Summary
noting that although Health Insurance Portability and Accountability Act (HIPAA) does not provide private cause of action for unauthorized disclosure of medical information, HIPAA can establish the standard of care associated with a state tort claim
Summary of this case from Tuck v. City of Gardiner Police Dep'tOpinion
No. Oxf-10-300.
Argued: January 13, 2011.
Decided: April 12, 2011.
Appeal from the Superior Court, Oxford County, 2010 WL 3218051, Clifford, J.
Thomas J. Connolly, Esq. (orally), Portland, ME, for Dwayne and Debbie Bonney.
Mark G. Lavoie, Esq., Christopher C. Taintor, Esq. (orally), Norman, Hanson DeTroy, LLC, Portland, ME, for Stephens Memorial Hospital.
Panel: SAUFLEY, C.J., and ALEXANDER, LEVY, SILVER, MEAD, GORMAN, and JABAR, JJ.
[¶ 1] This appeal stems from an incident in which a hospital security guard overheard a conversation between Dwayne and Debbie Bonney and emergency room nurses attending to them and then reported information from that conversation to local law enforcement officials. The report led police to interview the Bonneys and then obtain a warrant authorizing the search of the Bonneys' residence, resulting in the Bonneys' indictment and subsequent conviction for drug trafficking. The Bonneys sued Stephens Memorial Hospital and the unnamed security guard for damages, contending that the security guard's report was an unauthorized disclosure of an individual's confidential health care information in violation of 22 M.R.S. § 1711 — C(2) (2010) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996, 42 U.S.C.S. §§ 1320d to 1320d-9 (LexisNexis 2008 Supp. 2010), a violation of their privacy, and constituted the negligent infliction of emotional distress.
[¶ 2] The Superior Court (Oxford County, Clifford, J.) entered a summary judgment in favor of the Hospital, determining that the statutory immunity established in 30-A M.R.S. § 287(3) (2010) applied to the Hospital with respect to the Bonneys' state law claims. The court also dismissed the Bonneys' federal claim because it concluded that no private right of action exists for an alleged violation of HIPAA.
[¶ 3] We affirm the judgment as to the Bonneys' HIPAA-based claim, but because we conclude that the immunity established in 30-A M.R.S. § 287(3) does not apply, we vacate the judgment as to the Bonneys' state law claims and remand for further proceedings.
I. BACKGROUND
[¶ 4] The following facts, viewed in the light most favorable to the Bonneys as the nonmoving party, are established in the summary judgment record. See Kurtz Perry, P.A. v. Emerson, 2010 ME 107, ¶ 5, 8 A.3d 677, 679.
[¶ 5] On February 1, 2007, Dwayne and Debbie Bonney were victims of a violent assault that occurred during an invasion of their home in South Paris. Both of the Bonneys suffered severe skull fractures. One of Debbie Bonney's fractures, from a hammer blow, resulted in her skull being pushed one-half inch into her brain. The Bonneys drove themselves to Stephens Memorial Hospital in Norway.
[¶ 6] Upon the Bonneys' arrival at the Hospital, several nurses rushed to the Bonneys and asked them what had happened. Dwayne Bonney responded that he and his wife had been assaulted. A hospital security guard overheard the conversation and said that he was going to call the police. Both of the Bonneys told him not to call the police. While the Bonneys continued to receive medical treatment, the security guard called the Norway Police Department and disclosed the information he had learned concerning the Bonneys. The police responded to the Hospital and spoke with the Bonneys about the assault.
[¶ 7] Based in part on information received from the Bonneys at the Hospital, the police obtained a warrant to search the Bonneys' home for evidence pertaining to the invasion and assault. At the residence, the police observed evidence of marijuana cultivation. This evidence eventually resulted in the Bonneys' indictment and subsequent conviction for drug trafficking.
[¶ 8] In January 2009, the Bonneys filed a complaint against the Hospital and the security guard, alleging that the security guard violated their rights under both state and federal law by reporting confidential health care information to the police and that they suffered emotional distress as a result.
At oral argument, the Bonneys contended that the security guard's actions also gave rise to a breach of contract. Because the Bonneys did not advance this claim before the trial court, it is unpreserved and we do not address it. See Verizon New England, Inc. v. Pub. Utils. Comm'n, 2005 ME 16, ¶ 15, 866 A.2d 844, 849-50.
[¶ 9] The Hospital moved for a summary judgment on the Bonneys' state law claims, arguing that 30-A M.R.S. § 287(3) immunizes health care providers who report assaults to law enforcement when serious bodily injury has been inflicted, even when no written authorization from the patients is obtained. The Hospital also moved to dismiss the Bonneys' federal claim, arguing that HIPAA does not authorize a private cause of action.
[¶ 10] The court granted the Hospital's motion for a summary judgment on the state tort claims and its motion to dismiss the HIPAA claim. Interpreting section 287(3), the court concluded that because the Hospital "provided a report of the assault and the resultant serious bodily injuries to law enforcement for the purpose of prosecuting the alleged crime[,] . . . [the Hospital] is immune from suit even though the [Bonneys] did not provide written authorization to report the home invasion to the police." The court also determined that HIPAA "does not provide a private right of action to the individuals it purports to protect." This appeal followed.
II. DISCUSSION
A. Immunity and 30-A M.R.S. § 287 (2010)
[¶ 11] Because the parties do not dispute the facts, we review the grant of a summary judgment de novo to determine whether the Hospital was entitled to judgment as a matter of law. See M.R. Civ. P. 56(c); Beal v. Allstate Ins. Co., 2010 ME 20, ¶ 11, 989 A.2d 733, 738. Here, the only issue is a question of law — whether the Hospital's unauthorized disclosure of confidential health care information is shielded from liability by statute. We review the interpretation of a statute de novo. Garrison City Broad., Inc. v. York Obstetrics Gynecology, P.A., 2009 ME 124, ¶ 9, 985 A.2d 465, 468.
[¶ 12] The Bonneys argue that the court erred by concluding that the immunity provision of 30-A M.R.S. § 287 applies to the disclosure of information under the circumstances of this case. Section 287, entitled "Physical examination of crime victims," provides immunity from damages for certain medical personnel in subsection (3):
3. Medical personnel not liable for furnishing reports, records or testimony. A physician, nurse, hospital, clinic or any other person, firm or corporation attending a victim, under subsection 1 is not liable in damages or otherwise for providing reports or records, copies of reports or records or for their testimony relating to any examination performed under this section when those reports, records or testimony are provided to a district attorney, a law enforcement officer or a court for the purpose of prosecuting the alleged crime, whether or not the reports, records or testimony are provided with the written authorization of the victim examined under this section.
30-A M.R.S. § 287(3) (emphasis added). The immunity established in subsection (3) relates to those who "attend[] a victim under subsection 1." That subsection provides
1. Payment of expenses by district attorney. . . . [I]n all cases reported to a law enforcement officer of sexual crimes against minors or assault when serious bodily injury has been inflicted, the office of the district attorney of the county in which the alleged crime occurred shall pay the expenses of a physical examination of the victim conducted, for the purpose of obtaining evidence for the prosecution.
Id. § 287(1) (emphasis added).
[¶ 13] The plain and unambiguous language of subsections (1) and (3), read together, establish immunity for medical personnel who provide information to a district attorney, a law enforcement officer, or a court after having attended a victim by conducting "a physical examination of the victim . . . for the purpose of obtaining evidence for the prosecution." Id. The statute does not establish immunity for medical personnel who provide information regarding a victim who has sought medical treatment and is being examined solely for that purpose. Accordingly, the statute does not immunize the Hospital or its personnel from damages arising from the security guard's unauthorized disclosure of information concerning the Bonneys to law enforcement.
[¶ 14] Because 30-A M.R.S. § 287 does not shield health care providers from liability for the unauthorized reporting of confidential health care information when the reporting involved is not related to an examination of a victim performed to obtain evidence for the prosecution, the court erred in granting summary judgment based on statutory immunity.
B. HIPAA and Private Causes of Action
[¶ 15] The Bonneys also seek damages based on the theory that the security guard's disclosure of information violated HIPAA and that "[t]he disclosure caused injury to the [Bonneys] including violation of privacy and mental pain and severe suffering which continues and which has caused economic harm and injury." The court determined that HIPAA does not provide a private cause of action to the individuals whose privacy it seeks to protect and granted the Hospital's motion to dismiss the Bonneys' HIPAA-based claim.
[¶ 16] In reviewing a judgment granting a motion to dismiss, we consider the facts in the complaint as if they were admitted. Saunders v. Tisher, 2006 ME 94, ¶ 8, 902 A.2d 830, 832. We "examine the complaint in the light most favorable to the plaintiff to determine whether it sets forth elements of a cause of action or alleges facts that would entitle the plaintiff to relief pursuant to some legal theory." Id. (quotation marks omitted). "Dismissal is warranted when it appears beyond a doubt that the plaintiff is not entitled to relief under any set of facts that he might prove in support of his claim." Id. (quotation marks omitted).
[¶ 17] Although we have not previously addressed the issue of whether HIPAA authorizes a private cause of action, all courts that have decided this question have concluded that HIPAA does not provide a private cause of action. The analysis in Acara v. Banks is representative:
HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals. . . . HIPAA limits enforcement of the statute to the Secretary of Health and Human Services. Because HIPAA specifically delegates enforcement [to the Secretary], there is a strong indication that Congress intended to preclude private enforcement.
470 F.3d 569, 571-72 (5th Cir. 2006) (citations omitted) (collecting cases).
[¶ 18] The relevant inquiry to determine whether a federal statute provides a private cause of action is whether Congress "displays an intent" to create a private right and private remedy. Alexander v. Sandoval, 532 U.S. 275, 286-87, 121 S.Ct. 1511, 149 L.Ed.2d 517 (2001). "The express provision of one method of enforcing a substantive rule suggests that Congress intended to preclude others." Id. at 290, 121 S.Ct. 1511.
[¶ 19] With regard to HIPAA, Congress has provided for the administrative enforcement of its provisions by the Secretary of Health and Human Services, see 42 U.S.C.S. §§ 1320d- 5, 1320d-6, as well as by State Attorneys General, see 42 U.S.C.S. § 1320d-5(d). HIPAA is silent with respect to private enforcement. In addition, we are unaware of any legislative history or other extrinsic evidence that suggests that Congress intended HIPAA to give rise to private damages actions when the law's requirements are alleged to have been violated. See Astra USA, Inc. v. Santa Clara Cnty., ___ U.S. ___, 131 S.Ct. 1342, 1347, 179 L.Ed.2d 457 (2011) ("[R]ecognition of any private right of action for violating a federal statute . . . must ultimately rest on congressional intent to provide a private remedy." (quotation marks omitted)). We discern no basis on which to conclude that Congress viewed a private cause of action as implicit in a comprehensive Act that fails to make such a cause of action explicit.
[¶ 20] Although, as the Hospital acknowledges, HIPAA standards, like state laws and professional codes of conduct, may be admissible to establish the standard of care associated with a state tort claim, the Act itself does not authorize a private action. See Ilene N. Moore et al., Confidentiality and Privacy in Health Care from the Patient's Perspective: Does HIPAA Help?, 17 Health Matrix 215, 230-31 (2007) ("Although HIPAA does not provide for a private cause of action, its regulations have been used to provide evidence of standards in state tort actions." (footnotes omitted)). However, because HIPAA does not provide a private cause of action, the court did not err in dismissing the Bonneys' HIPAA-based claim.
The entry is:
Summary judgment regarding state law claims vacated and remanded to the Superior Court for proceedings consistent with this opinion; judgment dismissing HIPAA-based claim affirmed.