By Jeffrey H. Brochin, J.D.
An Ohio common-law claim for disclosing private medical information is not preempted by HIPAA and its privacy rule; however, there are exceptions to liability.
The Supreme Court of Ohio has reversed an Appellate Court ruling that found in favor of a patient who counter-claimed a medical provider’s debt collection complaint by raising of confidentiality causes of action. Although Ohio continues to recognize a common-law cause of action by a medical patient for the unauthorized, unprivileged disclosure by a medical provider to a third party of the patient’s nonpublic medical information, there are exceptions to liability under a prior Ohio decision, Biddle v. Warren Gen. Hosp., when the disclosure of medical information is necessary to protect or further a countervailing interest in disclosure that outweighs the patient’s interest in confidentiality. Accordingly, a medical provider may disclose a limited amount of a patient’s medical information to further its efforts to collect unpaid bills from the patient for medical services (Menorah Park Center for Senior Living v. Rolston, December 15, 2020, Kennedy, J.).
Provider’s disclosure. On March 21, 2018 Menorah Park Center for Senior Living (Menorah Park), filed a small-claims complaint against a patient alleging she failed to pay a debt in the amount of $463.53 for therapy services. Attached to Menorah Park’s complaint were copies of two billing statements in accordance with Ohio’s Civ.R. 10(D)(1) which provides: "When any claim or defense is founded on an account or other written instrument, a copy of the account or written instrument must be attached to the pleading. If the account or written instrument is not attached, the reason for the omission must be stated in the pleading." The billing statements included a listing of various physical therapy treatments.
Counter-claim for confidentiality breach. The patient filed an answer and class action counterclaim against Menorah Park for breach of confidence for the disclosure to a third party of ‘nonpublic medical information that it learned within a physician-patient relationship.’ Menorah Park moved to dismiss the counterclaim arguing that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) allowed the disclosure of protected health information for the purpose of a medical provider’s obtaining payment for medical services, and that its actions had met the requirements under HIPAA. Furthermore, they argued that HIPAA does not allow for a private cause of action for HIPAA violations.
The trial court granted Menorah Park’s motion to dismiss the counter-claim, determining that the claim did not fall under the tort law claim established in Biddle and the patient could not sue on HIPAA grounds. However, the Appellate Court reversed, resulting in the instant appeal to the Ohio Supreme Court.
Protections and exceptions in Biddle. The Supreme Court directed the parties to brief the issue of: "Should this court overturn or modify the holding in Biddle in light of the enactment of HIPAA and the subsequent promulgation of the HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164?"
In Biddle, the court recognized an independent tort for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information obtained via the physician-patient relationship. However, although the court recognized that specific cause of action, the court added that there were exceptions to liability for disclosure, and that the duty to maintain confidentiality recognized in Biddle was not absolute: there are instances where privilege exists for a medical provider to disclose medical information such as when statutes require the reporting of diseases that are infectious, contagious, or dangerous to public health, or because of medical conditions that are indicative of child abuse or neglect, or injuries that are indicative of criminal conduct. The court did not limit disclosure privilege to the cited examples.
Privacy protection under HIPAA. When Congress enacted HIPAA in 1996, it further directed HHS to issue regulations protecting the privacy of individually identifiable health information. Less than two months after the court’s decision in Biddle, HHS issued a privacy rule regulating the uses and disclosures of protected health information, and after modifications, a final rule went into effect in December of 2000.
However, in certain instances, the HIPAA Privacy Rule allows covered entities to use and disclose protected health information without first obtaining authorization from the patient, including "for treatment, payment, or health care operations." But when protected health information is used for such purposes, the HIPAA Privacy Rule limits the use or disclosure of the information to the minimum amount necessary to achieve the purpose of the use.
Weighing Biddle against HIPAA. Although HIPAA provides for the sanctioning of covered entities that violate the Privacy Rule, HIPAA creates no private cause of action for a violation of its rules or regulations, and therefore, the court was tasked with determining whether HIPAA precludes a patient from bringing a state-law cause of action for a breach of confidentiality.
The court answered that question by concluding that Ohio continues to recognize a common-law cause of action by a medical patient for the unauthorized, unprivileged disclosure by a medical provider to a third party of the patient’s nonpublic medical information, and that a claim under their decision in Biddle is not preempted by HIPAA or its privacy rule. However, there are exceptions to liability under Biddle when the disclosure of medical information is necessary to protect or further a countervailing interest in disclosure that outweighs the patient’s interest in confidentiality. After balancing the interests reflected in HIPAA, the court concluded that a medical provider may disclose a limited amount of a patient’s medical information to further its efforts to collect unpaid bills from the patient for medical services, and the exception exists when the provider makes a reasonable effort to limit the disclosure of a patient’s medical information to the minimum amount necessary to file a successful complaint for the recovery of past-due charges for medical services.
Minimum disclosure defined. A medical provider discloses the minimum amount of medical information necessary to file a claim for unpaid medical bills when the provider attaches to its complaint, pursuant to Ohio Civ.R. 10(D), medical bills that disclose the medical provider’s name and address, the patient’s name and address, the dates on which services were provided, billing or procedure codes, a description of the general category of services provided, and the amounts charged, paid, and due. Because Menorah Park complied with the minimum disclosure, the Supreme Court reversed and remanded the decision of the Appellate Court.
The case is No.: 2020-Ohio-6658.
Attorneys: Bret C. Perry (Bonessi Switzer Polito & Hupp Co. L.P.A.) for Menorah Park Center for Senior Living. Andrew S. Goldwasser (Ciano & Goldwasser, L.L.P.) for Irene Rolston.
Companies: Menorah Park Center for Senior Living
MainStory: TopStory CaseDecisions ConfidentialityNews HIPAANews OhioNews
Interested in submitting an article?
Submit your information to us today!Learn More
Health Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on health legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.