Opinion
No. 22-2268
03-29-2024
ARGUED: John A. Yanchunis, MORGAN & MORGAN, P.A., Tampa, Florida, for Appellant. Kevin Joseph Kennedy, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C., for Appellee. Matthew Sidney Freedus, FELDESMAN TUCKER LEIFER & FIDELL, LLP, Washington, D.C., for Appellee. ON BRIEF: Kenya J. Reddy, MORGAN & MORGAN, P.A., Tampa, Florida, for Appellant. Brian M. Boynton, Principal Deputy Assistant Attorney General, Mark B. Stern, Dana L. Kaersvang, Civil Division, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C.; Samuel R. Bagenstos, General Counsel, Michael I. Goulding, Associate General Counsel, Robert H. Murphy, Sean M. Flaim, General Law Division, UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, Washington, D.C.; Adair F. Boroughs, United States Attorney, OFFICE OF THE UNITED STATES ATTORNEY, Columbia, South Carolina, for Appellee United States. Rosie Dawn Griffin, FELDESMAN TUCKER LEIFER FIDELL, LLP, Washington, D.C.; Michael D. Wright, SAVAGE, ROYALL & SHEEHAN, LLP, Camden, South Carolina; Jessica L. Fickling, STROM LAW OFFICE, Columbia, South Carolina, for Appellee Sandhills Medical Foundation, Inc.
Appeal from the United States District Court for the District of South Carolina, at Florence. R. Bryan Harwell, Chief District Judge. (4:21-cv-02307-RBH) ARGUED: John A. Yanchunis, MORGAN & MORGAN, P.A., Tampa, Florida, for Appellant. Kevin Joseph Kennedy, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C., for Appellee. Matthew Sidney Freedus, FELDESMAN TUCKER LEIFER & FIDELL, LLP, Washington, D.C., for Appellee. ON BRIEF: Kenya J. Reddy, MORGAN & MORGAN, P.A., Tampa, Florida, for Appellant. Brian M. Boynton, Principal Deputy Assistant Attorney General, Mark B. Stern, Dana L. Kaersvang, Civil Division, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C.; Samuel R. Bagenstos, General Counsel, Michael I. Goulding, Associate General Counsel, Robert H. Murphy, Sean M. Flaim, General Law Division, UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, Washington, D.C.; Adair F. Boroughs, United States Attorney, OFFICE OF THE UNITED STATES ATTORNEY, Columbia, South Carolina, for Appellee United States. Rosie Dawn Griffin, FELDESMAN TUCKER LEIFER FIDELL, LLP, Washington, D.C.; Michael D. Wright, SAVAGE, ROYALL & SHEEHAN, LLP, Camden, South Carolina; Jessica L. Fickling, STROM LAW OFFICE, Columbia, South Carolina, for Appellee Sandhills Medical Foundation, Inc. Before THACKER, HARRIS, and RICHARDSON, Circuit Judges. Vacated and remanded by published opinion. Judge Thacker wrote the opinion in which Judge Harris and Judge Richardson joined. THACKER, Circuit Judge:
Joann Ford ("Appellant"), on behalf of herself and all others similarly situated, filed a complaint in South Carolina state court, alleging claims for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality against Sandhills Medical Foundation, Inc. ("Sandhills") for failure to properly maintain her personally identifying information ("PII") and protected health information ("PHI"). Appellant provided this information to Sandhills as a condition of her treatment when she was a patient in 2018. After Appellant ceased being a patient at Sandhills, Appellant's PII was stolen from Sandhills' third party computer system in a cyberattack in late 2020. Appellant's PHI was not affected by the cyberattack.
Sandhills removed the case to federal court for a determination as to whether a federal immunity defense shielded it from liability. In order for Sandhills to be immune from suit, it had to demonstrate that Appellant's alleged damages resulted "from the performance of medical, surgical, dental, or related functions." 42 U.S.C. § 233(a). If § 233(a) applies, then the case is treated as one brought pursuant to the Federal Tort Claims Act ("FTCA"), Sandhills is afforded immunity, and the United States is substituted for Sandhills as the defendant.
The district court concluded that Sandhills was immune from suit and the United States was substituted for Sandhills as the defendant pursuant to § 233(a). In coming to this conclusion, the district court reasoned that because Appellant was required to provide her PII to Sandhills in order to receive treatment, the theft of her PII arose out of Sandhills' performance of "medical, surgical, dental, or related functions."
But as explained below, we conclude that § 233(a) does not apply to Appellant's claims because Sandhills was not performing a related function when an unnamed third party hacked and stole Appellant's PII.
Therefore, we vacate and remand.
I.
A.
Sandhills is a South Carolina nonprofit health center that receives federal funding pursuant to the Public Health Service Act, 42 U.S.C. § 254b et seq., (the "PHS Act") to provide primary health care and related services to medically underserved communities in South Carolina. This case arises from a cyberattack in late 2020, during which unknown bad actors stole the electronically stored PII of Sandhills' patients, including Appellant.
Appellant was a Sandhills patient from approximately 2018 to 2019. In order to provide her treatment, Sandhills requested, collected, and stored Appellant's PII. At the time, Sandhills did not store its patients' PII locally, but instead hired a third party vendor and utilized the vendor's online data storage platform to store the information.
In late 2020, the third party vendor's computer system was hacked, resulting in the disclosure of Appellant's PII. Sandhills did not learn of the breach until January 8, 2021. And on or about March 5, 2021, Sandhills announced the security breach to its current and former patients. Thereafter, in a public notice to its patients, Sandhills shared that it had "determined that patient medical records, lab results, medications, credit card numbers, and bank account numbers were NOT affected." J.A. 34 (emphasis in original). Rather, the impacted data included patient names, dates of birth, mailing and email addresses, driver's licenses and state identification cards, social security numbers, and insurance claims information that could be used to identify medical conditions.
Citations to the "J.A." refer to the Joint Appendix filed by the parties in this appeal.
On April 2, 2021, an unknown and unauthorized individual used Appellant's PII to apply for a $500 loan. Appellant asserts that she spent time dealing with this fraudulent use of her PII and remains concerned about the potential for further loss of privacy and fraud from unauthorized individuals using her stolen information. She also alleges that she suffered lost time, annoyance, interference, and inconvenience as a result of the data breach. Appellant claims she suffered "imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse" resulting from unauthorized persons possessing her PII. J.A. 41.
B.
On June 18, 2021, Appellant filed a Complaint in the Court of Common Pleas for Chesterfield County, South Carolina, alleging that Sandhills failed to safeguard her PII, which resulted in a fraudulent loan application in her name. Appellant styled her Complaint as a proposed nationwide class action, to include those current and former patients "whose PII or PHI was exposed to an unauthorized party." J.A. 42. Appellant alleged claims for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality based on Sandhills' failure to: (1) adequately protect the PII and PHI of Appellant and the class; (2) warn Appellant and the class of its inadequate information security practices; and (3) avoid sharing the PII and PHI of Appellant and the class without adequate safeguards.
After Sandhills was served the complaint, it notified the United States Attorney General, claiming that it was "entitled to absolute immunity from this civil action, as it resulted from Sandhills' performance of medical or related functions." J.A. 65. After the time elapsed for the United States to make an appearance, Sandhills removed the action to the United States District Court for the District of South Carolina. In its removal, Sandhills argued the district court had subject matter jurisdiction over the case for three reasons.
If a suit covered by § 233(a) is brought in state court, the PHS defendant may notify the Attorney General. 42 U.S.C. § 233(l)(1). The Attorney General then has fifteen days to make an appearance in the state court and advise the court whether the defendant "is deemed to be an employee of the Public Health Services for purposes of this section with respect to the actions or omissions that are the subject of" the action. Id. This operates as the Attorney General certifying that the PHS defendant was acting in scope of employment. Id.; § 233(c). If fifteen days pass with no response from the Attorney General, "the civil action or proceeding shall be removed to the appropriate United States district court." § 233(l)(2). Once removed to federal court, the merits of the action "shall be stayed in such court until such court conducts a hearing, and makes a determination, as to" whether the claim falls within § 233(a). Id.
First, Sandhills relied on 42 U.S.C. § 233(l)(2), a federal removal statute that permits a community health center recipient of federal grant funds to remove a case to federal court to determine the applicability of 42 U.S.C. § 233(a) -- a federal immunity defense for qualifying private health centers that receive federal grant money. Section 233(a) shields qualifying health centers from damages arising "from the performance of medical, surgical, dental, or related functions, including the conduct of clinical studies or investigation." Sandhills argued that § 233(a) should apply to its data security functions, making it immune from suit, because it collects patient PII as a condition of providing treatment. Therefore, Sandhills contended that its maintenance of patient PII was inextricably woven into its provision of health care and thus qualified its data security as a "related" function of medical care.
Second, in support of removal, Sandhills cited 28 U.S.C. § 1442(a)(1), which permits any officer of the United States or of any federal agency -- or any person acting under that officer -- to remove a case against them in their official or individual capacity to federal court, even when the underlying federal question arises only as a defense to a state law claim. See Jefferson Cnty., Ala. v. Acker, 527 U.S. 423, 431, 119 S.Ct. 2069, 144 L.Ed.2d 408 (1999). Sandhills argued that, as "an officer, or a person acting under a federal officer" as a Public Health Service ("PHS") employee, it had a right to remove the case pursuant to § 1442(a)(1). J.A. 9.
And finally, Sandhills argued that federal question jurisdiction existed pursuant to 42 U.S.C. § 1331 because the substance of Appellant's action hinges on § 233(a).
Sandhills also requested that the district court substitute the United States for Sandhills as the defendant pursuant to § 233(a). Agyin v. Razmzan, 986 F.3d 168, 184 (2d Cir. 2021) (citing 42 U.S.C. § 233(a)) (stating that a defendant "is entitled to immunity from suit and to substitution of the United States as the defendant if this suit concerns actions [a federal employee] took within the scope of his employment as a deemed federal employee").
Pursuant to § 233(1)(2), the case was automatically stayed until the district court could resolve the removal issue. And the district court ordered Sandhills to file a motion to substitute the United States and to "confer with government counsel regarding whether Sandhills is entitled to immunity from suit and to substitution of the United States as the defendant." J.A. 4. Sandhills filed the motion to substitute, arguing that it should be immune from suit and the United States must be substituted for it as the defendant pursuant to 42 U.S.C. § 233(a). Thereafter, the United States filed a statement of interest expressing its position that Sandhills was not entitled to immunity because collecting and storing its patients' PII was not inextricably woven into the performance of medical, surgical, or dental functions such that Sandhills' data security should qualify as a "related" function within the meaning of § 233(a). The district court held a hearing on the motion, at which Sandhills, the United States, and Appellant were all heard.
Ultimately, the district court concluded that Sandhills was entitled to remove the case to federal court and to immunity and substitution of the United States. The district court reasoned that because Sandhills required Appellant to provide her PII as a condition of being a patient and receiving medical services, the breach of its systems containing such information arose out of Sandhills' performance of medical or "related functions" within the meaning of § 233(a). And the district court supported this conclusion by pointing to Sandhills' "statutory requirement of confidentiality," which the district court believed was "inextricably woven" into Sandhills' provision of health care such that it amounts to a "related" function. J.A. 267.
Once substituted as the defendant, the United States filed a motion to dismiss for lack of subject matter jurisdiction asserting that Appellant had failed to exhaust her administrative remedies with Health and Human Services before filing suit as required by the FTCA. Appellant conceded that she had not exhausted her administrative remedies, but she maintained that § 233(a) did not shield Sandhills from suit as the storage of her PII with a third party vendor was not a not a "medical, surgical, dental, or related function[ ]." Therefore, in Appellant's view, substituting the United States was improper as the claims did not fall within the purview of § 233(a) and therefore the FTCA did not apply. And if the FTCA did not apply, then Appellant was not required to exhaust her administrative remedies prior to suit.
The district court, finding no grounds to overturn its prior decision, granted the motion to dismiss for lack of subject matter jurisdiction. This appeal followed.
On appeal, Appellant argues that Sandhills' data storage practice, including the maintenance of her PII, is too removed from the provision of health care to amount to a "related" function such that Sandhills cannot receive § 233(a) immunity and, therefore, the case should not be treated as one brought pursuant to the FTCA. We agree with Appellant.
II.
Because the application of § 233(a) is a question of law, we review de novo the district court's conclusion that § 233(a) shields Sandhills from suit, as well as the substitution of the United States. S.C. Wildlife Fed'n v. Limehouse, 549 F.3d 324, 332 (4th Cir. 2008) ("[T]he existence of sovereign immunity is a question of law that we review de novo." (alterations in original) (internal quotation marks omitted)); Gutierrez de Martinez v. Drug Enf't Admin., 111 F.3d 1148, 1152 (4th Cir. 1997). And we also review de novo the district court's dismissal of Appellant's claims. Pledger v. Lynch, 5 F.4th 511, 517 (4th Cir. 2021).
III.
Whether Data Security Amounts to a "Related" Function Within the Purview of § 233(a)
A.
The Federally Supported Health Centers Assistance Act
Pursuant to the Federally Supported Health Centers Assistance Act ("FSHCAA"), private health centers that receive federal funds may be considered PHS employees if certain conditions are met. Friedenberg v. Lane Cnty., 68 F.4th 1113, 1118 (9th Cir. 2023) (citing 42 U.S.C. § 233(g)). Appellant does not challenge Sandhills' status as a PHS employee. If an entity receives PHS employee status, then § 233(a) provides the entity immunity from "damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions, including the conduct of clinical studies or investigation, by any commissioned officer or employee of the Public Health Service while acting within the scope of his office or employment." 42 U.S.C. § 233(a) (emphasis supplied).
If a claim is subject to § 233(a), then the claim is treated as one brought against the United States within the purview of the FTCA. Hui v. Castaneda, 559 U.S. 799, 802, 130 S.Ct. 1845, 176 L.Ed.2d 703 (2010) ("Section 233(a) makes the FTCA remedy against the United States exclusive of any other civil action or proceeding for any personal injury caused by a PHS officer or employee performing a medical or related function while acting within the scope of his office or employment." (internal quotation marks omitted)). If the FTCA applies, the United States is substituted as a defendant. See 42 U.S.C. § 233(a); Hui, 559 U.S. at 801-02, 130 S.Ct. 1845 ("When federal employees are sued for damages for harms caused in the course of their employment, the . . . FTCA . . . generally authorizes substitution of the United States as the defendant."); see also Agyin v. Razmzan, 986 F.3d 168, 184 (2d Cir. 2021) ("[A PHS employee] is entitled to immunity from suit and to substitution of the United States as the defendant if this suit concerns actions he took within the scope of his employment as a deemed federal employee.").
Thus, the FSHCAA "essentially makes the U.S. government the medical malpractice insurer for qualifying . . . health centers, their officers, employees, and contractors, allowing these 'deemed' health centers to forgo obtaining private malpractice insurance." Dedrick v. Youngblood, 200 F.3d 744, 745 (11th Cir. 2000). "This designation enables centers caring for underserved populations to spend their money on patient care rather than malpractice premiums." Chronis v. United States, 932 F.3d 544, 546 n.1 (7th Cir. 2019).
B.
Data Security Does Not Amount to a "Related" Function Within § 233(a)
We now turn to whether § 233(a) shields Sandhills from Appellant's suit, which arose out of Sandhills' allegedly negligent storage of her PII with a third party vendor. In this regard, the question we face is whether data security is a "medical, surgical, dental, or related function[ ]" that qualifies for § 233(a) immunity. In this instance, it is not.
1.
Based on the plain language of § 233(a) , data security is not a related function within the meaning of the statute
Clearly, the storage of patient PII is not in and of itself a medical, surgical, or dental function. Therefore, to fall within the purview of § 233(a), it must be a "related" function.
In assessing what may be a "related" function, we first look to the plain language of the statute. See Lynch v. Jackson, 853 F.3d 116, 121 (4th Cir. 2017) ("We start as we must with the plain language of the statute because when the statute's language is plain, the sole function of the courts—at least where the disposition required by the text is not absurd—is to enforce it according to its terms." (internal quotation marks omitted)).
Appellant contends that the plain language of the statute supports that a general term like "related functions" must be construed to embrace only the words that come before it -- medical, surgical, and dental. Appellant therefore argues that the collection and storage of PII does not amount to a "related" function of medical, surgical, or dental services where "[c]ollecting such information does not depend on a medical, surgical, or dental professional's skill, knowledge, or judgment." Appellant's Opening Br. at 17-18. In response, Sandhills argues that the word "related" must be broadly interpreted such that the statute covers "ancillary functions" to medical services. Sandhills Resp. at 15. We agree with Appellant that a more limited interpretation of "related functions" is proper.
We begin with the meaning of the words "related" and "function." Related is defined as "connected by relation," "having close harmonic connection." Webster's Seventh New Collegiate Dictionary 723 (1969), and "having mutual . . . connection," Oxford English Dictionary (compact ed. 1971). And "function" is defined not as any given activity, but as "the action for which one is particularly fitted or employed," Webster's, supra at 338, and "[t]he nature and proper action of anything; activity appropriate to any business or profession," Black's Law Dictionary (4th ed. 1968). Thus, a "related function[ ]" is an activity particularly fitted to whatever is connected to whatever proceeds the phrase. In other words, its meaning depends on the words that come before it.
Because § 233(a) was originally added to the PHS Act in 1970, see PL 91-623, 84 Stat. 1868 (1970), we employ definitions from that time to interpret Congress' intent. Wisc. Cent. Ltd. v. United States, 585 U.S. 274, 277, 138 S.Ct. 2067, 201 L.Ed.2d 490 (2018) ("[O]our job is to interpret the words consistent with their ordinary meaning . . . at the time Congress enacted the statute." (internal quotation marks omitted)).
Within § 233(a), the language "related functions" acts as a general catchall for specific functions -- "the performance of medical, surgical, [or] dental" functions. 42 U.S.C. § 233(a). "[W]here general words follow specific words in a statutory enumeration, the general words are construed to embrace only objects similar in nature to those objects enumerated by the preceding specific words." Cir. City Stores, Inc. v. Adams, 532 U.S. 105, 114-15, 121 S.Ct. 1302, 149 L.Ed.2d 234 (2001) (internal quotation marks omitted); see also Robinson v. Shell Oil Co., 519 U.S. 337, 341, 117 S.Ct. 843, 136 L.Ed.2d 808 (1997) ("The plainness or ambiguity of statutory language is determined by reference to the language itself, the specific context in which that language is used, and the broader context of the statute as a whole."). We therefore construe a general term like "related" as sharing the attributes of the specific words in the list. See Yates v. United States, 574 U.S. 528, 544, 135 S.Ct. 1074, 191 L.Ed.2d 64 (2015) (applying the principle of noscitur a sociis to limit "tangible object" to those items similar to "record" or "document" as opposed to the fish at issue in the investigation). As a matter of plain meaning, medical, surgical, and dental all fit into one category - they are adjectives that describe various fields of health care. Staying true to Congress' intent, we read a "related" function as fitting within that category, or in other words, a field of health care outside of medicine, surgery, or dentistry. See Wikimedia Found. v. Nat'l Sec. Agency, 14 F.4th 276, 297 (4th Cir. 2021) (applying noscitur a sociis as limiting the phrase "such other material" to the two preceding conditions in a list).
One might jump to the thought that surgery is merely a subset of medicine. And in some sense that is true. But this generalization misses the long-standing distinctions between medicine and surgery. Surgery involves bodily invasion while medicine is generally non-invasive. See Ankur Aggarwal, The Evolving Relationship Between Surgery and Medicine, 12 AMA J Ethics 119, 119 (2010) ("Medicine's two branches—the less invasive medical methods and the more invasive surgical methods—have been around since before the existence of written language. Surgery, however, was not viewed as belonging to the same sphere as medical treatments until relatively recently, and, even now, a sharp distinction exists between surgeons and other medical doctors. Analyzing the history of surgery can help explain the separation between medical and surgical treatments and why the two fields, although viewed quite differently, fit under the umbrella of medicine."); Connor T.A. Brenna & Sunit Das, Divides of Identity in Medicine and Surgery: A Review of the Duty-Hour Policy Preference, 57 Annals of Medicine and Surgery 1, 2 (2020) (noting the known and intuitive differences between Medicine and Surgery, including their historical origins); Fitzhugh Mullan, Big Doctoring in America 36 (2002) ("The philosophical difference between 'medicine' and 'surgery' is a time-honored one."); Dorland's Illustrated Medical Dictionary 785 (26th ed. 1985) (defining "medical" in part as "pertaining to medicine as opposed to surgery").
The words immediately following "related functions" also cabin its contextual meaning. The statute exemplifies "related functions" as "including the conduct of clinical studies or investigation." 42 U.S.C. § 233(a). This provides further support for the position that "related functions" explicitly encompasses only the provision of health care. Both the Supreme Court and this court have held that the word "including" "connotes simply an illustrative application of [a] general principle." United States v. Hawley, 919 F.3d 252, 256 (4th Cir. 2019) (quoting Fed. Land Bank of St. Paul v. Bismarck Lumber Co., 314 U.S. 95, 100, 62 S.Ct. 1, 86 L.Ed. 65 (1941)). Insofar as "related functions" include providing treatment or diagnoses in a clinical study, there is little support for the notion that data security, which is more akin to an administrative function, should be included within the meaning of § 233(a).
Defining § 233(a)'s scope to extend only to the provision of health care also makes sense because the subsection provides that the United States will be substituted as defendant solely for claims "for damage for personal injury, including death." Misfeasance in the provision of health care would most likely lead to personal injury or death. A wider definition of "related functions" may improperly broaden § 233(a) to encompass misfeasance that results in other types of damages, such as contract damages.
When employing the canons of construction and considering the plain meaning of the words in § 233(a), we discern no ambiguity in the phrase "related functions." As such, in order to trigger immunity, alleged damages giving rise to a lawsuit must arise from the provision of health care. See 42 U.S.C. § 233(a). As explained below, Appellant's alleged damages do not.
2.
Appellant's alleged damages did not occur because of the provision of health care
Appellant's claims arose when unknown bad actors hacked Sandhills' third party vendor's computer system and stole Appellant's PII at least a year after she had ended her treatment at Sandhills. Here, Appellant's PII was not released as a result of the provision of health care. Appellant's PII was not inappropriately divulged as a result of Sandhills providing health care to Appellant. In comparison, in Mele v. Hill Health Center, which Sandhills argues supports its position, the alleged injury arose when the patient's sensitive information was "improperly disclosed" to another provider at the direction of a medical professional in relation to the patient's treatment. See 2008 WL 160226, at *3 (D. Conn. Jan. 8, 2008). The plaintiff's injury in Mele, unlike Appellant's, "concern[ed] the medical functions of providing treatment." Id.
But here, the allegedly improper release of Appellant's PII did not occur because of Sandhills' performance of the provision of health care. Therefore, Appellant's damages did not arise from any action taken by Sandhills "in [its] capacity as a doctor responsible for, [or] in the course of rendering medical treatment for" Appellant. See Cuoco v. Moritsugu, 222 F.3d 99, 109 (2d Cir. 2000) (applying § 233(a) immunity to constitutional violation claim arising out of denial of gender affirming care for pre-trial detainee). This is especially true in this case where, at the time of the unexpected cyberattack, Appellant was no longer receiving any treatment at Sandhills and had not been a Sandhills patient for at least a year.
Nonetheless, Sandhills argues that its storage and maintenance of Appellant's PII was "related" to her health care treatment because Appellant was required to provide this information in order to receive treatment from Sandhills. Sandhills' interpretation misses the mark. Sandhills is shielded only from those damages that arise from its performance of "related functions" within the meaning of § 233(a). Data protection is not an activity the medical field in which Sandhills operates is "particularly fitted to" execute, nor is any "related" field of health care. Webster's, supra at 338. This is highlighted by the fact that Appellant alleges that Sandhills retains the relevant data "even after the [patient] relationship ends." J.A. 30 (emphasis added). Therefore, the fact that Appellant was required to provide her billing information prior to receiving treatment cannot shield Sandhills when the injury did not occur because of any provision of health care.
There is no limiting principle to Sandhills' position. If § 233(a) applied to any action that a patient must take in order to receive health care, it would shield Sandhills from any and all claims despite their lack of relation to their treatment. Consider a scenario where, in anticipation of receiving health care, Appellant provided her PII and billing information to Sandhills but never showed up for her appointment. In that instance, Appellant would have suffered the same injury she alleges here from the data breach without ever even receiving treatment. Similarly, Appellant's alleged injury could have resulted from a data breach at a host of businesses to which she likely discloses her PII, none of which are involved in the provision of health care, including an employer, an entity involved in a banking, financial, or real estate transaction, or an insurance company. In sum, the focus is on the function that caused the injury, and, here, Appellant was not injured by any health care provided by Sandhills.
3.
Sandhills' statutory duty to maintain patient confidentiality cannot override § 233(a)'s mandate that alleged damages arise during the performance of a medical or "related" function
Sandhills also argues that based on its statutory and ethical duty to maintain the confidentiality of patient information, it should be accorded immunity pursuant to § 233(a). Sandhills relies on its statutory duty pursuant to the FSHCAA to "have an ongoing quality improvement system . . . that maintains the confidentiality of patient records" to argue that its patient record systems should qualify as "related functions." See 42 U.S.C. § 254b(k)(3)(C). Sandhills posits that because it must show that it maintains these systems in order to receive grant money, then data security is included in the provision of health care.
But the requirements to receive federal grant money on which Sandhills relies are separate and apart from § 233(a) immunity. In fact, a health center that qualifies to receive federal grant money need not even apply to be considered a PHS employee. See 42 U.S.C. § 233(g)(1)(D) (the Secretary may not "deem an entity . . . to be an employee of the Public Health Service for purposes of this section, . . . unless the entity has submitted an application"); id. § 233(g)(1)(G)(ii) (allowing federal grant recipients "that ha[ve] not submitted an application . . . to purchase medical malpractice liability insurance coverage with Federal funds"). And as previously discussed, without PHS employee status, § 233(a) does not apply. Of note, there is no mention of data security or systems in § 233. Therefore, Sandhills' argument that Congress intended data security to be a "related" function lacks credence.
Nor does Sandhills' duty to keep patient information confidential mean that Appellant's claims arose from a "medical, surgical, dental, or related functions." 42 U.S.C. § 233(a). Sandhills points to Krandle v. Refuah Health Center, Inc. to support its argument that its duty to protect patient information makes data security a "function . . . essential to the practice of medicine." See No. 22cv4977, 2024 WL 1075359, at *9 (S.D.N.Y. Mar. 12, 2024). Not only is Krandle not binding precedent on this court, but it fails to focus on whether the alleged damages arose as a result of the provision of health care to the injured party. See id. In the case of this data breach, they did not. Simply because Sandhills has a duty to keep Appellant's information confidential does not mean that the release of her PII resulted from Sandhills' provision of health care.
Similarly, Hale v. ARcare, Inc., also provided by Sandhills, is not binding on this court. See No. 3:22cv117, 2024 WL 1016361, at *3 (E.D. Ark. Mar. 8, 2024). But Hale's conclusion that damages arising from a data security breach do not "occur[ ] during the course of medical treatment within the context of the provider-patient relationship" more closely aligns with the language of § 233(a).
The same applies to Sandhills' maintenance of any medical billing codes. In her complaint, Appellant alleges that Sandhills failed to properly secure its billing codes which could reveal her medical diagnoses. But again, § 233(a) requires that cause of Appellant's injury be the provision of health care. And even so, the development and protection of the codes is not part of the provision of health care. Instead, medical coding is typically a by-product, separate and apart from the provision of health care, performed by coders who review documentation of a patient's visit to assign it the appropriate billing code. These are not categories within the provision of health care. Rather, they are administrative operations.
Again, to determine whether § 233(a) immunity applies, the focus is on the function -- not the duty. See Cuoco, 222 F.3d at 109 (emphasizing that it is the conduct, not the style of the claim, that determines whether § 233(a) immunity applies). Appellant does not allege that Sandhills provided deficient health care or improperly collected her information as a part of her treatment. Indeed, Appellant's alleged damages arose from a data security breach that occurred at least a year after she ceased being a patient at Sandhills. Because Appellant's injury did not arise from Sandhills' provision of health care, § 233(a) does not shield Sandhills from Appellant's claims. Id.
And because § 233(a) does not apply, the United States cannot be substituted for Sandhills as the defendant. Section 233(a) allows the United States to be substituted only if the action falls within the scope of immunity. Hui, 559 U.S. at 801, 130 S.Ct. 1845. Because § 233(a) does not apply, Appellant's claims cannot be treated as ones brought pursuant to the FTCA, and thus, the substitution of the United States for Sandhills was in error. It then necessarily follows that the district court erred when it required Appellant to have exhausted her administrative remedies pursuant to the FTCA in order to maintain her suit.
IV.
For these reasons, the district court's order applying immunity pursuant to § 233(a) and substituting the United States for Sandhills as the defendant is vacated. We remand for further proceedings consistent with this opinion.
VACATED AND REMANDED