A recent federal district court decision¹ upheld the final version of the HIPAA privacy regulations, which allow health care entities covered by the rules to disclose patients' protected health information for routine purposes without first obtaining the patients' consent.
The court's decision gives health care providers greater flexibility with respect to their ability to treat their patients without worrying about first obtaining consent for the use and disclosure of the patients' health information.
An earlier version of the privacy regulations, which implement Title II of the Health Insurance Portability and Accountability Act of 1996, or HIPAA,² would have required covered entities to obtain a patient's consent before using and disclosing that person's identifiable health information for certain routine purposes. However, in response to requests from the American Dental Association and a number of other entities, the secretary of the U.S. Department of Health and Human Services, or HHS, amended the privacy regulations to allow covered health care entities to use and disclose the patient's protected health information for purposes of treatment, payment and health care operations without the patient's consent, provided that the covered entities meet other HIPAA requirements.
A group of plaintiffs (10 national and state associations, seven individuals and two individual intervenors) objected to the elimination of the consent requirement and filed a lawsuit challenging this amendment in the U.S. District Court for the Eastern District of Pennsylvania. In their lawsuit, the plaintiffs claimed that the HHS secretary violated the Administrative Procedure Act in promulgating the amended rule, and that the rule violated various constitutional rights.
As I discussed in a previous article,³ the HIPAA privacy regulations apply to dentists who are "covered entities" under the rules. A health care provider becomes a covered entity if he or she transmits certain protected health information electronically, either directly or indirectly through a billing service, using a standard transaction established by the HHS secretary. Electronic claims are the standard transactions most frequently used by dentists.
By way of background, the court began its opinion by discussing Title II of HIPAA. The court stated that the two goals of Title II were to prevent health care fraud and abuse and to reduce the costs and administrative burdens of health care by replacing the many nonstandard formats used nationally with a single set of electronic standards. In connection with this second goal, Subtitle F directed the HHS secretary to adopt standards for the electronic exchange of individually identifiable health information in connection with the delivery of, and payment for, health care services; to adopt standards for the security, integrity and confidentiality of electronically stored or transmitted health care information; and to submit to Congress, within 12 months of HIPAA's enactment, recommendations on standards with respect to the privacy of health information. These recommendations, in turn, had to address the rights that an individual who is the subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized or required. HIPAA also directed the HHS secretary to enact privacy standards if Congress failed to do so within three years of HIPAA's enactment.
Because Congress did not enact this privacy-related legislation within the allotted time, the HHS secretary issued a proposed rule on Nov. 3, 1999.⁴ Under the proposed rule, covered health care providers and health plans were prohibited from using or disclosing protected health information, except as provided for in the rule. The proposed rule defined protected health information as individually identifiable health information maintained in or transmitted in any form or media, including electronic media.
The proposed rule listed the purposes for which protected health information could be used or disclosed without authorization, as well as those purposes for which authorization was required. In particular, authorization was not required for routine uses and specific public policy purposes. In connection with the routine use provision, the proposed rule permitted covered entities to use or disclose individual health information without patient consent for treatment, payment and health care operations. The proposed rule also prohibited covered entities from seeking individual authorization for these routine purposes unless state or other applicable law required it. For any purpose not recognized by the rule, covered entities had to obtain authorization that included a description of to whom and for what purpose the information would be disclosed, as well as a statement informing individuals of their right to revoke the authorization.
The HHS secretary published the original rule (as opposed to the previously proposed rule) on Dec. 28, 2000.⁵ The original rule kept the structure of the proposed rule, but differed in connection with the issue of consent. In particular, the HHS secretary adopted a consent requirement in the original rule for the routine use of health information. The rule stated that, aside from specific limited situations, a covered health provider had to obtain an individual's consent prior to using or disclosing protected health information to carry out treatment, payment or health care operations. Covered entities had to comply with the original rule by April 14, 2003, and would be able to use or disclose health information created or obtained prior to that date based on consent previously received.
After publication of the original rule, the HHS secretary received many comments about the impact of the rule on numerous sectors of the health care industry regarding the rule's complexity and practicability. On Feb. 28, 2001, the HHS secretary solicited additional comments to ensure that the privacy-related provisions would protect patients' privacy without creating unanticipated consequences that might harm patients' access to, or quality of, health care. Many of these comments discussed the potential adverse effects that the consent provisions would have.
Based on these comments, the HHS secretary proposed to amend the original rule.⁶ The proposed amended rule rescinded the consent requirement by granting covered entities permission to use health information for routine purposes without obtaining consent. Providers, however, would be permitted to seek consent if they chose. In connection with the comment period for the proposed amended rule, the HHS secretary received more than 11,000 comments primarily concerning the issue of consent. The HHS secretary found that many comments supported the outright elimination of the consent requirement. In particular, many covered entities were concerned about the delivery of timely health care under the original rule. In contrast, some comments adopted the opposing position, seeking an even stronger consent requirement than that contained in the original rule. Finally, other comments took a middle-road stance, requesting that the HHS secretary make targeted fixes to the consent requirement to address workability issues.
In light of all the comments that he received, the HHS secretary claimed that a global approach to resolving the problems raised by the consent requirement was consistent with one of the basic goals of the rule, specifically, to provide necessary flexibility for the standards to work for the entire health care system. Accordingly, the HHS secretary promulgated the amended rule,⁷ eliminating the consent requirement. The removal of this requirement would apply only to uses or disclosure of protected health information for treatment, payment or health care operations. While covered health care providers would not be required to obtain consent before using or disclosing protected health information for these purposes, they would be obligated to make a good-faith effort to obtain the patient's acknowledgment of receipt of the provider's Notice of Privacy Practices. The amended rule also would apply to health information created or obtained prior to the compliance date of April 14, 2003 (the same date as that of the original rule). This meant that such information could be used or disclosed after that date for routine purposes without prior consent. Aside from these changes, the amended rule retained essentially all of the other provisions contained in the original rule. Moreover, the amended rule made it clear that if applicable state laws provided greater protection for the privacy of patients' health information, covered entities still would be obliged to comply with those state laws.
The parties filed cross motions for summary judgment. In the plaintiffs' motion, the plaintiffs argued that the HHS secretary's rescission of the consent requirement for routine uses was arbitrary and capricious, in excess of the secretary's statutory authority, and violated various constitutional rights. The plaintiffs contended, among other things, that the secretary gave inadequate public notice of his intent to rescind the consent requirement, provided an insufficient comment period for the amended rule and improperly promulgated the rule in a retroactive manner by permitting the amended rule to apply to records created prior to the rule's compliance date. The secretary contested each of these arguments.
The court denied the plaintiffs' motion for summary judgment, but granted the HHS secretary's motion. The court first analyzed the plaintiffs' contention that the secretary acted arbitrarily and capriciously by failing to adequately explain the rescission of the consent requirement, ignoring earlier findings and failing to respond to public comments. The court stated that an agency's action may be set aside if it is arbitrary and capricious, and that an agency acts arbitrarily and capriciously if it rescinds a promulgated rule without providing a reasoned analysis for the change. A reasoned analysis requires the HHS secretary to examine the relevant data and articulate a satisfactory explanation that shows a rational connection between the facts found and the choice made.
According to the court, the HHS secretary explained that the consent requirement in the original rule was added in an attempt to strike a balance between privacy concerns and the need to use certain health information. Many comments had indicated that consent provided patients with a sense of control over how their information would be used, was expected by patients and was a current practice of health care providers. However, comments received after the original rule was promulgated revealed many unintended consequences of the consent requirement. In particular, comments indicated that the consent requirement represented a significant change in practice, and could substantially impair delivery of health care. Additionally, the consent requirement could have deprived providers and plans of information necessary for quality assurance and accreditation, as well as for fraud and waste detection. The secretary stated that eliminating the consent requirement solved problems caused by the requirement in the most efficient manner. Based on this record, the court stated that the secretary had sufficiently explained the justification for the rescission of the consent requirement.
The plaintiffs next contended that the HHS secretary ignored the agency's earlier findings, and thus did not establish a rational connection between agency findings supporting the original rule and the decision to implement the amended rule. The court, however, stated that the secretary needed only to establish a rational connection between the most current findings and the changes to the original rule.
The court observed that the HHS secretary did use the agency's current findings in explaining his rescission of the consent requirement. In reliance on the comments submitted in connection with the proposed amended rule, the secretary found that the consent requirement caused unintended inefficiencies in the delivery of health care. The court also noted that, even if the HHS secretary had to reconcile past findings with the amended rule, the rescission of the consent requirement was not so inconsistent with earlier findings as to render the change implausible. Contrary to the plaintiffs' position, the agency never stated that the right to privacy was absolute when it implemented the original rule. Rather, the agency was to balance privacy concerns with the goal of improving efficiency of the health care system.
The court similarly rejected the plaintiffs' argument that the HHS secretary failed to respond adequately to comments in the record. The court stated that the secretary had considered the relevant factors that Congress had instructed the agency to consider: efficiency and effectiveness of the health care system and the privacy of health information. The court noted that the secretary justified rescission of the consent requirement because the requirement impeded efficient delivery of health care. In addition, the secretary considered the privacy interests of patients by permitting health care providers to obtain prior consent.
The court also rejected the plaintiffs' contention that the amended rule was retroactive in nature. The court stated that a rule is retroactive if it imposes new duties with respect to transactions already completed, or increases one's liability for past conduct. However, the court continued that a rule is not retroactive merely because it upsets expectations based on prior law. According to the plaintiffs, individuals were vested with the right to give or withhold consent before their protected health information could be used for routine purposes once the original rule was implemented on April 14, 2001. However, the court stated that the original rule was amended before its April 14, 2003, compliance date. Accordingly, covered entities were never obligated to comply with the original rule's consent requirement. As such, the original rule did not create rights that were subsequently eliminated by the amended rule.
The court lastly addressed the plaintiffs' constitutional arguments, specifically that the amended rule violated due process rights and First Amendment rights to private physician-patient communications. The court held that because the amended rule did not compel anyone to use or disclose the plaintiffs' health information for routine purposes without the plaintiffs' consent, the amended rule did not violate the plaintiffs' constitutional rights. Rather, according to the court, the amended rule was wholly permissive with respect to whether a covered entity should seek consent from a patient before using his or her information for routine purposes. The amended rule neither required nor prohibited that practice.
The effect of the court's decision is to give health care providers, including dentists, greater flexibility with respect to their ability to treat their patients without worrying about first obtaining consent for the use and disclosure of the patients' health information. However, because the court issuing its ruling was only a federal trial court, it remains to be seen whether the Court of Appeals for the Third Circuit will reach the same conclusion if the plaintiffs appeal the decision.