W. Va. Dep't of Health & Human Res. v. E.H.

Full title: WEST VIRGINIA DEPARTMENT OF HEALTH AND HUMAN RESOURCES, Bureau for…

Court: Supreme Court of Appeals ofWest Virginia.

Date published: Oct 15, 2015

236 W. Va. 279 (W. Va. 2015)

778 S.E.2d 728

Opinion

No. 14–0965.

10-15-2015

WEST VIRGINIA DEPARTMENT OF HEALTH AND HUMAN RESOURCES, Bureau for Behavioral Health and Health Facilities, Petitioners v. E.H., et al., Respondents.

Patrick Morrisey, Esq., Attorney General, Elbert Lin, Esq., Solicitor General, Julie Marie Blake, Esq., Assistant Attorney General, Charleston, WV for DHHR. Jennifer S. Wagner, Esq., Mountain State Justice, Inc., Clarksburg, WV, Lydia C. Milnes, Esq., Mountain State Justice, Inc., Charleston, WV, for Respondents.

LOUGHRY, Justice

Patrick Morrisey, Esq., Attorney General, Elbert Lin, Esq., Solicitor General, Julie Marie Blake, Esq., Assistant Attorney General, Charleston, WV for DHHR.

Jennifer S. Wagner, Esq., Mountain State Justice, Inc., Clarksburg, WV, Lydia C. Milnes, Esq., Mountain State Justice, Inc., Charleston, WV, for Respondents.

Opinion

LOUGHRY, Justice:

The West Virginia Department of Health and Human Resources, the Bureau for Behavioral Health and Health Facilities (“DHHR”), seeks to reverse the August 27, 2014, order of the Circuit Court of Kanawha County, through which the DHHR was directed to immediately restore access to patients and patient records to the patient advocates working at this state's two psychiatric hospitals.^{1 1} In challenging this ruling, the DHHR argues that the circuit court's order violates both the patients' constitutional rights to privacy and the Federal Health Insurance Portability and Accountability Act (“HIPAA”). The respondent advocates for patients at Sharpe and Bateman Hospitals (sometimes referred to as the “hospitals”) insist that the directives of the circuit court should be affirmed due to the clear lack of constitutional or HIPAA violations. Having reviewed the record in this case to verify the absence of constitutional infirmity as well as the lack of state or federal privacy law violations stemming from the access historically afforded to patient advocates at these facilities, we affirm the circuit court's decision to restore the access afforded to the patient advocates to the level they experienced prior to the abrupt change of course in June 2014. Given the lower court's partial reliance on certain HIPAA definitions and exclusions that we find to be wholly inapplicable, our decision to affirm is grounded solely on state law rather than an amalgam of state and federal law.^{2 2}

1 Mildred Mitchell Bateman (“Bateman”) and William R. Sharpe, Jr. (“Sharpe”).

1 Actually, “HIPAA mandated the passage of comprehensive privacy legislation by Congress within three years, otherwise the Department of Health and Human Services was required to step in and create privacy regulations.” Guthrie, “Time Is Running Out,” 12 Annals Health L. at 144.

2 See Syl. Pt. 3, Barnett v. Wolfolk, 149 W.Va. 246, 140 S.E.2d 466 (1965) (“This Court may, on appeal, affirm the judgment of the lower court when it appears that such judgment is correct on any legal ground disclosed by the record, regardless of the ground, reason or theory assigned by the lower court as the basis for its judgment.”).

2 It is important that I point out the significance of the year in which HIPAA was created, 1996, and the date the Privacy Rule was created, 2000, because this will help explain the initial broad authority DHHR gave to Legal Aid. When the litigation originally began in this case, 1981, HIPAA did not exist—no expansive patient privacy rights existed. It was in 1990, pre-HIPAA, that DHHR first contracted to have Legal Aid monitor patient health care services at Bateman and Sharpe. It was only after the creation of HIPAA that DHHR realized that, in order for Legal Aid to continue to have access to patient records without patient consent, Legal Aid had to come under an exception to HIPAA. It appears that, initially, DHHR believed that Legal Aid came under the “business associate” exception created by the Privacy Rule. The majority opinion acknowledged this fact in footnote 28. However, in 2014, an astute Privacy Officer at DHHR realized that it was permitting Legal Aid to violate HIPAA, because Legal Aid did not come under the “business associate” exception to the privacy requirements. It was only after this determination, which even the majority opinion conceded was correct, that DHHR began requiring Legal Aid comply with HIPAA by obtaining patient consent before it could review patient records. There was nothing sinister in this, as was suggested by the majority opinion. DHHR simply was trying to comply with federal law—something the majority believes is not necessary in spite of the Supremacy Clause.

I. Factual and Procedural Background

The underlying litigation had its genesis in 1981 with a petition for a writ of mandamus filed by a group of institutionalized individuals to address the civil rights of patients with mental disabilities.^{3 3} See E.H. v. Matin (known as “Hartley” or “Matin I ”), 168 W.Va. 248, 284 S.E.2d 232 (1981). This Court remanded the Hartley case to the Kanawha County Circuit Court to achieve the legislative mandate of providing appropriate care and treatment to those individuals who are involuntarily hospitalized. See W.Va.Code § 27–5–9 (2013). To that end, the West Virginia Behavioral Health System Plan (“BHSP”), a comprehensive mental health plan, which addressed the various standards, conditions, and facilities, was accepted by the circuit court in 1983.^{4 4} See E.H. v. Matin (“Matin II ”), 189 W.Va. 102, 104, 428 S.E.2d 523, 525 (1993). As part of the BHSP, the DHHR was required to establish a patient advocacy system within the state hospitals to protect the rights of institutionalized patients on an ongoing basis. Originally, the patient advocates were DHHR employees who maintained offices within the hospitals. Due to issues that arose in the late 1980s stemming from improper personal relationships between the patient advocates and the hospital administrators, the court monitor formally recommended that the DHHR be required to contract with an external entity to perform the patient advocacy services. No one objected to this proposal and the recommendation was adopted by order, entered on February 20, 1990 (the “1990 order”).^{5 5}

3 See W.Va.Code § 27–5–9 (2013) (providing, inter alia, that “[e]ach patient of a mental health facility ... shall receive care and treatment that is suited to his or her needs and administered in a skillful, safe and humane manner with full respect for his or her dignity and personal integrity”).

3 For ease in understanding, I will refer to HIPAA and the Privacy Rule collectively as HIPAA.

4 This plan, a 330–page document, was reached by agreement among the parties. See Matin II, 189 W.Va. at 104 n. 2, 428 S.E.2d at 525 n. 2.

4 The regulations define State law as “a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.” 45 C.F.R. § 160.202. See Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1028 (S.D.Cal.2004).

5 Pursuant to that order, the DHHR was directed to “contract with an entity outside State government for the provision of advocacy.”

5 I previously noted that the majority opinion correctly found that the exceptions for business associate, health oversight agency, health care operations, and required by law did not apply.

In accordance with its obligations under the 1990 order, the DHHR immediately contracted with Legal Aid of West Virginia (“Legal Aid”) to provide patient advocacy services. In this role, which it has occupied since its selection in 1990, Legal Aid assists with and investigates individual grievances, conducts abuse and neglect investigations, educates staff and patients about patient civil rights, and monitors Sharpe and Bateman for the purpose of ensuring compliance with this state's guarantee of patient civil rights. See W.Va.Code § 27–5–9. Legislative rules expressly designed to “establish[ ] the rights of clients of State-operated behavioral health facilities” were adopted in 1995.⁶ See 64 C.S.R. § 59–1.1. Those rules specify procedures that pertain to the mandated provision of patient advocacy services⁷ and delineate a litany of patient rights that the hospitals are required to observe, including confidentiality. See id. at §§ 59–1 to –20.

6 These rules were adopted under authority of West Virginia Code § 27–5–9(g).

7 “There shall be persons designated as client (or patient or resident) advocates who are independent of the facility management in every behavioral health facility.” 64 C.S.R. § 59–20.1.

Court monitoring of the Hartley case continued until 2002 when, by agreement of the parties, the case was removed from the active docket of the court.⁸ See E.H. v. Matin (“Matin III ”), 189 W.Va. 445, 432 S.E.2d 207 (1993) (approving continued circuit court monitoring). In that same year, the DHHR decided to create the Office of the Ombudsman (“Ombudsman”)-an office charged with overseeing compliance with the statutory duties related to operation of the state hospitals. As the direct result of the Ombudsman's July 3, 2008, report, documenting deplorable conditions and treatment of patients at Sharpe and Bateman, the circuit court reopened the Hartley case. See State ex rel. Matin v. Bloom (“Matin IV”), 223 W.Va. 379, 383–84, 674 S.E.2d 240, 244–45 (2009) (identifying issues of overcrowding, lack of privacy, and denial of patients' daily grooming and cleanliness needs).

8 Court monitoring was resumed in 2009 based on reports of both the conditions and treatment of patients at Sharpe and Bateman.

Systemic violations of patient rights, including the use of “chemical restraints,” were demonstrated during a two-day evidentiary hearing held before the circuit court in April 2009. At the conclusion of the hearing, the trial court ordered the parties to participate in mediation which resulted in an agreement between the parties covering multiple issues. Under that court-approved agreement, commonly referred to as the “2009 Agreed Order,” the Ombudsman is charged with the duty to oversee implementation of the specific terms of the agreement. Included in those terms is a provision requiring Sharpe and Bateman to fully comply with the state regulations that address issues of patient care and patient advocacy services. See 64 C.S.R. §§ 59–1 to –20. The 2009 Agreed Order requires that “[p]eriodic review shall be established for compliance with [specified] sections.”⁹ In recognition of this duty, the DHHR contracted with Legal Aid to “produce a report to inform Judge Bloom, [and] the Hartley Court Monitor ... of any progress or lack of progress in implementing areas of Legislative Rule Title 64 Code of State Rules (CSR) Series 59 ... within Sharpe and Bateman by the end of the grant period.”¹⁰

9 Those sections are 64 C.S.R. §§ 59–12, –13, –14, –15.1.7, –15.1.12, –15.2, –15.3, and –16.4.2.

10 This language appears in each of the annual grant documents in the record of this case. Those documents set forth the duties of Legal Aid in relation to the patient advocacy services and provide the necessary funding for such services.

On January 5, 2010, the parties agreed that the patient advocates would create an assessment tool for the hospital audits necessary to enable the DHHR to comply with the periodic review contemplated by the 2009 Agreed Order. On March 31, 2010, the DHHR agreed that quarterly audits should be conducted by providing the patient advocates with complete access to at least two patients from each unit independent of any actual grievances filed. On May 5, 2010, the parties agreed that the audit instrument was finalized and the patient advocates were instructed “to begin implementation.”

For more than a decade, the DHHR provided the patient advocates with full access to computerized patient records, to the patient wards, and other areas of the hospitals. Then, in June 2014, with no prior notice, the DHHR began requiring the patient advocates to obtain signed releases from each patient, the patient's guardian, and/or the person with the medical power of attorney before obtaining any information from or about the patient.¹¹ Under the altered procedures, a newly-executed release specifying the basis of inquiry was required each time the advocates sought to review a patient's records. Legal Aid stated that even if the inquiry pertained to a previously-authorized matter, a new release was required for each successive day a patient advocate sought access to a patient's records.¹² In addition to this novel procedure of requiring a release in advance of any records inspection, Legal Aid was denied access to the network of patient records—access required for conducting the systemic reviews or audits of the two facilities.

11 The decision to alter access was made by the DHHR's Privacy Officer, Lindsey McIntosh. Before making this change in tack, Ms. McIntosh acknowledged she did not investigate the role or needs of the advocates; she did not visit Bateman or Sharpe; she did not speak to Legal Aid; and she did not review any of the orders pertaining to this case.

12 According to the DHHR's representation in its response to the Motion for Emergency Relief, each authorization was good for 180 days.

In response to this abrupt change of policy regarding access to patient records, the patient advocates filed a motion for emergency relief with the circuit court and a hearing was held on August 1, 2014. After finding no violation of federal or state law, the circuit court directed the DHHR, by order of August 24, 2014, to immediately restore Legal Aid to the previous levels of access at Sharpe and Bateman. On August 29, 2014, the circuit court denied the DHHR's motion for stay of the August 27, 2014, amended ruling.¹³ By order of September 14, 2014, this Court stayed the lower court's order and granted the appeal filed by the DHHR.

13 Minor changes were made to the previous ruling. The only substantive amendments were to remove the reference to the patient advocates as having been created by both federal and state law (they were created solely under state law) and to recognize that grievances may be initiated independently by a patient advocate separate from a patient's allegation of abuse or assertion of a civil rights violation.

II. Standard of Review

12 Given our conclusion that the August 27, 2014, amended ruling constitutes a final order notwithstanding the trial court's contrary ruling,¹⁴ we review the subject order pursuant to our well-established standard of examining questions of law de novo while reversing factual determinations only upon a showing of clear error. See Syl. Pt. 2, Walker v. W.Va. Ethics Comm'n, 201 W.Va. 108, 492 S.E.2d 167 (1997). This Court recently dispelled any concerns with regard to its right to consider this matter by means of an appeal¹⁵ with our recent holding in syllabus point one of West Virginia Department of Health and Human Resources et al. v. E.H., ––– W.Va. ––––, 778 S.E.2d 643, Nos. 14–0664, 14–0845, 2015 WL 5928503 (Oct. 7, 2015), wherein we held that “[i]n the context of institutional reform litigation, this Court may choose to exercise its appellate jurisdiction over an order entered by the circuit court that it deems to approximate a final order by its nature and effect.” Accordingly, we proceed to determine whether the trial court erred in issuing the ruling under review.

14 By order entered on August 29, 2014, the circuit court refused to grant the DHHR's request to have the August 27, 2014, order deemed a final order. The rationale for its ruling is clear: the trial court was trying to prevent the DHHR from belatedly seeking relief from its previously unappealed 1990 Order. Because the court's ruling was not impelled by the need to address additional issues arising from reduced access (i.e. a lack of finality) and because there are no further issues to be resolved concerning access, we deem the August 27, 2014, ruling to be final for purposes of allowing this Court to address the issues before us through the subject appeal.

15 Cf. Syl. Pt. 5, Riffe v. Armstrong, 197 W.Va. 626, 477 S.E.2d 535 (1996).

III. Discussion

A. Constitutional Privacy Rights

In support of its position that the lower court's order improperly requires unfettered disclosure of patient records to the patient advocates, the DHHR maintains that the Fourteenth Amendment has been recognized to protect an individual's right to privacy with regard to avoiding disclosure of personal matters. See Whalen v. Roe, 429 U.S. 589, 599, 97 S.Ct. 869, 51 L.Ed.2d 64 (1977); accord Doe v. City of New York, 15 F.3d 264, 267 (2d Cir.1994) (“Extension of the right to confidentiality to personal medical information recognizes there are few matters that are quite so personal as the status of one's health, and few matters the dissemination of which one would prefer to maintain greater control over.”). Because the trial court failed to employ a balancing test to assess the reasonableness of the privacy intrusion that flows from the sweeping access mandated by the order at issue, the DHHR argues that the constitutional rights of patients at Sharpe and Bateman outweigh Legal Aid's interest in accessing patient files. See Nixon v. Adm'r of Gen'l Servs., 433 U.S. 425, 458–60, 97 S.Ct. 2777, 53 L.Ed.2d 867 (1977) (utilizing balancing test to measure privacy intrusion against reasonableness of governmental actions). Emphasizing the enhanced need to conduct this inquiry when a realistic probability of public disclosure exists as in this case, the DHHR posits that the circuit court erred by failing to consider the applicability of constitutionally-based protections for the health information contained in the patient records.

Legal Aid contends that the DHHR improperly seeks to inject constitutional error into this matter with an issue never addressed by the circuit court.¹⁶ Not only does Legal Aid concur with the tenets of privacy law articulated by the DHHR, but it fully agrees with the petitioners' statement that “the Fourteenth Amendment's right to informational privacy forbids the indiscriminate disclosure of state psychiatric records.” Legal Aid emphasizes that the patient advocates neither seek the indiscriminate disclosure of patient records nor do they conduct their advocacy services in a manner inconsistent with the patients' privacy rights. Dismissing the need for an extended discourse about the existence of privacy rights, Legal Aid states that the issue presented is simply whether the disclosure of patient records pursuant to state and federal laws enacted to protect patient rights runs afoul of those acknowledged rights. Or stated in the converse, do provisions of federal and/or state law permit the disclosure of patient records to the patient advocates under contract with DHHR to provide advocacy services at Bateman and Sharpe.

16 Legal Aid asserts that the DHHR did not raise the issue of constitutional error at the August 1, 2014, hearing. In response, the DHHR states that the evidentiary proceeding was not the forum in which to assert legal error. The record demonstrates that the DHHR advanced the issue of constitutional error in its response to Legal Aid's Motion for Emergency Relief. Citing Griswold v. Connecticut, 381 U.S. 479, 85 S.Ct. 1678, 14 L.Ed.2d 510 (1965), the DHHR asserted that unlimited access to patient records absent patient consent is a violation of the right to privacy judicially deemed to arise under the First Amendment.

At the outset, we observe that the constitutional concerns raised by the DHHR are confined to the previous longstanding practice of permitting the advocates to review patient records for purposes of assessing overall hospital conditions.¹⁷ The DHHR does not raise the possibility of constitutionally-based privacy violations with regard to individual grievances or complaints of abuse and neglect.¹⁸ What the DHHR challenges is the circuit court's directive that allows the advocates to have access to patient files unrelated to specific complaints or grievances. This access was authorized, consistent with past practice and the agreement of the parties, for purposes of discerning systemic issues related to the patient rights established by state regulation.¹⁹ See 64 C.S.R. §§ 59–1 to –20. Pursuant to the governing Grant Agreement that outlines the duties the DHHR requires of the patient advocates, an annual report reflecting the results of the systemic review is required to be tendered to the circuit court judge, court monitor, the DHHR, and Mountain State Justice.²⁰

17 It is difficult for this Court to avoid the conclusion that, while seeking to prevent access to the patient advocates under the guise of privacy concerns, the DHHR's true objective is to make the discovery of systemic problems more difficult for the advocates to identify.

18 Legal Aid asserts that the new policy implemented by the DHHR prevents Legal Aid from complying with the time constraints pertaining to the investigation of abuse and neglect complaints under state law. See 64 C.S.R. § 59–20.2.9 (requiring submission of written report by patient advocate “[w]ithin the next eight (8) regular working hours” of receipt of abuse or neglect grievance).

19 These periodic reviews, required by the 2009 Agreed Order, have been performed by the patient advocates. Additionally, as noted by the trial court in both its August 18 and 27, 2014, rulings, the “Respondents [DHHR] agreed to the Formal Recommendations [of the Court Monitor], which set forth that systemic advocacy will be pursued by LAWV [Legal Aid], without objection, thereby allowing them to take on the force of Court Order.”

20 During the evidentiary hearing held in this matter on August 1, 2014, the DHHR's privacy officer, Lindsey McIntosh, was questioned as to how the patient advocates were going to do the systemic audits “without access to records or patients or have conversations with staff without individual releases specifying specific grievances.” She answered the query by stating, “I don't know how you're going to conduct audits if you have to do that.”

Inherent in the DHHR's argument is a presumption that the systemic review of patients' records necessarily results in the wrongful disclosure of medical information. Given that the first and only complaint concerning an alleged violation of HIPAA was filed in 2014 by the DHHR—almost twenty years after the federal act became law—it is clear that inappropriate disclosure of patient information has not been taking place as implied by the DHHR. Not only have there been no complaints filed until the DHHR instituted one,²¹ but the state privacy officers whose responsibility it is to oversee these matters have failed to either independently identify or confirm the existence of any issues concerning the level of access historically afforded to the patient advocates.

21 Finding it to be baseless, the trial court ordered the DHHR to dismiss its complaint. A review of the complaint demonstrates that even the DHHR was dubious about the violation given its statement in the complaint that the “level of harm” was unclear.

In seeking to convince this Court that the provision of advocacy services over the past two decades has just recently become a matter of constitutional significance, the DHHR ignores the annual HIPAA training, the executed confidentiality agreements, and state law provisions all designed for the purpose of, and apparently successful at, imposing a high level of confidentiality upon the patient advocates with regard to their review of sensitive health information. As Legal Aid explained, the review undertaken by the patient advocates is conducted in confidence without public disclosure of any protected health information. Critically, there has never been any complaint filed by a Bateman or Sharpe patient, or the patient's representative, associated with the wrongful dissemination of confidential health information.²² Because the record in this case wholly fails to demonstrate the indiscriminate disclosure of confidential information by the patient advocates—let alone any disclosure of protected health information, we are not persuaded that a meritorious issue exists with regard to Legal Aid's dissemination of confidential health information.²³ Accordingly, we reject the DHHR's contention that the trial court erred in failing to address whether the access afforded to Legal Aid violates the constitutionally-based rights of privacy of patients at Sharpe and Bateman.

22 In contrast, there have been patient-initiated complaints since the DHHR imposed the new, limited access provisions. According to Legal Aid, the patients were frustrated by their inability to gain immediate access to the advocates, who were no longer permitted to freely roam the facilities where patients could easily seek them out when needed.

23 As Legal Aid observes, there is no greater risk posed by the patient advocates than by any of the Hospital employees who have access to patient records.

B. HIPAA

Pursuant to HIPAA's Privacy Rule (“Privacy Rule”), “[a] covered entity or business associate may not use or disclose²⁴ protected health information” barring either a regulatory exemption or written authorization from the subject of the information or his/her representative. 45 C.F.R. § 164.502(a) (2014) (footnote added). The DHHR argues that the patient advocates do not come within any exemptions provided under HIPAA that would eliminate the need to obtain patient consent before viewing medical records. Specifically, the DHHR disagrees with the trial court's decision that Legal Aid falls within the HIPAA definition for a “business associate,” a “health oversight agency,” or “health care operations.” The DHHR also objects to the trial court's reliance on the HIPAA exemption pertaining to disclosures “required by law.” Each of these HIPAA definitions and its respective applicability to the matter before us will be examined in turn.

24 Disclosure is “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103 (2014).

1. “Business Associate”

3 Under HIPAA, a “business associate” relates to and is defined in reference to a “covered entity.” The Privacy Rule's construct of a “covered entity” extends to: (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a covered transaction. See 45 C.F.R. § 160.103 (2014). As the circuit court correctly ruled in its August 27th order, both Bateman and Sharpe qualify as covered entities under HIPAA. With scant analysis,²⁵ the trial court and Legal Aid simply adopted the position that the patient advocates necessarily meet the HIPAA definition of a “business associate.” An examination of the pertinent regulations addressing the nature of a “business associate” clearly refutes this conclusion.

25 The trial court ruled that Legal Aid is a “business associate” as set forth in its contract with the DHHR and also due to its receipt of protected health information for quality assurance, patient safety, and other health care operations. As discussed infra, the DHHR'S description of Legal Aid as a “business associate” is neither controlling nor accurate. The review of protected health information as part of the provision of advocacy services at Sharpe and Bateman does not impel the conclusion that Legal Aid is a “business associate.”

Legal Aid repeatedly refers to itself as a “business associate” of the DHHR. Because the DHHR is not a “covered entity” under HIPAA, the relationship between Legal Aid and the DHHR is not controlling. To come within HIPAA's exclusionary language, Legal Aid must be a “business associate” of Sharpe and Bateman. In further explanation of what is necessary to qualify as a “business associate,” the regulations provide that it is a person who:

(i) On behalf of such covered entity ... but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 320, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation ..., management, administrative, accreditation, or financial services to or for such covered entity....

45 C.F.R. § 160.103.

The DHHR argues, and we agree, that the patient advocacy services performed at Bateman and Sharpe are not performed on behalf of either of those facilities within the meaning of the Privacy Rule. See id. In purveying the list of activities that constitute services typically performed by a “business associate” for a “covered entity,” patient advocacy is noticeably absent. Rather than serving the interests of the hospitals in terms of providing managerial assistance with their operations, the patient advocates serve the personal interests of the patients who reside at those facilities. From the beginning, the provision of patient advocacy services was created to protect the interests of individual patients. See W.Va.Code § 27–5–9; 64 C.S.R. § 59–20.1 (mandating patient advocates in every behavioral health facility who are independent of facility management). Despite the expanded role of the patient advocates with regard to systemic auditing, the primary objective in conducting these reviews is compliance with patient-oriented rights.²⁶

26 The fact that the institutions may benefit from the provision of these auditing services does not alter the wholly independent and individual-oriented nature of the advocacy actions at issue.

While it might be tempting to view the provision of patient advocacy services as improving the operations of the facilities under discussion, the pivotal inquiry is whether the advocacy services are being offered by Legal Aid on behalf of the hospitals. That Legal Aid is not operating on behalf of Sharpe and Bateman is easily demonstrated by considering the adversity inherent to the role the patient advocates occupy in relation to those facilities. Rather than advancing the hospitals' interests, the advocates are responsible for investigating individual grievances against the hospitals and identifying instances of the hospitals' failure to comply with the civil rights afforded to institutionalized patients under state law. By design, the patient advocates operate independently of the hospitals' interests and, most decidedly, not on their behalves. We further observe that the improper characterization of Legal Aid as “business associates” in the Grant Agreement does not serve to repair the underlying definitional disconnect.²⁷ As the DHHR properly acknowledges, its identification of Legal Aid as a “business associate,” in an admitted and overly-expansive attempt to comply with HIPAA,²⁸ has no corresponding ability to make the characterization a reality under the law. Based on the foregoing, we conclude that the trial court erred in finding that Legal Aid is a “business associate” of a “covered entity” under HIPAA.

27 The Grant Agreement makes clear that “Business Associate shall have the meaning given to such term in 45 CFR § 160.103.”

28 The DHHR stated that boilerplate business associate addendums were regularly attached to all grant agreements, even when unnecessary, in an effort to comply with HIPAA's “stern mandate to have an agreement in place with any business associate.”

2. “Health Oversight Agency”

4 Cherry picking parts of the HIPAA definition of a “health oversight agency,”²⁹ the trial court concluded that Legal Aid is such an agency because it “is authorized by law to oversee the health care system ... or government programs ... or to enforce civil rights laws for which health information is relevant.” The DHHR argues that no state law invests Legal Aid, a private entity, with public oversight authority. The individualized advocate role that Legal Aid performs, emphasizes the DHHR, is not on par with the public health concerns that a health oversight agency is charged to superintend. With regard to the auditing function that Legal Aid performs, that duty is similarly not authorized by state law. Furthermore, Legal Aid has no enforcement power with regard to the civil rights of the patients.

29 A “health oversight agency” is defined asan agency or authority of the United States, a State, ... or a person or entity acting under a grant of authority from or contract with such public agency, ... that is authorized by law to oversee the health care system ... or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.45 C.F.R. § 164.501 (2014).

From the list of agencies recognized to engage in health oversight activities, such as state insurance commissions, state health professional licensure agencies, state Medicaid fraud control units, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights,³⁰ it is clear that Legal Aid does not qualify as such an agency. Inherent to the concept of a “health oversight agency” is a charge by law to oversee matters involving public health or for which public health information is intrinsic to the public-oriented duties at hand. Here, the advocacy duties Legal Aid provides do not have at their core a concern for public health or a need to review public health information for eligibility purposes. See 45 C.F.R. § 164.512(d) (2014) (approving disclosure to health oversight agency of protected health information to determine eligibility for government benefit programs).

30 See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462–01, 82492.

While state regulations authorize patient advocates to investigate and ensure compliance with civil rights guaranteed by West Virginia Code § 27–5–9, that authority does not imbue Legal Aid with health oversight authority within the meaning of HIPAA. See 64 C.S.R. § 59–20. Unlike the United States Department of Justice, the HHS Office for Civil Rights, and the United States Equal Employment Opportunity Commission, Legal Aid has no enforcement powers pertinent to the patient civil rights it is charged with overseeing. See 65 Fed. Reg. 82462–01, 82492 (identifying entities with civil rights enforcement powers). In the instance of a civil rights violation, Legal Aid lacks authority to sua sponte correct the deficiencies giving rise to the violation or to impose sanctions or penalties. Consequently, we conclude that the trial court committed error in ruling that Legal Aid comes within the definition of a “health oversight agency” under HIPAA.

3. “Health Care Operations”

5 An additional HIPAA provision that the trial court found applicable is the exemption which permits a “covered entity” to “use or disclose protected health care information for its own treatment, payment, or health care operations.” 45 C.F.R. § 164.506(c)(1) (2014) (emphasis added). Because “health care operations” are defined to include “[c]onducting quality assessment,” “auditing functions, including ... abuse detection and compliance programs,” and “[r]esolution of internal grievances,” the trial court ruled that the advocacy and auditing services provided by Legal Aid are part of the hospitals' covered health care operations. See 45 C.F.R. § 164.501 (2014).

Once again, the trial court has deemed a HIPAA exemption to apply based on a flawed interpretation of the subject definition. Reading from the bottom up, the trial court simply concludes that because auditing and compliance functions are part of “health care operations,” then the services performed by Legal Aid must necessarily be covered by this exemption. What the trial court overlooks is the critical distinction, similar to the limitation imposed on a “business associate,” that these services, by definition, are those that are performed at the direction of or on behalf of the facility as part of its own internal operating procedures. “[H]ealth care operations are the listed activities undertaken by the covered entity that maintains the protected health information.” 65 Fed. Reg. 82462–01, 82490 (emphasis supplied). The auditing and compliance functions performed by an independent entity such as Legal Aid-an entity charged by law to uncover violations of patient rights by the facilities rather than to assist a facility with the management of its operations—do not fall within the meaning of “health care operations” as that term is defined by HIPAA. See 45 C.F.R. § 164.501.

Further distinguishing between the activities that constitute “health care operations” and those that do not, the DHHR explains that a hospital can access patient records within the meaning of the subject exemption to resolve internal grievances. In contrast, the initiation of a grievance by Legal Aid is an activity external to the facility and thus beyond the scope of the exemption. In the same vein, a facility may access patient records for its own internal audits, but external audits such as those performed by Legal Aid fall outside the scope of the facility's operations and thus the applicability of the exemption. Accordingly, we find that the trial court erred in reasoning that the “health care operations” exemption under HIPAA is available to Legal Aid.

4. “Required by Law”

6 In generalized fashion, the trial court relied upon the HIPAA exemption that permits disclosure without written consent where “such use or disclosure is required by law.” 45 C.F.R. § 164.512(a). For more specific support, the trial court cited the provision of HIPAA that permits a covered entity to disclose protected health information to a government authority when the covered entity reasonably believes that the information pertains to a victim of abuse or neglect.³¹ See id. at § 164.512(c). Seeking further authority for its ruling, the trial court concluded that “the disclosure may be made in response to an express authorization by court order.” See 45 C.F.R. § 164.512(e)(1)(i).

31 The trial court looked additionally to the subsection permitting disclosure in the instance of incapacity when awaiting consent would materially and adversely impact an immediate enforcement activity. See 45 C.F.R. § 164.512(c)(1)(iii)(B).

As the DHHR clarifies, the exemption laced to a legal directive both contemplates and requires “a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information ... that is enforceable in a court of law.” 65 Fed. Reg. 82462–01, 82497. Application of this exemption is specifically constrained by the requirement that “the use or disclosure complies with and is limited to the relevant requirements of such law.” 45 C.F.R. § 164.512(a). The DHHR contends that this exemption does not apply because there is no state law that requires the hospitals to disclose patient records in the unfettered fashion decreed by the trial court. We agree. While state regulations authorize patient advocates to gain access to patient records in the process of investigating grievances without express consent, there is no state-enacted law or regulation that expansively directs facilities such as Bateman and Sharpe to disclose all patient records to Legal Aid without consent. See 64 C.S.R. § 59–11.5.1.d. The abuse and neglect provision is similarly inapplicable as it concerns disclosure to a governmental authority rather than to a private entity such as Legal Aid.

In its reach to come within the parameters of the “required by law” exemption, the trial court suggests that HIPAA's requirements may be avoided with the entry of a court order. Not only is this deduction erroneous but it ignores the additional requirement that a court-directed disclosure applies only to “expressly authorized” disclosures made “in the course of any judicial or administrative proceeding.” 45 C.F.R. § 164.512(e)(1)(i). A ruling that seeks to broadly sanction disclosure not expressly linked to a specific judicial or administrative matter falls outside the framework of the HIPAA exemption which permits disclosure pursuant to judicial authorization. See id. Moreover, as HIPAA makes clear, the provision for directives issued in the course of specific judicial and administrative proceedings “do[es] not supersede other provisions of this section that otherwise permit or restrict use or disclosure of protected health information. 45 C.F.R. § 164.512(e)(2). We have little difficulty concluding that the HIPAA exemption premised on a judicial ruling has no application to the prospective disclosures contemplated by the August 27th decree as such disclosures would be made outside the framework of an ongoing proceeding. Accordingly, we find that the trial court erred in its reliance on the HIPAA exemptions pertaining to legal mandates or rulings. See 45 C.F.R. §§ 164.512(a), 512(e)(1)(i).

C. State Law

Having determined that federal law does not provide the necessary authority for disclosure of patients' records to Legal Aid without consent, we proceed to determine if our state law provides an independent basis to support the lower court's ruling. As the DHHR acknowledges, HIPAA's preemption clause provides that the federal act “shall supersede any contrary provision of State law,” unless state law is more stringent or if one of several other exceptions applies. 42 U.S.C. § 1320d–7 (2012); 45 C.F.R. §§ 160.202,–203 (2014) (listing exceptions to preemption). If no exception applies, “State laws are contrary to HIPAA if: (1) it would be impossible for the health care provider to comply simultaneously with HIPAA and the state directive; or (2) the state provision stands as an obstacle to the accomplishment of the full objectives of HIPAA.” Wade v. Vabnick–Wener, 922 F.Supp.2d 679, 686 (W.D.Tenn.2010).

7 From the record of this case, it is clear that this state undertakes to examine our codified law on an annual basis to analyze whether our state laws are more stringent than HIPAA's for preemption purposes.³² Because the HIPAA Privacy Rule is viewed as a floor of privacy protections for individuals, state laws may provide greater or more stringent protections. In those instances where state law is determined to be more stringent because it imposes enhanced or more detailed protections, the state law is not preempted by HIPAA. From the record submitted in this case, the protections set forth in Title 64, Series 59 have been determined to be more stringent than those required by federal law.³³ Accordingly, our state regulations set forth in Title 64, Series 59 are not preempted by HIPAA. See 45 C.F.R. §§ 160.202, –203.

32 This annual analysis is required by HIPAA.

33 Analyses completed in 2013 and 2014 entitled West Virginia Health Care Privacy Laws and HIPPA Preemption Analysis for the DHHR conclude that our state regulations set forth in 64 C.S.R. § 59 are not preempted by HIPPA as our provisions are more stringent. The 2015 analysis reached the same conclusion.

8 Within our state regulations that were adopted to provide “skillful, safe and humane” care to incarcerated patients with mental health issues, the confidentiality of patient records is addressed at length. W.Va.Code § 27–5–9. The regulations specify in detail what information is deemed confidential and when a patient's records may be disclosed. See 64 C.S.R. § 59–11.1. While a patient may authorize the release of his or her records to any person or entity, those records may also be obtained by the “providers of health, social, or welfare services involved in caring for or rehabilitating the client.” 64 C.S.R. § 59–11.5.1.d. Under this same provision, it is provided that “[n]o written consent is necessary for employees of the department, comprehensive behavioral health centers serving the client or advocates under contract with the department.” Id. (emphasis supplied).

In an obvious attempt to thwart legislative intent, the DHHR denies that it has a contract with Legal Aid. The DHHR maintains that the Grant Agreement pursuant to which it employs Legal Aid on an annual basis to provide advocacy services for the patients at Sharpe and Bateman does nothing but address the exchange of money. Our review of the record demonstrates quite the opposite. In the initial sixteen pages of the Grant Agreement, standard contractual matters such as scope, term, cancellation, remedies, and assignment are addressed. Through a separate but expressly incorporated, ten-page document, the services and activities required of Legal Aid are delineated. A review of the Grant Exhibit, along with the multiple attached exhibits, wholly disproves the DHHR's position that the document fails to address the legal obligations of the parties. As a result, we hold that a written agreement between the DHHR and the provider of patient advocacy services that specifies the legal obligations of the parties, including the manner of payment and the duties associated with the provision of patient advocacy services, constitutes a contract within the meaning of 64 C.S.R. § 59–11.5.1.d. for purposes of permitting patient advocates to access records without the written consent of individuals hospitalized with mental health issues in state facilities. This conclusion is specifically premised on the fact that the DHHR is required by the 1990 Order to employ external patient advocates for purposes of complying with the mandate contained in West Virginia Code § 27–5–9.

9 Returning to the trial court's ruling, we affirm the lower court's ruling that the DHHR's revocation of patient advocate access to patients, staff, and patient records absent express written consent violates state law. The long term practice of providing unlimited record access to the patient advocates, agreed to by the parties and sanctioned by the court through the 2009 Agreed Order, has become part of the rule of this case. See generally Keller v. Norfolk & W. Ry. Co., 113 W.Va. 286, 167 S.E. 448 (1932). Thus, for the DHHR to act in violation of that established practice was contrary to the rule of law which governs this case. Furthermore, the policy adopted by the DHHR is not required by HIPAA as this state's laws set forth in 64 C.S.R. § 59–1 to –20 are more stringent than those set forth in HIPAA.³⁴ As a result, we are convinced that the confidentiality protections, including the annual training that the patient advocates undergo along with hospital staff, all combine as designed to protect the interests of the patients at Sharpe and Bateman.

34 See supra note 33.

We further affirm the trial court's ruling that the patient advocates shall have access to patient records without limitation except when patients expressly request limitations on the disclosure of their individual, identifiable health information. There is a clear need for non-grievance related review of patient records to identify systemic issues of noncompliance with the regulations that address issues of patient care. Furthermore, the inclusion of language in the Grant Agreement that requires the preparation and submission of a report to both the circuit court judge and the court monitor, as well as the parties, documents the duty imposed on Legal Aid to review patient records independent of specific grievances. A common thread that exists in both West Virginia § 27–5–9 and HIPAA is the improvement of the quality of health care.³⁵ That objective was undeniably blocked when the DHHR instituted wholly unwarranted roadblocks in the path of the patient advocates. Without unrestricted access to patient records, access that the Legislature expressly approved, the patient advocates were effectively blocked from discovering violations of the patients' civil rights. HIPAA was never intended to serve as a hindrance to patient services or civil rights; it was designed to prevent the inappropriate use or dissemination of protected health information.³⁶ In the case before us, the DHHR has failed to demonstrate that Legal Aid has disseminated any protected health information in violation of federal or state law.

35 See 65 Fed. Reg. 82462–01, 82463.

36 See supra note 35.

IV. Conclusion

Based on the foregoing, the August 27, 2014, order of the Circuit Court of Kanawha County is affirmed with regard to its multiple directives concerning the restoration of access without limitation by patient advocates to patients at Sharpe and Bateman.³⁷

37 Consistent with the trial court's directives, that access is subject to the right of patients to place limitations on the disclosure of their health information.

Affirmed.

DAVIS, Justice, dissenting:

In this proceeding, Legal Aid sought to force DHHR to continue to allow Legal Aid to have complete access to patient records, without patient consent, at the Bateman and Sharpe psychiatric facilities. Before this Court, DHHR argued that it was violating federal law, specifically HIPAA, when it previously authorized Legal Aid to have complete access to patient records without the consent of the patients. The circuit court and majority opinion disagreed with DHHR. The circuit court found that Legal Aid did not need patient consent to have unfettered access to patient records, because Legal Aid came under the following exceptions recognized by HIPAA: business associate, health oversight agency, health care operations, and legal requirement. The majority opinion correctly found that not one of the exceptions relied upon by the trial court applied to Legal Aid. Rather than stopping there and reversing the circuit court's order, the majority opinion affirmed the circuit court on a different ground. With absolutely no legal analysis, the majority opinion determined that Legal Aid could have unfettered access to patient information because of the “more stringent” State law exception found under HIPAA.

As I will demonstrate below, if the majority opinion had performed but a scintilla of the legal analysis that is required to determine whether a State law is more stringent than HIPAA, it would have reversed the circuit court's order. Consequently, for the reasons set out below, I dissent.

The Majority Decision Authorizes Legal Aid to Violate Federal Law

Because of the arrogant and complete disregard of federal law by the majority opinion, I must start my dissent with a review of some basic legal principles. To begin, it has been noted that “[t]he preemption doctrine has its origin in the Supremacy Clause of the United States Constitution[.]” Hartley Marine Corp. v. Mierke, 196 W.Va. 669, 673, 474 S.E.2d 599, 603 (1996). See also Harrison v. Skyline Corp., 224 W.Va. 505, 510, 686 S.E.2d 735, 740 (2009) ( “[T]he preemption doctrine has its roots in the supremacy clause of the United States Constitution and is based on the premise that federal law can supplant inconsistent state law.”). The Supremacy Clause of the federal constitution provides that the laws of the United States “shall be the supreme law of the Land; ... anything in the Constitution or laws of any state to the Contrary notwithstanding.” U.S. Const. Art. VI, Cl. 2. We have recognized that “[t]he Supremacy Clause of the United States Constitution, Article VI, Clause 2, invalidates state laws that interfere with or are contrary to federal law.” Syl. pt. 1, Cutright v. Metropolitan Life Ins. Co., 201 W.Va. 50, 491 S.E.2d 308 (1997). Pursuant to the Supremacy Clause, federal preemption of state law occurs if: (1) Congress expressly preempts state law; (2) Congress has completely supplanted state law in that field; (3) adhering to both state and federal law is not possible; or (4) state law impedes the achievement of the objectives of Congress. See Crosby v. Nat'l Foreign Trade Council, 530 U.S. 363, 372, 120 S.Ct. 2288, 2293–94, 147 L.Ed.2d 352 (2000). “Although Congressional intent is commonly the starting point for federal preemption analysis, the existence of an express preemption provision in a statute nullifies the need for further analysis.” Wade v. Vabnick–Wener, 922 F.Supp.2d 679, 686 (internal citations omitted). See also Syl. pt. 4, Morgan v. Ford Motor Co., 224 W.Va. 62, 680 S.E.2d 77 (2009) (“When it is argued that a state law is preempted by a federal law, the focus of analysis is upon congressional intent. Preemption is compelled whether Congress' command is explicitly stated in the statute's language or implicitly contained in its structure and purpose.”). HIPAA sets out an express preemption provision; therefore, no further analysis is necessary to discern Congressional intent. See Cipollone v. Liggett Grp., Inc., 505 U.S. 504, 517, 112 S.Ct. 2608, 2618, 120 L.Ed.2d 407 (1992) (“When Congress has considered the issue of pre-emption and has included in the enacted legislation a provision explicitly addressing that issue, and when that provision provides a reliable indicium of congressional intent with respect to state authority, there is no need to infer congressional intent to pre-empt state laws from the substantive provisions of the legislation.... Therefore, we need only identify the domain expressly pre-empted by each of those sections.” (internal quotations and citations omitted)).

Congress enacted HIPAA in 1996, in part, to protect the privacy of individually identifiable health information. See Jennifer Guthrie, “Time Is Running Out–The Burdens and Challenges of HIPAA Compliance: A Look at Preemption Analysis, the ‘Minimum Necessary’ Standard, and the Notice of Privacy Practices,” 12 Annals Health L. 143, 146 (2003) (“The main premise of HIPAA is to protect individually identifiable health information. This means that certain information will not be revealed without a patient's express authorization, in an effort to contain important information to as few people as possible.”). For purposes of HIPAA, protected health information “is any health information, oral or recorded, that is individually identifiable and transmitted or maintained by a covered entity in any form or medium.” Holman v. Rasak, 486 Mich. 429, 435–36, 785 N.W.2d 98, 102 (2010). The Secretary of Health and Human Services was directed by Congress to promulgate regulations setting privacy standards for health information. See Northwestern Mem'l Hosp. v. Ashcroft, 362 F.3d 923, 924 (7th Cir.2004) ( “Section 264 of HIPAA, 42 U.S.C. § 1320d ..., directs the Secretary of Health and Human Services to promulgate regulations to protect the privacy of medical records[.]”).¹ In 2000, the Secretary responded by issuing the Standards for Privacy of Individually Identifiable Health Information, known as the “Privacy Rule” and codified at 45 C.F.R. 160, 164. See Smith v. Am. Home Prods. Corp. Wyeth–Ayerst Pharm., 372 N.J.Super. 105, 111 n. 2, 855 A.2d 608, 612 n. 2 (2003) (“On December 28, 2000, pursuant to a mandate under the ‘administrative simplification’ provisions of HIPAA, the Department of Health and Human Services issued new standards for privacy of individually identifiable health information (IIHI) called ‘The Final Privacy Rule’ as published in the Federal Register.”).² Compliance with the Privacy Rule was not required until 2003.³ See United States v. Sutherland, 143 F.Supp.2d 609, 612 (W.D.Va.2001) (“Although the Standards were effective April 14, 2001, compliance is not required until April 14, 2003.”). Specific to the case at hand, the Secretary promulgated a federal regulation on HIPAA's preemptive effect. See Morgan v. Ford Motor Co., 224 W.Va. 62, 70, 680 S.E.2d 77, 85 (2009) (“[T]he U.S. Supreme Court has recognized that an agency regulation with the force of law can explicitly or implicitly preempt conflicting state regulations.”). This regulation states that “[a] standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.” 45 C.F.R. § 160.203.⁴ See Nat'l Abortion Fed'n v. Ashcroft, No. 03 Civ. 8695 (RCC), 2004 WL 555701, at *3 (S.D.N.Y. March 19, 2004) (“Recognizing that HIPAA's privacy provisions might differ from state regulations, Congress directed that all state laws contrary to the regulations promulgated by HHS be preempted, unless the state laws fall within the exception created by HIPAA[.]”). It has been recognized that the regulations “restrict and define the ability of health plans, health care clearinghouses, and most health care providers to divulge patient medical records.” United States v. Sutherland, 143 F.Supp.2d 609, 612 (W.D.Va.2001).

“[T]he intent of HIPAA is to ensure the integrity and confidentiality of patients' [medical] information and to protect against unauthorized uses or disclosures of the information[.]” In re Antonia E., 16 Misc.3d 637, 838 N.Y.S.2d 872, 874–75 (2007) (internal quotations and citations omitted). Under HIPAA, the general rule is that a covered entity may not use or disclose protected health information without a written authorization from the individual. See 45 CFR 164.508. However, as recognized by the majority opinion, HIPAA enumerates several specific situations in which a covered entity may use or disclose protected health information without the written authorization of the individual. See Pal v. New York Univ., No. 06Civ.5892(BSJ)(FM), 2007 WL 1522618, at *3 (S.D.N.Y. May 22, 2007) (“HIPAA permits the disclosure of ‘protected health information’ without a patient's consent in a variety of circumstances.”). The majority opinion found that only one of HIPAA's exceptions to the general privacy of health information applied to the facts of this case.⁵ That exception involves a State law that is “more stringent” than HIPAA. See 45 C.F.R. § 160.203(b) (“The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.”). That is, “courts have recognized that HIPAA does not preempt ‘more stringent’ privacy protections guaranteed under state law.” Pac. Radiation Oncology, LLC v. Queen's Med. Ctr., 47 F.Supp.3d 1069, 1081 (D.Haw.2014). Accord Citizens for Health v. Leavitt, 428 F.3d 167, 174 (3d Cir.2005).

The majority opinion reached the conclusion that our State law was more stringent than HIPAA without performing any legal analysis of this complex issue. The majority opinion, in a rather awkward way, merely pointed out that DHHR had annually “conclud[ed] that our state laws set forth in 64 CSR § 59 are not preempted by HIPAA as our provisions are more stringent.” The majority opinion then went on to provide:

From the record submitted in this case, the protections set forth in Title 64, Series 59 have been determined to be more stringent than those required by federal law. Accordingly, our state regulations set forth in Title 64, Series 59 are not preempted by HIPAA.

This was the sum total of how and why the majority opinion determined that our State law was more stringent than HIPAA. This total lack of analysis makes no sense. It is illogical to rely on a general finding by DHHR that its regulations are more stringent than HIPAA, when DHHR already had realized its disclosures to Legal Aid violated HIPAA, and DHHR tried to correct the violation by asserting that no authority exists for Legal Aid to indiscriminately access patient information. More fundamentally, the yard stick used by the majority opinion to determine whether a State law is more stringent than HIPAA is absurd! Under the majority opinion's mind-boggling yardstick, all that any state must do to get around HIPAA is unilaterally proclaim that its laws are more stringent than HIPAA. Surely Congress did not mean for HIPAA and the Supremacy Clause to be defeated in such a self-serving manner. Indeed, as I will demonstrate below, this absolutely was not what Congress intended.

“[A] standard is more stringent if it provides greater privacy protection for the individual who is the subject of the individually identifiable health information than the standard set forth in the rules and regulations.” Bayne v. Provost, 359 F.Supp.2d 234, 237–38 (N.D.N.Y.2005) (internal quotations and citations omitted). See also Wade v. Vabnick–Wener, 922 F.Supp.2d 679, 686 (“To meet the ‘more stringent’ requirement, a state law must ‘provide greater protection for the individual who is the subject of the individually identifiable health information’ than the standard set forth by HIPAA and its regulations.”). More importantly, it has been recognized that, under federal law, “ ‘[m]ore stringent,’ as defined in 45 C.F.R. § 160.202, means, that the state law meets any one of six criteria.” Law v. Zuckerman, 307 F.Supp.2d 705, 709 (D.Md.2004). See also Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1087 (9th Cir.2007) ( “ ‘More stringent’ laws are defined.”). The six criteria under HIPAA that define “more stringent,” have been summarized by the Fourth Circuit as follows:

[1] the state law prohibits or restricts a use or a disclosure of information where HIPAA would allow it; [2] the state law provides an individual with greater rights of access or amendment to his medical information than provided under HIPAA; [3] the state law provides an individual with a greater amount of information about a use, a disclosure, rights and remedies; [4] [state law provides requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission of an individual to disclose information]; [5] the state law provides for the retention or reporting of more detailed information or for a longer duration; or [6] the state law provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

South Carolina Med. Ass'n v. Thompson, 327 F.3d 346, 355 (4th Cir.2003). Accord In re Antonia E., 838 N.Y.S.2d 872, 876 (2007).

Simply put, in order for a court to determine that a State law is more stringent than HIPAA, it must find that the State law satisfies one of the six definitions of “more stringent” contained under 45 C.F.R. § 160.202. The majority opinion in this case literally failed to even cite, let alone discuss, the mandatory six criteria set out under 45 C.F.R. § 160.202. Ignoring the law, or pretending the law does not exist, should not be a license to manipulate and corrupt the law.

My research revealed that other courts called upon to decide whether a State law was more stringent than HIPAA have complied with federal law and applied the six criteria under 45 C.F.R. § 160.202. For example, a case which examined all six criteria under 45 C.F.R. § 160.202 is State v. La Cava, No. CR060128258S, 2007 WL 1599888 (Conn.Super.Ct. May 17, 2007). In La Cava, the court was asked to decide whether a Connecticut statute, which authorized disclosure of patient information in a judicial proceeding and in certain other circumstances, was more stringent than HIPAA. The Connecticut statute allowed:

(1) any patient who has been treated in a private hospital, public hospital society or corporation receiving state aid to, upon the demand, examine and/or copy her hospital record, including the history, bedside notes, charts, pictures and plates kept in connection with her treatment and authorize her physician or attorney to do the same; (2) a hospital, society or corporation that is served with a subpoena issued by competent authority directing the production of a hospital record to deliver such record or a copy thereof to the clerk of such court where it will remain sealed except upon the order of a judge of the court concerned; (3) any and all parts of the hospital record or copy that is not otherwise inadmissible to be admitted in evidence without the necessity of having a witness from the hospital identity the records as ones kept in the usual course of business by the hospital.

La Cava, 2007 WL 1599888, at *3. The decision in La Cava summarily applied the six criteria under 45 C.F.R. § 160.202 and determined that the Connecticut statute was not more stringent than HIPAA:

In comparison to [HIPAA's requirements for disclosures for judicial and administrative proceedings], [the state statute] does not: (1) prohibit or restrict a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under the federal rule; (2) permit greater rights of access or amendment to the individual who is the subject of the individually identifiable health information; (3) provide a greater amount of information to the individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies; (4) provide requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the need for express legal permission from the individual who is the subject of the individually identifiable health information with respect to the form, substance, or the need for express legal permission; (5) provide for the retention or reporting of more detailed information or for a longer duration with respect to recordkeeping or requirements relating to accounting of disclosures; and (6) provide greater privacy protection for the individual who is the subject of the individually identifiable health information with respect to any other matter. Accordingly, the state statute is not more stringent than the federal regulation.

Because the state statute is a contrary state law that is not more stringent than the Privacy Rule, it is preempted in accordance with 45 C.F.R. § 160.203 (2007).

La Cava, 2007 WL 1599888, at *3.

In U.S. ex rel. Stewart v. Louisiana Clinic, No. CivA. 99–1767, 2002 WL 31819130 (E.D.La. Dec. 12, 2002), the defendants attempted to prevent disclosure of patient information in a judicial proceeding by invoking the protections of a Louisiana statute. The disclosure was allowed under HIPAA, but was not allowed under Louisiana law. The opinion in Stewart framed the issue as follows:

Defendants argue that HIPAA does not preempt Louisiana law concerning disclosure of nonparty patient records without patient consent....

Defendants focus solely on the “more stringent” element of this regulatory test and on paragraph (4) of the definition of “more stringent.” “More stringent” means a State law that meets one or more of the following criteria: ...

(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

Defendants argue that the Louisiana health care provider/patient privilege law is more stringent than the federal regulations. They contend that the Louisiana statute increases the privacy protections afforded to individual patients by requiring either patient consent for the disclosure or, in the absence of consent, that a “court shall, issue an order for the production and disclosure of a patient's records ... only: after a contradictory hearing with the patient ... and after a finding by the court that the release of the requested information is proper.”

Stewart, 2002 WL 31819130, at *4–5. The court in Stewart found that, based upon the defendants' reliance solely on the fourth criterion of 45 C.F.R. § 160.202, Louisiana law was not more stringent than HIPAA:

Defendants' argument fails because this provision of Louisiana law does not address “the form, substance, or the need for express legal permission from an individual,” as required by 45 C.F.R. § 160.202 for the exception to apply. Rather, the Louisiana statute provides a way of negating the need for such permission. In other words, although the individual patient may attend the contradictory hearing, the Louisiana provision states that the court shall issue an order for disclosure (despite the patient's lack of consent), if the court finds that release of the information is proper. Because the Louisiana statute does not fit within the exception from preemption cited by defendants, it is preempted by the HIPAA regulations. Therefore, Louisiana law does not apply in this pure federal question case.

Stewart, 2002 WL 31819130, at *5.

A case which illustrates a State statute that was actually found to be more stringent than HIPAA is Wade v. Vabnick–Wener, 922 F.Supp.2d 679. In Wade, the court was called upon to decide whether Tennessee's privacy law, on ex parte communication with a plaintiff's treating physician was more stringent than HIPPA. The opinion relied upon the sixth criterion of 45 C.F.R. § 160.202. That is, “a state law must ‘provide greater protection for the individual who is the subject of the individually identifiable health information’ than the standard set forth by HIPAA and its regulations.” Wade, 922 F.Supp.2d at 686. The opinion determined that, based upon the sixth criterion, Tennessee's law was more stringent than HIPAA:

It is therefore clear that Tennessee law is more stringent than HIPAA's privacy rules concerning ex parte communications with health care providers. Absent a plaintiff's express consent, Tennessee law prohibits informal communications with the plaintiff's treating physician to obtain health information. On the contrary, HIPAA only bars such communications prior to the entry of a qualified protective order. After the requisite protective order is entered, whether by consent or over the plaintiff's objection, defendant is free to utilize informal discovery, including specifically ex parte interviews, under HIPAA.

Accordingly, because the laws of Tennessee are more stringent than HIPAA concerning defense counsels ability to make use of informal discovery methods, HIPAA does not preempt Tennessee's ban on ex parte communications with a plaintiff's non-party treating physician.

Wade, 922 F.Supp.2d at 691–92. See Nat'l Abortion Fed'n v. Ashcroft, No. 04 C 55, 2004 WL 292079, at *4 (N.D.Ill. Feb. 6, 2004) (“Because we find that Illinois law is more stringent than HIPAA's disclosure requirements and that it would be impossible for Northwestern to comply with both Judge Casey's HIPAA-pursuant Order and various provisions of Illinois law, Illinois's nonparty patient privacy laws are not preempted by HIPAA and its subsequent regulations.”); Pal v. New York Univ., 2007 WL 1522618, at *3 (“Because New York law requires patient consent before disclosure and HIPAA provides for certain exceptions to that rule, New York law is more stringent.”); Tyson v. Warden, No. CV064001202, 2007 WL 4171583, at *2 (Conn.Super.Ct. Nov. 5, 2007) (“It is clear to this court that § 52–146k and 52–146o prohibit disclosure where the HIPAA regulation relied upon by the petitioner would allow it. Sections 52–146k and 52–146o provide greater protection of the victim's private health information and are therefore not preempted by HIPAA.”); In re Antonia E., 838 N.Y.S.2d 872, 876 (2007) ( “Upon consideration of the physician-patient privilege and the broad provisions for court ordered disclosure under HIPAA, this Court finds that HIPAA provisions do not supersede New York law.”).

The above cases clearly demonstrate that a court cannot determine that a State statute is more stringent than HIPAA by relying solely on a state agency's statement that a particular state law is more stringent than HIPAA. If that was true, as the majority opinion concludes, then there would have been no reason to define “more stringent” under 45 C.F.R. § 160.202. The term “more stringent” is defined for a purpose. That purpose, to me, is quite clear. The definition is designed to narrow the circumstances in which a state law may be categorized as more stringent than HIPAA. “[W]e are not free to rewrite HIPAA's mandates; we are required to follow them.” Holman v. Rasak, 486 Mich. 429, 458, 785 N.W.2d 98, 114 (2010) (Hathaway, J., dissenting). The majority opinion in this case has made a mockery of the unambiguous and mandatory language contained in 45 C.F.R. § 160.202.

I can surmise only that the majority opinion ignored the law as dictated under 45 C.F.R. § 160.202 because it wanted to reach a result that simply could not be reached by following the law. A cursory review of what the relevant state law allowed in this case clearly shows that it was not more stringent than HIPAA.

What should be clearly understood is that, for purposes of the “more stringent” requirement of HIPAA, “any state law providing greater privacy protection for the individual who is the subject of the individually identifiable health information is a more stringent state law.” Natalie F. Weiss, “To Release or Not to Release: An Analysis of the HIPAA Subpoena Exception,” 15 Mich. St. U.J. Med. & L. 253, 260 (2011) (emphasis added). This point needs to be emphatically understood—the “more stringent” requirement under HIPAA can never be satisfied by a State law that provides lesser privacy protection. In this case, the majority opinion has indicated that the applicable state law is found in 64 C.S.R. § 59–11.5.1.d, which provides:

No written consent is necessary for employees of the department, comprehensive behavioral centers serving the client or advocates under contract with the department.

In sum, this state regulation allows Legal Aid, as an “advocate,” to have complete access to patient information without the consent of the patient. On its face, it is clear that this law does not provide greater privacy protection. Instead, it exposes all patient information to a private legal entity in the absence of patient consent for either representation by the agency or the disclosure of their medical records to the agency.

It has correctly been observed that “[i]f state law can force disclosure without a court order, or the patient's consent, it is not ‘more stringent’ than the HIPAA regulations.” Law v. Zuckerman, 307 F.Supp.2d 705, 711 (D.Md.2004). Through a summary application of HIPAA's six criteria, it is clear that the state regulation at issue in this matter does not: (1) prohibit or restrict a use or a disclosure of information where HIPAA would allow it; (2) provide an individual with greater rights of access or amendment to his medical information than provided under HIPAA; (3) provide an individual with a greater amount of information about a use, a disclosure, rights and remedies; (4) provide requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission of an individual to disclose information; (5) provide for the retention or reporting of more detailed information or for a longer duration; or (6) provide greater privacy protection for the individual who is the subject of the individually identifiable health information. Insofar as the state regulation does not satisfy any of the above six factors contained in 45 C.F.R. § 160.202, the state law is not more stringent than HIPAA. The majority knew this, and that is why its opinion completely ignored 45 C.F.R. § 160.202. See In re Funderburke, No. 687–0026, 1988 WL 1607927, at *4 (S.D.Ga. Jan. 18, 1988) (“[T]he record shows that the [majority] did nothing except to assume the position of an ostrich with its head in the sand and ignore [the law] which [was] readily available to it.”).

Finally, I wish to point out that the majority opinion conceivably has opened the floodgates for civil litigation, because of the unlawful access it has given Legal Aid to patient hospital information. This Court recently held that “[c]ommon-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by the Health Insurance Portability and Accountability Act of 1996.” Syl. pt. 3, R.K. v. St. Mary's Med. Ctr., Inc., 229 W.Va. 712, 735 S.E.2d 715 (2012). If the majority opinion is not appealed to the United States Supreme Court, I have no doubt that civil law suits will follow in the wake of the misguided majority opinion.

For the reasons so stated, I dissent.