The regulations promulgated by the Department of Health and Human Services (“DHHS”) to implement the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub.L. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 42 U.S.C.), provide for an individual’s broad access to his own health records. Under HIPAA, an individual has the right to obtain copies of his medical records for a reasonable, cost-based fee, while third parties who seek the same records may be charged at a higher rate. See 45 C.F.R. § 164.524(c)(4). In this case, Kirk Webb’s lawyers' — the law firm of Mann & Cook— requested Webb’s records on his behalf from his treating hospital. That hospital in turn passed the request on to Smart Document Systems (“Smart”), which charged Mann & Cook at the higher rate. Because Mann & Cook bills their clients for the cost of obtaining medical records, Webb and Mann & Cook (collectively, “Plaintiffs”) sued Smart for unfair competition under California Business and Professions Code section 17200 (“Section 17200”), asserting that the lower, cost-based fee should apply.
In a matter of first impression for the federal courts, we must determine whether the term “individual” in the DHHS regulations implementing HIPAA encompassed Mann & Cook when it acted as Webb’s agent, thereby qualifying the law firm to obtain medical records at the lower rate. Although nothing in the regulations prevents a law firm from drafting or mailing the request for records on behalf of its clients, or from directing that the records be sent to its office, we hold nonetheless that the HIPAA regulations require the reduced rate only when the individual himself requests the records. 1 Thus, we affirm the district court’s dismissal of Plaintiffs’ case for failure to state a claim for relief.
Before turning to the merits of Plaintiffs’ claims, we also consider sua sponte whether the district court had jurisdiction over this case. Because HIPAA provides for no private right of action, Plaintiffs originally filed this case in the California Superior Court, invoking a California unfair competition statute to seek redress of the alleged HIPAA violations. Defendant removed the case to federal court. Although under certain circumstances con *1081 cerns about federal question jurisdiction will preclude federal courts from hearing a case where there is no federal private right of action, we conclude that the district court correctly assumed diversity jurisdiction here.
I.
Overview
Webb and Mann
&
Cook filed a class action in California Superior Court. According to the allegations in their complaint, which we “presume! ] to be true” when reviewing a district court’s dismissal pursuant to Federal Rule of Civil Procedure 12(b)(6),
Holcombe v. Hosmer,
Smart is the “world’s largest health document processor.” It contracts with numerous health care providers and facilities for the “exclusive” right to copy and provide patients’ records. When a provider contracts with Smart, patients have “no other means to obtain copies of [their] medical records except through Smart”; Smart “does not notify the patient that it will be accessing and viewing the patient’s health care records in advance,” nor does it “obtain the patient’s consent to do so.” Upon receiving a request, “Smart then accesses and copies the patient’s health care records through an agent who maintains copying equipment on the health care provider’s premises, sends the health care records to the patient or representative, and sends a bill for the copies of the health care records to the patient or his agent.”
In exchange for this exclusive right, “Smart provides free copies and other benefits and services of value to health care providers.” Smart makes a profit in spite of the HIPAA provision allowing patients to obtain their records at a cost-based fee in part by “charging] more for providing copies of health care records to patients who request their records through their agents, such as their personal injury lawyers, than to patients who are not represented by attorneys.”
Plaintiffs encountered Smart when Webb hired Mann & Cook to represent him in his civil rights claim for excessive force and, in furtherance of that litigation, Mann & Cook ordered copies of Webb’s medical records. For that service, Smart charged Mann & Cook $.35 cents per page, in addition to more than $65 in various additional fees, including a “Base Fee,” a “Basic Fee,” and a “Retrieval Fee.” Mann & Cook have a contingent fee arrangement with Webb, so it “advanced the cost of the health care records for its client to Smart, and charged him with repayment of the advance to be paid at the time of the resolution of the case.” Because Webb is thus ultimately responsible for Smart’s charges, the Plaintiffs alleged that Smart violated the HIPAA fee limitations by charging him — through his agent, Mann & Cook — more than a reasonable, cost-based fee.
HIPAA itself provides no private right of action. Accordingly, Plaintiffs brought suit in state court invoking a California unfair competition law that makes violations of other state and federal laws independently actionable. See Cal. Bus. & Prof.Code §§ 17200-210 (West 2005). Smart removed the case to federal court on the basis of diversity of citizenship in class actions, see 28 U.S.C. §§ 1332(d), 1453, 2 and filed a motion to dismiss for *1082 failure to state a claim, see Fed.R.Civ.P. 12(b)(6). It argued that Plaintiffs had not stated a claim under Section 17200 because they had not adequately alleged a violation of any law. Specifically, Smart argued that Plaintiffs’ allegations did not constitute a HIPAA violation because the HI-PAA fee limitations apply only to individual patients who request records on their own behalf, and not to attorneys who act as agents of their clients. The district court granted Smart’s motion. Plaintiffs timely appealed.
II.
STANDARD OF REVIEW We review
de novo
dismissals under Rule 12(b)(6), taking all allegations in the complaint as true.
Holcombe,
III.
Discussion
A. Jurisdiction Over the Section 17200 Claim
This case presents an unusual situation. Generally, when we consider state law claims asserted in federal court after a diversity-based removal, we apply state substantive law, pursuant to
Erie Railroad Co. v. Tompkins,
In fact, however, it is California law that directs, in this class action diversity case, that we examine federal law. Plaintiffs’ California cause of action, Section 17200, is a broad statute designed to remedy violations of other laws, both state and federal.
See People ex rel. Bill Lockyer v. Fremont Life Ins. Co.,
Similarly, if we determine that the agency responsible for implementing HIPAA intended to permit Smart’s conduct, it cannot be “unfair” under Section 17200. The California Supreme Court has held that if the allegedly unfair conduct is that which “the Legislature has permitted ... or eon-
*1083
sidered ... and concluded no action should lie, courts may not over-ride that determination ... [and] use the general unfair competition law to assault that [safe] harbor.”
Cel-Tech Commc’ns, Inc. v. Los Angeles Cellular Tel. Co.,
In some cases, federal jurisdictional requirements may preclude federal courts from entertaining a state law claim based on a violation of a federal statute.
5
“[A] complaint alleging a violation of a federal statute as an element of a state cause of action, when Congress has determined that there should be no private, federal cause of action for the violation, does not state a claim ‘arising under the Constitution, laws, or treaties of the United States.’ ”
Merrell Dow Pharm. v. Thompson,
This jurisdictional concern is not present here. Had Smart removed this case to federal court on the basis of federal question jurisdiction under § 1331, the lack of a private right of action to enforce HIPAA may have foreclosed Plaintiffs’ Section 17200 claim. However, Smart invoked diversity jurisdiction pursuant to 28 U.S.C. § 1332(d) to justify the removal.
See
28 U.S.C. § 1453;
cf. Lockyer v. Dynegy, Inc.,
B. HIPAA Statutory and Regulatory Framework
HIPAA aims “to improve the ... efficiency and effectiveness of the health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” HIPAA § 261,
*1084
Pub.L. 104-191, 110 Stat. 1936 (codified at 42 U.S.C. § 1320d notes). As the Fourth Circuit has noted, Congress intended through this legislation to “recogniz[e] the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems.”
S.C. Med. Ass’n v. Thompson,
In implementing this Congressional directive, DHHS has determined that, except in limited circumstances, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 C.F.R. § 164.524(a)(1) (emphasis added). Upon an “individual [’s ] request[ ]” to inspect or obtain his records,
the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
(i)Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by [the regulation].
Id. § 164.524(c)(4) (emphasis added). The question raised by this case is whether designated agents, such as personal attorneys, can count as the “individual” in order to obtain the reasonable, cost-based fee.
“As a general interpretive principle, the plain meaning of a regulation governs.”
Safe Air for Everyone v. U.S. Envtl. Prot. Agency,
The canon of statutory construction
expressio unius est exclusio alterius,
which “creates a presumption that when a statute designates certain persons, things, or manners of operation, all omissions should be understood as exclusions,”
Silvers v. Sony Pictures Entm’t, Inc.,
As specified in this paragraph, a covered entity must, except [in limited circumstances), treat a personal representative as the individual for purposes of this subchapter.... If under applicable law a person has authority to act on behalf *1085 of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to personal representation.
45 C.F.R. § 164.502(g). Application of this canon suggests that because DHHS explicitly defined “individual” to encompass “personal representatives,” it was fully capable of writing in an even broader definition of the term. That it did not underscores the conclusion that “individual” should be afforded its plain meaning, and that we should therefore reject Mann & Cook’s claim to the lower rate.
Notwithstanding that plain meaning, Plaintiffs urge us to read the term “individual” to include authorized attorneys because such an interpretation would be more consistent with the purpose of HIPAA. Plain meaning is not the end of the inquiry. “The plain language of a regulation ... will not control if clearly expressed administrative intent is to the contrary or if such plain meaning would lead to absurd results.”
Safe Air,
We are not persuaded that regulatory intent overcomes plain meaning in this case. Plaintiffs have not directed us to any part of the original notice of proposed rulemaking (“proposed rules”), 6 the commentary accompanying the final rules (“final commentary”), 7 or the subsequent published clarifications accompanying the publication of other rules (“subsequent clarification”) 8 that suggests that “individual” means anything other than “the person who is the subject of the protected health information,” and, when applicable, that person’s personal representative.
On the contrary, a review of relevant regulatory history makes clear that DHHS did not intend for private attorneys to receive the reduced fees. Most notably, in the proposed rules, DHHS explicitly considered adopting a broader definition of “individual” that would have included legal representatives, but in the final rule ultimately decided against it. As explained in the final commentary, DHHS had previously
proposed that the term [individual] include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), the following types of legal representatives: ... With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person’s rights in such contexts.
65 Fed.Reg. 82492. However, “[i]n the final rule, [DHHS] eliminate[d] from the definition of ‘individual’ the provisions designating a legal representative as the ‘individual.’ ”
Id.
The agency chose “[finstead” to “include in the final rule a separate
*1086
standard for ‘personal representatives.’”
Id.
Further, in 2002, in response to a public comment asking whether the fee limitations applied to “payers,
attorneys,
or entities that have the individual’s authorization,” DHHS’s subsequent clarification explained that “the Rule ... limits
only
the fees that may be charged to individuals or to their personal representatives.” 67 Fed.Reg. 53254 (emphasis added). The final commentary and subsequent clarification extinguish any doubt that the “personal representative” category constitutes the only class of persons that may be treated as the “individual” other than the individuals themselves.
See Barnhart v. Peabody Coal Co.,
Because of this regulatory history, even if we believed the meaning of “individual” was ambiguous on its face, we would be compelled to agree with Smart. An “agency’s interpretation [of a regulation] must be given controlling weight unless it is plainly erroneous or inconsistent with the regulation.”
Thomas Jefferson Univ. v. Shalala,
Plaintiffs also urge that neither the final commentary nor the subsequent clarification, which appear to foreclose Plaintiffs’ argument, is directly on point. They argue that the “legal representatives” and “attorneys” to which the regulatory materials refer do not necessarily include “attorneys at law for individuals”; the final commentary and subsequent clarification, according to Plaintiffs, address only “true third party situations [such as attorneys for insurers], not situations where a ‘legal representative’ is acting ‘to exercise the person’s rights’ in a ‘context’ where the ‘applicable law permits’ them to so act.” This argument is not convincing. The DHHS final commentary and subsequent clarification clearly preclude both third party attorneys and private legal representatives from obtaining the reduced fees. First, as discussed, the agency considered, but decided against defining “individual” to include legal representatives, instead creating the narrower category of “personal representatives.” Second, DHHS stated explicitly that “[t]he fee limitations ... do not apply to disclosures that are based on an individual’s authorization that is valid under [45 C.F.R.] § 164.508.” 67 Fed.Reg. 53254. 9 The law firm of Mann & Cook, of *1087 course, must act pursuant to Webb’s authorization. 10 Therefore, DHHS has explicitly ruled out Plaintiffs’ proposed interpretation.
C. Plaintiffs’ Agency Argument
Plaintiffs’ case ultimately distills down to their argument that because Mann & Cook acts as Webb’s agent, for HIPAA purposes the lawyer who makes the request
is
the individual, and thus should be charged the reduced fees for the medical records. They rely on California agency law, which provides that “an attorney, appearing and acting for a party to a cause, has authority to do so, and to do all other acts necessary or incidental to the proper conduct of the case.”
Clark Equip. Co. v. Wheat,
In fact, however, California law does not support Plaintiffs’ claim. In the only case — federal or state — to address directly a claim based on the HIPAA fee limitation at issue in this case, the California Court of Appeal analyzed the same agency argument, advanced by the same law firm'— Mann & Cook — on behalf of a different client, and rejected it:
We agree that the lawyer is the client’s agent, but we do not think that, for the purposes of protecting the privacy of medical records, a lawyer’s request is the same as the client’s personal request for his or her own medical records. The problem- that appellant’s argument sidesteps is that a request by anyone other than the individual or his/her personal representative as defined in the regulations raises serious privacy concerns. DHHS considered but rejected giving lawyers the same status as personal representatives. This court is not empowered to redraft federal regulations, especially when the regulations do not impinge on fundamental rights.... [A]ll appellant has to do is to request a copy of his own records. We do not perceive that there is any “right” to have one’s lawyer ask for one’s records.
Bugarin v. Chartone,
*1089 Our holding, however, in no way precludes attorneys from assisting their clients in accessing and obtaining their medical records without triggering the hefty fees. Although the plain meaning of “individual,” as well as the DHHS final commentary and subsequent clarification evidence a clear intent to exclude attorney requests from the reduced fees, this intent does create at least some conflict with DHHS’s statement that “[t]he fee limitation ... is intended to assure that the right of access ... is available to all individuals, and not just to those who can afford to do so.” 67 Fed.Reg. 53254. As the California Court of Appeal noted,
lawyers routinely request copies of their clients’ medical records. The effect of such requests by lawyers is to increase the cost to the client, even though the intent of the legislation, and the regulations, is to minimize the cost of copying, at least when an “individual” requests his or her own records.
Bugarin, 38 Cal.Rptr.3d at 509. It is possible to reconcile this seeming conflict; privacy concerns increase when anyone other than the individual requests medical records, and because privacy is a primary HIPAA goal, it makes sense to make it more difficult for third parties to obtain records, even with authorization. Still, it is “circuitous,” if not downright silly, to require an individual “to request his own medical records ... and having received them, hand them to his lawyer.” Id. at 510.
We therefore echo the concurrence in Bugarin by emphasizing that in affirming the district court’s judgment, we only
uphold[ ] the ability of copying services to charge higher rates when the attorney makes the request on behalf of his or her client than when the patient/ client makes the request directly.... [We do] not address such presumably common scenarios in which the client signs the request and asks the documents to be sent to the attorney, or the attorney prepares the documents on his or her letterhead and the client personally signs the request.
Id. at 511 (Rubin, J., concurring). In the end, then, we may not be “free to deviate from the text” of the HIPAA regulations, id. at 509, but we may nonetheless recognize that there is ample room for attorneys to provide important services for their clients. 13
AFFIRMED.
Notes
. We have jurisdiction pursuant to 28 U.S.C. § 1291.
. Under the Class Action Fairness Act of 2005, Pub.L. 109-2, 119 Stat. 4 (2005), except in certain circumstances not present here, "[a] class action may be removed to a district court of the United States ... without regard to whether any defendant is a citizen of the State in which the action is brought.” 28 U.S.C. § 1453(b); see also id. § 1332(d)(2) ("The district courts shall have original jurisdiction of any civil action in which the matter in controversy exceeds the sum or value of *1082 $5,000,000, exclusive of interest and costs, and is a class action in which — [, inter alia,] (A) any member of a class of plaintiffs is a citizen of a State different from any defendant.”).
. Plaintiffs’ complaint also referenced a claim under the California common law of unfair competition. Plaintiffs have not pursued that claim in this appeal, so we consider it waived.
See United States v. Gomez-Mendez,
. Plaintiffs also alleged a claim for relief under California Civil Code section 52.1 (providing a cause of action for "interfere[nce] ... by threats, intimidation, or coercion, ... with the exercise or enjoyment ... of rights secured by” state or federal statutes or constitutions). There is some question whether section 52.1 covers violations of federal regulations at all, even if a violation were adequately stated.
Cf. Venegas v. County of Los Angeles,
. Neither party challenges federal court jurisdiction over this removed case. See 28 U.S.C. § 1332(d) (authorizing diversity jurisdiction over class actions); id. § 1453 (authorizing removal of class actions). Because of the unusual procedural posture of this case, however, we discuss this issue to ensure that we in fact have subject matter jurisdiction.
. See 64 Fed.Reg. 59918-60065 (Nov. 3, 1999).
. See 65 Fed.Reg. 82462-82829 (Dec. 28, 2000).
.See 67 Fed.Reg. 53254 (Aug. 15, 2002).
. A valid authorization under HIPAA is defined as follows:
Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the infor *1087 mation in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure....
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure....
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all the following:
(i) The individual’s right to revoke the authorization in writing, and ...:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization;
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization,
(3) Plain language requirement. The authorization must be written in plain language.
(4)Copy to the individual. If a covered entity seeks an authorization from an individual for use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
45 C.F.R. § 164.508(c).
. To the extent that Plaintiffs suggest that, as an agent of Webb, Mann & Cook acts as Webb and thus does not need a valid HIPAA authorization, their argument lacks merit. Although § 164.508 is a general provision requiring authorization, nothing in that section exempts private attorneys. Moreover, the final commentary explicitly states that ”[i]f the attorney [of an individual] is not the personal representative under the rule, or if the attorney wants a copy of more protected health information than that which is relevant to his personal representation, the individual would have to authorize such disclosure” of records. 65 Fed.Reg. 82651. Given HIPAA's concerns with the privacy of medical information, such a specific authorization requirement makes sense. Indeed, as the final commentary makes clear, even personal representatives do not get carte blanche to request medical records without specific authorization, but instead may request only records relevant to that representation. There is therefore no reason to think that a general attorney/client retainer form would be sufficient, without specific authorization, to allow disclosure of medical records.
. Some non-California state cases suggest that, in certain contexts, attorney-agents may qualify as individuals for the purpose of requesting medical records at a reduced, cost-based fee. However, none of these cases involve HIPAA or, for that matter,
any
statute with comparable text or commentary suggesting that the drafters intended to exclude private attorneys from benefitting from the fee limitations.
Cf. Ford v. Chartone, Inc.,
. California's statutory equivalent to the regulatory provision allowing reduced fees under HIPAA also appears on its face to be inapplicable to requests like Mann & Cook's: The state statutory fee limitations apply to the *1089 requests of a "patient” or “patient's representative.” Cal. Health & Safety Code § 123110(b). The definition of "patient's representative” does not include private attorneys unless they are guardians or agents empowered to make healthcare decisions. Id. § 123105(e). It is possible that legislative intent, or the policy and practices of the agency implementing this statute might lead to a different conclusion. However, as neither party has raised the significance of this state statute or its interpretation, we decline to address it further.
. In light of our disposition we need not reach the issue of whether Smart is subject to HIPAA's cost-based fee regulation in the first place.