From Casetext: Smarter Legal Research

Menorah Park Ctr. for Senior Living v. Rolston

SUPREME COURT OF OHIO
Dec 15, 2020
2020 Ohio 6658 (Ohio 2020)

Opinion

No. 2019-0939

12-15-2020

MENORAH PARK CENTER FOR SENIOR LIVING, APPELLANT, v. ROLSTON, APPELLEE.

Bonessi Switzer Polito & Hupp Co., L.P.A., Bret C. Perry, Brian F. Lange, and Jay Clinton Rice, for appellant. Ciano & Goldwasser, L.L.P., Andrew S. Goldwasser, and Sarah E. Katz; Powers Friedman Linn, P.L.L., and Robert G. Friedman; and Paul W. Flowers Co., L.P.A., Paul W. Flowers, and Louis E. Grube, for appellee. Dinkler Law Office, L.L.C., Lynette Dinkler, and Carin Al-Hamdani, urging reversal for amicus curiae Ohio Association of Civil Trial Attorneys. Bricker & Eckler, L.L.P., Elizabeth A. Kastner, Victoria Flinn McCurdy, and Bryan M. Smeenk, urging reversal for amici curiae Ohio Hospital Association, Ohio State Medical Association, and Ohio Osteopathic Association. Tucker Ellis, L.L.P., Susan M. Audey, Raymond Krncevic, and Emily J. Johnson, urging reversal for amicus curiae Academy of Medicine of Cleveland & Northern Ohio.


NOTICE

This slip opinion is subject to formal revision before it is published in an advance sheet of the Ohio Official Reports. Readers are requested to promptly notify the Reporter of Decisions, Supreme Court of Ohio, 65 South Front Street, Columbus, Ohio 43215, of any typographical or other formal errors in the opinion, in order that corrections may be made before the opinion is published. [Until this opinion appears in the Ohio Official Reports advance sheets, it may be cited as Menorah Park Ctr. for Senior Living v. Rolston , Slip Opinion No. 2020-Ohio-6658.] Torts—Medical providers—Disclosure of patients' confidential health information—Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and HIPAA Privacy Rule—HIPAA does not preclude a claim for breach of physician-patient confidentiality when the limited disclosure of medical information was part of a court filing for the purpose of obtaining past-due payment on an account for medical services—There is an exception to liability when a medical provider makes a reasonable effort to limit the disclosure of the patient's medical information to the minimum amount necessary to file a successful complaint for the recovery of unpaid charges for medical services—Court of appeals' judgment reversed and cause remanded to trial court. APPEAL from the Court of Appeals for Cuyahoga County, No. 107615, 2019-Ohio-2114. KENNEDY, J.

{¶ 1} In this appeal from a judgment of the Eighth District Court of Appeals, we address the interplay between the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. No. 104-191, 110 Stat. 1936, the subsequent HIPAA Privacy Rule promulgated in 45 C.F.R. 160 and 164, and Ohio's common-law cause of action for the unauthorized, unprivileged disclosure by a medical provider to a third party of nonpublic medical information recognized by this court in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999). We hold that HIPAA does not preclude a claim under our decision in Biddle when the limited disclosure of medical information was part of a court filing for the purpose of obtaining a past-due payment on an account for medical services.

{¶ 2} However, we also hold that there is an exception to liability under our decision in Biddle when a medical provider makes a reasonable effort to limit the disclosure of the patient's medical information to the minimum amount necessary to file a successful complaint for the recovery of unpaid charges for medical services. We conclude that a provider of medical services acts reasonably to limit the release of health information to the minimum amount necessary to file a successful complaint for payment on a past-due account for medical services when the medical provider attaches to the complaint, pursuant to Civ.R. 10(D), medical bills that disclose the medical provider's name and address, the patient's name and address, the dates on which services were provided, billing or procedure codes, a description of the general category of services provided, and the amounts charged, paid, and due.

{¶ 3} Because the medical provider in this case limited its disclosure of information to the minimum amount necessary for it to assert a cause of action to recover from the patient payment for unpaid medical bills, the patient has failed to state a claim under our decision in Biddle. Therefore, we reverse the judgment of the court of appeals on that claim.

I. FACTUAL AND PROCEDURAL BACKGROUND

{¶ 4} Appellant, Menorah Park Center for Senior Living ("Menorah Park"), filed a small-claims complaint against appellee, Irene Rolston, in the Shaker Heights Municipal Court on March 21, 2018. Menorah Park alleged that Rolston had failed to pay a debt in the amount of $463.53 "for therapy services [that] were provided by Menorah Park" when Rolston "was at Menorah Park for rehabilitation." Attached to Menorah Park's complaint were copies of two billing statements. Civ.R. 10(D)(1) provides, "When any claim or defense is founded on an account or other written instrument, a copy of the account or written instrument must be attached to the pleading. If the account or written instrument is not attached, the reason for the omission must be stated in the pleading."

{¶ 5} The billing statements included a description of the medical services that Menorah Park had provided to Rolston, the dates on which the services were provided, medical-procedure codes, charges and credits, balances on Rolston's account, and the names and addresses of Menorah Park and Rolston. On the billing statements, the descriptions of the services provided to Rolston included "PT EVALUATION MOD COMPLEX," "PT-MANUAL THERAPY," "PT-PHYSICAL PERFORMANCE TE," and "PT THERAPEUTIC PROC-AQUATI[C]." (Capitalization sic.)

{¶ 6} Rolston successfully moved for the case to be transferred to the municipal court's regular docket and on May 1, 2018, she filed an answer and class-action counterclaim against Menorah Park for breach of confidence for the disclosure to a third party of "nonpublic medical information that it learned within a physician-patient relationship." Menorah Park moved to dismiss the counterclaim under Civ.R. 12(B)(6), arguing that HIPAA allows the disclosure of protected health information for the purpose of a medical provider's obtaining payment for medical services. Menorah Park argued that its actions had met the requirements under HIPAA and that even if it had failed to meet those requirements, HIPAA does not allow for a private cause of action for HIPAA violations.

{¶ 7} In responding to the motion to dismiss, Rolston countered that Menorah Park's disclosure of her medical information was not authorized under HIPAA, because HIPAA provides that when a medical provider seeks payment the provider is required to make reasonable efforts to limit the disclosure of information to the minimum amount necessary to obtain payment. Rolston also argued that HIPAA does not preclude a common-law claim under our decision in Biddle, in which this court recognized that "an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship," 86 Ohio St.3d 395, 715 N.E.2d 51, at paragraph one of the syllabus.

{¶ 8} The trial court granted Menorah Park's motion to dismiss Rolston's counterclaim, determining that "th[e] claim does not fall under the tort law claim established in Biddle * * * and the Defendant cannot sue on HIPAA grounds." In a nunc pro tunc entry, the trial court determined that its judgment dismissing Rolston's counterclaim was a final, appealable order and that there was no just cause for delay.

{¶ 9} The Eighth District reversed the trial court's judgment, holding that Rolston had not failed to state a claim upon which relief can be granted. Construing the allegations in Rolston's complaint in her favor, the court concluded that Rolston had a potential claim under Biddle and that HIPAA does not preempt such a state common-law claim. 2019-Ohio-2114, 137 N.E.3d 682, ¶ 23.

{¶ 10} This court accepted Menorah Park's jurisdictional appeal on two propositions of law:

1. The Health Insurance Portability & Accountability Act (HIPAA) preempts a common law claim brought under Biddle v. Warren Gen. Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), for disclosure of protected health information where the limited disclosure was for the purpose of obtaining payment on a past due account, which is an "authorized disclosure" under HIPAA regulations.

2. A claimant's reliance on a HIPAA regulation to determine whether the release of protected health information was "unauthorized" for the purpose of pursuing a common law claim under Biddle would allow private enforcement of HIPAA regulations, which is contrary to overwhelming legal authority that HIPAA does not provide a private right of action for improper disclosures of medical information but rather provides civil and criminal penalties which must be enforced by the Department of Health and Human Services.
(Emphasis sic.) See 157 Ohio St.3d 1427, 2019-Ohio-4003, 131 N.E.3d 977.

{¶ 11} After oral argument, this court sua sponte ordered the parties to brief the following issue:

Should this court overturn or modify the holding in Biddle v. Warren Gen. Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), in light of the enactment of Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. No. 104-191, 110
Stat. 1936, and the subsequent promulgation of the HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164?
See 159 Ohio St.3d 1405, 2020-Ohio-3206, 146 N.E.3d 582.

II. LAW AND ANALYSIS

A. Standard of Review

{¶ 12} This court applies a de novo standard of review to orders granting a Civ.R. 12(B)(6) motion to dismiss. Lunsford v. Sterilite of Ohio, L.L.C., ___ Ohio St.3d ___, 2020-Ohio-4193, ___ N.E.3d ___, ¶ 22. "In reviewing a motion to dismiss for failure to state a claim upon which relief can be granted, we accept as true all factual allegations in the complaint." Id., citing Mitchell v. Lawson Milk Co., 40 Ohio St.3d 190, 192, 532 N.E.2d 753 (1988). "A complaint should not be dismissed unless it appears 'beyond doubt from the complaint that the plaintiff can prove no set of facts entitling him to recovery.' " Id., quoting O'Brien v. Univ. Community Tenants Union, Inc., 42 Ohio St.2d 242, 327 N.E.2d 753 (1975), syllabus.

B. Biddle v. Warren Gen. Hosp.

{¶ 13} In Biddle, this court recognized an independent tort for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital obtained from a physician-patient relationship. 86 Ohio St.3d 395, 715 N.E.2d 51, at paragraph one of the syllabus. In Biddle, the hospital had given its patients' medical information to a law firm so that the firm could determine whether the hospital's patients who had unpaid medical bills could be eligible for Supplemental Security Income disability benefits, meaning that their unpaid medical bills could possibly be paid by the Social Security Administration. Id. at 395-396. The firm informed the hospital that in order to perform that service and screen the patients, it would be necessary for the hospital to provide four pieces of information: name, telephone number, age, and medical condition. Id. at 396. The firm then contacted the patients to inform them of their potential rights in regard to disability coverage. Id.

{¶ 14} The plaintiffs in Biddle were people whose hospital-registration forms had been provided to the law firm by the hospital without prior authorization. Id. They alleged several causes of action from that same factual root—mainly that the arrangement between the hospital and the law firm constituted a breach of physician-patient confidentiality—which included claims of invasion of privacy, intentional infliction of emotional distress, and negligence. Id. at 397. This court noted that it had long been the law in Ohio that a physician could be held liable for the unauthorized disclosure of medical information, but it also noted that courts in Ohio and elsewhere had failed to provide "a legal identity for an actionable breach of patient confidentiality." Id. at 400. This court recognized that in an effort to establish a civil remedy for such an evident wrongdoing, courts had shoehorned a breach-of-confidence theory of recovery into many traditional legal theories—e.g., invasion of privacy, defamation, implied breach of contract, intentional and negligent infliction of emotional distress, implied private statutory causes of action, breach of trust, detrimental reliance, negligence, and medical malpractice—all of which are ill-suited for the purpose of addressing a breach-of-confidence situation. Id. But this court noted the movement by some courts toward recognizing that an action for breach of confidence should "stand in its own right," and that "increasingly courts have begun to adopt it as an independent tort in their respective jurisdictions." Id. This court therefore decided in Biddle to recognize an independent tort "for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship." Id. at 401.

{¶ 15} Although we recognized that specific cause of action, this court was quick to add that there are exceptions to liability for disclosure. As we pointed out in Roe v. Planned Parenthood Southwest Ohio Region, 122 Ohio St.3d 399, 2009-Ohio-2973, 912 N.E.2d 61, ¶ 47-48,

Biddle * * * addressed liability for unauthorized disclosure and stressed the utmost importance of the patient's right to confidentiality of medical communications. * * * However, paragraph two of the syllabus in Biddle addressed the defenses to the tort of unauthorized disclosure of confidential medical information—i.e., the circumstances under which a physician or hospital may release confidential medical records in the absence of a waiver without incurring tort liability.
(Emphasis sic.)

{¶ 16} We have therefore explained that the duty to maintain confidentiality recognized in Biddle is not absolute and that in some instances the privilege exists for a medical provider to disclose medical information. In Biddle, this court identified particular instances in which the disclosure of confidential medical information is privileged, because statutes require the reporting of diseases that are infectious, contagious, or dangerous to public health, R.C. 3701.24, 3701.52, and 3707.06, medical conditions that are indicative of child abuse or neglect, R.C. 2151.421, and injuries that are indicative of criminal conduct, R.C. 2921.22. Biddle, 86 Ohio St.3d at 401-402, 715 N.E.2d 51.

{¶ 17} Still, this court in Biddle did not limit the privilege to disclose medical information to instances when a physician or hospital has a statutory duty to disclose; "the privilege to disclose is not necessarily coextensive with a duty to disclose." Id. at 402. A breach of confidentiality is actionable " 'only if it is wrongful, that is to say, without justification or excuse.' " Id., quoting MacDonald v. Clinger, 446 N.Y.S.2d 801, 805, 84 A.D.2d 482 (1982). The duty of confidentiality must yield in appropriate circumstances when there is a countervailing public interest. Id. "[S]pecial situations may exist where the interest of the public, the patient, the physician, or a third person are of sufficient importance to justify the creation of a conditional or qualified privilege to disclose in the absence of any statutory mandate or common-law duty." Id. Therefore, we held:

In the absence of prior authorization, a physician or hospital is privileged to disclose otherwise confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common-law duty, or where disclosure is necessary to protect or further a countervailing interest which outweighs the patient's interest in confidentiality.
Id. at paragraph two of the syllabus.

{¶ 18} Whether the ability of medical providers to disclose confidential information when seeking payment through legal action is a "countervailing interest which outweighs the patient's interest in confidentiality," id., and is therefore an exception to a Biddle claim, is the focus of this case. But first we must address whether HIPAA regulations, which were enacted after our decision in Biddle, preempt all common-law claims under Biddle.

C. HIPAA

{¶ 19} HIPAA has several purposes, including making improvements to the portability and continuity of health-insurance coverage, combatting healthcare fraud and healthcare abuse, and simplifying the administration of health insurance. Tovino, A Timely Right to Privacy, 104 Iowa L.Rev. 1361, 1367 (2019). HIPAA established patient-privacy protection—it stated that if Congress failed to enact comprehensive privacy legislation within three years of HIPAA's enactment in 1996, the United States Department of Health and Human Services ("HHS") would be required to issue regulations protecting the privacy of individually identifiable health information. Id. at 1368. Less than two months after this court's decision in Biddle, HHS issued a proposed privacy rule on November 3, 1999, regulating the uses and disclosures of protected health information. See id. After modifications, a final rule went into effect in December of 2000. Id. Further changes were made to the rule in 2002, id., and again in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. 17932, 17933, 17934, 17935, and 17939, and HHS implemented more rules in 2013, id. at 1369. "[T]he HIPAA Privacy Rule strives to balance the interest of individuals in maintaining the confidentiality of their health information with the interests of society in obtaining, using, and disclosing health information to carry out a variety of public and private activities." Id.

{¶ 20} The HIPAA Privacy Rule provides to patients certain rights regarding their protected health information. They have a right to receive a notice of privacy practices, a right to request additional privacy protections, a right to access their protected health information, a right to request an amendment of that protected health information, and a right to receive accounting disclosures regarding their protected health information. Id. at 1371. The Privacy Rule includes use and disclosure requirements that apply to "covered entities," which include health plans, healthcare clearinghouses, and "health care provider[s] who transmit[] any health information in electronic form in connection with [standard] transaction[s]." 45 C.F.R. 160.103. The requirements also apply to "business associates" of the covered entities. 42 U.S.C. 17934. Business associates are associates outside the workforce of the covered entity that provide legal, actuarial, consulting, and other services to the covered entity. 45 C.F.R. 160.103.

{¶ 21} The authorization required to disclose or use a patient's protected health information depends on the nature of the use. For some purposes, such as including a patient in a directory of individuals in a facility, the covered entity must inform the patient in advance and give the patient the opportunity to agree to or prohibit or restrict that disclosure. C.F.R. 164.510. In other instances, such as those involving the sale of medical information, a signed authorization is required. C.F.R. 164.508.

{¶ 22} But in certain instances, the HIPAA Privacy Rule allows covered entities to use and disclose protected health information without first obtaining authorization from the patient. Pursuant to C.F.R. 164.502(a)(1)(ii), a covered entity is permitted to use or disclose protected health information "[f]or treatment, payment, or health care operations * * *." (Emphasis added.) But regarding the use of protected health information for such purposes, the HIPAA Privacy Rule limits the use or disclosure of the information to the minimum amount necessary to achieve the purpose of the use:

Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
45 C.F.R. 164.502(b)(1).

{¶ 23} "The remedies available to patients who believe their privacy and security rights have been violated are limited. Under current law, no private right of action exists for patients and insureds whose rights under the HIPAA Rules have been violated." Tovino at 1372; see also Boddie v. Van Steyn, 10th Dist. Franklin No. 13AP-623, 2014-Ohio-1069, ¶ 18 (collecting cases determining there is no private cause of action under Ohio law for HIPAA violations); Hill v. Smoot, 308 F.Supp.3d 14, 23 (D.D.C.2018) (" 'Every district court that has considered this issue is in agreement that the statute does not support a private right of action' "), quoting Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006).

{¶ 24} There are other avenues for redress that patients who believe that their privacy and security rights have been violated may take. They can file a complaint with the covered entity itself under 45 C.F.R. 164.530(d)(1), which allows the covered entity to impose sanctions on members of its workforce, 45 C.F.R. 164.530(e)(1). An aggrieved person can file a complaint with the secretary of HHS. 45 C.F.R. 160.306(a). HHS can impose a civil money penalty—ranging from $100 to $50,000 per violation, with maximum penalties of $25,000 or $1,500,000 per calendar year, 42 U.S.C. 1320d-5(a)(3)—or it can refer the case to the United States Department of Justice for criminal prosecution, Tovino at 1373; 42 U.S.C. 1320d-6(b). 42 U.S.C. 1320d-5(d) authorizes a state's attorney general to bring a civil action on behalf of residents of the state for violations of the HIPAA Privacy Rule. The state's attorney general can attempt to enjoin further violations by the covered entity or sue for damages for up to $100 per violation, not to exceed $25,000 in a calendar year. Id.

{¶ 25} Although HIPAA provides for the sanctioning of covered entities that violate the Privacy Rule, HIPAA creates no private cause of action for a violation of its rules or regulations. We must next determine whether HIPAA precludes a patient from bringing a state-law cause of action for a breach of confidentiality.

D. The relationship between HIPAA and state law

{¶ 26} In English v. Gen. Elec. Co., 496 U.S. 72, 78-79, 110 S.Ct. 2270 (1990), the United States Supreme Court described three ways by which federal law can preempt state law under the Supremacy Clause. Those include when (1) Congress expressly preempts state law (express preemption), (2) Congress has occupied the entire field (field preemption), and (3) there is an actual conflict between federal and state law (conflict preemption). In the HIPAA statutory and regulatory scheme, Congress has demonstrated no intention to occupy the entire field of medical privacy; instead, the HIPAA-related statutes and rules provide that federal law preempts state law when there is an actual conflict between the laws, and even that preemption is subject to significant exceptions.

{¶ 27} 42 U.S.C. 1320d-7(a)(1) states that HIPAA "shall supersede any contrary provision of State law." The HIPAA regulations echo that statement: "A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law." 45 C.F.R. 160.203. State law is contrary to HIPAA when (1) it is "impossible to comply with both the State and Federal requirements" or (2) "[s]tate law stands as an obstacle to the accomplishment and execution" of the act. 45 C.F.R. 160.202. 45 C.F.R. 160.202 defines a state law to "mean[] a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law." (Emphasis added.) HIPAA does not prevail over a state law in every situation in which there is a conflict between HIPAA and the state law. One exception to that general rule is when "[t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [HIPAA]." 45 C.F.R. 160.203(b). The regulations define what is meant by "more stringent":

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use
or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or

(ii) To the individual who is the subject of the individually identifiable health information.

* * *

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
45 C.F.R. 160.202.

{¶ 28} Therefore, even if HIPAA—a federal statute—created a safe harbor for a medical provider that releases certain protected patient information, that does not necessarily mean that such information can properly be released under state law; the patient may be protected to a greater degree by state law. If the state law is more stringent than the HIPAA regulation, the state law applies. See, e.g., Grove v. Northeast Ohio Nephrology Assoc., Inc., 164 Ohio App.3d 829, 2005-Ohio-6914, 844 N.E.2d 400, ¶ 22-23 (9th Dist.) (protection for patient's health information from discovery in a civil action is more stringent under Ohio law, R.C. 2317.02(B)(1), than under HIPAA). A HIPAA regulation preempts state law if there is a conflict between the HIPAA regulation and the state law and the state law is not more stringent than the HIPAA regulation. Further, if a state law is not more stringent in that regard, it is not preempted unless it is contrary to HIPAA—that is, unless the state law makes it "impossible to comply with both the State and Federal requirements" or stands as "an obstacle to the accomplishment and execution" of HIPAA. 45 C.F.R. 160.202.

E. HIPAA does not preempt a state-law claim under our decision in Biddle

{¶ 29} In Biddle, we recognized an independent tort for the "unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within the physician-patient-relationship." 86 Ohio St.3d 395, 715 N.E.2d 518, at paragraph one of the syllabus. Is Biddle contrary to HIPAA and therefore preempted by HIPAA? Menorah Park argues that if its disclosure of Rolston's nonpublic medical information to obtain payment of her debt is authorized by HIPAA and its regulations, then HIPAA preempts any common-law claim under our decision in Biddle. But that argument ignores HIPAA and its subsequent rules, which state that more stringent state laws regarding the disclosure of medical information prevail over HIPAA and its regulations.

{¶ 30} If our decision in Biddle were to mean that a covered entity is somehow permitted to release a patient's protected health information that it could not release under HIPAA, then HIPAA would preempt Biddle. But neither party makes that claim in this case. And our determination in Biddle that Ohio recognizes an independent cause of action for such disclosure is not contrary to HIPAA under HIPAA's own definition of the word "contrary": the existence of a state-law private cause of action does not make it impossible for a covered entity to comply with both state and federal privacy requirements and does not stand in the way of the accomplishment of the aims of HIPAA. Instead, "a Biddle claim enhances the protection of confidentiality of medical information." Sheldon v. Kettering Health Network, 2015-Ohio-3268, 40 N.E.3d 661, ¶ 25 (2d Dist.). In a situation in which state law provides a patient the potential personal recovery of damages, it is not impossible for the covered entity to comply with both HIPAA and the state law " 'because both laws, in complementary rather than contradictory fashion, discourage a person from wrongfully disclosing information from another person's health record.' " R.K. v. St. Mary's Med. Ctr., Inc., 229 W.Va. 712, 719, 735 S.E.2d 715 (2012), quoting Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 49 (Minn.Ct.App.2009). See also Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433, 459, 102 A.3d 32 (2014) ("The availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers' compliance with HIPAA"). Biddle and HIPAA share the same goal of protecting the privacy of personal medical information. Their remedies are different but they are not at odds with each other.

F. Exception under Biddle for complaints for bill collection

{¶ 31} Having determined that HIPAA does not preempt claims brought under Biddle, we next consider whether one of the nondisclosure exceptions recognized in Biddle applies to Menorah Park's disclosure in this case. This court has not addressed the issue of a medical provider's use of protected health information in the context of instituting a legal action for the payment of medical bills. In Biddle, this court established that there are exceptions to liability for the unauthorized release of medical information. We stated that "special situations may exist where the interest of the public, the patient, the physician, or a third person are of sufficient importance to justify the creation of a conditional or qualified privilege to disclose in the absence of any statutory mandate or common-law duty." Biddle at 402. We held in Biddle that a patient has no cause of action for a breach of confidentiality "where disclosure is made in accordance with a statutory mandate or common-law duty, or where disclosure is necessary to protect or further a countervailing interest which outweighs the patient's interest in confidentiality." Id. at paragraph two of the syllabus. Certainly, there is no statutory mandate or common-law duty that requires a medical provider to file a complaint in small-claims court to recover payment for unpaid medical bills. That is a voluntary act by the medical provider. However, the interest in receiving payment for medical services is a countervailing interest to the patient's interest in confidentiality. Is that interest enough to outweigh the patient's interest in confidentiality?

{¶ 32} We can look to HIPAA for guidance in determining how those competing interests should be weighed. HIPAA permits the use or disclosure of protected health information "for treatment, payment, or health care operations." (Emphasis added.) 45 C.F.R. 164.502(a)(1)(ii). Payment means "activities undertaken by" a healthcare provider "to obtain or provide reimbursement for the provision of health care." 45 C.F.R. 164.501. When using protected health information for such purposes, the HIPAA Privacy Rule limits the use or disclosure of the information to the minimum amount necessary to achieve the purpose of the use. Therefore, HIPAA recognizes that there is a balancing of interests between a medical provider and a patient vis-à-vis the provider's efforts to collect payment for medical services. The medical provider may disclose only the information necessary to recover payment. The HIPAA Privacy Rule is a reflection of the legitimate governmental and societal interests in allowing medical providers to pursue payment for the medical services they provide and acknowledges that the disclosure of some of a patient's medical information is a necessary part of that endeavor.

{¶ 33} R.C. 3798.04 echoes HIPAA's privilege for covered entities to use patient information to pursue payment for medical bills. That statute provides that a covered entity shall not "[u]se or disclose protected health information without an authorization * * * except when the use or disclosure is required or permitted without such authorization by Subchapter C of Subtitle A of Title 45 of the Code of Federal Regulation," which contains 45 C.F.R. 164.501 and 164.502.

{¶ 34} We determine that the acknowledgement in HIPAA and Ohio law that the privacy interest of the patient must at least partially give way to the interest of the medical provider in obtaining payment reflects the type of countervailing interest recognized in Biddle that gives the medical provider a qualified privilege to disclose patient information. As in the HIPAA regulations, that interest is narrowed such that the covered entity may disclose only the minimum amount of patient information necessary to meet the interest, i.e., to sufficiently plead the claim. A patient has a claim under Biddle if the doctor or hospital uses more than the minimum medical information necessary to sufficiently state a claim for recovery.

{¶ 35} Accordingly, we hold that doctors and hospitals have a qualified privilege to disclose patient information for the purpose of receiving payment for medical services. Therefore, a patient has no cause of action under Biddle when a medical provider discloses patient information in the minimum amount necessary to state a claim against the patient.

{¶ 36} As noted above, it is well-settled that a HIPAA violation does not create a private cause of action for the party whose information has been released. By referring to a HIPAA standard to inform our recognition of an exception under Biddle for the disclosure of patient information for the purpose of receiving payment for medical services, we have not created a private cause of action for a HIPAA violation. We have, instead, referred to HIPAA and Ohio law in limiting a common-law cause of action that recognizes an exception when disclosure is necessary to protect or further a countervailing interest that outweighs the patient's interest in confidentiality.

G. The complaint in this case falls under a Biddle exception

{¶ 37} When a healthcare provider uses protected health information to pursue the recovery of payment in court, it may release only as much information as is necessary to pursue its claim; otherwise a patient has a cause of action pursuant to Biddle for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has obtained within a physician-patient relationship. Civ.R. 10(D)(1) states that when a plaintiff files a claim founded on an unpaid account, the plaintiff must attach a copy of the account. Ohio courts have explained this requirement:

It is elementary that in an action on an account, a plaintiff must set forth an actual copy of the recorded account. * * * The records must show "the name of the party charged" and must include the following:

(1) a beginning balance (zero, or a sum that can qualify as an account stated, or some other provable sum);

(2) listed items, or an item, dated and identifiable by number or otherwise, representing charges, or debits, and credits; and

(3) summarization by means of a running or developing balance, or an arrangement of beginning balance and items which permits the calculation of the amount claimed to be due.
Arthur v. Parenteau, 102 Ohio App.3d 302, 304-305, 657 N.E.2d 284 (3d Dist.1995), quoting Brown v. Columbus Stamping & Mfg. Co., 9 Ohio App.2d 123, 126, 223 N.E.2d 373 (10th Dist.1967).

{¶ 38} Menorah Park attached to its complaint copies of its two most recent bills to Rolston. The bills contained no diagnosis or prognosis, no personal information other than Rolston's name and address, and no detailed medical records. They included no notes from therapists or doctors remarking on how Rolston responded to treatment and no indication of why she needed treatment in the first place. The bills referred to no body part or medical condition. The treatment reflected in the bills is described in general terms; the most detailed description indicates that Rolston received some aquatic therapy. The medical bills included the provider's name and address, Rolston's name and address, the dates on which services were provided, billing or procedure codes, a description of the general category of services provided, and the amounts charged, paid, and due. We conclude that Menorah Park made reasonable efforts to limit the release of health information to the minimum amount necessary to inform Rolston—and later, the court—of the nature of the debt owed, and did not disclose medical information unnecessary to collect payment in an action on the account.

{¶ 39} Therefore, we conclude that since Rolston's cause of action is based upon the medical information disclosed in Menorah Park's complaint, she has failed to state a claim upon which relief can be granted on her counterclaim. The court of appeals erred in reversing the trial court's judgment granting Menorah Park's motion to dismiss.

H. We need not overturn or modify Biddle in this case

{¶ 40} After oral argument, we instructed the parties to submit briefs addressing an issue that had not been considered in the lower courts—whether we should overrule or modify our decision in Biddle in this case. Given our holding in this case, Biddle remains good law and it continues to permit a cause of action for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information. Our opinion today helps to define what constitutes privileged disclosure under Biddle.

{¶ 41} Biddle was not wrongly decided nor was it revolutionary. As Justice Deborah L. Cook recognized in her separate opinion in Biddle, independent torts for the unauthorized disclosure of medical information and for the inducement thereof had been recognized more than 30 years earlier in Hammonds v. Aetna Cas. & Sur. Co., 243 F.Supp. 793 (N.D.Ohio 1965). Biddle, 86 Ohio St.3d at 409, 715 N.E.2d 518 (Cook, J., concurring in part and dissenting in part).

{¶ 42} Our decision in Biddle preceded the promulgation of the HIPAA Privacy Rule. HIPAA does not supplant the personal right to recovery that we recognized in Biddle. As discussed above, a Biddle claim is not preempted by HIPAA and is in fact complementary and shares goals in common with HIPAA.

{¶ 43} Subsequent to our decision in Biddle and the establishment of the HIPAA Privacy Rule, this court reiterated and extended its holding in Biddle. See Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 2008-Ohio-3343, 893 N.E.2d 153. In Hageman, we held that "[a]n attorney may be liable to an opposing party for the unauthorized disclosure of that party's medical information that was obtained through litigation." Id. at syllabus. We applied our holding in Biddle in the context of a divorce case in which a lawyer had given copies of the opposing party's medical records, including psychiatric records, to a prosecutor. Id. at ¶ 6. In that case, there was no direct involvement with a medical provider. The lead opinion in Hageman pointed out that "Biddle stressed the importance of upholding an individual's right to medical confidentiality beyond just the facts of that case." Id. at ¶ 13.

{¶ 44} Finally, the General Assembly has enacted medical-information-privacy legislation that largely follows HIPAA. R.C. 3798.02 states:

It is the intent of the general assembly in enacting this chapter to make the laws of this state governing the use and disclosure of protected health information by covered entities consistent with, but generally not more stringent than, the HIPAA privacy rule for the purpose of eliminating barriers to the adoption and use of electronic health records and health information exchanges. Therefore, it is also the general assembly's intent in enacting this chapter to supersede any judicial or administrative ruling issued in this state that is inconsistent with the provisions of this chapter.
"[I]t is long-settled constitutional law that it is within the power of the legislature to alter, revise, modify, or abolish the common law as it may determine necessary or advisable for the common good." Arbino v. Johnson & Johnson, 116 Ohio St.3d 468, 2007-Ohio-6948, 880 N.E.2d 420, ¶ 131 (Cupp, J., concurring). The General Assembly had the ability to abolish Biddle claims when it enacted Ohio's version of HIPAA. It did not. And there is no reason for us to overturn our decision in Biddle today.

III. CONCLUSION

{¶ 45} We continue to recognize a common-law cause of action by a medical patient for the unauthorized, unprivileged disclosure by a medical provider to a third party of the patient's nonpublic medical information. See Biddle, 86 Ohio St.3d 395, 715 N.E.2d 518. We hold that a claim under our decision in Biddle is not preempted by HIPAA and its subsequent privacy rule. However, there are exceptions to liability under Biddle when the disclosure of medical information is necessary to protect or further a countervailing interest in disclosure that outweighs the patient's interest in confidentiality. After balancing the interests reflected in HIPAA, we conclude that a medical provider may disclose a limited amount of a patient's medical information to further its efforts to collect unpaid bills from the patient for medical services. Under our decision in Biddle, an exception for such a disclosure exists when the medical provider makes a reasonable effort to limit the disclosure of a patient's medical information to the minimum amount necessary to file a successful complaint for the recovery of past-due charges for medical services. We conclude that a medical provider discloses the minimum amount of medical information necessary to file a successful claim for unpaid medical-service bills when the medical provider attaches to its complaint, pursuant to Civ.R. 10(D), medical bills that disclose the medical provider's name and address, the patient's name and address, the dates on which services were provided, billing or procedure codes, a description of the general category of services provided, and the amounts charged, paid, and due.

{¶ 46} Because Menorah Park limited its disclosure of Rolston's medical information in its complaint to the minimum amount necessary to assert a cause of action to recover payment from Rolston for her unpaid medical bills, Rolston has failed to state a claim for relief under Biddle. Therefore, we reverse the judgment of the Eighth District Court of Appeals on that issue and remand the cause to the Shaker Heights Municipal Court for further proceedings consistent with this opinion.

Judgment reversed and cause remanded.

FRENCH, J., concurs.

O'CONNOR, C.J., concurs in part and dissents in part, with an opinion joined by STEWART, J.

FISCHER, J., concurs in judgment only in part and dissents in part, with an opinion joined by DEWINE, J.

DONNELLY, J., concurs in part and dissents in part, with an opinion.

O'CONNOR, C.J., concurring in part and dissenting in part.

{¶ 47} I agree with the majority's conclusions in Parts II(E) and (H) of the above opinion. I also agree with the majority's conclusion in Part II(F) of that opinion that a medical provider that discloses patient information in a bill-collection action is not liable under our decision in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), if its disclosure is limited to the minimum amount of information necessary to obtain payment. I disagree, however, with the decision to address an additional issue, found in Part II(G) of that opinion. That part of the opinion applies the new minimum-necessary standard announced here to appellee Irene Rolston's class-action counterclaim and concludes that appellant, Menorah Park Center for Senior Living, made reasonable efforts to limit the release of Rolston's heath information and that the information disclosed does not reveal more than the minimum amount of information necessary to obtain payment.

{¶ 48} To start, I am at a loss for what "reasonable efforts" Menorah Park made to limit the disclosure of Rolston's information. Menorah Park simply attached an unredacted copy of Rolston's account statement to its complaint. Although Civ.R. 10(D)(1) states that a copy of an account that is the basis of an action must be attached to the pleading, the rule does not require the document to be in its original, unredacted form. Indeed, the rule even goes so far as to permit a complaint to be filed with no account statement or written instrument attached as long as there is an explanation for the omission in the pleading. Menorah Park undertook none of these efforts. Is that reasonable?

{¶ 49} Next, the opinion acknowledges that the trial court dismissed Rolston's counterclaim at the Civ.R. 12(B)(6) stage and that the minimum-necessary standard is a defense to a Biddle claim, not an element thereof. See Roe v. Planned Parenthood Southwest Ohio Region, 122 Ohio St.3d 399, 2009-Ohio-2973, 912 N.E.2d 61, ¶ 47-48, citing Biddle at paragraph two of the syllabus. Given this, the trial court should be given the first opportunity to consider Menorah Park's defense under the new minimum-necessary standard—including what information suffices as the minimum amount necessary and whether protections against disclosure such as redactions should be employed—at the appropriate point in the case, if raised.

{¶ 50} In light of the majority's conclusions in Parts II(E), (F), and (H) of the above opinion, this court should refrain from addressing the matters discussed in Part II(G) and instead remand the case for further proceedings consistent with the court's opinion. Because the conclusion in Part II(G) of the opinion leads it to reverse the judgment of the Eighth District Court of Appeals and to reinstate the trial court's judgment dismissing Rolston's counterclaim, I dissent in part.

STEWART, J., concurs in the foregoing opinion.

FISCHER, J., concurring in judgment only in part and dissenting in part.

{¶ 51} I agree that this court should reverse the judgment of the Eighth District Court of Appeals. Respectfully, however, I would reach that outcome by simply overruling this court's decision in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999).

{¶ 52} This court may overrule its precedent when (1) "changes in circumstances no longer justify continued adherence to the decision," (2) "the decision defies practical workability," and (3) "abandoning the precedent would not create an undue hardship for those who have relied upon it." Westfield Ins. Co. v. Galatis, 100 Ohio St.3d 216, 2003-Ohio-5849, 797 N.E.2d 1256, paragraph one of the syllabus. Because I think that our decision in Biddle meets all of these conditions, I would overrule it.

{¶ 53} First, the legal landscape today is drastically different than it was when Biddle was decided. In 1999, when this court issued its decision in Biddle, there was no uniform regulatory system governing the disclosure of medical information. As a result, that regulatory gap was often filled by the courts, which fashioned common-law causes of action for a medical provider's breach of confidence. See generally Alan B. Vickery, Breach of Confidence: An Emerging Tort, 82 Colum.L.Rev. 1426 (1982). Following Biddle, however, the United States Department of Health and Human Services, under its rulemaking authority derived from the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. No. 104-191, 110 Stat. 1936, promulgated the HIPAA Privacy Rule found in 45 C.F.R. 160 and 164 and established a system of comprehensive standards to protect an individual's medical and health information. Consequently, the problem that led to our decision in Biddle was largely solved.

{¶ 54} Next, at least comparatively, that legislative and regulatory solution is far more practical and workable than Biddle, which, with its vague generalities, e.g., "special situations" and "countervailing public interest[s]," 86 Ohio St.3d at 402, 715 N.E.2d 518, is unclear about what disclosures are authorized and what disclosures may result in liability for hospital systems and medical providers. Despite the court's thoroughness today, I suspect that Biddle will continue to defy practical workability because it will require a steady stream of cases like this one to properly define the contours of a claim and the scope of the duty (an event that those subject to liability under Biddle do not have the luxury of waiting around for).

{¶ 55} Finally, since a breach of confidence can still result in liability under the federal scheme, see 42 U.S.C. 1320d-5, overruling Biddle would not result in an undue hardship for the patients that our decision in Biddle sought to protect. Simply put, the conduct that Biddle intended to discourage would still be deterred under the legislative and regulatory scheme developed after Biddle and in effect today. Further, to the extent that it concludes that a private cause of action is necessary to protect patient confidentiality, the General Assembly is free to supplement the federal scheme by creating one. The beauty of such an approach, of course, is that it would allow Ohio's policymakers to provide a comprehensive set of rules from the outset and to decide whether such a cause of action should be broadly stated to provide recourse for a breach of the applicable federal- or state-disclosure standards, see Cal.Civ.Code 56.35, or narrowly stated to simply fill the gap left in HIPAA for noncovered entities, see Mont.Code Ann. 50-16-502 and 50-16-505.

{¶ 56} Accordingly, in this post-HIPAA Privacy Rule world, the protections provided in Biddle are no longer necessary or practical. Since no undue hardship would result from doing so, I think that this court should overrule that decision. Because this court does not do so on its way to reversing the Eighth District's judgment in this case, I respectfully concur in the judgment of the court only in part and dissent in part.

DEWINE, J., concurs in the foregoing opinion.

DONNELLY, J., concurring in part and dissenting in part.

{¶ 57} I agree with the vast bulk of the majority's conclusions, including its holding that there is an exception to liability under our decision in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), when a medical provider makes a reasonable effort to limit the disclosure of the patient's medical information to the minimum amount necessary to file a successful complaint for the recovery of unpaid charges for medical services.

{¶ 58} But I disagree with the conclusion in Part II(G) regarding the application of that holding in this case. Here, appellant, Menorah Park Center for Senior Living ("Menorah Park"), sought payment for services disclosed on the billing statements relating to physical-therapy services, including "PT EVALUATION MOD COMPLEX," "PT-MANUAL THERAPY," "PT-PHYSICAL PERFORMANCE TE," and "PT THERAPEUTIC PROC-AQUATI[C]." (Capitalization sic.) Although I recognize that this information is not particularly illuminating with respect to the underlying health conditions or treatment provided, neither is it the minimum amount of information that would allow Menorah Park to pursue its claim for payment. I believe an utterly generic phrase such as "services rendered" and the date the services were rendered would be the minimum amount necessary to file a successful complaint. That general disclosure could be supplemented following an in camera review as the need arises. The use of such a generic phrase would result in no health information, even an admittedly rather nondescript term such as "therapy," from being revealed to the public.

{¶ 59} In this case, Menorah Park revealed more than the minimum amount of medical information necessary to file a successful complaint. Accordingly, I concur in part and dissent in part.

Bonessi Switzer Polito & Hupp Co., L.P.A., Bret C. Perry, Brian F. Lange, and Jay Clinton Rice, for appellant.

Ciano & Goldwasser, L.L.P., Andrew S. Goldwasser, and Sarah E. Katz; Powers Friedman Linn, P.L.L., and Robert G. Friedman; and Paul W. Flowers Co., L.P.A., Paul W. Flowers, and Louis E. Grube, for appellee.

Dinkler Law Office, L.L.C., Lynette Dinkler, and Carin Al-Hamdani, urging reversal for amicus curiae Ohio Association of Civil Trial Attorneys.

Bricker & Eckler, L.L.P., Elizabeth A. Kastner, Victoria Flinn McCurdy, and Bryan M. Smeenk, urging reversal for amici curiae Ohio Hospital Association, Ohio State Medical Association, and Ohio Osteopathic Association.

Tucker Ellis, L.L.P., Susan M. Audey, Raymond Krncevic, and Emily J. Johnson, urging reversal for amicus curiae Academy of Medicine of Cleveland & Northern Ohio.


Summaries of

Menorah Park Ctr. for Senior Living v. Rolston

SUPREME COURT OF OHIO
Dec 15, 2020
2020 Ohio 6658 (Ohio 2020)
Case details for

Menorah Park Ctr. for Senior Living v. Rolston

Case Details

Full title:MENORAH PARK CENTER FOR SENIOR LIVING, APPELLANT, v. ROLSTON, APPELLEE.

Court:SUPREME COURT OF OHIO

Date published: Dec 15, 2020

Citations

2020 Ohio 6658 (Ohio 2020)
164 Ohio St. 3d 400
173 N.E.3d 432

Citing Cases

Loparo v. Univ. Hosps. Health Sys.

HIPAA's patient privacy rules attempt to balance the interests of individuals in maintaining the privacy of…

In re B.F.

{¶ 20} Regarding the Agency's HIPAA argument, this court observes that, in a plurality opinion, the Ohio…