R.K., Plaintiff Below, Petitioner v. ST. MARY'S MEDICAL CENTER, INC., d/b/a St. Mary's Medical Center, Defendant Below, Respondent.
R.K.,1 plaintiff below/petitioner, seeks reversal of a circuit court order dismissing numerous state-law claims he had asserted against St. Mary's Medical Center, Inc., defendant below/respondent (hereinafter referred to as “St. Mary's”). The circuit court granted St. Mary's 12(b)(6) motion to dismiss based upon its conclusion that R.K.'s state-law claims were preempted by the federal Health Insurance Portability and Accountability Act of 1996 (hereinafter referred to as “HIPAA”).
In addition, St. Mary's asserts a cross assignment of error arguing that the circuit court erred by finding that R.K.'s claims did not fall under the West Virginia Medical Professional Liability Act (hereinafter referred to as “the MPLA”) and concluding, therefore, that R.K. was not required to file a notice of claim and screening certificate of merit.
FACTUAL AND PROCEDURAL HISTORY
In March of 2010, while R.K. was in the midst of divorce proceedings, he was admitted to St. Mary's as a psychiatric patient. During his hospitalization, and to further his treatment, R.K. disclosed confidential personal information that he had not previously disclosed to anyone, including his estranged wife. R.K. did not authorize the disclosure of information regarding his psychiatric condition or his hospitalization to his estranged wife or to anyone else. Nevertheless, during R.K.'s hospitalization, St. Mary's employees improperly accessed his medical records, which contained his psychological information, and informed R.K.'s estranged wife and her divorce lawyer of R.K.'s hospitalization and disclosed to them other confidential medical and psychological information pertaining to R.K.
In May of 2010, when R.K. learned that his confidential medical and psychological information had been improperly accessed, he contacted St. Mary's and requested an audit of his records. As a result, R.K. was subsequently contacted by a St. Mary's representative and advised that St. Mary's investigation of the matter concluded that there had been “an inappropriate access to his medical record.” Although R.K. was informed that appropriate action had been taken, no details regarding the “appropriate action” were provided.
On September 21, 2010, R.K. filed suit against St. Mary's asserting claims for negligence, outrageous conduct, intentional infliction of emotional distress, negligent infliction of emotional distress, negligent entrustment, breach of confidentiality, invasion of privacy, and punitive damages. St. Mary's responded with a motion to dismiss for failure to state a claim pursuant to Rule 12(b)(6) of the West Virginia Rules of Civil Procedure asserting that R.K.'s claims were preempted by HIPAA. In the alternative, St. Mary's requested a more definite statement pursuant to West Virginia Rule of Civil Procedure 12(e). Finally, St. Mary's argued that R.K.'s claims came under the MPLA, and they should, therefore, be dismissed due to his failure to file the required notice of claim and screening certificate of merit.
Following a hearing on St. Mary's motion, by order entered May 9, 2011, the circuit court concluded that HIPAA completely preempted R.K.'s claims and dismissed the suit in its entirety. Nevertheless, the circuit court additionally ruled that R.K.'s claims had not been filed pursuant to the MPLA, and, therefore, denied St. Mary's motion to dismiss insofar as it alleged R.K.'s failure to comply therewith, and further denied St. Mary's motion for a more definite statement finding that R.K. had alleged sufficient facts to support his claims .2 It is from this order that R.K. appeals and St. Mary's asserts its cross assignment of error.
STANDARD OF REVIEW
In this appeal, R.K. asks this Court to review the circuit court's order granting St. Mary's motion to dismiss. It is well established that “[a]ppellate review of a circuit court's order granting a motion to dismiss a complaint is de novo.” Syl. pt. 2, State ex rel. McGraw v. Scott Runyan Pontiac–Buick, Inc., 194 W. Va. 770, 461 S.E.2d 516 (1995). Additionally, St. Mary's, by way of a cross assignment of error, asks this Court to review the circuit court's ruling that R.K.'s allegations are not governed by the MPLA. This issue presents a purely legal question that involves the interpretation of a statute. Thus, St. Mary's cross appeal is likewise governed by a de novo standard of review. “Interpreting a statute or an administrative rule or regulation presents a purely legal question subject to de novo review.” Syl. pt. 1, Appalachian Power Co. v. State Tax Dep't, 195 W. Va. 573, 466 S.E.2d 424 (1995). See also Syl. pt. 1, Chrystal R.M. v. Charlie A.L., 194 W. Va. 138, 459 S.E.2d 415 (1995) (“Where the issue on an appeal from the circuit court is clearly a question of law or involving an interpretation of a statute, we apply a de novo standard of review.”). With due consideration for these appellate standards, we will consider the issues raised in this appeal.
In this appeal, we are asked to resolve two issues. First, R.K. argues that the circuit court erred in dismissing his lawsuit based upon its finding that his claims are preempted by HIPAA. In addition, by cross-assignment of error, St. Mary's asks this court to find that the circuit court erred in finding that the claims asserted by R.K. are not governed by the MPLA and, therefore, are not subject to the MPLA pre-suit requirements. We address each of these issues in turn.
A. R.K.'s State Law Claims and HIPAA
In granting St. Mary's Rule 12(b)(6) motion to dismiss R.K.'s complaint, the circuit court relied upon the fact that HIPAA does not provide for a private cause of action. The circuit court observed that there is little authority on the issue of HIPAA's preemption of state-law claims and dismissed the claims simply because “they involve the disclosure of health information.”3 The court concluded that R.K.'s causes of action would afford him “remedies under state law that are not permitted by ․ and are rejected by HIPAA.”
R.K. argues, in his single assignment of error, that the circuit court erred in dismissing his private causes of action based upon HIPAA preemption because he did not assert any claim under HIPAA. R .K. argues that all of his claims were based on state-law causes of action. Therefore, he asserts, HIPAA preemption does not apply. R.K. submits that a HIPAA preemption analysis applies only if a claim under HIPAA is asserted.4
St. Mary's responds that West Virginia courts are not bound by the labels of the drafter of a complaint when applying the applicable law. St. Mary's asserts that, even though R.K.'s complaint was artfully drafted to not specifically assert claims labeled HIPAA, the circuit court properly looked beyond the labels used by R.K. and correctly determined that the complaint did indeed assert HIPAA claims. See, e.g., Blankenship v. Ethicon, Inc., 221 W. Va. 700, 656 S.E.2d 451 (2007) (dismissing claim for failure to comply with MPLA even though MPLA claim not expressly asserted). Accordingly, St. Mary's argues, the circuit court properly found R.K .'s claims were preempted.
St. Mary's further contends that HIPAA's preemption analysis applies to the current litigation and preempts R.K.'s state common-law causes of action. St. Mary's asserts that R.K.'s claims are contrary to, and less stringent than, standards adopted by Sections 1320d–1 through 1320d–3 of HIPAA5 and, therefore, are preempted.
1. HIPAA generally. HIPAA was adopted by Congress in 1996. It has been explained that
HIPAA's purpose is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” HIPAA, Pub.L. No. 104–191, 110 Stat.1936l; U.S. v. Jones, 471 F.3d 478 (3d Cir.2006). The statute authorizes the Secretary of Health and Human Services to “adopt standards” that will “enable health information to be exchanged electronically, ․ consistent with the goals of improving the operation of the health care system and reducing administrative costs,” and that will “ensure the integrity and confidentiality of [individuals' health] information [and protect against] ․ unauthorized uses or disclosures of the information.” 42 U.S.C. § 1320d–2.
Ruder v. Pequea Valley Sch. Dist., 790 F.Supp.2d 377, 403 (E .D.Pa.2011). See also Morgan v. Sebelius, 694 F.3d 535, 538 (4th Cir. June 14, 2012) (“Congress enacted the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’) ․ ‘to combat waste, fraud, and abuse in health insurance and health care delivery.’ Pub.L. No. 104–191, 110 Stat.1936, 1936 (1996).”).
HIPAA includes a
“Privacy Rule,” codified at 45 C.F.R. §§ 160 and 164, [which] provides national standards to protect the confidentiality of an individual's medical records and personal health information. HIPAA thus “restricts and defines the ability of health plans, health care clearinghouses, and most health care providers to divulge patient medical records.” 194 A.L.R. Fed. 133.
Tavares v. Lawrence & Mem'l Hosp., No. 3:11–CV–770 (CSH), 2012 WL 4321961, at *11 n.24 (D.Conn. Sept. 20, 2012).
Relevant to the instant appeal, HIPAA also contains a preemption provision titled “Effect on State law,” which provides, in relevant part, as follows:
(a) General effect
(1) General rule
Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall not supersede a contrary provision of State law, if the provision of State law—
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
42 U.S.C. § 1320d–7 (1996) (emphasis added).
Regulations promulgated to enforce the foregoing provision are found at 45 C.F.R. § 160.203(b), and state, in relevant part:
A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
(b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.
2. State–Law Claims not preempted by HIPAA. While the circuit court and the parties correctly have observed the absence of a plethora of precedent on the issue of HIPAA preemption of state-law claims, we have located sufficient authority to clearly demonstrate that HIPAA does not preempt state-law causes of action for the wrongful disclosure of health care information.
In Yath v. Fairview Clinics, N.P., 767 N.W.2d 34 (Minn.Ct.App .2009), the plaintiff sought medical testing at the defendant's clinic for sexually-transmitted diseases because she had a new sex partner. A medical assistant, who happened to be related to Yath's husband, accessed Yath's medical file and subsequently shared sensitive medical information with others. The information was eventually disclosed to Yath's husband, from whom she was separated. After receiving a complaint, the clinic investigated and learned that Yath's medical file had been improperly accessed. Yath sued for the wrongful disclosure of her medical information. She asserted a variety of theories including the violation of a Minnesota statute7 by improperly disclosing information from her medical file. The trial court awarded the clinic summary judgment with regard to the statutory violation based upon its conclusion that the statute was preempted by HIPAA. The Court of Appeals of Minnesota disagreed and concluded that the statute was not preempted. In so finding, the appeals court reasoned as follows:
The general statutory rule is that HIPAA supersedes or preempts any “contrary” provision of state law. 42 U.S.C. § 1320d–7(a)(1). [Defendant clinic] Fairview argued, and the district court agreed, that Minnesota Statutes section 144.335 is “contrary” to HIPAA because section 144.335 provides for a private cause of action for the wrongful disclosure of an individual's medical records while HIPAA does not. But just because a distinction exists does not make the Minnesota provision “contrary” to HIPAA.
A state law is “contrary” to HIPAA if a health care provider “would find it impossible to comply with both the State and federal requirements” or if the state law is “an obstacle to the accomplishment and execution of the full purposes” of HIPAA. 45 C.F.R. § 160.202. It would not be impossible for [defendants] Fairview or Phat to comply with both HIPAA and Minnesota Statutes section 144.335 because both laws, in complementary rather than contradictory fashion, discourage a person from wrongfully disclosing information from another person's health record. See 42 U.S.C. § 1320d–6(a)(3) (providing that “[a] person who knowingly ․ discloses individually identifiable health information to another person, shall be punished” by a fine of not more than $50,000 or imprisonment of not more than one year, or both); Minn.Stat. § 144.335, subd. 3a(a) (“A provider ․ may not release a patient's health records to a person without a signed and dated consent ․ unless the release is specifically authorized by law.”). The goals of the two laws are similar. Both protect the privacy of an individual's health care information. The difference in remedy is functional only, in that a HIPAA violation subjects a person to criminal penalties while section 144.335 exposes a person to compensatory damages in a civil action. See Minn.Stat. § 144.335, subd. 3a(e) (“A person who negligently or intentionally releases a health record in violation of this subdivision ․ is liable to the patient for compensatory damages caused by [the] unauthorized release, plus costs and reasonable attorney's fees.”). Although the penalties under the two laws differ, compliance with section 144.355 does not exclude compliance with HIPAA.
Section 144.335 also is not “an obstacle to the accomplishment and execution of the full purposes” of HIPAA. The stated purpose of HIPAA is to improve the Medicare and Medicaid programs and “the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” Health Insurance Portability and Accountability Act, P.L. 104–191 § 261, 110 Stat.1936, 2021 (1996). To accomplish that purpose, HIPAA requires entities that maintain or transmit health care information to establish safeguards “to ensure the integrity and confidentiality” of an individual's health care information and “to protect against any reasonably anticipated ․ unauthorized uses or disclosures of the information.” 42 U.S.C. § 1320d–2(d)(2). If a person wrongfully discloses health care information, that person may be subject to criminal penalties, including fines or imprisonment. 42 U.S.C. § 1320d–6. Rather than creating an “obstacle” to HIPAA, Minnesota Statutes section 144.335 supports at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record. We hold that Minnesota Statutes section 144.335 is not a contrary state law preempted by HIPAA.
Yath v. Fairview Clinics, N.P., 767 N.W.2d at 49–50.
Although Yath involved a codified state law, we note that other courts have, subsequent to the adoption of HIPAA, allowed common-law actions for the wrongful disclosure of medical information to go forward in state court. For example, in Fanean v. Rite Aid Corporation of Delaware, Inc., 984 A.2d 812 (Del.Super .Ct.2009), Fanean's third amended complaint asserted various claims against Rite Aid based upon the wrongful disclosure to third parties of confidential medical information. Fanean's claims included: intentional infliction of emotional distress, negligent infliction of emotional distress, negligence, and breach of confidentiality.8 The court, without discussing even the possibility of HIPAA preemption, denied the defendant's motion to dismiss with regard to plaintiff's common-law claims, even though those claims were based upon the alleged wrongful disclosure of medical information.9 We believe the court's failure to discuss HIPAA in this context demonstrates that it was obvious to the court and to the parties that HIPAA simply did not preempt common-law claims based on wrongful disclosure of medical information. Other courts have similarly allowed common-law claims alleging wrongful disclosure of medical information. See Baum v. Keystone Mercy Health Plan, 826 F.Supp.2d 718, 721 (E.D.Pa.2011) (remanding to state court a case asserting claims including negligence and negligence per se based upon improper handling of personal health information, and commenting “[i]n spite of the fact that the personal data at the heart of this case is protected by HIPAA, this is a fairly straightforward state-law tort case”); Doe v. Southwest Cmty. Health Ctr., No. FSTCV085008345S, 2010 WL 3672342 (Conn.Super.Ct. Aug. 25, 2010) (denying summary judgment on negligence claim alleging failure to safeguard adequately the confidentiality of the plaintiff's protected health care information pursuant to duty imposed by common law and by HIPAA); Randi A.J. v.. Long Island Surgi–Ctr., 46 A.D.3d 74, 842 N.Y.S.2d 558 (2007) (finding punitive damages proper in suit for wrongful disclosure of confidential medical information); Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 401, 715 N.E.2d 518, 523 (1999) (holding that, “in Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of non-public medical information that a physician or hospital has learned within a physician-patient relationship”);10 Fairfax Hosp. By and Through INOVA Health Sys. Hosps., Inc. v. Curtis, 254 Va. 437, 442, 492 S.E.2d 642, 645 (1997) (holding “in the absence of a statutory command to the contrary, or absent a serious danger to the patient or others, a health care provider owes a duty to the patient not to disclose information gained from the patient during the course of treatment without the patient's authorization, and that violation of this duty gives rise to an action in tort”).
Finally, we note that, contrary to finding state common-law claims preempted by HIPAA, several courts have found that a HIPAA violation may be used either as the basis for a claim of negligence per se, or that HIPAA may be used to supply the standard of care for other tort claims. See, e.g., I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at *2 (E.D. Mo. June 14, 2011) (“[T]he Court finds that Count III may stand as a state claim for negligence per se despite its exclusive reliance upon HIPAA.”); K .V. v. Women's Healthcare Network, LLC, No. 07–0228–CV–W–DW, 2007 WL 1655734, (W.D. Mo. June 6, 2007) (concluding that negligence per se claim based on HIPAA violation was a state-law claim); Harmon v. Maury County, TN, No. 1:05 CV 0026, 2005 WL 2133697, at *3, *4 (M.D.Tenn. Aug. 31, 2005) (remanding case asserting negligence per se based on HIPAA violation to state court, observing that “HIPAA's provisions do not completely preempt state law and expressly preserve state laws that are not inconsistent with its terms,” and concluding that “Plaintiffs' claims fall within that broad class of state law claims based on federal regulations in the state court․ Thus, the Plaintiffs' motion to remand should be granted.”); Doe v. Southwest Cmty. Health Ctr., No. FSTCV085008345S, 2010 WL 3672342 (denying summary judgment on negligence claim alleging failure to safeguard adequately the confidentiality of the plaintiff's protected health care information pursuant to duty imposed by common law and by HIPAA); Acosta v. Byrum, 180 N.C.App. 562, 568, 638 S.E.2d 246, 251 (2006) ( “Here, defendant has been placed on notice that plaintiff will use ․ HIPAA to establish the standard of care. Therefore, plaintiff has sufficiently pled the standard of care in her complaint.”).
Based upon the foregoing authority, we conclude that state common-law claims for the wrongful disclosure of medical or personal health information are not inconsistent with HIPAA. Rather, as observed by the court in Yath, such state-law claims compliment HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance. Accordingly, we now hold that common-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by the Health Insurance Portability and Accountability Act of 1996.
The instant action was dismissed pursuant to St. Mary's 12(b)(6) motion. It is well established that “[t]he trial court, in appraising the sufficiency of a complaint on a Rule 12(b)(6) motion, should not dismiss the complaint unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief. Conley v. Gibson, 355 U.S. 41, 45–46[, 78 S.Ct. 99, 102, 2 L.Ed.2d 80, 84] (1957).” Syl. pt. 3, Chapman v. Kane Transfer Co., Inc., 160 W. Va. 530, 236 S.E.2d 207 (1977). Because we find that R.K.'s state law claims for the wrongful disclosure of his medical and personal health information are not preempted by HIPAA, the dismissal of his claims on preemption grounds was in error. Thus, we reverse the circuit court's order insofar as it dismissed R.K.'s claims.
B. St. Mary's Cross Appeal and The Medical Professional Liability Act
St. Mary's asserts a cross-appeal claiming that the trial court incorrectly concluded that R.K.'s allegations fell outside the Medical Professional Liability Act (hereinafter “the MPLA”), and, therefore, R.K. was not required to comply with the MPLA pre-suit requirements of a notice of claim and screening certificate of merit .11
In denying St. Mary's motion to dismiss based on R.K.'s failure to comply with the MPLA, the circuit court observed that
just because a cause of action involves a health care provider or facility does not make the MPLA the exclusive remedy. “The West Virginia Medical Professional Liability Act applies only to claims resulting from death or injury of a person for any tort or breach of contract based on health care services rendered, or which should have been rendered, by a health care provider or health care facility to a patient. It does not apply to other claims that may be contemporaneous to or related to the alleged act of medical professional liability.” [Syl. pt. 3, Boggs v. Camden–Clark Mem'l Hosp. Corp., 216 W. Va. 656, 609 S.E.2d 917 (2004) ].
“The Legislature has granted special protection to medical professionals while they are acting as such. This protection does not extend to intentional torts or acts outside the scope of ‘health care services.’ “ [Boggs, 216 W. Va. at 662–63, 609 S.E.2d at 923–24]. “Where, however, the action in question was outside the realm of the provision of [‘health care’] the statute does not apply .” [Blankenship v. Ethicon, Inc., 221 W. Va. 700, 707, 656 S.E.2d 451, 458 (2007) ].
The Court finds that Plaintiff's claims are not covered by the MPLA and thus there was no need to follow its pre-suit requirements. The conduct in question is unrelated to providing medical care or health care, and therefore the Court will not dismiss the complaint for failure to comply with the MPLA.
St. Mary's contends that R.K.'s claims clearly fall within the definition of “health care” pursuant to W. Va.Code § 55–7B–2(e) (2006) (Repl.Vol.2008).12 In this regard, notes St. Mary's, R.K. has alleged that, while he was hospitalized at St. Mary's, certain employees “inappropriately accessed” his “medical records” and then “disseminated and disclosed such information.” St. Mary's submits that the gathering, utilization, and protection of medical records has always been an integral part of health care, and, therefore, R.K.'s claims fall squarely within the MPLA.
R.K. responds that the circuit court correctly found that the MPLA does not govern his claims. He submits that the alleged disclosure and dissemination of his confidential information does not fall within the meaning of “health care,” and, therefore, the MPLA does not apply.
This Court previously has held that,
[t]he West Virginia Medical Professional Liability Act, codified at W. Va.Code § 55–7B–1 et seq., applies only to claims resulting from the death or injury of a person for any tort or breach of contract based on health care services rendered, or which should have been rendered, by a health care provider or health care facility to a patient. It does not apply to other claims that may be contemporaneous to or related to the alleged act of medical professional liability.
Syl. pt. 3, Boggs v. Camden–Clark Mem'l Hosp. Corp., 216 W. Va. 656, 609 S.E.2d 917 (2004) (finding claims of fraud, spoliation of evidence, or negligent hiring were not related to “medical professional liability” or “health care services,” and, thus, not MPLA claims).
The Court's holding in Boggs was revisited in Syllabus point 4 of Gray v. Mena, wherein the Court held:
This Court's opinion in Boggs v. Camden–Clark Memorial Hospital Corp., 216 W. Va. 656, 609 S.E.2d 917 (2004), is clarified by recognizing that the West Virginia Legislature's definition of medical professional liability, found in West Virginia Code § 55–7B–2(i) (2003) (Supp.2005), includes liability for damages resulting from the death or injury of a person for any tort based upon health care services rendered or which should have been rendered. To the extent that Boggs suggested otherwise, it is modified.
218 W. Va. 564, 625 S.E.2d 326 (2005). In Gray, the circuit court dismissed the action based upon the plaintiff's failure to follow the pre-suit requirements of the MPLA. This Court agreed that the MPLA applied, and noted that the defendant physician would “most certainly argue that his actions were necessary to a complete diagnosis and investigation of the complaints presented to him by [Plaintiff Gray].” Gray, 218 W. Va. at 570, 625 S.E.2d at 332. Nevertheless, this Court found dismissal was a disproportionately harsh sanction under the particular circumstances presented. Consequently, the case was remanded for the lower court to require compliance with MPLA.
Most recently, this Court held the following with regard to the issue of whether the MPLA applied to a certain cause of action:
The failure to plead a claim as governed by the Medical Professional Liability Act, W. Va.Code § 55–7B–1, et seq., does not preclude application of the Act. Where the alleged tortious acts or omissions are committed by a health care provider within the context of the rendering of “health care” as defined by W. Va.Code § 55–7B–2(e) (2006) (Supp.2007), the Act applies regardless of how the claims have been pled.
Syl. pt. 4, Blankenship v. Ethicon, Inc., 221 W. Va. 700, 656 S.E.2d 451 (2007).
Pursuant to W. Va.Code § 55–7B–2(e) (2006) (Supp.2007), “health care” is defined as “any act or treatment performed or furnished, or which should have been performed or furnished, by any health care provider for, to or on behalf of a patient during the patient's medical care, treatment or confinement.”
Syl. pt. 5, id. In Blankenship, the plaintiffs filed suit for injuries caused by the implantation of contaminated sutures but did not expressly assert an MPLA claim or comply with the pre-suit requirements thereof. The circuit court dismissed their claims due to the plaintiffs' failure to comply with the pre-suit requirements of the MPLA. This Court agreed that the MPLA applied, regardless of the fact that it was not expressly pled.13
Examining the factual circumstances in which this Court has found the MPLA to apply, we agree with the circuit court that the allegations asserted in the instant case, which pertain to the improper disclosure of medical records, does not fall within the MPLA's definition of “health care,” and, therefore, the MPLA does not apply. Accordingly, we affirm the circuit court's order insofar as it refused St. Mary's motion to dismiss for failure to comply with the pre-suit requirements of the MPLA.
For the reasons stated in the body of this opinion, we reverse the order of the Circuit Court of Cabell County, entered May 9, 2011, insofar as it granted St. Mary's 12(b)(6) motion to dismiss based upon its conclusion that R.K.'s state-law claims were preempted by the federal Health Insurance Portability and Accountability Act of 1996. However, we affirm the order to the extent that it found that R.K.'s claims did not fall under the West Virginia Medical Professional Liability Act.
Reversed, in part; Affirmed, in part; and Remanded.
I believe the plaintiff's causes of action are preempted by HIPAA.
There is no doubt that HIPAA preempts state laws that are inconsistent with its provisions, other than laws that provide more stringent protections than HIPAA. Laws that create obstacles to HIPAA's purposes are also preempted. See 42 U.S.C.A. § 1320d–7. West Virginia has not adopted any standards or factors to be used in determining whether a cause of action, based on State statute or common law, creates an obstacle to, or is less stringent than, HIPAA.
Reviewing how other jurisdictions have approached this issue, I would adopt the standards set forth in Smith v. American Home Products Corp. Wyeth–Ayerst Pharmaceutical, 372 N.J.Super. 105, 855 A.2d 608 (2003). After exploring the HIPAA statutes and regulations, the superior court set forth five factors that courts should examine:
When evaluating whether a state law is more stringent, courts should examine certain considerations-whether the state law: 1) prohibits or restricts a use or disclosure more so than the Privacy Rule; 2) permits greater rights of access to or amendment of information; 3) provides the individual with a greater amount of information; 4) narrows the scope or duration of an authorization or consent, expands the criteria necessary for an authorization or consent, or reduces the coercive effect of the circumstances surrounding an authorization or consent; or 5) requires longer or more detailed retention or reporting of disclosures. 45 C.F.R. § 160.202.
Smith, 372 N.J.Super. at 128, 855 A.2d at 622.
Applying these factors to the causes of action alleged in the plaintiff's complaint, I find that they are inconsistent with HIPAA. HIPAA specifically provides for penalties, punishment and an administrative mechanism for compensation for privacy violations. See e.g., 42 U.S.C.A. § 1320d–5 and 45 C.F.R. § 160.404. A lawsuit for damages under our statutes or common law creates an obstacle to the purposes and objectives of HIPAA. Such lawsuits are, therefore, preempted by HIPAA.
I respectfully dissent.
1. Due to the sensitive nature of the facts underlying this case, the plaintiff is referred to by his initials. See, e.g., In re Cesar L., 221 W. Va. 249, 252 n.1, 654 S.E.2d 373, 376 n.1 (2007) (“In light of the sensitive nature of the facts at issue in this proceeding, we follow our prior practice in similar cases and refer to the parties by their last initials. See In re Clifford K., 217 W. Va. 625, 630, n.1, 619 S.E.2d 138, 143 n.1 (2005), and cases cited therein.”).
2. No issues pertaining to the denial of St. Mary's motion for a more definite statement have been included in this appeal.
3. The circuit court stated that it found the case of Fisher v. Yale University, No. X10NNHCV044003207S, 2006 WL 1075035 (Conn.Super.Ct. Apr. 3, 2006), to be instructive by analogy. The plaintiff in Fisher brought a Connecticut Unfair Trade Practices Act (CUPTA) claim, and expressly alleged a violation of HIPAA as support for a violation of CUTPA. In light of the authority discussed in the body of this opinion, we decline to follow Fisher .
4. R.K. concedes that every court that has considered the issue has concluded that HIPAA does not create a private cause of action for a violation thereof. This statement is accurate. See Doe v. Board of Trs. of Univ. of Ill., 429 F.Supp.2d 930, 944 (N.D.Ill.2006) (“Every court to have considered the issue ․ has concluded that HIPAA does not authorize a private right of action”); Slue v. New York Univ. Med. Ctr., 409 F.Supp.2d 349, 373 (S.D.N.Y.2006) (“Federal courts have found that Congress did not intend for HIPAA to create a private cause of action for individuals.”); Valentin Munoz v. Island Fin. Corp., 364 F.Supp.2d 131, 136 (D. Puerto Rico 2005) (“[C]ourts have consistently found that HIPAA does not provide an implied private cause of action.”); Harmon v. Maury Cnty., TN, No. 1:05 CV 0026, 2005 WL 2133697, at *2 (M.D.Tenn. Aug. 31, 2005) (observing that “ ‘[n]o federal court reviewing the matter has ever found that Congress intended HIPAA to create a private right of action.’ “ (quoting Dominic J. v. Wyoming Valley W. High Sch., 362 F.Supp.2d 560, 572 (M.D.Pa.2005)) (additional citations omitted)); Bonney v. Stephens Mem'l Hosp., 17 A.3d 123, 127 (Me.2011) (“[A]ll courts that have decided this question have concluded that HIPAA does not provide a private cause of action.”). R.K. contends, however, that he did not claim a private action for a violation of HIPAA. Instead, he asserted state-law claims.
5. See 42 U.S.C. § 1320d–1 (1996) (2006 ed.) (titled “General requirements for adoption of standards,” and describing the entities to whom HIPAA standards shall apply, the role of standard setting organizations, special rules applicable to the Secretary of Health and Human Services, etc.); 42 U.S.C. § 1320d–2 (1996) (2006 ed.) (titled “Standards for information transactions and data elements,” and providing, in general, that the Secretary of Health and Human Services “shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically ․”); and 42 U.S.C. § 1320d–3 (1996) (2006 ed.) (titled “Timetables for adoption of standards,” and establishing a time frame within which the Secretary of Health and Human Services is to implement 42 U.S.C. § 1320d–2). Insofar as the foregoing sections generally pertain to standards for the electronic exchange of health information, they differ significantly from the common-law claims asserted by R.K. for the harm he allegedly suffered from the improper disclosure of his mental health care records.
6. Pursuant to 45 C.F.R. 160.202,For purposes of this subpart, the following terms have the following meanings:Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:(1) A covered entity would find it impossible to comply with both the State and federal requirements; or(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104–191, or section 13402 of Public Law 111–5, as applicable.More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or(ii) To the individual who is the subject of the individually identifiable health information.(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.
7. Minnesota Statutes section 144.335 (2006).
8. The plaintiff had also brought a negligence per se claim based on a violation of HIPAA. The viability of the negligence per se claim had been previously addressed by the court when it granted the defendant's motion to dismiss that claim from the plaintiff's second amended complaint. In granting the defendant's motion to dismiss the negligence per se claim, the court commented “[f]rankly, what I think I am down to is whether there can be a negligence per se claim under ․ HIPAA. And I'm satisfied that there can be no separate cause of action under HIPAA.” Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812, 817 (Del.Super.Ct.2009). Based upon that earlier finding, the court, when addressing the motion to dismiss the negligence per se claim in relation to the third amended complaint, granted dismissal based on law-of-the-case grounds. Although it appears that the court dismissed the negligence per se claim based upon HIPAA preemption, as discussed below in this opinion, federal courts have reached the opposite conclusion and found that HIPAA may be the basis for a negligence per se claim.
9. Some claims were dismissed, but on grounds other than HIPAA preemption.
10. Although it pre-dates the enactment of HIPAA, West Virginia has likewise adopted a cause of action for breach of confidentiality against a physician who wrongfully discloses confidential information. See Syl. pt. 4, Morris v. Consolidation Coal Co., 191 W. Va. 426, 446 S.E.2d 648 (1994) (“A patient does have a cause of action for the breach of the duty of confidentiality against a treating physician who wrongfully divulges confidential information.”).
11. See W. Va.Code § 55–7B–6(b) (2003) (Repl.Vol.2008) (requiring generally that notice of claim and screening certificate of merit be served on health care provider at least thirty days prior to filing of medical professional liability action).
12. W. Va.Code § 55–7B–2(e) (2006) (Repl.Vol.2008) states:(e) “Health care” means any act or treatment performed or furnished, or which should have been performed or furnished, by any health care provider for, to or on behalf of a patient during the patient's medical care, treatment or confinement.The definition of the term “health care” is relevant because the MPLA “applies only to ‘medical professional liability actions.’ “ Gray v. Mena, 218 W. Va. 564, 568, 625 S.E.2d 326, 330 (2005). The statutory definition of “medical professional liability” utilizes the phrase “health care” as follows:“Medical professional liability” means any liability for damages resulting from the death or injury of a person for any tort or breach of contract based on health care services rendered, or which should have been rendered, by a health care provider or health care facility to a patient.W. Va.Code § 55–7B–2(i) (2006) (Repl.Vol.2008) (emphasis added).
13. As with Gray, the Court concluded that dismissal was too harsh a remedy and remanded the case to afford the plaintiffs an opportunity to amend their complaint and otherwise comply with the MPLA.
Justice McHUGH, deeming himself disqualified, did not participate. Judge MARKS, sitting by temporary assignment. Chief Justice KETCHUM dissents and reserves the right to file a dissenting opinion.