South Carolina Medical Ass'n v. Thompson

327 F.3d 346 | 4th Cir. | 2003

Before WILKINS, Chief Judge, and TRAXLER and

GREGORY, Circuit Judges. Affirmed by published opinion. Judge Traxler wrote the opinion, in which Chief Judge Wilkins and Judge Gregory joined.

COUNSEL

ARGUED: Terry Edward Richardson, Jr., RICHARDSON, PAT- RICK, WESTBROOK & BRICKMAN, L.L.C., Barnwell, South Car- olina, for Appellants. Alex Michael Azar, II, U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES, Washington, D.C., for Appel- lees. ON BRIEF: Daniel S. Haltiwanger, RICHARDSON, PAT- RICK, WESTBROOK & BRICKMAN, L.L.C., Barnwell, South Carolina, for Appellants. Robert D. McCallum, Jr., Assistant Attorney General, J. Strom Thurmond, Jr., United States Attorney, Mark B. Stern, Charles W. Scarborough, Sambhav N. Sankar, Appellate Staff, Civil Division, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C., for Appellees.

OPINION

TRAXLER, Circuit Judge: Appellants, South Carolina Medical Association, Physicians Care Network, and several individual doctors, filed suit seeking to have declared unconstitutional several provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. No. 104-191, 110 Stat. 1936 (1996). Because Congress laid out an intelli- gible principle in HIPAA to guide agency action, we reject appel- lants’ claim that the statute impermissibly delegates the legislative function. We also conclude that regulations promulgated pursuant to HIPAA are not beyond the scope of the congressional grant of author- ity, and that neither the statute nor the regulations are impermissibly vague. Accordingly, we affirm.

I.

Recognizing the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems, Congress passed HIPAA in August 1996. HIPAA’s Admin- istrative Simplification provisions, [1] sections 261 through 264 of the [1] Subtitle F of Title II of HIPAA consists of sections 261 through 264. HIPAA § 262 amends Title XI of the Social Security Act, 42 U.S.C. 3 statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information in connection with such transactions. The preamble to the Administrative Simplification provisions clarifies this goal:

It is the purpose of this subtitle to improve the Medicare program . . ., the medicaid program . . ., and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the elec- tronic transmission of certain health information.

HIPAA § 261, 110 Stat. 2021. To this end, Congress instructed the United States Department of Health and Human Services ("HHS") to adopt uniform standards "to enable health information to be exchanged electronically." 42 U.S.C.A. § 1320d-2(a)(1). Congress directed HHS to adopt standards for unique identifiers to distinguish individuals, employers, health care plans, and health care providers across the nation, see 42 U.S.C.A. § 1320d-2(b)(1), as well as standards for transactions and data elements relating to health information, see 42 U.S.C.A. § 1320d-2(a), (c) & (f), the security of that information, see 42 U.S.C.A. § 1320d-2(d), and verification of electronic signatures, see 42 U.S.C.A. § 1320d-2(e).

Within the Administrative Simplification section, Congress included another provision — section 264 — outlining a two-step process to address the need to afford certain protections to the privacy § 1301 et seq. , to add a Part C, entitled "Administrative Simplification," with sections 1171-1179, codified at 42 U.S.C.A. § 1320d through § 1320d-8 (West Supp. 2002). Section 261 is found as a note to 42 U.S.C.A. § 1320d. Section 264 is found as a note to 42 U.S.C.A. § 1320d-2. Section 263 amends the Public Health Service Act, at 42 U.S.C.A. § 242k(k) (West Supp. 2002). of health information maintained under HIPAA. First, section 264(a) directed HHS to submit to Congress within twelve months of HIPAA’s enactment "detailed recommendations on standards with respect to the privacy of individually identifiable health information." HIPAA § 264(a), 110 Stat. 2033. Second, if Congress did not enact further legislation pursuant to these recommendations within thirty- six months of the enactment of HIPAA, HHS was to promulgate final regulations containing such standards. Specifically, section 264(c)(1) provided:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations con- taining such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).

HIPAA § 264(c)(1), 110 Stat. 2033. The subjects Congress directed HHS to cover in promulgating privacy regulations included the fol- lowing: "(1) The rights that an individual who is a subject of individu- ally identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required." HIPAA § 264(b), 110 Stat. 2033. Through individual pro- visions of HIPAA, Congress outlined whom the regulations were to cover, see 42 U.S.C.A. § 1320d-1(a); what information was to be cov- ered, see 42 U.S.C.A. § 1320d(6) (defining "individually identifiable health information"); what types of transactions were to be covered, see 42 U.S.C.A. § 1320d-2(a)(2); what penalties would accrue for violations of HIPAA, see 42 U.S.C.A. §§ 1320d-5, 1320d-6; and what time lines and standards would govern compliance with the Act, see 42 U.S.C.A. §§ 1320d-3, 1320d-4.

Finally, section 264(c)(2) provided that the privacy regulations pro- mulgated by HHS "shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the 5 requirements, standards, or implementation specifications imposed under the regulation." HIPAA § 264(c)(2), 110 Stat. 2033-34 (empha- sis added).

Pursuant to Congress’s mandate, HHS submitted recommendations for protecting the privacy of individually identifiable health informa- tion in September 1997. Several detailed and comprehensive medical privacy bills were thereafter introduced; however, Congress did not pass any additional legislation. For its part, HHS followed Congress’s directive and drafted regulations that appeared in a November 1999 Notice of Proposed Rulemaking. The proposed regulations drew more than 50,000 comments from affected parties. After several further proposals and amendments were published, HHS promulgated final regulations in February 2001, collectively the "Privacy Rule." Although the effective date of the Privacy Rule was set for April 14, 2001, entities covered by the regulations were given until April 14, 2003, to comply, while some smaller entities were granted an addi- tional year.

Appellants sought declaratory relief from provisions of HIPAA and the accompanying Privacy Rule promulgated by HHS. The district court dismissed the action and this appeal followed. Appellants argue that 1) HIPAA violates the non-delegation doctrine by authorizing HHS to promulgate the regulations at issue in the absence of an intel- ligible principle from Congress; 2) the Privacy Rule exceeds the scope of authority granted to HHS under HIPAA; and 3) HIPAA’s non-preemption of "more stringent" state privacy laws is unconstitu- tionally vague, in violation of the Due Process Clause of the Fifth Amendment. We address each of these issues in turn.

II. A.

The first issue is whether HIPAA violates the non-delegation doc- trine. "In a delegation challenge, the constitutional question is whether the statute has delegated legislative power to [an] agency" of the executive branch. Whitman v. American Trucking Ass’ns, Inc. , 531 U.S. 457, 472 (2001). The doctrine is "rooted in the principle of separation of powers that underlies our tripartite system of govern- ment." Mistretta v. United States , 488 U.S. 361, 371 (1989). The first lines of the Constitution set forth that "[a]ll legislative Powers herein granted shall be vested in a Congress of the United States." U.S. Const. art. I, § 1. Thus, from our nation’s earliest days, "the integrity and maintenance of the system of government ordained by the Consti- tution [has] mandate[d] that Congress generally cannot delegate its legislative power to another Branch." Mistretta , 488 U.S. at 371-72 (citation omitted).

In tension with this constitutional directive is the practical require- ment that Congress turn to the other branches of government for assistance in carrying out its general legislative policies: "[O]ur juris- prudence has been driven by a practical understanding that in our increasingly complex society, replete with ever changing and more technical problems, Congress simply cannot do its job absent an abil- ity to delegate power under broad general directives." Id. at 372; see also American Power & Light Co. v. S.E.C. , 329 U.S. 90, 105 (1946) (acknowledging that the "legislative process would frequently bog down if Congress were constitutionally required to appraise before- hand the myriad situations to which it wishes a particular policy to be applied and to formulate specific rules for each situation").

The Supreme Court has outlined an approach to determining the difference between prohibited delegation and necessary cooperation between coordinate branches: "In determining what [Congress] may do in seeking assistance from another branch, the extent and character of that assistance must be fixed according to common sense and the inherent necessities of the governmental co-ordination." J.W. Hamp- ton, Jr. & Co. v. United States , 276 U.S. 394, 406 (1928). This approach dictates that where Congress "lay[s] down by legislative act an intelligible principle to which the person or body authorized to [exercise the assigned duty] is directed to conform, such legislative action is not a forbidden delegation of legislative power." Id. at 409 (emphasis added). The Court has held that a delegation of legislative power will be found "constitutionally sufficient if Congress clearly delineates the general policy, the public agency which is to apply it, and the boundaries of this delegated authority." Mistretta , 488 U.S. at 372-73 (internal quotation marks omitted). These three factors make up the test for determining whether an intelligible principle lies behind the conferral of authority from Congress to an agency. 7

The government does not bear an onerous burden in demonstrating the existence of an intelligible principle. Since A.L.A. Schechter Poul- try Corp. v. United States , 295 U.S. 495 (1935), and Panama Refining Co. v. Ryan , 293 U.S. 388 (1935), the Supreme Court has not struck down a statute for an impermissible delegation. See American Truck- ing Ass’ns , 531 U.S. at 474 ("In the history of the Court we have found the requisite ‘intelligible principle’ lacking in only two statutes, one of which [ Panama Refining ] provided literally no guidance for the exercise of discretion, and the other of which [ A.L.A. Schechter ] conferred authority to regulate the entire economy on the basis of no more precise a standard than stimulating the economy by assuring ‘fair competition.’"). Rather, Congress has been able to delegate authority under "broad standards." Mistretta , 488 U.S. at 373; see , e.g. , Lichter v. United States , 334 U.S. 742, 785-86 (1948) (upholding delegation of authority to determine excessive profits); American Power , 329 U.S. at 105-06 (upholding delegation to SEC to prevent unfair or inequitable distribution of voting power among security holders); Yakus v. United States , 321 U.S. 414, 426-27 (1944) (upholding delegation to price administrator to fix commodity prices that would be fair and equitable); National Broadcasting Co. v. United States , 319 U.S. 190, 225-26 (1943) (upholding delegation to FCC to regulate broadcast licensing as public interest, convenience, or necessity require). The only limiting factor in each case has been the presence of an intelligible principle behind the congressional dele- gation.

In light of this guidance, we conclude that HIPAA also contains the requisite intelligible principle necessary to survive a non-delegation challenge. Specifically, there are at least three sources within HIPAA that provide intelligible principles outlining and limiting the Congres- sional conferral of authority on HHS. First, the language of the statute mandates that HHS implement regulations addressing three particular subjects: "(1) [t]he rights that an individual who is a subject of indi- vidually identifiable health information should have"; "(2) [t]he pro- cedures that should be established for the exercise of such rights"; and "(3) [t]he uses and disclosures of such information that should be authorized or required." HIPAA § 264, 110 Stat. 2033. The question is whether these amount to a statement of "general policy" by Con- gress. We believe that they do, particularly when read in connection with the second source — namely section 261, the preamble to the statute — which sets forth the general purpose of HIPAA as "improv- [ing] the Medicare program . . ., the medicaid program . . ., and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establish- ment of standards and requirements for the electronic transmission of certain health information." HIPAA § 261, 110 Stat. 2021. Section 262 further refines this goal by requiring that the Privacy Rule "be consistent with the objective of reducing the administrative costs of providing and paying for health care." HIPAA § 262, 110 Stat. 2023 (codified at 42 U.S.C.A. § 1320d-1(b)). The third source of an intelli- gible principle is Congress’s limitation of the Privacy Rule to commu- nications of listed information by particular covered entities. As noted above, individual provisions of HIPAA outline whom the Privacy Rule was to cover, see 42 U.S.C.A. § 1320d-1(a); what information was to be covered, see § 1320d(6) (defining "individually identifiable health information"); what types of transactions were to be covered, see § 1320d-2(a)(2); what penalties would accrue for violations of HIPAA, see §§ 1320d-5, 1320d-6; and what time lines and standards would govern compliance with HIPAA, see §§ 1320d-3, 1320d-4. We agree with the district court that, taken together, the provisions of HIPAA provide a general policy, describe the agency in charge of applying that policy, and set boundaries for the reach of that agency’s authority — all in keeping with the intelligible principle test. See American Power , 329 U.S. at 105 (holding a statute is "constitution- ally sufficient" if it meets these three requirements). Thus, we con- clude that HIPAA is "well within the outer limits of our nondelegation precedents." American Trucking Ass’ns , 531 U.S. at 474.

Although appellants argue that the present case is indistinguishable from Panama Refining , one of only two cases in which the Supreme Court has invalidated a statute on the basis of an unconstitutional del- egation, we disagree. In Panama Refining , the Court found that the challenged portion of the statute at issue, section 9(c) of the National Industrial Recovery Act ("NIRA"), did not provide the President with any mandate, but rather authorized him to pass a prohibitory law. See Panama Refining , 293 U.S. at 405-412. That is, the Court found that Congress had offered no guidance in NIRA as to whether the Presi- dent should or should not prohibit the transportation of excess petro- leum and petroleum products, so-called "hot oil," in interstate 9 commerce. Rather, the Court noted that "[s]o far as this section is concerned, it gives to the President an unlimited authority to deter- mine the policy and to lay down the prohibition, or not to lay it down, as he may see fit." Id. at 415. Finding no limit on executive discretion in this substantive provision of NIRA, the Court also looked to the preamble of the statute and, once again, found no guidance as to whether "hot oil" was good or bad. See id. at 416-18. Thus, NIRA "provided literally no guidance for the exercise of discretion." Ameri- can Trucking Ass’ns , 531 U.S. at 474. By contrast, in the case before us we have a clear mandate from Congress directing HHS to act in accordance with the intelligible principles set forth in HIPAA. Fur- ther, there are clear limits upon the scope of that authority and the type of entities whose actions are to be regulated.

Finally, we find unavailing appellants’ position that Congress unconstitutionally relinquished its lawmaking function by mandating that final regulations governing standards with respect to the privacy of individually identifiable health information be promulgated within thirty-six months of HIPAA’s enactment if no further legislation on the subject were enacted. We do not agree that this approach amounts to an abdication. Rather, the procedures outlined by Congress estab- lish a more explicit oversight mechanism than usually accompanies a rulemaking mandate imposed upon an agency. In conveying rule- making authority, Congress always reserves the right — indeed, never relinquishes the right — to engage in further lawmaking. As described above, Congress did not abdicate its legislative responsibil- ity in passing HIPAA, but outlined a broad set of principles to guide HHS action. See Yakus , 321 U.S. at 426 ("Only if we could say that there is an absence of standards for the guidance of the Administra- tor’s action . . . would [we] be justified in overriding its choice of means for effecting its declared purpose."). Animated by these princi- ples, HHS was directed first to offer recommendations within a year of HIPAA’s enactment. That Congress did not enact additional mea- sures in light of these recommendations indicates the legislature’s sat- isfaction with HHS’s proposed approach to protecting the privacy of individually identifiable health information. This decision did not, and does not, limit Congress’s ability to revisit the issue, change the direc- tion or scope of the statute or rules, or wholly undo the regulatory scheme HHS has established pursuant to HIPAA.

For these reasons, we conclude that HIPAA does not violate the non-delegation doctrine.

B.

Appellants’ second argument is that section 264(c) of HIPAA lim- its HHS to regulating only electronic records transmitted in connec- tion with section 1173(a) of the Social Security Act, see 42 U.S.C.A. § 1320d-2(a), yet HHS impermissibly expanded HIPAA’s scope to cover not only electronic transactions, but "every form of information for all Americans held by covered entities." Appellants’ Brief at 7. The government responds that neither section 264(c), nor other por- tions of the Administrative Simplification section to which it refers, limits HHS’s authority to regulating purely electronic information. The government also contends that during the rulemaking process HHS decided that protecting only electronic information would not adequately safeguard patient privacy and that it would be burdensome and ultimately unworkable to distinguish the same information in var- ious stages and formats that could be kept in electronic or non- electronic form.

The disputed section includes a broad grant of authority from Con- gress to HHS as to the regulation of medical information. Section 264(c)(1) states in pertinent part as follows:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by Section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations con- taining such standards not later than [February 21, 2000].

HIPAA § 264(c)(1), 110 Stat. 2033. In describing what kind of infor- mation is to be protected, Congress expressly defined "health infor- mation" to include any information, "whether oral or recorded in any form or medium ." 42 U.S.C.A. § 1320d(4) (emphasis added). The def- inition of "individually identifiable health information" — a subset of "health information" — contains no language limiting its reach to 11 electronic media. [2] Thus, the plain language of HIPAA indicates that HHS could reasonably determine that the regulation of individually identifiable health information should include non-electronic forms of that information.

Although appellants argue that the reference in HIPAA § 264(c)(1) to information "transmitted in connection with section 1173(a)" limits the scope of the regulations solely to electronic transactions, another reasonable reading is that section 1173(a) directs HHS to develop "standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically." 42 U.S.C.A. § 1320d-2(a)(1) (emphasis added). Thus, the focus is on enabling electronic portability, not simply on regulating purely elec- tronic activity. This reading is bolstered by the fact that transactions listed in connection with section 1173(a) are not described in terms that limit their scope to electronic media, but rather include transac- tions with respect to "[e]nrollment and disenrollment in a health plan," "[h]ealth care payment and remittance advice," and "[h]ealth plan premium payments" — terms that do not invite the limitation to a purely electronic scheme. 42 U.S.C.A. § 1320d-2(a)(2)(C), (E) and

(F).

The validity of a regulation promulgated by an agency pursuant to a congressional mandate is to be sustained so long as it is "reasonably related to the purposes of the enabling legislation under which it was promulgated." Thorpe v. Housing Auth. of the City of Durham , 393 U.S. 268, 280-81 (1969); see Chevron U.S.A., Inc. v. Natural Res. [2] The phrase "individually identifiable health information" refers to information that: (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and-

(i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the indi- vidual.

42 U.S.C.A. § 1320d(6)(B). Def. Council, Inc. , 467 U.S. 837, 844 (1984). Regulating non- electronic as well as electronic forms of health information effectu- ates HIPAA’s intent to promote the efficient and effective portability of health information and the protection of confidentiality. If coverage were limited to electronic data, there would be perverse incentives for entities covered by the rule to avoid the computerization and portabil- ity of any medical records. Such a development would utterly frus- trate the purposes of HIPAA. HHS’s interpretation of the scope of the grant of authority given by Congress is not inconsistent with the lan- guage of the statute and is reasonably related to the larger purposes of HIPAA. The agency reasonably determined that regulating health information in such a way as to foster effective and efficient elec- tronic transmission requires that the rule encompass paper records.

C.

Appellant’s final argument is that HIPAA’s non-preemption provi- sion, which provides for the preemption of state laws unless they are "more stringent" than HIPAA, is impermissibly vague because it nec- essarily calls for subjective judgments on the part of health care pro- viders, who face jail or fines for incorrect determinations. Contending that it fails to provide fair notice or minimal guidelines to covered entities and individuals, appellants argue that the statute violates the Due Process Clause of the Fifth Amendment. [3] [3] The government contends that the vagueness challenge is unripe because "the non-preemption provision has not been applied to plaintiffs in any concrete way that would permit a fair assessment of its clarity in the proper context." Brief of Appellees at 31. See Lyng v. Northwest Indian Cemetery Protective Ass’n , 485 U.S. 439, 445 (1988) (holding that courts should "avoid reaching constitutional questions in advance of the necessity of deciding them"); Commonwealth of Virginia v. Browner , 80 F.3d 869, 881 n.6 (4th Cir. 1996) (holding that a constitutional chal- lenge to sanctions in the Clean Air Act was not ripe for review because the threat of sanctions had not been felt by plaintiffs "in a concrete way" (internal quotation marks omitted)). We disagree. "Ripeness depends on the fitness of the issues for judicial decision and the hardship to the par- ties of withholding court consideration." Bituminous Coal Operators’ Ass’n v. Secy. of Interior , 547 F.2d 240, 244 (4th Cir. 1977) (internal quotation marks omitted). We believe both requirements are met here. 13

The Court has stated that "[i]t is a basic principle of due process that an enactment is void for vagueness if its prohibitions are not clearly defined." Grayned v. City of Rockford , 408 U.S. 104, 108 (1972). A challenged statutory provision will survive scrutiny "unless it is so unclear with regard to what conduct is prohibited that it may trap the innocent by not providing fair warning, or it is so standardless that it enables arbitrary and discriminatory enforcement." Greenville Women’s Clinic v. South Carolina Dep’t of Health & Envtl. Control , 317 F.3d 357, 366 (4th Cir. 2002) (internal quotation marks omitted).

The disputed preemption provision is found in section 264(c)(2) and states as follows: A regulation promulgated under paragraph (1) shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implemen- tation specifications that are more stringent than the require- ments, standards, or implementation specifications imposed under the regulation.

HIPAA § 264(c)(2), 110 Stat. 2033-34 (emphasis added). In order to determine what state laws will be preempted under HIPAA, we look to the regulations promulgated pursuant to the non-preemption provi- sion. See Village of Hoffman Estates v. Flipside Hoffman Estates, Inc. , 455 U.S. 489, 504 (1982) (holding that "administrative regula- tion will often suffice to clarify a standard with an otherwise uncer- tain scope").

According to the regulations promulgated by HHS, a state law is "more stringent" than HIPAA if it "provides greater privacy protec- tion for the individual who is the subject of the individually identifi- able health information." 45 C.F.R. § 160.202 (2002). To further clarify this standard, the regulation explains that a state law is "more stringent" where it meets one or more of the following criteria: the state law prohibits or restricts a use or a disclosure of information where HIPAA would allow it; the state law provides an individual with "greater rights of access or amendment" to his medical informa- tion than provided under HIPAA; the state law provides an individual with a "greater amount of information" about "a use, a disclosure, rights, and remedies"; the state law provides for the retention or reporting of more detailed information or for a longer duration; or the state law "provides greater privacy protection for the individual who is the subject of the individually identifiable health information." 45 C.F.R. § 160.202. These criteria will doubtless call for covered enti- ties to make some common sense evaluations and comparisons between state and federal laws, but this does not mean they are either vague or constitutionally infirm. Because the regulations are suffi- ciently definite to give fair warning as to what will be considered a "more stringent" state privacy law, we affirm the district court’s deci- sion on this issue as well. [4]

III.

For the foregoing reasons, the judgment of the district court grant- ing the motion to dismiss is hereby affirmed.

AFFIRMED

[4] We summarily dispense with appellants’ argument that the Privacy Rule will chill patients’ rights of free speech, as we find this claim to be without merit.