Opinion
No. X10 NNH-CV-04-4003207S
April 3, 2006
MEMORANDUM OF DECISION
February 8, 2006, the court ruled on the motions to strike filed by Yale University and Yale New Haven Hospital ("Hospital"). The court reserved a ruling on the Hospital's motion to strike Count Twenty-one, inviting the parties to submit a supplemental memorandum on the following question: "To what extent, if any, has HIPAA pre-empted the right of a private individual to bring a CUTPA action in Connecticut (or an action under an analogous statute in another jurisdiction) for a violation of the provisions of HIPAA?" This decision addresses that novel question after receipt of the supplemental memoranda submitted by the plaintiffs and the defendant hospital. No court has addressed this issue.
For purposes of this memorandum, the court restates the allegations of facts by the plaintiffs and the statements of the law as it applies to a motion to strike in the associated decision of February 8, 2006.
In this action the plaintiff Jeannine Fisher complains that the defendants failed to safeguard her personal identifying information in their database and as a result the named defendant Ramon Delgado-Brooks was, as an employee of the defendants (directly or through a third party) able to access the information and intimidate, threaten and harass the plaintiff Jeannine Fisher and her immediate family. Delgado-Brooks had previously been convicted and incarcerated on two occasions for violent and threatening behavior toward the plaintiff and her son. She had sought to keep her location and identity (her name had changed) secret so that she would be free from his violent behavior. As a result of Delgado-Brooks accessing the plaintiff's personal information from the defendant hospital's computer database the plaintiff allegedly suffered emotional injuries of emotional distress, trauma, anxiety, aggravation of the post traumatic stress disorder she had suffered from Delgado-Brooks' attacks on her, and as a result thereof, migraine headaches, depression, sleeplessness, nausea and stress related temporo-mandibular joint pain. The plaintiffs William and Michael Fisher have also asserted separate claims for negligence and emotional distress arising out of the alleged conduct of the institutional defendants in permitting the defendant Delgado-Brooks to access the plaintiff Jeannine Fisher's personal information.
The law governing the court's consideration of a motion to strike is well-established. "The purpose of a motion to strike is to contest the legal sufficiency of the allegations of any complaint to state a claim upon which relief can be granted. In ruling on a motion to strike, the court is limited to the facts alleged in the complaint. The court must construe the facts in the complaint most favorably to the plaintiff." (Citations and internal quotation marks omitted.) Novametrix Medical Systems v. BOC Group, Inc., 224 Conn. 210, 214, 618 A.2d 25 (1992). "It is fundamental that in determining the sufficiency of a complaint challenged by a defendant's motion to strike, all well-pleaded facts and those facts necessarily implied from the allegations are taken as admitted." Suffield Devel. Assoc. L.P. v. National Loan Inv., 64 Conn.App. 192, 197, 779 A.2d 822 (2001). "The role of the trial court is to examine the complaint, construed in favor of the plaintiffs, to determine whether the pleading party has stated a legally sufficient cause of action." Dodd v. Middlesex Mutual Assurance Company, 242 Conn. 375, 378, 698 A.2d 859 (1997).
In count twenty-one, the plaintiff Jeannine Fisher asserts a claim under the Connecticut Unfair Trade Practices Act, Conn. Gen. Stat. § 42-110a et seq., ("CUTPA,"), as a result of the Hospital's alleged failure to comply with the HIPAA (Health Insurance Portability and Accountability Act) requirements to safeguard her medical records and personal information in their files. The court must determine whether the plaintiff's CUTPA claim is preempted by HIPAA.
HIPAA, which was enacted in 1996 by Congress as P.L. 104-191 (Aug. 21, 1996), required that safeguards be established "to ensure the integrity and confidentiality" of a person's heath information and "to protect against any reasonably anticipated . . . unauthorized uses or disclosures of the information . . ." HIPAA § 2026(2). Section 1177 of HIPAA provides for criminal penalties of fines and imprisonment for disclosure or possession of an individual's identifiable health information, and civil money penalties that may be imposed administratively if § 1177 does not apply, if a healthcare provider fails to comply with the statutory requirements and standards. HIPAA § 1176.
HIPAA contains preemption provisions, in both the statutory Act as well as administrative regulations promulgated by the Secretary of Health and Human Services, that are controlling of the issue before the court. In the section of the Act entitled, "Effect on State Law," codified at 42 U.S.C. § 1320d-7(a)(1), the Act provides what is styled a "general rule" for preemption of state law:
Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
The statute, in subsection (a)(2), provides two "exceptions" to the general preemption rule. It apparently is undisputed that the first of these exceptions, which pertains to provisions of state law that have been determined by the Secretary of Health and Human Services to be necessary for, inter alia, the prevention of fraud and abuse, is inapplicable to the issue at hand. The preemption issue therefore turns upon the second exception, which is set forth at 42 U.S.C. § 1320d-7(a)(2)(B):
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State law, if the provision of State law . . . (B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
The statutory preemption provisions have been explicated by regulations promulgated by the Secretary of Health and Human Services. The structure of these regulations mirrors the general rule and two exceptions of the statute, but adds definitions and some substantive elaboration upon the exceptions. As previously articulated, it is the second exception that is relevant to the issue at hand. That exception, in regulation form, is embodied at 42 C.F.R. § 160.203(b) and provides, in relevant part, that a contrary provision of state law is preempted unless:
The provision of state law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart B of part 164 of this chapter.
It should be noted that this regulation adds to the statutory exception by creating the requirement that the state law in question be more "stringent' than the relevant HIPAA provision.
The court now turns to the application of these provisions to the plaintiff's claim that the conduct of the defendant Hospital, in failing to comply with HIPAA's privacy requirements, gives rise to a violation of CUTPA. The first part of the preemption analysis requires the court to consider whether CUTPA constitutes a "contrary" provision under the general HIPAA preemption rule. The term `contrary" is defined at 42 C.F.R. § 160.202 as follows: "when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means: . . . (2) The provision of State law stands as an obstacle to the accomplishment and execution of part C of title XI of the Act or section 264 of Pub.L. 104-191, as applicable." 45 C.F.R. § 160.202. The referenced sections contain the legislative purposes, definitions and provisions for administrative simplification for the execution of the legislative purposes of HIPAA. The federal legislature's stated purposes therein is "to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." Pub.L. 104-1911, Subtitle F, sec. 61; 42 USC 1320d.
If Congress had intended to allow for a private action as part of this program, it could have included it in the legislation or authorized the Secretary to provide for the same by rulemaking. "[I]t is not the province of a court to supply what the legislature chose to omit." Federal Aviation Administration v. Administrator, 196 Conn. 546, 550, 494 A.2d 564 (1985). Nothing in HIPAA's own provisions or the promulgated regulations authorize a private cause of action. Indeed, courts have repeatedly held that Congress did not intend to create a private cause of action under HIPAA. See Logan v. Department of Veterans Affairs, 357 F.Sup.2d 149, 155 (D.D.C. 2004) (Noting that HIPAA "specifically indicates that the Secretary of HHS shall pursue the action against an alleged offender, not a private individual"); Bradford v. Semar, 2005 WL 1806344 (E.D.Mo. July 28, 2005), at *3 (Holding that "Every court that has considered the issue has held that HIPAA does not create a private cause of action for violations under the act"). Therefore, to the extent CUTPA permits a private right of action for a HIPAA violation, CUTPA constitutes a "contrary" provision of state law and falls within the ambit of the HIPAA general preemption rule.
The court next turns to a consideration of whether the second exception to the HIPAA preemption rule obtains. Plaintiff argues that Congress did not intend to preempt an action under CUTPA for a violation of HIPAA because there was no Congressional intent to cover the field where the state law is more stringent. Plaintiff references the provision in HIPAA that regulations promulgated under the rulemaking authority provided in HIPAA "shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." HIPAA § 264(c)(2). The plaintiff argues that the promulgated regulations which define "more stringent" in this context as "(6) . . . provides greater privacy protection for the individual who is the subject of the individually identifiable health information," 45 C.F.R. § 16.202, implicate CUTPA. The argument is that since a violation of HIPAA is a violation of a clearly delineated public policy, it is actionable under CUTPA, and that the ability of a plaintiff to bring the action will result in greater privacy protection to her as a subject of individually identifiable health information.
The defendant argues in response that HIPAA provides no private cause of action, and preempts the field since CUTPA is not a law which "relates to the privacy of individually identifiable health insurance" which has been defined as State law "that . . . has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way." 45 CFR § 160.202(6). For the reasons stated herein, the court agrees.
"State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law." 45 CFR § 160.202 (6).
While the plaintiff appears to concede that HIPAA did not create the right to a private cause of action for violation of HIPAA and none has been recognized by the courts, plaintiff does seem to argue that because stricter state laws that address a patient's right of privacy are permitted, that this court should create such an action at common law by recognizing a cause of action under CUTPA for HIPAA. The court rejects this argument.
Neither CUTPA itself, nor any decision construing it, purport to regulate the privacy of individually identifiable health information of medical patients. CUTPA was enacted to provide a cause of action for plaintiffs harmed by acts of unfair or deceptive business practices or acts, or unfair competition. Conn. Gen. Stat. § 42-110b(a). The CUTPA statute requires the court to look to the Federal Trade Commission for guidance in construing the intent of the state legislature in determining what conduct is prohibited. The Connecticut Supreme Court "has repeatedly held, in accordance with this statutory instruction, that Federal Trade Commission (FTC) rulings and cases under the Federal Trade Commission Act (FTC Act) serve as a lodestar for interpretation of the open-ended language of CUTPA. (Citations omitted)." Russell v. Dean Whitter Reynolds, Inc., 200 Conn. 172, 179, 510 A.2d 972 (1986).
The court is aware of, and the plaintiff has pointed to, no statute, rule, or judicial decision construing the FTC Act in a manner that implicates the privacy of patient information. The complete lack of FTC activity in this area is further evidence that CUTPA does not relate to the privacy of individually identifiable health information.
The court concludes that CUTPA is not in its express language or by inference through FTC regulations or case law, a law that "has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way," 42 CFR § 160.202(6). Accordingly, CUTPA is preempted by the general HIPAA preemption provisions set forth at 42 U.S.C. § 1320d-7 and 42 C.F.R. § 160.203(b). Although not necessary to the court's decision, the court notes that CUTPA is inapplicable to the defendant Hospital on the facts of this case. In Normand Josef Enterprises, Inc. v. Connecticut National Bank, 230 Conn. 486, 646 A.2d 1289 (1994) the court undertook a four-pronged analysis that examined the circumstances for the court to consider whether CUTPA applies where the subject matter of the CUTPA violation is regulated pursuant to federal law.
Pursuant to Normand Josef, the court first must consider the extent of FTC activity in the area to which CUTPA is sought to be applied. As discussed previously herein, there has been no FTC activity, either regulatory or by judicial application, in the area of hospital patient privacy. Next, the court considers whether the hospital industry is so comprehensively regulated that it would preclude application of CUTPA to the privacy violations. Id. at 517. The regulatory scheme of HIPAA, established by the federal Department of Health and Human Services, is comprehensive and complete. Indeed, it is this scheme that requires the finding of preemption unless Connecticut has an explicitly more stringent law.
The plaintiff is no more successful under the analysis of the third and fourth prongs of Normand Josef. Id. at 517-18. The administrative body in Connecticut responsible for the enforcing of CUTPA at the administrative level and promulgating regulations pursuant to the statute has not undertaken to create a regulatory scheme for the enforcement of HIPAA violations under CUTPA. Finally, no sister state has found a CUTPA or similar cause of action, statutory or otherwise, for a HIPAA violation.
This opinion is limited to the facts and circumstances before the court on the motion to strike, specifically whether a CUTPA action is pre-empted by HIPAA. This opinion is not intended as a ruling on, nor does it address the question of whether a CUTPA violation would lie against a hospital under different facts and circumstances or relying on a different claimed violation of law or public policy.
As a final measure for consideration, the common law of Connecticut has not, to date, been developed to provide a right of action for violation of HIPAA's privacy provisions. Accordingly, the court finds that CUTPA is inapplicable to the defendant Hospital on the facts of this case.
For the foregoing reasons, the court grants the defendant's motion to strike count twenty one.