Summary
In Ashcroft, the court confronted the question whether, in a case brought in federal district court challenging the constitutionality of a federal statute, issues of access to medical records were to be resolved in accordance with more stringent New York law. Ashcroft, 2004 WL 555701, at *1, *3. The court held that they were not, observing: "Here, HIPAA is at best ambiguous about the effect of more stringent state laws in areas controlled by federal law prior to HIPAA.
Summary of this case from In re Grand Jury ProceedingsOpinion
03 Civ. 8695 (RCC)
March 18, 2004.
MEMORANDUM ORDER
Now before the Court is Defendant's motion to enforce a subpoena against the New York and Presbyterian Hospital pursuant to Federal Rule of Civil Procedure 45(c)(2)(B). For the reasons stated below, the motion is GRANTED.
I. BACKGROUND
Plaintiffs, a group of physicians and medical providers, filed this action on November 4, 2003, to challenge the constitutionality of the Partial-Birth Abortion Ban Act of 2003 ("the Act"), 18 U.S.C. § 1531, which imposes criminal and civil sanctions on physicians who perform certain abortion procedures. This Court temporarily enjoined enforcement of the Act on November 6,2003, and set the matter for trial to commence March 29, 2004. Plaintiffs assert that the Act is unconstitutional, among other reasons, because it lacks an exception to protect a woman's health as required under the Supreme Court's decision in Stenberg v. Carhart, 530 U.S. 914 (2000).
During the discovery process, the Attorney General of the United States ("Defendant") issued subpoenas to a number of hospitals throughout the country seeking medical records of women on whom the plaintiff physicians performed certain abortion procedures. One of those hospitals is the New York and Presbyterian Hospital ("the Hospital").
On December 18, 2003, this Court issued an order that authorized, but did not require, the Hospital to produce the records. On December 22, Defendant served a subpoena on the Hospital, accompanied by the Court order, demanding production of "all medical records associated with those medical record numbers to be identified by plaintiffs Carolyn Westhoff, M.D. and Stephen Chasen, M.D. in response to the discovery demands served upon them in" this case. Drs. Westhoff and Chasen, both plaintiffs in this suit, are employed on the faculties of Columbia and Cornell medical schools, which are both affiliated with the Hospital. According to the Hospital, both are attending physicians at, but not employees of, the Hospital. (Memorandum of Law of Non-Party the New York and Presbyterian Hospital in Opposition to Defendant's Motion to Enforce Subpoena, at 2.)
Defendant also issued similar subpoenas to other hospitals. One such institution, Northwestern University Hospital in Illinois, moved to quash the subpoena in the United States District Court for the Northern District of Illinois. Chief Judge Charles P. Kocoras granted Northwestern's motion on February 4,2004. See Nat'l Abortion Fed'n v. Ashcroft, No. 04 C 55, 2004 WL 292079 (N.D. Ill. Feb. 4, 2004). In a parallel case challenging the Act, Judge Phyllis Hamilton of the Northern District of California denied Defendant's motion to compel discovery seeking similar medical records from health care providers in California and elsewhere. See Planned Parenthood Fed'n of Am. Inc. v. Ashcroft, No. C 03-4872, 2004 WL 432222 (N.D. Cal. Mar. 5, 2004). Defendant has appealed Judge Kocoras's decision to the Seventh Circuit Court of Appeals. The Court is unaware whether Defendant has also appealed Judge Hamilton's order to the Ninth Circuit.
The Court has been informed that the Seventh Circuit will hear oral argument on the appeal on March 23, 2004.
In this case, Defendant brought a motion to enforce the subpoena and compel production of the documents. By stipulation of the parties in this case, the Court issued a protective order on January 23, 2004, that requires redaction of individual identification material prior to disclosure. The Hospital argues that the protective order is insufficient under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. No. 104-191, §§ 261-264, 110 Stat. 1936 (Aug. 21, 1996), because HIPAA incorporates New York State law requiring patient consent before disclosure. Defendant responds that disclosure is required because the protective order complies with administrative regulations promulgated pursuant to HIPAA. See 45 C.F.R. § 164.512(e) (providing conditions for disclosure of protected health information in judicial proceedings).
II. DISCUSSION
This issue brings into conflict two profoundly important interests: respect for the sanctity of the physician-patient relationship, and the search for truth at the heart of the litigation process. Resolution of the issue requires careful attention to HIPAA and the regulatory framework promulgated to implement it.
A. The Statutory and Regulatory Framework
HIPAA is a complex piece of legislation that addresses the exchange of health-related information. Title II of HIPAA includes provisions entitled "Administrative Simplification." See 110 Stat. 1936, 2021-2034 (codified at 42 U.S.C. § 1320d-1320d-8). In one of the Administrative Simplification provisions, Congress delegated to the Secretary of Health and Human Services ("HHS") the authority to make final regulations concerning the privacy of individually identifiable health information. See HIPAA, § 264(b), (c)(1), 110 Stat. 1936,2033. Those regulations were to address, among other things, the rights of individuals with regard to their health information, the procedures by which individuals may exercise their rights, and the uses and disclosures of health information that may be authorized or required. Id. § 264(b).
HIPAA defines "individually identifiable health information" as any information collected from an individual that:
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and —
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.42 U.S.C. § 1320d(6) (codifying HIPAA, § 1171(6), 110 Stat. 1936, 2021-2023).
In accordance with this rulemaking authority, in February 2001, HHS promulgated regulations to protect the privacy of protected health information. See 45 C.F.R. § 164.500-.534; South Carolina Medical Ass'n v. Thompson, 327 F.3d 346, 349 (4th Cir. 2003). Protected health information means individually identifiable health information transmitted or maintained in any form or medium. 45 C.F.R. § 160.103. HHS explicitly addressed disclosure of protected health information during judicial or administrative proceedings. See id. § 164.512(e). That provision permits health care providers and other covered entities to disclose protected health information without patient consent: (1) in response to a court order, provided only the information specified in the court order is disclosed; or (2) in response to a subpoena or discovery request if the health care provider receives adequate assurance that the individual whose records are requested has been given sufficient notice of the request, or if reasonable efforts have been made to secure a protective order. Id. § 164.512(e)(1)(i), (ii). Protective orders must (1) prohibit use of the protected health information outside the litigation process; and (2) require the return or destruction of the records, including all copies made, at the conclusion of the litigation. Id. § 164.512(e)(1)(v).
The regulations also provide that health records are not considered individually identifiable, and thus not "protected health information," if certain information is redacted. HHS determined that "[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that information can be used to identify an individual is not individually identifiable health information." Id. § 164.514(a). The following identifiers must be removed to render medical records not individually identifiable: names; geographic subdivisions smaller than a state (including addresses and full zip codes); all dates except years; telephone and fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; license numbers; vehicle identifiers; device identifiers; internet addresses; biometric identifiers such as finger and voice prints; photographs of the individual's full face; and any other unique identifying number, characteristic, or code. Id. § 164.514(b)(2)(i). Records without this data are not considered to be individually identifiable, and therefore are not protected health information.
Recognizing that HIPAA's privacy provisions might differ from state regulations, Congress directed that all state laws contrary to the regulations promulgated by HHS be preempted, unless the state laws fall within the exception created by HIPAA section 264(c)(2). See 42 U.S.C. § 1320d-7(a)(2)(B). Section 264(c)(2) states: "PREEMPTION. — A regulation promulgated under . . . [HHS's rulemaking authority] shall not supercede a contrary provision of State law, if the State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the [HHS] regulation." 110 Stat. 1936, 2033-2034. This antipreemption exception is echoed in the implementing regulations:
A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. . . . except if . . . [t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [HIPAA]. . . .45 C.F.R. § 160.203. A state privacy standard is more stringent than the HHS regulations if the state law "prohibits or restricts a use or disclosure in circumstances upon which such use or disclosure otherwise would be permitted" under HIPAA. Id. § 160.202.
B. The Issues Before the Court
The fundamental disagreement between the parties to this dispute revolves around the meaning of HIPAA's antipreemption provision. The Hospital reads the antipreemption provision to incorporate "more stringent" state laws into federal law. Because New York law requires patient consent before disclosure and HIPAA provides for certain exceptions to that rule, New York law is more stringent. See N.Y. C.P.L.R. 4504(a). According to the Hospital's interpretation, the enforceability of the subpoena is therefore governed by New York law.
The Hospital also argues that production of the records would place an undue burden on it under Federal Rule of Civil Procedure 45(c), and that Judge Kocoras's decision bars Defendant's motion in this district under the principle of res judicata. The former is discussed below, the latter can be disposed of here. Under the doctrine of res judicata, "a valid, final judgment, rendered on the merits, constitutes an absolute bar to a subsequent action between the same parties, or those in privity with them, upon the same claim or demand . . ." Epperson v. Entm't Express. Inc., 242 F.3d 100, 108 (2d Cir. 2001). The action before Judge Kocoras involved a different hospital and different state law. Thus, res judicata does not apply.
Defendant cites American Tobacco Co. v. Mount Sinai School of Medicine, 880 F.2d 1520, 1528 (2d Cir. 1989), for the proposition that New York law permits disclosure of redacted medical records. However, that case dealt with the existence of a scholar's privilege under New York law, and did not once mention N.Y. C.P.L.R. 4504(a). It cannot be read to recognize an exception to the physician-patient privilege established in Rule 4504(a).
C.P.L.R. section 4504(a)'s physician-patient privilege applies to all state-court proceedings. See N.Y. C.P.L.R. 101. It provides in relevant part:
Unless the patient waives the privilege, a person authorized to practice medicine . . . shall not be allowed to disclose any information which he acquired in attending a patient in a professional capacity, and which was necessary to enable him to act in that capacity.Id. 4504(a). The statutory and common-law exceptions to the privilege would not apply to this case. See, e.g., id. § 4504(b) (exempting information indicating patient under sixteen was victim of crime); N.Y. Penal Law § 265.25 (obligating medical providers to report wounds from gunshots and sharp instruments which might result in death); id. § 265.26 (creating reporting requirement for serious burns); N.Y. Pub. Health Law § 2101(1) (creating disclosure requirement for communicable diseases); N.Y. Soc. Serv. Law § 413(1) (requiring reports of child abuse); In re Camperlango v. Blum, 436 N.E.2d 1299, 1301 (N.Y. 1982) (excepting disclosures for purpose of investigating Medicaid fraud); People v. Bhatt 611 N.Y.S.2d 447, 449 (Sup.Ct. 1994) (excepting disclosures for grand jury proceedings involving Medicare fraud).
Defendant argues that HIPAA's antipreemption clause does not provide for incorporation of more stringent state laws; rather the antipreemption clause simply permits more stringent state laws to retain the same force that they had before HIPAA was enacted, but no more. Because state medical privacy regulations lacked any effect on rules of discovery and evidence in federal court proceedings before HIPAA, Defendant contends that those state regulations have no such effect after HIPAA. Instead, he submits that the disclosure of health information in federal court proceedings is governed by Federal Rule of Evidence 501, and that the rule creates no physician-patient privilege that would protect the records from a subpoena.
C. The Purpose of HIPAA's Antipreemption Provision
The doctrine of preemption arises from the Supremacy Clause of the U.S. Constitution. See U.S. Const. art. VI, cl. 2; Allis-Chambers Corp. v. Lueck, 471 U.S. 202,208 (1985). "[T]he question whether a certain state action is pre-empted by federal law is one of congressional intent." Allis-Chambers, 471 U.S. at 208 (internal quotation marks omitted). In HIPAA, Congress expressly provided for preemption of inconsistent state medical privacy laws except when those laws are more stringent than the standards that HIPAA gives HHS the authority to promulgate. HIPAA § 264(c)(2), 110 Stat. 1936, 2033-2034.
There is a difference, however, between a federal law that does not preempt a state law and a federal law that incorporates a state rule of law. The latter gives the state law the force of federal law and makes it binding where it would not otherwise be; the former merely allows the state law to continue to operate in its sphere of influence, unaffected by the federal statute. The negative language in section 264(c)(2) does not equate to the positive power to create binding law in the federal domain — here, a case arising under federal law brought in federal court. See Blonder-Tongue Labs., Inc. v. Univ. of Ill. Found., 402 U.S. 313, 324 n. 12 (1971) ("In federal-question cases, the law applied is federal law.").
The Hospital quarrels with this reasoning, maintaining that HIPAA's antipreemption provision requires federal courts to apply more stringent state standards because, in effect, those state standards preempt the HHS regulations. Congress has been more explicit when it intended such a result. For example, the Occupational Safety and Health Act of 1970 ("OSHA"), 29 U.S.C. § 251 et seq., includes a provision that permits state standards to preempt federal law. See id. § 667(b); see also Gade v. Nat'l Solid Wastes Mgmt.Ass'n, 505 U.S. 88,97 (1992). That section is entitled, "Submission for state plan for development and enforcement of State standards to preempt applicable Federal standards." 29 U.S.C. § 667(b) (emphasis added).
Similarly, Congress has explicitly incorporated state standards into federal law when it so intends. See, e.g., Individuals with Disabilities in Education Act, 20 U.S.C. § 1401(8)(B) (defining "free appropriate public education" to include special education services that meet standards set by state educational agencies); Assimilative Crimes Act of 1948, 18 U.S.C. § 13 (making violations of state or local criminal laws federal crimes when committed on federal territory); Outer Continental Shelf Lands Act ("OCSLA"), 43 U.S.C. § 1333(a)(2)(A) ("[T]he civil and criminal laws of each adjacent State . . . are declared to be the law of the United States. . . .") (emphasis added).
No such language of incorporation is present in HIPAA. The language of section 264(c)(2) evinces no congressional intent to adopt state law as federal law, thereby placing the power of the Supremacy Clause behind more stringent state medical privacy laws.
In contrast, Defendant's interpretation of the antipreemption clause is in harmony with that of HHS. As part of the notice-and-comment process used by administrative agencies when Congress gives them rulemaking power, HHS interpreted section 264(c)(2), HIPAA's antipreemption provision. HHS stated:
We considered whether the preemption provision of section 264(c)(2) . . . would give effect to State laws that would otherwise be preempted by federal law. For example, we considered whether section 264(c)(2) could be read to make the Medicare program subject to State laws relating to information disclosures that are more stringent than the requirements proposed in this rule, where such laws are presently preempted by the Medicare statute. We also considered whether section 264(c)(2) could be read to apply such State laws to procedures and activities of federal agencies, such as administrative subpoenas and summons, that are prescribed under the authority of federal law. In general, we do not think that section 264(c)(2) would work to apply State law provisions to federal programs or activities with respect to which the State law provisions do not presently apply. Rather, the effect of section 264(c)(2) is to give preemptive effect to State laws that would otherwise be in effect, to the extent they conflict with and are more stringent than the requirements promulgated under the Administrative Simplification authority of HIPAA. Thus. we do not believe that it is the intent of section 264(c)(2) to give an effect to State law that it would not otherwise have in the absence of section 264(c)(2).
64 Fed. Reg. 59918, 6000 (Nov. 3, 1999) (emphasis added). Thus, HHS interpreted the antipreemption provision to merely maintain the status quo in states in which more stringent privacy regulations existed prior to HIPAA.
The Court must defer to HHS's reasonable interpretation of HIPAA. See Chevron USA. Inc. v. Natural Res. Def. Council, 467 U.S. 837, 843-44 (1984). In Chevron, the Supreme Court held that courts must defer to reasonable constructions of a statute, ambiguous or silent on an issue, made by the administrative agency responsible for administering it. Id. at 843. Here, HIPAA is at best ambiguous about the effect of more stringent state laws in areas controlled by federal law prior to HIPAA. HHS reasonably construed section 264(c)(2) not to give any more effect to state law than it would have had in the absence of HIPAA.
Under the Hospital's interpretation, on the other hand, HIPAA would give to state legislatures a sword when it really provides a shield. If not for HIPAA's antipreemption exception, the Supremacy Clause would sweep away all contrary state medical privacy regulations. Instead, Congress spared more stringent state statutes from preemptive effect. It did not, however, give more stringent state regulations the force of federal law. Thus, N.Y. C.P.L.R. 4504(a) remains the law in areas in which New York State has the authority to regulate, but it has not become the law in areas within the federal domain. Accordingly, New York law does not apply here.
D. Privilege of the Medical Records Under Federal Law
In cases arising under federal law such as this one, privileges against disclosure are governed by principles of federal law. See Von Bulow v. Von Bulow, 811 F.2d 136, 141 (2d Cir. 1987) (holding federal law of privileges applies in cases presenting a federal question); Ehrich v. Binghampton City Sch. Dist., 210 F.R.D. 17, 21 (2002) ("[W]hen a complaint asserts a federal question . . . the federal law of privilege applies."). Federal Rule of Civil Procedure 45(c)(3)(A)(iii) permits a court to quash or modify a subpoena that requires disclosure of privileged material. The Court must look to the Federal Rules of Evidence to determine when materials are privileged. See Memorial Hosp. v. Shadur, 664 F.2d 1058, 1061 (7th Cir. 1981). Rule 501 provides:
Except as otherwise required by the Constitution of the United States or provided by Act of Congress or in rules prescribed by the Supreme Court pursuant to statutory authority, the privilege of a witness, person, government, State, or political subdivision thereof shall be governed by the principles of the common law as they may be interpreted by the courts of the United States in the light of reason and experience. However, in civil actions and proceedings, with respect to an element of a claim or defense as to which State law supplies the rule of decision, the privilege of a witness, person, government, State, or political subdivision thereof shall be determined in accordance with State law.
Fed.R.Evid. 501 (emphasis added).
Defendant argues that HIPAA is not intended to affect the application of Rule 501, and therefore does not constitute an exception provided by Congress. However, this argument ignores the plain language of Rule 501 as well as provisions of the HHS regulations.
Rule 501's savings clause requires federal courts to fashion common law in the light of reason and experience only when the Constitution and federal statutes are silent on the issue. The Rule reflects the general principle that courts develop federal common law only "[w]hen Congress has not spoken to a particular issue." City of Milwaukee v. Illinois, 451 U.S. 304, 313 (1981). Congress has spoken on the privacy of medical records through HIPAA. Thus, this Court agrees with Judge Kocoras that "HIPAA and the regulations promulgated thereunder, not Federal Rule of Evidence 501, control the protections provided to patient medical records held by hospitals." Nat'l Abortion Fed'n, 2004 WL 292079, at *5. This conclusion is bolstered by the fact that the regulations include provisions specifically devoted to disclosure of patient health information during judicial proceedings. See 45 C.F.R. § 160.512(e). HIPAA, through its implementing regulations, speaks directly to the privilege asserted in this case.
The privacy provisions promulgated under HIPAA therefore control the enforceability of the subpoena. As explained above, the regulations permit disclosure of health information without patient consent pursuant to a qualified protective order. See 45 C.F.R. § 164.512(e)(ii), (v). The protective order in this case satisfies the HHS regulations because it permits the use of the health information solely for the purposes of this litigation and requires the destruction or return of the records, and all copies made, within sixty days of the resolution of the case. (Agreed Protective Order, Jan. 23, 2004 ["Prot. Order"] ¶¶ 7, 16.)
The protective order includes a provision permitting Defendant to retain a copy of records necessary to comply with the Federal Records Act, 44 U.S.C. § 3101, and its implementing regulations, 36 C.F.R. § 1222.38. (Prot. Order ¶ 16.) Such a provision may not be consistent with the HHS regulations requiring return or destruction of the protected health information, including all copies made, at the end of the litigation or proceeding. See 45 C.F.R. § 164.512(e)(v)(B). The protective order does require Defendant's counsel to notify in writing any entity that produces documents of which documents it intends to retain and the legal grounds for retaining them, as well as providing the entities the right to object to retention. (Prot. Order ¶ 16.) The Court will entertain any application to amend the protective order to eliminate this provision, or to order destruction or return of all records at the close of the case.
In addition, the protective order calls for redaction of at least the following identifying information:
[T]he patient's name; the name of any spouse, partner, child, and emergency contact (collectively 'patient relatives'); the birth date, social security number, address, telephone number, fax number, and e-mail address of the patient and any patient relative; the patient and any patient's relative's insurance policy number or group number, and any medical record or chart number.
(Id. ¶ 3.) The Hospital must also redact any other information that might reasonably lead to individual identification as provided in the HHS regulations on de-identification of individual health records. See 45 C.F.R. § 164.514(b)(2)(i). Once redacted, the records are not considered under the regulations to be individually identifiable, and thus can be produced by the Hospital even without a protective or court order. See id. HHS has determined that these redactions maintain the anonymity of patients and their families. This Court cannot impose an absolute privilege on health information when HHS, the federal agency which Congress has authorized to institute protections for the privacy of health information, has chosen a different course.
E. Undue Burden on the Hospital
The Hospital also argues that compelling production of the records places an undue burden on it under Federal Rule of Civil Procedure 45(c). According to the Hospital, the burdens that will unduly be placed upon it are dealing with the anger and mistrust of its patients, and damage to its reputation. However, production of the records will not be attributable to any misconduct or complicity by the Hospital, but is the direct result of this Court's order enforcing Defendant's subpoena. The Hospital's reputation as a provider of medical services will not be adversely affected by its compliance with a court order. In addition, the Court notes that the Hospital permitted Dr. Chasen to use the records in researching a study that he plans to publish in The American Journal of Obstetrics and Gynecology. Therefore, its arguments on undue burden are not persuasive.
III. CONCLUSION
For the foregoing reasons, Defendant's motion to enforce the subpoena is GRANTED.