MENORAH PARK CENTER FOR SENIOR LIVING, APPELLANT, v. ROLSTON, APPELLEE.
No. 2019-0939
SUPREME COURT OF OHIO
December 15, 2020
Slip Opinion No. 2020-Ohio-6658
Submitted August 4, 2020. APPEAL from the Court of Appeals for Cuyahoga County, No. 107615, 2019-Ohio-2114.
[Until this opinion appears in the Ohio Official Reports advance sheets, it may be cited as Menorah Park Ctr. for Senior Living v. Rolston, Slip Opinion No. 2020-Ohio-6658.]
NOTICE
This slip opinion is subject to formal revision before it is published in an advance sheet of the Ohio Official Reports. Readers are requested to promptly notify the Reporter of Decisions, Supreme Court of Ohio, 65 South Front Street, Columbus, Ohio 43215, of any typographical or other formal errors in the opinion, in order that corrections may be made before the opinion is published.
SLIP OPINION NO. 2020-OHIO-6658
[Until this opinion appears in the Ohio Official Reports advance sheets, it may be cited as Menorah Park Ctr. for Senior Living v. Rolston, Slip Opinion No. 2020-Ohio-6658.]
Torts—Medical providers—Disclosure of patients’ confidential health information—Health Insurance Portability and Accountability Act of 1996 (“HIPAA“) and HIPAA Privacy Rule—HIPAA does not preclude a claim for breach of physician-patient confidentiality when the limited disclosure of medical information was part of a court filing for the purpose of obtaining past-due payment on an account for medical services—There is an exception to liability when a medical provider makes a reasonable effort to limit the disclosure of the patient‘s medical information to the minimum amount necessary to file a successful complaint for the recovery of unpaid charges for medical services—Court of appeals’ judgment reversed and cause remanded to trial court.
{¶ 1} In this appeal from a judgment of the Eighth District Court of Appeals, we address the interplay between the Health Insurance Portability and Accountability Act of 1996 (“HIPAA“),
{¶ 2} However, we also hold that there is an exception to liability under our decision in Biddle when a medical provider makes a reasonable effort to limit the disclosure of the patient‘s medical information to the minimum amount necessary to file a successful complaint for the recovery of unpaid charges for medical services. We conclude that a provider of medical services acts reasonably to limit the release of health information to the minimum amount necessary to file a successful complaint for payment on a past-due account for medical services when the medical provider attaches to the complaint, pursuant to
{¶ 3} Because the medical provider in this case limited its disclosure of information to the minimum amount necessary for it to assert a cause of action to recover from the patient payment for unpaid medical bills, the patient has failed to state a claim under our decision in Biddle. Therefore, we reverse the judgment of the court of appeals on that claim.
I. FACTUAL AND PROCEDURAL BACKGROUND
{¶ 4} Appellant, Menorah Park Center for Senior Living (“Menorah Park“), filed a small-claims complaint against appellee, Irene Rolston, in the Shaker Heights Municipal Court on March 21, 2018. Menorah Park alleged that Rolston had failed to pay a debt in the amount of $463.53 “for therapy services [that] were provided by Menorah Park” when Rolston “was at Menorah Park for rehabilitation.” Attached to Menorah Park‘s complaint were copies of two billing statements.
{¶ 5} The billing statements included a description of the medical services that Menorah Park had provided to Rolston, the dates on which the services were provided, medical-procedure codes, charges and credits, balances on Rolston‘s account, and the names and addresses of Menorah Park and Rolston. On the billing statements, the descriptions of the services provided to Rolston included “PT EVALUATION MOD COMPLEX,” “PT-MANUAL THERAPY,” “PT PHYSICAL PERFORMANCE TE,” and “PT THERAPEUTIC PROC-AQUATI[C].” (Capitalization sic.)
{¶ 6} Rolston successfully moved for the case to be transferred to the municipal court‘s regular docket and on May 1, 2018,
a physician-patient relationship.” Menorah Park moved to dismiss the counterclaim under
{¶ 7} In responding to the motion to dismiss, Rolston countered that Menorah Park‘s disclosure of her medical information was not authorized under HIPAA, because HIPAA provides that when a medical provider seeks payment the provider is required to make reasonable efforts to limit the disclosure of information to the minimum amount necessary to obtain payment. Rolston also argued that HIPAA does not preclude a common-law claim under our decision in Biddle, in which this court recognized that “an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship,” 86 Ohio St.3d 395, 715 N.E.2d 51, at paragraph one of the syllabus.
{¶ 8} The trial court granted Menorah Park‘s motion to dismiss Rolston‘s counterclaim, determining that “th[e] claim does not fall under the tort law claim established in Biddle * * * and the Defendant cannot sue on HIPAA grounds.” In a nunc pro tunc entry, the trial court determined that its judgment dismissing Rolston‘s counterclaim was a final, appealable order and that there was no just cause for delay.
{¶ 9} The Eighth District reversed the trial court‘s judgment, holding that Rolston had not failed to state a claim upon which relief can be granted. Construing the allegations in Rolston‘s complaint in her favor, the court concluded that Rolston had a potential claim under Biddle and that HIPAA does not preempt such a state common-law claim. 2019-Ohio-2114, 137 N.E.3d 682, ¶ 23.
{¶ 10} This court accepted Menorah Park‘s jurisdictional appeal on two propositions of law:
1. The Health Insurance Portability & Accountability Act (HIPAA) preempts a common law claim brought under Biddle v. Warren Gen. Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), for disclosure of protected health information where the limited disclosure was for the purpose of obtaining payment on a past due account, which is an ”authorized disclosure” under HIPAA regulations.
2. A claimant‘s reliance on a HIPAA regulation to determine whether the release of protected health information was “unauthorized” for the purpose of pursuing a common law claim under Biddle would allow private enforcement of HIPAA regulations, which is contrary to overwhelming legal authority that HIPAA does not provide a private right of action for improper disclosures of medical information but rather provides civil and criminal penalties which must be enforced by the Department of Health and Human Services.
{¶ 11} After oral argument, this court sua sponte ordered the parties to brief the following issue:
Should this court overturn or modify the holding in Biddle v. Warren Gen. Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), in light of the enactment of Health Insurance Portability and Accountability Act of 1996 (“HIPAA“),
Pub.L. No. 104-191 , 110
Stat. 1936, and the subsequent promulgation of the HIPAA Privacy Rule,
45 C.F.R. Parts 160 and164 ?
See 159 Ohio St.3d 1405, 2020-Ohio-3206, 146 N.E.3d 582.
II. LAW AND ANALYSIS
A. Standard of Review
{¶ 12} This court applies a de novo standard of review to orders granting a
B. Biddle v. Warren Gen. Hosp.
{¶ 13} In Biddle, this court recognized an independent tort for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital obtained from a physician-patient relationship. 86 Ohio St.3d 395, 715 N.E.2d 51, at paragraph one of the syllabus. In Biddle, the hospital had given its patients’ medical information to a law firm so that the firm could determine whether the hospital‘s patients who had unpaid medical bills could be eligible for Supplemental Security Income disability benefits, meaning that their unpaid medical bills could possibly be paid by the Social Security Administration. Id. at 395-396. The firm informed the hospital that in order to perform that service and screen the patients, it would be necessary for the hospital to provide four pieces of information: name, telephone number, age,
and medical condition. Id. at 396. The firm then contacted the patients to inform them of their potential rights in regard to disability coverage. Id.
{¶ 14} The plaintiffs in Biddle were people whose hospital-registration forms had been provided to the law firm by the hospital without prior authorization. Id. They alleged several causes of action from that same factual root—mainly that the arrangement between the hospital and the law firm constituted a breach of physician-patient confidentiality—which included claims of invasion of privacy, intentional infliction of emotional distress, and negligence. Id. at 397. This court noted that it had long been the law in Ohio that a physician could be held liable for the unauthorized disclosure of medical information, but it also noted that courts in Ohio and elsewhere had failed to provide “a legal identity for an actionable breach of patient confidentiality.” Id. at 400. This court recognized that in an effort to establish a civil remedy for such an evident wrongdoing, courts had
{¶ 15} Although we recognized that specific cause of action, this court was quick to add that there are exceptions to liability for disclosure. As we pointed out
Biddle * * * addressed liability for unauthorized disclosure and stressed the utmost importance of the patient‘s right to confidentiality of medical communications. * * * However, paragraph two of the syllabus in Biddle addressed the defenses to the tort of unauthorized disclosure of confidential medical information—i.e., the circumstances under which a physician or hospital may release confidential medical records in the absence of a waiver without incurring tort liability.
(Emphasis sic.)
{¶ 16} We have therefore explained that the duty to maintain confidentiality recognized in Biddle is not absolute and that in some instances the privilege exists for a medical provider to disclose medical information. In Biddle, this court identified particular instances in which the disclosure of confidential medical information is privileged, because statutes require the reporting of diseases that are infectious, contagious, or dangerous to public health,
{¶ 17} Still, this court in Biddle did not limit the privilege to disclose medical information to instances when a physician or hospital has a statutory duty to disclose; “the privilege to disclose is not necessarily coextensive with a duty to disclose.” Id. at 402. A breach of confidentiality is actionable ” ‘only if it is wrongful, that is to say, without justification or excuse.’ ” Id., quoting MacDonald v. Clinger, 446 N.Y.S.2d 801, 805, 84 A.D.2d 482 (1982). The duty of
confidentiality must yield in appropriate circumstances when there is a countervailing public interest. Id. “[S]pecial situations may exist where the interest of the public, the patient, the physician, or a third person are of sufficient importance to justify the creation of a conditional or qualified privilege to disclose in the absence of any statutory mandate or common-law duty.” Id. Therefore, we held:
In the absence of prior authorization, a physician or hospital is privileged to disclose otherwise confidential medical information in
those special situations where disclosure is made in accordance with a statutory mandate or common-law duty, or where disclosure is necessary to protect or further a countervailing interest which outweighs the patient‘s interest in confidentiality.
Id. at paragraph two of the syllabus.
{¶ 18} Whether the ability of medical providers to disclose confidential information when seeking payment through legal action is a “countervailing interest which outweighs the patient‘s interest in confidentiality,” id., and is therefore an exception to a Biddle claim, is the focus of this case. But first we must address whether HIPAA regulations, which were enacted after our decision in Biddle, preempt all common-law claims under Biddle.
C. HIPAA
{¶ 19} HIPAA has several purposes, including making improvements to the portability and continuity of health-insurance coverage, combatting healthcare fraud and healthcare abuse, and simplifying the administration of health insurance. Tovino, A Timely Right to Privacy, 104 Iowa L.Rev. 1361, 1367 (2019). HIPAA established patient-privacy protection—it stated that if Congress failed to enact comprehensive privacy legislation within three years of HIPAA‘s enactment in
1996, the United States Department of Health and Human Services (“HHS“) would be required to issue regulations protecting the privacy of individually identifiable health information. Id. at 1368. Less than two months after this court‘s decision in Biddle, HHS issued a proposed privacy rule on November 3, 1999, regulating the uses and disclosures of protected health information. See id. After modifications, a final rule went into effect in December of 2000. Id. Further changes were made to the rule in 2002, id., and again in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health Act,
{¶ 20} The HIPAA Privacy Rule provides to patients certain rights regarding their protected health information. They have a right to receive a notice of privacy practices, a right to request additional privacy protections, a right to access their protected health information, a right to request an amendment of that protected health information, and a right to receive accounting disclosures regarding their protected health information. Id. at 1371. The Privacy Rule includes use and disclosure requirements that apply to “covered entities,” which include health plans, healthcare clearinghouses, and “health care provider[s] who transmit[] any health information in electronic form in connection with [standard] transaction[s].”
{¶ 21} The authorization required to disclose or use a patient‘s protected health information depends on the nature of the use. For some purposes, such as
including a patient in a directory of individuals in a facility, the covered entity must inform the patient in advance and give the patient the opportunity to agree to or prohibit or restrict
{¶ 22} But in certain instances, the HIPAA Privacy Rule allows covered entities to use and disclose protected health information without first obtaining authorization from the patient. Pursuant to
Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
{¶ 23} “The remedies available to patients who believe their privacy and security rights have been violated are limited. Under current law, no private right of action exists for patients and insureds whose rights under the HIPAA Rules have been violated.” Tovino at 1372; see also Boddie v. Van Steyn, 10th Dist. Franklin No. 13AP-623, 2014-Ohio-1069, ¶ 18 (collecting cases determining there is no private cause of action under Ohio law for HIPAA violations); Hill v. Smoot, 308 F.Supp.3d 14, 23 (D.D.C.2018) (” ‘Every district court that has considered this issue is in agreement that the statute does not support a private right of action’ “),
quoting Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006).
{¶ 24} There are other avenues for redress that patients who believe that their privacy and security rights have been violated may take. They can file a complaint with the covered entity itself under
{¶ 25} Although HIPAA provides for the sanctioning of covered entities that violate the Privacy Rule, HIPAA creates no private cause of action for a violation of its rules or regulations. We must next determine whether HIPAA precludes a patient from bringing a state-law cause of action for a breach of confidentiality.
D. The relationship between HIPAA and state law
{¶ 26} In English v. Gen. Elec. Co., 496 U.S. 72, 78-79, 110 S.Ct. 2270 (1990), the United States Supreme Court described three ways by which federal law can preempt state law under the Supremacy Clause. Those include when (1) Congress expressly preempts state law (express preemption), (2) Congress has occupied the entire field (field preemption), and (3) there is an actual conflict
between federal and state law (conflict preemption). In the HIPAA statutory and regulatory scheme, Congress has demonstrated no intention to occupy the entire field of medical privacy; instead, the HIPAA-related statutes and rules provide that federal law preempts state law when there is an actual conflict between the laws, and even that preemption is subject to significant exceptions.
{¶ 27}
More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use
or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or
(ii) To the individual who is the subject of the individually identifiable health information.
* * *
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
{¶ 28} Therefore, even if HIPAA—a federal statute—created a safe harbor for a medical provider that releases certain protected patient information, that does not necessarily mean that such information can properly be released under state law; the patient may be protected to a greater degree by state law. If the state law is more stringent than the HIPAA regulation, the state law applies. See, e.g., Grove v. Northeast Ohio Nephrology Assoc., Inc., 164 Ohio App.3d 829, 2005-Ohio-6914, 844 N.E.2d 400, ¶ 22-23 (9th Dist.) (protection for patient‘s health information from discovery in a civil action is more stringent under Ohio law,
E. HIPAA does not preempt a state-law claim under our decision in Biddle
{¶ 29} In Biddle, we recognized an independent tort for the “unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within the physician-patient-relationship.” 86 Ohio St.3d 395, 715 N.E.2d 518, at paragraph one of the syllabus. Is Biddle contrary to HIPAA and therefore preempted by HIPAA? Menorah Park argues that if its disclosure of Rolston‘s nonpublic medical information to obtain payment of her debt is authorized by HIPAA and its regulations, then HIPAA preempts any common-law claim under our decision in Biddle. But that argument ignores HIPAA and its subsequent rules, which state that more stringent state laws regarding the disclosure of medical information prevail over HIPAA and its regulations.
{¶ 30} If our decision in Biddle were to mean that a covered entity is somehow permitted to release a patient‘s protected health information that it could not release under HIPAA, then HIPAA would preempt Biddle. But neither party makes that claim in this case. And our determination in Biddle that Ohio recognizes an independent cause of action for such disclosure is not contrary to HIPAA under HIPAA‘s own definition of the word “contrary“: the existence of a state-law private cause of action does not make it impossible for a covered entity to comply with both state and federal privacy requirements and does not stand in the way of the accomplishment of the aims of HIPAA. Instead, “a Biddle claim enhances the protection of confidentiality of medical information.” Sheldon v. Kettering Health Network, 2015-Ohio-3268, 40 N.E.3d 661, ¶ 25 (2d Dist.). In a situation in which state law provides a patient the potential personal recovery of damages, it is not impossible for the covered entity to comply with both HIPAA and the state law ” ‘because both laws, in complementary rather than contradictory fashion, discourage a person from wrongfully disclosing information from another person‘s health record.’ ” R.K. v. St. Mary‘s Med. Ctr., Inc., 229 W.Va. 712, 719, 735 S.E.2d
715 (2012), quoting Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 49 (Minn.Ct.App.2009). See also Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433, 459, 102 A.3d 32 (2014) (“The availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA“). Biddle and HIPAA share the same goal of protecting the privacy of personal medical information. Their remedies are different but they are not at odds with each other.
F. Exception under Biddle for complaints for bill collection
{¶ 31} Having determined that HIPAA does not preempt claims brought under Biddle, we next consider whether one
confidentiality. Is that interest enough to outweigh the patient‘s interest in confidentiality?
{¶ 32} We can look to HIPAA for guidance in determining how those competing interests should be weighed. HIPAA permits the use or disclosure of protected health information “for treatment, payment, or health care operations.” (Emphasis added.)
{¶ 33}
{¶ 34} We determine that the acknowledgement in HIPAA and Ohio law that the privacy interest of the patient must at least partially give way to the interest of the medical provider in obtaining payment reflects the type of countervailing interest recognized in Biddle that gives the medical provider a qualified privilege
to disclose patient information. As in the HIPAA regulations, that interest is narrowed such that the covered entity may disclose only the minimum amount of patient information necessary to meet the interest, i.e., to sufficiently plead the claim. A patient
{¶ 35} Accordingly, we hold that doctors and hospitals have a qualified privilege to disclose patient information for the purpose of receiving payment for medical services. Therefore, a patient has no cause of action under Biddle when a medical provider discloses patient information in the minimum amount necessary to state a claim against the patient.
{¶ 36} As noted above, it is well-settled that a HIPAA violation does not create a private cause of action for the party whose information has been released. By referring to a HIPAA standard to inform our recognition of an exception under Biddle for the disclosure of patient information for the purpose of receiving payment for medical services, we have not created a private cause of action for a HIPAA violation. We have, instead, referred to HIPAA and Ohio law in limiting a common-law cause of action that recognizes an exception when disclosure is necessary to protect or further a countervailing interest that outweighs the patient‘s interest in confidentiality.
G. The complaint in this case falls under a Biddle exception
{¶ 37} When a healthcare provider uses protected health information to pursue the recovery of payment in court, it may release only as much information as is necessary to pursue its claim; otherwise a patient has a cause of action pursuant to Biddle for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has obtained within a physician-patient relationship.
founded on an unpaid account, the plaintiff must attach a copy of the account. Ohio courts have explained this requirement:
It is elementary that in an action on an account, a plaintiff must set forth an actual copy of the recorded account. * * * The records must show “the name of the party charged” and must include the following:
(1) a beginning balance (zero, or a sum that can qualify as an account stated, or some other provable sum);
(2) listed items, or an item, dated and identifiable by number or otherwise, representing charges, or debits, and credits; and
(3) summarization by means of a running or developing balance, or an arrangement of beginning balance and items which permits the calculation of the amount claimed to be due.
Arthur v. Parenteau, 102 Ohio App.3d 302, 304-305, 657 N.E.2d 284 (3d Dist.1995), quoting Brown v. Columbus Stamping & Mfg. Co., 9 Ohio App.2d 123, 126, 223 N.E.2d 373 (10th Dist.1967).
{¶ 38} Menorah Park attached to its complaint copies of its two most recent bills to Rolston. The bills contained no diagnosis or prognosis, no personal information other than Rolston‘s name and address, and no detailed medical records. They included no notes from therapists or doctors remarking on how Rolston responded to treatment and no indication of why she needed treatment in the first place. The bills referred to no body part or medical condition. The treatment reflected in the bills is described in general terms; the most detailed description indicates that Rolston received some aquatic therapy.
general category of services provided, and the amounts charged, paid, and due. We conclude that Menorah Park made reasonable efforts to limit the release of health information to the minimum amount necessary to inform Rolston—and later, the court—of the nature of the debt owed, and did not disclose medical information unnecessary to collect payment in an action on the account.
{¶ 39} Therefore, we conclude that since Rolston‘s cause of action is based upon the medical information disclosed in Menorah Park‘s complaint, she has failed to state a claim upon which relief can be granted on her counterclaim. The court of appeals erred in reversing the trial court‘s judgment granting Menorah Park‘s motion to dismiss.
H. We need not overturn or modify Biddle in this case
{¶ 40} After oral argument, we instructed the parties to submit briefs addressing an issue that had not been considered in the lower courts—whether we should overrule or modify our decision in Biddle in this case. Given our holding in this case, Biddle remains good law and it continues to permit a cause of action for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information. Our opinion today helps to define what constitutes privileged disclosure under Biddle.
{¶ 41} Biddle was not wrongly decided nor was it revolutionary. As Justice Deborah L. Cook recognized in her separate opinion in Biddle, independent torts for the unauthorized disclosure of medical information and for the inducement thereof had been recognized more than 30 years earlier in Hammonds v. Aetna Cas. & Sur. Co., 243 F.Supp. 793 (N.D.Ohio 1965). Biddle, 86 Ohio St.3d at 409, 715 N.E.2d 518 (Cook, J., concurring in part and dissenting in part).
{¶ 42} Our decision in Biddle preceded the promulgation of the HIPAA Privacy Rule. HIPAA does not supplant the personal right to recovery that we recognized in Biddle. As discussed above, a Biddle claim is not preempted by HIPAA and is in fact complementary and shares goals in common with HIPAA.
{¶ 43} Subsequent to our decision in Biddle and the establishment of the HIPAA Privacy Rule, this court reiterated and extended its holding in Biddle. See Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 2008-Ohio-3343, 893 N.E.2d 153. In Hageman, we held that “[a]n attorney may be liable to an opposing party for the unauthorized disclosure of that party‘s medical information that was obtained through litigation.” Id. at syllabus. We applied our holding in Biddle in the context of a divorce case in which a lawyer had given copies of the opposing party‘s medical records, including psychiatric records, to a prosecutor. Id. at ¶ 6. In that case, there was no direct involvement with a medical provider. The lead opinion in Hageman pointed out that ”Biddle stressed the importance of upholding an individual‘s right to medical confidentiality beyond just the facts of that case.” Id. at ¶ 13.
{¶ 44} Finally, the General Assembly has enacted medical-information-privacy legislation that largely follows HIPAA.
It is the intent of the general assembly in enacting this chapter to make the laws of this state governing the use and disclosure of protected health information by covered
entities consistent with, but generally not more stringent than, the HIPAA privacy rule for the purpose of eliminating barriers to the adoption and use of electronic health records and health information exchanges. Therefore, it is also the general assembly‘s intent in enacting this chapter to supersede any judicial or administrative ruling issued in this state that is inconsistent with the provisions of this chapter.
“[I]t is long-settled constitutional law that it is within the power of the legislature to alter, revise, modify, or abolish the common law as it may determine necessary
or advisable for the common good.” Arbino v. Johnson & Johnson, 116 Ohio St.3d 468, 2007-Ohio-6948, 880 N.E.2d 420, ¶ 131 (Cupp, J., concurring). The General Assembly had the ability to abolish Biddle claims when it enacted Ohio‘s version of HIPAA. It did not. And there is no reason for us to overturn our decision in Biddle today.
III. CONCLUSION
{¶ 45} We continue to recognize a common-law cause of action by a medical patient for the unauthorized, unprivileged disclosure by a medical provider to a third party of the patient‘s nonpublic medical information. See Biddle, 86 Ohio St.3d 395, 715 N.E.2d 518. We hold that a claim under our decision in Biddle is not preempted by HIPAA and its subsequent privacy rule. However, there are exceptions to liability under Biddle when the disclosure of medical information is necessary to protect or further a countervailing interest in disclosure that outweighs the patient‘s interest in confidentiality. After balancing the interests reflected in HIPAA, we conclude that a medical provider may disclose a limited amount of a patient‘s medical information to further its efforts to collect unpaid bills from the patient for medical services. Under our decision in Biddle, an exception for such a disclosure exists when the medical provider makes a reasonable effort to limit the disclosure of a patient‘s medical information to the minimum amount necessary to file a successful complaint for the recovery of past-due charges for medical services. We conclude that a medical provider discloses the minimum amount of medical information necessary to file a successful claim for unpaid medical-service bills when the medical provider attaches to its complaint, pursuant to
{¶ 46} Because Menorah Park limited its disclosure of Rolston‘s medical information in its complaint to the minimum amount necessary to assert a cause of action to recover payment from Rolston for her unpaid medical bills, Rolston has failed to state a claim for relief under Biddle. Therefore, we reverse the judgment of the Eighth District Court of Appeals on that issue and remand the cause to the Shaker Heights Municipal Court for further proceedings consistent with this opinion.
Judgment reversed and cause remanded.
FRENCH, J., concurs.
O‘CONNOR, C.J., concurs in part and dissents in part, with an opinion joined by STEWART, J.
DONNELLY, J., concurs in part and dissents in part, with an opinion.
O‘CONNOR, C.J., concurring in part and dissenting in part.
{¶ 47} I agree with the majority‘s conclusions in Parts II(E) and (H) of the above opinion. I also agree with the majority‘s conclusion in Part II(F) of that opinion that a medical provider that discloses patient information in a bill-collection action is not liable under our decision in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), if its disclosure is limited to the minimum amount of information necessary to obtain payment. I disagree, however, with the decision to address an additional issue, found in Part II(G) of that opinion. That part of the opinion applies the new minimum-necessary standard announced here to appellee Irene Rolston‘s class-action counterclaim and concludes that appellant, Menorah Park Center for Senior Living, made reasonable efforts to limit the release
of Rolston‘s heath information and that the information disclosed does not reveal more than the minimum amount of information necessary to obtain payment.
{¶ 48} To start, I am at a loss for what “reasonable efforts” Menorah Park made to limit the disclosure of Rolston‘s information. Menorah Park simply attached an unredacted copy of Rolston‘s account statement to its complaint. Although
{¶ 49} Next, the opinion acknowledges that the trial court dismissed Rolston‘s counterclaim at the
{¶ 50} In light of the majority‘s conclusions in Parts II(E), (F), and (H) of the above opinion, this court should refrain from addressing the matters discussed in Part II(G) and instead remand the case for further proceedings consistent with the court‘s opinion. Because the conclusion in Part II(G) of the opinion leads it to reverse the judgment of the Eighth District Court of Appeals and to reinstate the trial court‘s judgment dismissing Rolston‘s counterclaim, I dissent in part.
STEWART, J., concurs in the foregoing opinion.
FISCHER, J., concurring in judgment only in part and dissenting in part.
{¶ 51} I agree that this court should reverse the judgment of the Eighth District Court of Appeals. Respectfully, however, I would reach that outcome by simply overruling this court‘s decision in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999).
{¶ 52} This court may overrule its precedent when (1) “changes in circumstances no longer justify continued adherence to the decision,” (2) “the decision defies practical workability,” and (3) “abandoning the precedent would not create an undue hardship for those who have relied upon it.” Westfield Ins. Co. v. Galatis, 100 Ohio St.3d 216, 2003-Ohio-5849, 797 N.E.2d 1256, paragraph one of the syllabus. Because I think that our decision in Biddle meets all of these conditions, I would overrule it.
{¶ 53} First, the legal landscape today is drastically different than it was when Biddle was decided. In 1999, when this court issued its decision in Biddle, there was no uniform regulatory system governing the disclosure of medical information. As a result, that regulatory gap was often filled by the courts, which fashioned common-law causes of action for a medical provider‘s breach of confidence. See generally Alan B. Vickery, Breach of Confidence: An Emerging Tort, 82 Colum.L.Rev. 1426 (1982). Following Biddle, however, the United States Department of Health and Human Services, under its rulemaking authority derived from the Health Insurance Portability and Accountability Act of 1996 (“HIPAA“),
{¶ 54} Next, at least comparatively, that legislative and regulatory solution is far more practical and workable than Biddle, which, with its vague generalities, e.g., “special situations” and “countervailing public interest[s],” 86 Ohio St.3d at 402, 715 N.E.2d 518, is unclear about what disclosures are authorized and what disclosures may result in liability for hospital systems and medical providers. Despite the court‘s thoroughness today, I suspect that Biddle will continue to defy practical workability because it will require a steady stream of cases like this one to properly define the contours of a claim and the scope of the duty (an event that those subject to liability under Biddle do not have the luxury of waiting around for).
{¶ 55} Finally, since a breach of confidence can still result in liability under the federal scheme, see
{¶ 56} Accordingly, in this post-HIPAA Privacy Rule world, the protections provided in Biddle are no longer necessary or practical. Since no undue hardship would result from doing so, I think that this court should overrule that decision. Because this court does not do so on its way to reversing the Eighth
District‘s judgment in this
DEWINE, J., concurs in the foregoing opinion.
DONNELLY, J., concurring in part and dissenting in part.
{¶ 57} I agree with the vast bulk of the majority‘s conclusions, including its holding that there is an exception to liability under our decision in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), when a medical provider makes a reasonable effort to limit the disclosure of the patient‘s medical information to the minimum amount necessary to file a successful complaint for the recovery of unpaid charges for medical services.
{¶ 58} But I disagree with the conclusion in Part II(G) regarding the application of that holding in this case. Here, appellant, Menorah Park Center for Senior Living (“Menorah Park“), sought payment for services disclosed on the billing statements relating to physical-therapy services, including “PT EVALUATION MOD COMPLEX,” “PT-MANUAL THERAPY,” “PT PHYSICAL PERFORMANCE TE,” and “PT THERAPEUTIC PROC-AQUATI[C].” (Capitalization sic.) Although I recognize that this information is not particularly illuminating with respect to the underlying health conditions or treatment provided, neither is it the minimum amount of information that would allow Menorah Park to pursue its claim for payment. I believe an utterly generic phrase such as “services rendered” and the date the services were rendered would be the minimum amount necessary to file a successful complaint. That general disclosure could be supplemented following an in camera review as the need arises. The use of such a generic phrase would result in no health information, even an admittedly rather nondescript term such as “therapy,” from being revealed to the public.
{¶ 59} In this case, Menorah Park revealed more than the minimum amount of medical information necessary to file a successful complaint. Accordingly, I concur in part and dissent in part.
Bonessi Switzer Polito & Hupp Co., L.P.A., Bret C. Perry, Brian F. Lange, and Jay Clinton Rice, for appellant.
Ciano & Goldwasser, L.L.P., Andrew S. Goldwasser, and Sarah E. Katz; Powers Friedman Linn, P.L.L., and Robert G. Friedman; and Paul W. Flowers Co., L.P.A., Paul W. Flowers, and Louis E. Grube, for appellee.
Dinkler Law Office, L.L.C., Lynette Dinkler, and Carin Al-Hamdani, urging reversal for amicus curiae Ohio Association of Civil Trial Attorneys.
Bricker & Eckler, L.L.P., Elizabeth A. Kastner, Victoria Flinn McCurdy, and Bryan M. Smeenk, urging reversal for amici curiae Ohio Hospital Association, Ohio State Medical Association, and Ohio Osteopathic Association.
Tucker Ellis, L.L.P., Susan M. Audey, Raymond Krncevic, and Emily J. Johnson, urging reversal for amicus curiae Academy of Medicine of Cleveland & Northern Ohio.