In an opinion announced on January 10, 2012, the Ohio Tenth District Court of Appeals, in Columbus, Ohio, held that a hospital’s use of a patient’s individually identifiable health information (PHI) for obtaining payment of a patient’s account was a valid use of PHI for payment purposes under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), and rejected the patient’s claim that disclosure of the patient’s PHI was a wrongful disclosure of medical information under Biddle v. Warren General Hospital, Ohio’s seminal case that established a personal injury tort for wrongful disclosure of confidential medical information.
In OhioHealth Corp. v. Ryan, No. 10AP-937, 2012-OH-60 (10th Dist. App., January 10, 2012), OhioHealth filed a legal action against Ryan, a former patient, to recover on an account for unpaid medical services. The defendant Ryan denied the allegations of the complaint and filed a counterclaim against OhioHealth alleging that OhioHealth created false PHI by claiming that Ryan was uninsured, and that OhioHealth engaged in unauthorized disclosure of said information to a third party. Ryan asserted that under Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395 (1999), OhioHealth disclosed, without authorization or privilege, nonpublic medical information of Ryan obtained in a confidential relationship. OhioHealth countered that, as a “covered entity” under HIPAA, its actions were governed by HIPAA’s privacy regulations that specifically authorize disclosure of PHI for purposes of obtaining payment for services, and which preempt contrary state laws (and that no exceptions to state law preemption applied). The trial court granted OhioHealth’s motion to dismiss the patient’s counterclaim on the basis that the disclosure of PHI at issue was indeed permitted under HIPAA and therefore constituted an authorized, privileged use of medical information under the Biddle case. After additional motions for summary judgment and dismissal, the trial court issued a judgment entry finding there were no genuine issues of material fact remaining for trial and held defendant Ryan liable on the unpaid account. Defendant Ryan appealed both the dismissal of the counterclaim, and the judgment entry on the unpaid account.
Appellate Court Finds Biddle Case Inapplicable to Privileged Use of PHI for Payment
The Ohio Tenth District Court of Appeals, in addressing defendant Ryan’s first assignment of error, found that (a) Biddle v. Warren Gen. Hosp. was distinguishable from the instant case because OhioHealth’s disclosure of Ryan’s account information was a protected or “privileged” disclosure, meaning it was legally permitted under HIPAA without obtaining the patient’s consent, and that (b) no private right of action exists under HIPAA, which is the dispositive authority in the case. First, assuming that the Biddle case did apply, the Court found the disclosure in the present case was authorized by HIPAA for payment purposes, thus rendering the disclosure by OhioHealth permissive and not wrongful or unauthorized under Biddle. Further, the disclosure involved account information, and not the entire medical records of the patient, as was the case in Biddle. Second, the Court reasoned that the federal HIPAA law generally preempts or supersedes state laws that are contrary to its requirements, unless such state laws impose requirements that are more stringent than HIPAA (citing 45 C.F.R. § 160.202(6) and § 160.203(b)). The Court found that defendant Ryan failed to cite any Ohio authority more stringent than HIPAA. Third, and significantly, the Court of Appeals recognized that, even if there was a wrongful disclosure under HIPAA, there is no private right of action under HIPAA, as recognized by several federal district courts in Ohio on prior occasions. Ryan was without ability to bring an action under HIPAA in court. Thus, given the privileged, authorized disclosure of information by OhioHealth under HIPAA, and absent any more stringent state law requirement, the defendant was unable to establish a claim that OhioHealth engaged in the tort of wrongful disclosure of nonpublic medical information obtained in a confidential relationship under Biddle v. Warren General Hospital. The Court of Appeals upheld the dismissal of the defendant’s counterclaim against OhioHealth, and upheld the trial court’s summary judgment in favor of OhioHealth on the patient’s past due account.
