DHHS Moves to Dismiss AAPS Suit

On August 30, 2001, the Association of American Physicians and Surgeons (AAPS), Rep. Ron Paul (R-TX), and three individual "patients" filed a civil suit against DHHS, alleging that the Privacy Rule violates the Fourth and First Amendments. Three months later, the Department of Justice, on behalf of DHHS, moved the Court to dismiss each of the plaintiffs' five causes of action, arguing:

1. First, the Court lacks jurisdiction over plaintiffs' constitutional claims. Like nearly all pre-enforcement, facial attacks under the Fourth Amendment, plaintiffs' claim is unripe. Because plaintiffs have not yet suffered any injury, plaintiffs also lack standing. Enforcement of the Privacy Rule is, at a minimum, more than a year away. Plaintiffs' claims may change or be mooted by events that occur prior to that time. The Department has already issued extensive policy guidance on the practical application of the Privacy Rule, and is likely to issue additional guidance before the 2003 compliance date. The Secretary has also committed to modifying the Rule to facilitate compliance.
   
   Plaintiffs' Fourth Amendment claim is also entirely speculative because, even if the current enforcement scheme remains the same, the chances are remote that plaintiffs in this case will ever be affected. For plaintiffs to sustain injury, a succession of increasingly unlikely events must occur, and the possibility that any one of them may not occur as anticipated, or at all, renders their challenge premature and unripe.
   
   Plaintiffs' attempt to encompass permissive provisions of the Privacy Rule within the rubric of their Fourth Amendment claim also fails. These provisions merely permit disclosure to the government under certain conditions. In any event, the hypothetical nature of plaintiffs' claim is no less acute in the context of these provisions than in the enforcement setting. In any guise, plaintiffs' Fourth Amendment claim is unripe and should be dismissed.
   
   
2. Plaintiffs' second claim, under the First Amendment, is unripe for many of the same reasons. In addition, plaintiffs' claim of a "chilling effect" based on the mere existence of the Privacy Rule (with its provisions allegedly allowing the government unfettered access to health information), is legally insufficient to establish standing. The Supreme Court has long held that subjective allegations of "chill" must be accompanied by real injury in order to present a justiciable case or controversy. Moreover, in light of the extensive privacy protections afforded by the Privacy Rule, and the numerous disclosures to which medical information is already subject, the fear underlying plaintiffs' chill is not objectively reasonable.
   
   
3. Plaintiffs also lack standing to bring their third claim under the Tenth Amendment. The Supreme Court has held that, since the Tenth Amendment exists to protect states, only states may properly bring a claim under that amendment. In any event, it requires little analysis to conclude that the administration of health care, including its record keeping and business practices, is a commercial activity that substantially affects interstate commerce. As such, it falls comfortably within Congress' commerce clause authority.
   
   
4. Plaintiffs' fourth claim challenging the scope of the Privacy Rule fails because Congress did not limit the Agency's rulemaking authority to electronic transactions only. The Act simply requires that the Secretary promulgate regulations that "contain" standards with respect to the privacy of health information transmitted in connection with certain transactions. The Act defines "health information" to include any information, "whether oral or recorded in any form or media." Thus, the regulation of individually identifiable health information in any form (non-electronic as well as electronic), is not precluded by the terms of HIPAA.
   
   The Secretary's inclusion of non-electronic records within the regulatory scheme was reasonable and appropriate to effectuate the purpose of the Act. Protecting the confidentiality of medical information based only on how that information happens to be stored or transmitted would defeat the legislative intent. Congress, through HIPAA, sought to promote the computerization of medical information. A contrary result is achieved if, by reverting to paper, covered entities could circumvent parts of the statute and the regulations designed to protect the privacy of individuals. Congress was well informed of the rulemaking process and the Secretary's interpretation, and twice heard testimony on this very issue. That Congress did nothing to change the scope of the Privacy Rule adds further weight to the conclusion that the Secretary correctly implemented congressional will.
   
   
5. Finally, plaintiffs' procedural claim fails because the Secretary thoroughly and reasonably evaluated the impact of the Privacy Rule on small businesses in compliance with the Regulatory Flexibility Act. Moreover, plaintiffs cannot bring an action to strike the Privacy Rule under the Paperwork Reduction Act, since the sole remedy provided by that statute is the ability to raise non-compliance with the Act as a defense to an enforcement action. Since no enforcement of the Privacy Rule has occurred, such a claim is premature.
   
   Because plaintiffs' complaint in all respects fails to state a claim upon which relief can be granted, the lawsuit should be dismissed.

Read more about AAPS v. HHS on the HIPAA Privacy Regulations.