SOUTH CAROLINA MEDICAL ASSOCIATION; Physicians Care Network; J. Capers Hiott, M.D.; John R. Ross, M.D.; Gordon E. Pennebaker, M.D.; Carol S. Nichols, M.D.; Dannette F. McAlhaney, M.D.; Herbert Moskow, M.D.; Louisiana State Medical Society, Plaintiffs-Appellants, v. Tommy G. THOMPSON, sued as Secretary of the U.S. Department of Health and Human Services; U.S. Department Of Health & Human Services, Defendants-Appellees.
Appellants, South Carolina Medical Association, Physicians Care Network, and several individual doctors, filed suit seeking to have declared unconstitutional several provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub.L. No. 104-191, 110 Stat.1936 (1996). Because Congress laid out an intelligible principle in HIPAA to guide agency action, we reject appellants' claim that the statute impermissibly delegates the legislative function. We also conclude that regulations promulgated pursuant to HIPAA are not beyond the scope of the congressional grant of authority, and that neither the statute nor the regulations are impermissibly vague. Accordingly, we affirm.
Recognizing the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems, Congress passed HIPAA in August 1996. HIPAA's Administrative Simplification provisions,1 sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information in connection with such transactions. The preamble to the Administrative Simplification provisions clarifies this goal:
It is the purpose of this subtitle to improve the Medicare program ․, the medicaid program ․, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.
HIPAA § 261, 110 Stat. 2021.
To this end, Congress instructed the United States Department of Health and Human Services (“HHS”) to adopt uniform standards “to enable health information to be exchanged electronically.” 42 U.S.C.A. § 1320d-2(a)(1). Congress directed HHS to adopt standards for unique identifiers to distinguish individuals, employers, health care plans, and health care providers across the nation, see 42 U.S.C.A. § 1320d-2(b)(1), as well as standards for transactions and data elements relating to health information, see 42 U.S.C.A. § 1320d-2(a), (c) & (f), the security of that information, see 42 U.S.C.A. § 1320d-2(d), and verification of electronic signatures, see 42 U.S.C.A. § 1320d-2(e).
Within the Administrative Simplification section, Congress included another provision-section 264-outlining a two-step process to address the need to afford certain protections to the privacy of health information maintained under HIPAA. First, section 264(a) directed HHS to submit to Congress within twelve months of HIPAA's enactment “detailed recommendations on standards with respect to the privacy of individually identifiable health information.” HIPAA § 264(a), 110 Stat.2033. Second, if Congress did not enact further legislation pursuant to these recommendations within thirty-six months of the enactment of HIPAA, HHS was to promulgate final regulations containing such standards. Specifically, section 264(c)(1) provided:
If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).
HIPAA § 264(c)(1), 110 Stat.2033. The subjects Congress directed HHS to cover in promulgating privacy regulations included the following: “(1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required.” HIPAA § 264(b), 110 Stat.2033. Through individual provisions of HIPAA, Congress outlined whom the regulations were to cover, see 42 U.S.C.A. § 1320d-1(a); what information was to be covered, see 42 U.S.C.A. § 1320d(6) (defining “individually identifiable health information”); what types of transactions were to be covered, see 42 U.S.C.A. § 1320d-2(a)(2); what penalties would accrue for violations of HIPAA, see 42 U.S.C.A. §§ 1320d-5, 1320d-6; and what time lines and standards would govern compliance with the Act, see 42 U.S.C.A. §§ 1320d-3, 1320d-4.
Finally, section 264(c)(2) provided that the privacy regulations promulgated by HHS “shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” HIPAA § 264(c)(2), 110 Stat.2033-34 (emphasis added).
Pursuant to Congress's mandate, HHS submitted recommendations for protecting the privacy of individually identifiable health information in September 1997. Several detailed and comprehensive medical privacy bills were thereafter introduced; however, Congress did not pass any additional legislation. For its part, HHS followed Congress's directive and drafted regulations that appeared in a November 1999 Notice of Proposed Rulemaking. The proposed regulations drew more than 50,000 comments from affected parties. After several further proposals and amendments were published, HHS promulgated final regulations in February 2001, collectively the “Privacy Rule.” Although the effective date of the Privacy Rule was set for April 14, 2001, entities covered by the regulations were given until April 14, 2003, to comply, while some smaller entities were granted an additional year.
Appellants sought declaratory relief from provisions of HIPAA and the accompanying Privacy Rule promulgated by HHS. The district court dismissed the action and this appeal followed. Appellants argue that 1) HIPAA violates the non-delegation doctrine by authorizing HHS to promulgate the regulations at issue in the absence of an intelligible principle from Congress; 2) the Privacy Rule exceeds the scope of authority granted to HHS under HIPAA; and 3) HIPAA's non-preemption of “more stringent” state privacy laws is unconstitutionally vague, in violation of the Due Process Clause of the Fifth Amendment. We address each of these issues in turn.
The first issue is whether HIPAA violates the non-delegation doctrine. “In a delegation challenge, the constitutional question is whether the statute has delegated legislative power to [an] agency” of the executive branch. Whitman v. American Trucking Ass'ns, Inc., 531 U.S. 457, 472, 121 S.Ct. 903, 149 L.Ed.2d 1 (2001). The doctrine is “rooted in the principle of separation of powers that underlies our tripartite system of government.” Mistretta v. United States, 488 U.S. 361, 371, 109 S.Ct. 647, 102 L.Ed.2d 714 (1989). The first lines of the Constitution set forth that “[a]ll legislative Powers herein granted shall be vested in a Congress of the United States.” U.S. Const. art. I, § 1. Thus, from our nation's earliest days, “the integrity and maintenance of the system of government ordained by the Constitution [has] mandate[d] that Congress generally cannot delegate its legislative power to another Branch.” Mistretta, 488 U.S. at 371-72, 109 S.Ct. 647 (citation omitted).
In tension with this constitutional directive is the practical requirement that Congress turn to the other branches of government for assistance in carrying out its general legislative policies: “[O]ur jurisprudence has been driven by a practical understanding that in our increasingly complex society, replete with ever changing and more technical problems, Congress simply cannot do its job absent an ability to delegate power under broad general directives.” Id. at 372, 109 S.Ct. 647; see also American Power & Light Co. v. S.E.C., 329 U.S. 90, 105, 67 S.Ct. 133, 91 L.Ed. 103 (1946) (acknowledging that the “legislative process would frequently bog down if Congress were constitutionally required to appraise beforehand the myriad situations to which it wishes a particular policy to be applied and to formulate specific rules for each situation”).
The Supreme Court has outlined an approach to determining the difference between prohibited delegation and necessary cooperation between coordinate branches: “In determining what [Congress] may do in seeking assistance from another branch, the extent and character of that assistance must be fixed according to common sense and the inherent necessities of the governmental coordination.” J.W. Hampton, Jr. & Co. v. United States, 276 U.S. 394, 406, 48 S.Ct. 348, 72 L.Ed. 624 (1928). This approach dictates that where Congress “lay[s] down by legislative act an intelligible principle to which the person or body authorized to [exercise the assigned duty] is directed to conform, such legislative action is not a forbidden delegation of legislative power.” Id. at 409, 48 S.Ct. 348 (emphasis added). The Court has held that a delegation of legislative power will be found “constitutionally sufficient if Congress clearly delineates the general policy, the public agency which is to apply it, and the boundaries of this delegated authority.” Mistretta, 488 U.S. at 372-73, 109 S.Ct. 647 (internal quotation marks omitted). These three factors make up the test for determining whether an intelligible principle lies behind the conferral of authority from Congress to an agency.
The government does not bear an onerous burden in demonstrating the existence of an intelligible principle. Since A.L.A. Schechter Poultry Corp. v. United States, 295 U.S. 495, 55 S.Ct. 837, 79 L.Ed. 1570 (1935), and Panama Refining Co. v. Ryan, 293 U.S. 388, 55 S.Ct. 241, 79 L.Ed. 446 (1935), the Supreme Court has not struck down a statute for an impermissible delegation. See American Trucking Ass'ns, 531 U.S. at 474, 121 S.Ct. 903 (“In the history of the Court we have found the requisite ‘intelligible principle’ lacking in only two statutes, one of which [Panama Refining ] provided literally no guidance for the exercise of discretion, and the other of which [A.L.A. Schechter ] conferred authority to regulate the entire economy on the basis of no more precise a standard than stimulating the economy by assuring ‘fair competition.’ ”). Rather, Congress has been able to delegate authority under “broad standards.” Mistretta, 488 U.S. at 373, 109 S.Ct. 647; see, e.g., Lichter v. United States, 334 U.S. 742, 785-86, 68 S.Ct. 1294, 92 L.Ed. 1694 (1948) (upholding delegation of authority to determine excessive profits); American Power, 329 U.S. at 105-06, 67 S.Ct. 133 (upholding delegation to SEC to prevent unfair or inequitable distribution of voting power among security holders); Yakus v. United States, 321 U.S. 414, 426-27, 64 S.Ct. 660, 88 L.Ed. 834 (1944) (upholding delegation to price administrator to fix commodity prices that would be fair and equitable); National Broadcasting Co. v. United States, 319 U.S. 190, 225-26, 63 S.Ct. 997, 87 L.Ed. 1344 (1943) (upholding delegation to FCC to regulate broadcast licensing as public interest, convenience, or necessity require). The only limiting factor in each case has been the presence of an intelligible principle behind the congressional delegation.
In light of this guidance, we conclude that HIPAA also contains the requisite intelligible principle necessary to survive a non-delegation challenge. Specifically, there are at least three sources within HIPAA that provide intelligible principles outlining and limiting the Congressional conferral of authority on HHS. First, the language of the statute mandates that HHS implement regulations addressing three particular subjects: “(1) [t]he rights that an individual who is a subject of individually identifiable health information should have”; “(2) [t]he procedures that should be established for the exercise of such rights”; and “(3) [t]he uses and disclosures of such information that should be authorized or required.” HIPAA § 264, 110 Stat.2033. The question is whether these amount to a statement of “general policy” by Congress. We believe that they do, particularly when read in connection with the second source-namely section 261, the preamble to the statute-which sets forth the general purpose of HIPAA as “improv[ing] the Medicare program ․, the medicaid program ․, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” HIPAA § 261, 110 Stat.2021. Section 262 further refines this goal by requiring that the Privacy Rule “be consistent with the objective of reducing the administrative costs of providing and paying for health care.” HIPAA § 262, 110 Stat.2023 (codified at 42 U.S.C.A. § 1320d-1(b)). The third source of an intelligible principle is Congress's limitation of the Privacy Rule to communications of listed information by particular covered entities. As noted above, individual provisions of HIPAA outline whom the Privacy Rule was to cover, see 42 U.S.C.A. § 1320d-1(a); what information was to be covered, see § 1320d(6) (defining “individually identifiable health information”); what types of transactions were to be covered, see § 1320d-2(a)(2); what penalties would accrue for violations of HIPAA, see §§ 1320d-5, 1320d-6; and what time lines and standards would govern compliance with HIPAA, see §§ 1320d-3, 1320d-4. We agree with the district court that, taken together, the provisions of HIPAA provide a general policy, describe the agency in charge of applying that policy, and set boundaries for the reach of that agency's authority-all in keeping with the intelligible principle test. See American Power, 329 U.S. at 105, 67 S.Ct. 133 (holding a statute is “constitutionally sufficient” if it meets these three requirements). Thus, we conclude that HIPAA is “well within the outer limits of our nondelegation precedents.” American Trucking Ass'ns, 531 U.S. at 474, 121 S.Ct. 903.
Although appellants argue that the present case is indistinguishable from Panama Refining, one of only two cases in which the Supreme Court has invalidated a statute on the basis of an unconstitutional delegation, we disagree. In Panama Refining, the Court found that the challenged portion of the statute at issue, section 9(c) of the National Industrial Recovery Act (“NIRA”), did not provide the President with any mandate, but rather authorized him to pass a prohibitory law. See Panama Refining, 293 U.S. at 405-412, 55 S.Ct. 241. That is, the Court found that Congress had offered no guidance in NIRA as to whether the President should or should not prohibit the transportation of excess petroleum and petroleum products, so-called “hot oil,” in interstate commerce. Rather, the Court noted that “[s]o far as this section is concerned, it gives to the President an unlimited authority to determine the policy and to lay down the prohibition, or not to lay it down, as he may see fit.” Id. at 415, 55 S.Ct. 241. Finding no limit on executive discretion in this substantive provision of NIRA, the Court also looked to the preamble of the statute and, once again, found no guidance as to whether “hot oil” was good or bad. See id. at 416-18, 55 S.Ct. 241. Thus, NIRA “provided literally no guidance for the exercise of discretion.” American Trucking Ass'ns, 531 U.S. at 474, 121 S.Ct. 903. By contrast, in the case before us we have a clear mandate from Congress directing HHS to act in accordance with the intelligible principles set forth in HIPAA. Further, there are clear limits upon the scope of that authority and the type of entities whose actions are to be regulated.
Finally, we find unavailing appellants' position that Congress unconstitutionally relinquished its lawmaking function by mandating that final regulations governing standards with respect to the privacy of individually identifiable health information be promulgated within thirty-six months of HIPAA's enactment if no further legislation on the subject were enacted. We do not agree that this approach amounts to an abdication. Rather, the procedures outlined by Congress establish a more explicit oversight mechanism than usually accompanies a rulemaking mandate imposed upon an agency. In conveying rulemaking authority, Congress always reserves the right-indeed, never relinquishes the right-to engage in further lawmaking. As described above, Congress did not abdicate its legislative responsibility in passing HIPAA, but outlined a broad set of principles to guide HHS action. See Yakus, 321 U.S. at 426, 64 S.Ct. 660 (“Only if we could say that there is an absence of standards for the guidance of the Administrator's action ․ would [we] be justified in overriding its choice of means for effecting its declared purpose.”). Animated by these principles, HHS was directed first to offer recommendations within a year of HIPAA's enactment. That Congress did not enact additional measures in light of these recommendations indicates the legislature's satisfaction with HHS's proposed approach to protecting the privacy of individually identifiable health information. This decision did not, and does not, limit Congress's ability to revisit the issue, change the direction or scope of the statute or rules, or wholly undo the regulatory scheme HHS has established pursuant to HIPAA.
For these reasons, we conclude that HIPAA does not violate the non-delegation doctrine.
Appellants' second argument is that section 264(c) of HIPAA limits HHS to regulating only electronic records transmitted in connection with section 1173(a) of the Social Security Act, see 42 U.S.C.A. § 1320d-2(a), yet HHS impermissibly expanded HIPAA's scope to cover not only electronic transactions, but “every form of information for all Americans held by covered entities.” Appellants' Brief at 7. The government responds that neither section 264(c), nor other portions of the Administrative Simplification section to which it refers, limits HHS's authority to regulating purely electronic information. The government also contends that during the rulemaking process HHS decided that protecting only electronic information would not adequately safeguard patient privacy and that it would be burdensome and ultimately unworkable to distinguish the same information in various stages and formats that could be kept in electronic or non-electronic form.
The disputed section includes a broad grant of authority from Congress to HHS as to the regulation of medical information. Section 264(c)(1) states in pertinent part as follows:
If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by Section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000].
HIPAA § 264(c)(1), 110 Stat.2033. In describing what kind of information is to be protected, Congress expressly defined “health information” to include any information, “whether oral or recorded in any form or medium.” 42 U.S.C.A. § 1320d(4) (emphasis added). The definition of “individually identifiable health information”-a subset of “health information”-contains no language limiting its reach to electronic media.2 Thus, the plain language of HIPAA indicates that HHS could reasonably determine that the regulation of individually identifiable health information should include non-electronic forms of that information.
Although appellants argue that the reference in HIPAA § 264(c)(1) to information “transmitted in connection with section 1173(a)” limits the scope of the regulations solely to electronic transactions, another reasonable reading is that section 1173(a) directs HHS to develop “standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically.” 42 U.S.C.A. § 1320d-2(a)(1) (emphasis added). Thus, the focus is on enabling electronic portability, not simply on regulating purely electronic activity. This reading is bolstered by the fact that transactions listed in connection with section 1173(a) are not described in terms that limit their scope to electronic media, but rather include transactions with respect to “[e]nrollment and disenrollment in a health plan,” “[h]ealth care payment and remittance advice,” and “[h]ealth plan premium payments”-terms that do not invite the limitation to a purely electronic scheme. 42 U.S.C.A. § 1320d-2(a)(2)(C), (E) and (F).
The validity of a regulation promulgated by an agency pursuant to a congressional mandate is to be sustained so long as it is “reasonably related to the purposes of the enabling legislation under which it was promulgated.” Thorpe v. Housing Auth. of the City of Durham, 393 U.S. 268, 280-81, 89 S.Ct. 518, 21 L.Ed.2d 474 (1969); see Chevron U.S.A., Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837, 844, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984). Regulating non-electronic as well as electronic forms of health information effectuates HIPAA's intent to promote the efficient and effective portability of health information and the protection of confidentiality. If coverage were limited to electronic data, there would be perverse incentives for entities covered by the rule to avoid the computerization and portability of any medical records. Such a development would utterly frustrate the purposes of HIPAA. HHS's interpretation of the scope of the grant of authority given by Congress is not inconsistent with the language of the statute and is reasonably related to the larger purposes of HIPAA. The agency reasonably determined that regulating health information in such a way as to foster effective and efficient electronic transmission requires that the rule encompass paper records.
Appellant's final argument is that HIPAA's non-preemption provision, which provides for the preemption of state laws unless they are “more stringent” than HIPAA, is impermissibly vague because it necessarily calls for subjective judgments on the part of health care providers, who face jail or fines for incorrect determinations. Contending that it fails to provide fair notice or minimal guidelines to covered entities and individuals, appellants argue that the statute violates the Due Process Clause of the Fifth Amendment.3
The Court has stated that “[i]t is a basic principle of due process that an enactment is void for vagueness if its prohibitions are not clearly defined.” Grayned v. City of Rockford, 408 U.S. 104, 108, 92 S.Ct. 2294, 33 L.Ed.2d 222 (1972). A challenged statutory provision will survive scrutiny “unless it is so unclear with regard to what conduct is prohibited that it may trap the innocent by not providing fair warning, or it is so standardless that it enables arbitrary and discriminatory enforcement.” Greenville Women's Clinic v. South Carolina Dep't of Health & Envtl. Control, 317 F.3d 357, 366 (4th Cir.2002) (internal quotation marks omitted).
The disputed preemption provision is found in section 264(c)(2) and states as follows:
A regulation promulgated under paragraph (1) shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.
HIPAA § 264(c)(2), 110 Stat.2033-34 (emphasis added). In order to determine what state laws will be preempted under HIPAA, we look to the regulations promulgated pursuant to the non-preemption provision. See Village of Hoffman Estates v. Flipside, Hoffman Estates, Inc., 455 U.S. 489, 504, 102 S.Ct. 1186, 71 L.Ed.2d 362 (1982) (holding that “administrative regulation will often suffice to clarify a standard with an otherwise uncertain scope”).
According to the regulations promulgated by HHS, a state law is “more stringent” than HIPAA if it “provides greater privacy protection for the individual who is the subject of the individually identifiable health information.” 45 C.F.R. § 160.202 (2002). To further clarify this standard, the regulation explains that a state law is “more stringent” where it meets one or more of the following criteria: the state law prohibits or restricts a use or a disclosure of information where HIPAA would allow it; the state law provides an individual with “greater rights of access or amendment” to his medical information than provided under HIPAA; the state law provides an individual with a “greater amount of information” about “a use, a disclosure, rights, and remedies”; the state law provides for the retention or reporting of more detailed information or for a longer duration; or the state law “provides greater privacy protection for the individual who is the subject of the individually identifiable health information.” 45 C.F.R. § 160.202. These criteria will doubtless call for covered entities to make some common sense evaluations and comparisons between state and federal laws, but this does not mean they are either vague or constitutionally infirm. Because the regulations are sufficiently definite to give fair warning as to what will be considered a “more stringent” state privacy law, we affirm the district court's decision on this issue as well.4
For the foregoing reasons, the judgment of the district court granting the motion to dismiss is hereby affirmed.
1. Subtitle F of Title II of HIPAA consists of sections 261 through 264. HIPAA § 262 amends Title XI of the Social Security Act, 42 U.S.C. § 1301 et seq., to add a Part C, entitled “Administrative Simplification,” with sections 1171-1179, codified at 42 U.S.C.A. § 1320d through § 1320d-8 (West Supp.2002). Section 261 is found as a note to 42 U.S.C.A. § 1320d. Section 264 is found as a note to 42 U.S.C.A. § 1320d-2. Section 263 amends the Public Health Service Act, at 42 U.S.C.A. § 242k(k) (West Supp.2002).
2. The phrase “individually identifiable health information” refers to information that:(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and-(i) identifies the individual; or(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.42 U.S.C.A. § 1320d(6)(B).
3. The government contends that the vagueness challenge is unripe because “the non-preemption provision has not been applied to plaintiffs in any concrete way that would permit a fair assessment of its clarity in the proper context.” Brief of Appellees at 31. See Lyng v. Northwest Indian Cemetery Protective Ass'n, 485 U.S. 439, 445, 108 S.Ct. 1319, 99 L.Ed.2d 534 (1988) (holding that courts should “avoid reaching constitutional questions in advance of the necessity of deciding them”); Commonwealth of Virginia v. Browner, 80 F.3d 869, 881 n. 6 (4th Cir.1996) (holding that a constitutional challenge to sanctions in the Clean Air Act was not ripe for review because the threat of sanctions had not been felt by plaintiffs “in a concrete way” (internal quotation marks omitted)). We disagree. “Ripeness depends on the fitness of the issues for judicial decision and the hardship to the parties of withholding court consideration.” Bituminous Coal Operators' Ass'n v. Secy. of Interior, 547 F.2d 240, 244 (4th Cir.1977) (internal quotation marks omitted). We believe both requirements are met here.
4. We summarily dispense with appellants' argument that the Privacy Rule will chill patients' rights of free speech, as we find this claim to be without merit.
Affirmed by published opinion. Judge TRAXLER wrote the opinion, in which Chief Judge WILKINS and Judge GREGORY joined.