v. Vabnick-Wener, 922 F. Supp. 2d 679, 686 (internal citations omitted). See also Syl. pt. 4, Morgan v. Ford Motor Co., 224 W. Va. 62, 680 S.E.2d 77 (2009) (“When it is argued that a state law is preempted by a federal law, the focus of analysis is upon congressional intent.
Preemption is compelled whether Congress’ command is explicitly stated in the statute’s language or implicitly contained in its structure and purpose.”). HIPAA sets out an express preemption provision; therefore, no further analysis is necessary to discern Congressional intent. See Cipollone v. Liggett Grp., Inc., 505 U.S. 504, 517, 112 S. Ct. 2608, 2618, 120 L. Ed. 2d 407 (1992) (“When Congress has considered the issue of pre-emption and has included in the enacted legislation a provision explicitly addressing that issue, and when that provision provides a reliable indicium of congressional intent with respect to state authority, there is no need to infer congressional intent to pre-empt state laws from the substantive provisions of the legislation. . . . Therefore, we need only identify the domain expressly pre-empted by each of those sections.” (internal quotations and citations omitted)).

Congress enacted HIPAA in 1996, in part, to protect the privacy of individually identifiable health information. See Jennifer Guthrie, “Time Is Running Out–The Burdens and Challenges of HIPAA Compliance: A Look at Preemption Analysis, the ‘Minimum Necessary’ Standard, and the Notice of Privacy Practices,” 12 Annals Health L. 143, 146 (2003) (“The main premise of HIPAA is to protect individually identifiable health information. This means that certain information will not be revealed without a patient’s express authorization, in an effort to contain important information to as few people as possible.”). For purposes of HIPAA, protected health information “is any health information, oral or recorded, that is individually identifiable and transmitted or maintained by a covered entity in any form or medium.” Holman v. Rasak, 486 Mich. 429, 435-36, 785 N.W.2d 98, 102 (2010). The Secretary of Health and Human Services was directed by Congress to promulgate regulations setting privacy standards for health information. See Northwestern Mem’l Hosp. v.
Ashcroft, 362 F.3d 923, 924 (7th Cir. 2004) (“Section 264 of HIPAA, 42 U.S.C. § 1320d . . . , directs the Secretary of Health and Human Services to promulgate regulations to protect the privacy of medical records[.]”).1 In 2000, the Secretary responded by issuing the Standards for Privacy of Individually Identifiable Health Information, known as the “Privacy Rule” and codified at 45 C.F.R. 160, 164. See Smith v. Am. Home Prods. Corp. Wyeth-Ayerst Pharm., 372 N.J. Super. 105, 111 n.2, 855 A.2d 608, 612 n.2 (2003) (“On December 28, 2000, pursuant to a mandate under the ‘administrative simplification’ provisions of HIPAA, the Department of Health and Human Services issued new standards for privacy of individually identifiable health information (IIHI) called ‘The Final Privacy Rule’ as published in the Federal Register.”).2 Compliance with the Privacy Rule was not required until 2003.3 See United States v. Sutherland, 143 F. Supp. 2d 609, 612 (W.D. Va. 2001) (“Although the Standards were effective April 14, 2001, compliance is not required until April 14, 2003.”).

1 Actually, “HIPAA mandated the passage of comprehensive privacy legislation by Congress within three years, otherwise the Department of Health and Human Services was required to step in and create privacy regulations.” Guthrie, “Time Is Running Out,” 12 Annals Health L. at 144.

2 It is important that I point out the significance of the year in which HIPAA was created, 1996, and the date the Privacy Rule was created, 2000, because this will help explain the initial broad authority DHHR gave to Legal Aid. When the litigation originally began in this case, 1981, HIPAA did not exist–no expansive patient privacy rights existed. It was in 1990, pre-HIPAA, that DHHR first contracted to have Legal Aid monitor patient health care services at Bateman and Sharpe. It was only after the creation of HIPAA that DHHR realized that, in order for Legal Aid to continue to have access to patient records without patient consent, Legal Aid had to come under an exception to HIPAA. It appears that, initially, DHHR believed that Legal Aid came under the “business associate” exception created by the Privacy Rule. The majority opinion acknowledged this fact in footnote 28. However, in 2014, an astute Privacy Officer at DHHR realized that it was permitting Legal Aid to violate HIPAA, because Legal Aid did not come under the “business associate” exception to the privacy requirements. It was only after this determination, which even the majority opinion conceded was correct, that DHHR began requiring Legal Aid comply with HIPAA by obtaining patient consent before it could review patient records. There was nothing sinister in this, as was suggested by the majority opinion. DHHR simply was trying to comply with federal law–something the majority believes is not necessary in spite of the Supremacy Clause.

3 For ease in understanding, I will refer to HIPAA and the Privacy Rule collectively as HIPAA.

Specific to the case at hand, the Secretary promulgated a federal regulation on HIPAA’s preemptive effect. See Morgan v. Ford Motor Co., 224 W. Va. 62, 70, 680 S.E.2d 77, 85 (2009) (“[T]he U.S. Supreme Court has recognized that an agency regulation with the force of law can explicitly or implicitly preempt conflicting state regulations.”). This regulation states that “[a] standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.” 45 C.F.R. § 160.203.4 See Nat’l Abortion Fed’n v. Ashcroft, No. 03 Civ. 8695(RCC), 2004 WL 555701, at *3 (S.D.N.Y. March 19, 2004) (“Recognizing that HIPAA’s privacy provisions might differ from state regulations, Congress directed that all state laws contrary to the regulations promulgated by HHS be preempted, unless the state laws fall within the exception created by HIPAA[.]”).
It has been recognized that the regulations “restrict and define the ability of health plans, health care clearinghouses, and most health care providers to divulge patient medical records.” United States v. Sutherland, 143 F. Supp. 2d 609, 612 (W.D. Va. 2001). “[T]he intent of HIPAA is to ensure the integrity and confidentiality of patients’ [medical] information and to protect against unauthorized uses or disclosures of the information[.]” In re Antonia E., 838 N.Y.S.2d 872, 874-75 (2007) (internal quotations and citations omitted).

4 The regulations define State law as “a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.” 45 C.F.R. § 160.202. See Crenshaw v. MONY Life Ins. Co., 318 F. Supp. 2d 1015, 1028 (S.D. Cal. 2004).

Under HIPAA, the general rule is that a covered entity may not use or disclose protected health information without a written authorization from the individual. See 45 CFR 164.508. However, as recognized by the majority opinion, HIPAA enumerates several specific situations in which a covered entity may use or disclose protected health information without the written authorization of the individual. See Pal v. New York Univ., No. 06Civ.5892 (BSJ)(FM), 2007 WL 1522618, at *3 (S.D.N.Y. May 22, 2007) (“HIPAA permits the disclosure of ‘protected health information’ without a patient’s consent in a variety of circumstances.”). The majority opinion found that only one of HIPAA’s exceptions to the general privacy of health information applied to the facts of this case.5 That exception involves a State law that is “more stringent” than HIPAA. See 45 C.F.R. § 160.203(b) (“The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.”).
That is, “courts have recognized that HIPAA does not preempt ‘more stringent’ privacy protections guaranteed under state law.” Pac. Radiation Oncology, LLC v. Queen’s Med. Ctr., 47 F. Supp. 3d 1069, 1081 (D. Haw. 2014). Accord Citizens for Health v. Leavitt, 428 F.3d 167, 174 (3d Cir. 2005).

5 I previously noted that the majority opinion correctly found that the exceptions for business associate, health oversight agency, health care operations, and required by law did not apply.

The majority opinion reached the conclusion that our State law was more stringent than HIPAA without performing any legal analysis of this complex issue. The majority opinion, in a rather awkward way, merely pointed out that DHHR had annually “conclud[ed] that our state laws set forth in 64 CSR § 59 are not preempted by HIPAA as our provisions are more stringent.” The majority opinion then went on to provide:

From the record submitted in this case, the protections set forth in Title 64, Series 59 have been determined to be more stringent than those required by federal law. Accordingly, our state regulations set forth in Title 64, Series 59 are not preempted by HIPAA.

This was the sum total of how and why the majority opinion determined that our State law was more stringent than HIPAA. This total lack of analysis makes no sense. It is illogical to rely on a general finding by DHHR that its regulations are more stringent than HIPAA, when DHHR already had realized its disclosures to Legal Aid violated HIPAA, and DHHR tried to correct the violation by asserting that no authority exists for Legal Aid to indiscriminately access patient information. More fundamentally, the yardstick used by the majority opinion to determine whether a State law is more stringent than HIPAA is absurd! Under the majority opinion’s mind-boggling yardstick, all that any state must do to get around HIPAA is unilaterally proclaim that its laws are more stringent than HIPAA.
Surely Congress did not mean for HIPAA and the Supremacy Clause to be defeated in such a self-serving manner. Indeed, as I will demonstrate below, this absolutely was not what Congress intended.

“[A] standard is more stringent if it provides greater privacy protection for the individual who is the subject of the individually identifiable health information than the standard set forth in the rules and regulations.” Bayne v. Provost, 359 F. Supp. 2d 234, 237-38 (N.D.N.Y. 2005) (internal quotations and citations omitted). See also Wade v. Vabnick-Wener, 922 F. Supp. 2d 679, 686 (“To meet the ‘more stringent’ requirement, a state law must ‘provide greater protection for the individual who is the subject of the individually identifiable health information’ than the standard set forth by HIPAA and its regulations.”). More importantly, it has been recognized that, under federal law, “‘[m]ore stringent,’ as defined in 45 C.F.R. § 160.202, means, that the state law meets any one of six criteria.” Law v. Zuckerman, 307 F. Supp. 2d 705, 709 (D. Md. 2004). See also Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1087 (9th Cir. 2007) (“‘More stringent’ laws are defined.”).
The six criteria under HIPAA that define “more stringent,” have been summarized by the Fourth Circuit as follows:

[1] the state law prohibits or restricts a use or a disclosure of information where HIPAA would allow it; [2] the state law provides an individual with greater rights of access or amendment to his medical information than provided under HIPAA; [3] the state law provides an individual with a greater amount of information about a use, a disclosure, rights and remedies; [4] [state law provides requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission of an individual to disclose information]; [5] the state law provides for the retention or reporting of more detailed information or for a longer duration; or [6] the state law provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

South Carolina Med. Ass’n v. Thompson, 327 F.3d 346, 355 (4th Cir. 2003). Accord In re Antonia E., 838 N.Y.S.2d 872, 876 (2007).

Simply put, in order for a court to determine that a State law is more stringent than HIPAA, it must find that the State law satisfies one of the six definitions of “more stringent” contained under 45 C.F.R. § 160.202. The majority opinion in this case literally failed to even cite, let alone discuss, the mandatory six criteria set out under 45 C.F.R. § 160.202. Ignoring the law, or pretending the law does not exist, should not be a license to manipulate and corrupt the law.

My research revealed that other courts called upon to decide whether a State law was more stringent than HIPAA have complied with federal law and applied the six criteria under 45 C.F.R. § 160.202. For example, a case which examined all six criteria under 45 C.F.R. § 160.202 is State v. La Cava, No. CR060128258S, 2007 WL 1599888 (Conn. Super. Ct. May 17, 2007).
In La Cava, the court was asked to decide whether a Connecticut statute, which authorized disclosure of patient information in a judicial proceeding and in certain other circumstances, was more stringent than HIPAA. The Connecticut statute allowed:

(1) any patient who has been treated in a private hospital, public hospital society or corporation receiving state aid to, upon the demand, examine and/or copy her hospital record, including the history, bedside notes, charts, pictures and plates kept in connection with her treatment and authorize her physician or attorney to do the same; (2) a hospital, society or corporation that is served with a subpoena issued by competent authority directing the production of a hospital record to deliver such record or a copy thereof to the clerk of such court where it will remain sealed except upon the order of a judge of the court concerned; (3) any and all parts of the hospital record or copy that is not otherwise inadmissible to be admitted in evidence without the necessity of having a witness from the hospital identify the records as ones kept in the usual course of business by the hospital.

La Cava, 2007 WL 1599888, at *3.
The decision in La Cava summarily applied the six criteria under 45 C.F.R. § 160.202 and determined that the Connecticut statute was not more stringent than HIPAA:

In comparison to [HIPAA’s requirements for disclosures for judicial and administrative proceedings], [the state statute] does not: (1) prohibit or restrict a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under the federal rule; (2) permit greater rights of access or amendment to the individual who is the subject of the individually identifiable health information; (3) provide a greater amount of information to the individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies; (4) provide requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the need for express legal permission from the individual who is the subject of the individually identifiable health information with respect to the form, substance, or the need for express legal permission; (5) provide for the retention or reporting of more detailed information or for a longer duration with respect to recordkeeping or requirements relating to accounting of disclosures; and (6) provide greater privacy protection for the individual who is the subject of the individually identifiable health information with respect to any other matter. Accordingly, the state statute is not more stringent than the federal regulation. Because [the state statute] is a contrary state law that is not more stringent than the Privacy Rule, it is preempted in accordance with 45 C.F.R. § 160.203 (2007).

La Cava, 2007 WL 1599888, at *3.

In U.S. ex rel. Stewart v. Louisiana Clinic, No. CivA. 99-1767, 2002 WL 31819130 (E.D. La. Dec.
12, 2002), the defendants attempted to prevent disclosure of patient information in a judicial proceeding by invoking the protections of a Louisiana statute. The disclosure was allowed under HIPAA, but was not allowed under Louisiana law. The opinion in Stewart framed the issue as follows:

Defendants argue that HIPAA does not preempt Louisiana law concerning disclosure of nonparty patient records without patient consent. . . . Defendants focus solely on the “more stringent” element of this regulatory test and on paragraph (4) of the definition of “more stringent.”

“More stringent” means a State law that meets one or more of the following criteria: . . . (4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

Defendants argue that the Louisiana health care provider/patient privilege law is more stringent than the federal regulations. They contend that the Louisiana statute increases the privacy protections afforded to individual patients by requiring either patient consent for the disclosure or, in the absence of consent, that a “court shall, issue an order for the production and disclosure of a patient’s records . . . only: after a contradictory hearing with the patient . . . and after a finding by the court that the release of the requested information is proper.”

Stewart, 2002 WL 31819130, at *4-5. The court in Stewart found that, based upon the defendants’ reliance solely on the fourth criterion of 45 C.F.R.
§ 160.202, Louisiana law was not more stringent than HIPAA:

Defendants’ argument fails because this provision of Louisiana law does not address “the form, substance, or the need for express legal permission from an individual,” as required by 45 C.F.R. § 160.202 for the exception to apply. Rather, the Louisiana statute provides a way of negating the need for such permission. In other words, although the individual patient may attend the contradictory hearing, the Louisiana provision states that the court shall issue an order for disclosure (despite the patient’s lack of consent), if the court finds that release of the information is proper. Because the Louisiana statute does not fit within the exception from preemption cited by defendants, it is preempted by the HIPAA regulations. Therefore, Louisiana law does not apply in this pure federal question case.

Stewart, 2002 WL 31819130, at *5.

A case which illustrates a State statute that was actually found to be more stringent than HIPAA is Wade v. Vabnick-Wener, 922 F. Supp. 2d 679. In Wade, the court was called upon to decide whether Tennessee’s privacy law, on ex parte communication with a plaintiff’s treating physician was more stringent than HIPAA. The opinion relied upon the sixth criterion of 45 C.F.R. § 160.202. That is, “a state law must ‘provide greater protection for the individual who is the subject of the individually identifiable health information’ than the standard set forth by HIPAA and its regulations.” Wade, 922 F. Supp. 2d at 686. The opinion determined that, based upon the sixth criterion, Tennessee’s law was more stringent than HIPAA:

It is therefore clear that Tennessee law is more stringent than HIPAA’s privacy rules concerning ex parte communications with health care providers. Absent a plaintiff’s express consent, Tennessee law prohibits informal communications with the plaintiff’s treating physician to obtain health information.
On the contrary, HIPAA only bars such communications prior to the entry of a qualified protective order. After the requisite protective order is entered, whether by consent or over the plaintiff’s objection, defendant is free to utilize informal discovery, including specifically ex parte interviews, under HIPAA. Accordingly, because the laws of Tennessee are more stringent than HIPAA concerning defense counsel’s ability to make use of informal discovery methods, HIPAA does not preempt Tennessee’s ban on ex parte communications with a plaintiff’s non-party treating physician.

Wade, 922 F. Supp. 2d at 691-92. See Nat’l Abortion Fed’n v. Ashcroft, No. 04 C 55, 2004 WL 292079, at *4 (N.D. Ill. Feb. 6, 2004) (“Because we find that Illinois law is more stringent than HIPAA’s disclosure requirements and that it would be impossible for Northwestern to comply with both Judge Casey’s HIPAA-pursuant Order and various provisions of Illinois law, Illinois’s nonparty patient privacy laws are not preempted by HIPAA and its subsequent regulations.”); Pal v. New York Univ., 2007 WL 1522618, at *3 (“Because New York law requires patient consent before disclosure and HIPAA provides for certain exceptions to that rule, New York law is more stringent.”); Tyson v. Warden, No. CV064001202, 2007 WL 4171583, at *2 (Conn. Super. Ct. Nov. 5, 2007) (“It is clear to this court that § 52-146k and 52-146o prohibit disclosure where the HIPAA regulation relied upon by the petitioner would allow it. Sections 52-146k and 52-146o provide greater protection of the victim’s private health information and are therefore not preempted by HIPAA.”); In re Antonia E., 838 N.Y.S.2d 872, 876 (2007) (“Upon consideration of the physician-patient privilege and the broad provisions for court ordered disclosure under HIPAA, this Court finds that HIPAA provisions do not supersede New York law.”).
The above cases clearly demonstrate that a court cannot determine that a State statute is more stringent than HIPAA by relying solely on a state agency’s statement that a particular state law is more stringent than HIPAA. If that was true, as the majority opinion concludes, then there would have been no reason to define “more stringent” under 45 C.F.R. § 160.202. The term “more stringent” is defined for a purpose. That purpose, to me, is quite clear. The definition is designed to narrow the circumstances in which a state law may be categorized as more stringent than HIPAA. “[W]e are not free to rewrite HIPAA’s mandates; we are required to follow them.” Holman v. Rasak, 486 Mich. 429, 458, 785 N.W.2d 98, 114 (2010) (Hathaway, J., dissenting). The majority opinion in this case has made a mockery of the unambiguous and mandatory language contained in 45 C.F.R. § 160.202. I can surmise only that the majority opinion ignored the law as dictated under 45 C.F.R. § 160.202 because it wanted to reach a result that simply could not be reached by following the law. A cursory review of what the relevant state law allowed in this case clearly shows that it was not more stringent than HIPAA.

What should be clearly understood is that, for purposes of the “more stringent” requirement of HIPAA, “any state law providing greater privacy protection for the individual who is the subject of the individually identifiable health information is a more stringent state law.” Natalie F. Weiss, “To Release or Not to Release: An Analysis of the HIPAA Subpoena Exception,” 15 Mich. St. U. J. Med. & L. 253, 260 (2011) (emphasis added). This point needs to be emphatically understood–the “more stringent” requirement under HIPAA can never be satisfied by a State law that provides lesser privacy protection. In this case, the majority opinion has indicated that the applicable state law is found in 64 C.S.R.
§ 59-115.1.d, which provides:

No written consent is necessary for employees of the department, comprehensive behavioral centers serving the client or advocates under contract with the department.

In sum, this state regulation allows Legal Aid, as an “advocate,” to have complete access to patient information without the consent of the patient. On its face, it is clear that this law does not provide greater privacy protection. Instead, it exposes all patient information to a private legal entity in the absence of patient consent for either representation by the agency or the disclosure of their medical records to the agency. It has correctly been observed that “[i]f state law can force disclosure without a court order, or the patient’s consent, it is not ‘more stringent’ than the HIPAA regulations.” Law v. Zuckerman, 307 F. Supp. 2d 705, 711 (D. Md. 2004).

Through a summary application of HIPAA’s six criteria, it is clear that the state regulation at issue in this matter does not: (1) prohibit or restrict a use or a disclosure of information where HIPAA would allow it; (2) provide an individual with greater rights of access or amendment to his medical information than provided under HIPAA; (3) provide an individual with a greater amount of information about a use, a disclosure, rights and remedies; (4) provide requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission of an individual to disclose information; (5) provide for the retention or reporting of more detailed information or for a longer duration; or (6) provide greater privacy protection for the individual who is the subject of the individually identifiable health information. Insofar as the state regulation does not satisfy any of the above six factors contained in 45 C.F.R. § 160.202, the state law is not more stringent than HIPAA.
The majority knew this, and that is why its opinion completely ignored 45 C.F.R. § 160.202. See In re Funderburke, No. 6870026, 1988 WL 1607927, at *4 (S.D. Ga. Jan. 18, 1988) (“[T]he record shows that the [majority] did nothing except to assume the position of an ostrich with its head in the sand and ignore [the law] which [was] readily available to it.”).

Finally, I wish to point out that the majority opinion conceivably has opened the floodgates for civil litigation, because of the unlawful access it has given Legal Aid to patient hospital information. This Court recently held that “[c]ommon-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by the Health Insurance Portability and Accountability Act of 1996.” Syl. pt. 3, R.K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 735 S.E.2d 715 (2012). If the majority opinion is not appealed to the United States Supreme Court, I have no doubt that civil lawsuits will follow in the wake of the misguided majority opinion.

For the reasons so stated, I dissent.
