May 10, 2011
IN THE MATTER OF MIGUEL M. (ANONYMOUS), &C., APPELLANT;
CHARLES BARRON, &C., RESPONDENT.
The opinion of the court was delivered by: Smith, J.:
This opinion is uncorrected and subject to revision before publication in the New York Reports.
We hold that the Privacy Rule adopted by the federal government pursuant to the Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of a patient's medical records to a State agency that requests them for use in a proceeding to compel the patient to accept mental health treatment, where the patient has neither authorized the disclosure nor received notice of the agency's request for the records.
Dr. Charles Barron, as designee of the New York City Department of Health and Mental Hygiene, applied for an order under Mental Hygiene Law § 9.60 requiring "assisted outpatient treatment" (AOT) for Miguel M. The petition alleged that Miguel was suffering from a mental illness; that he was unlikely to survive safely in the community without supervision; that he had a history of failing to comply with treatment; that he was unlikely to participate in necessary treatment voluntarily; and that he needed, and would benefit from, AOT to prevent a relapse or deterioration of his mental status, which would be likely to result in serious harm to Miguel or to others.
At the hearing on the petition, Barron offered in evidence records from two hospitals relating to three occasions on which Miguel was hospitalized. A witness called by Barron testified that the hospitals had furnished the records in response to a request -- a request made, it is clear from the record, without notice to Miguel. The witness acknowledged that Miguel had not authorized the release of the records, and that no court order for their disclosure had been sought or obtained.
The records were received in evidence over Miguel's objection, and Barron's witness described their contents. After the hearing, Supreme Court directed that Miguel "receive and accept assisted outpatient treatment" for a period of six months. The Appellate Division affirmed. We granted leave to appeal, and now reverse.
The six-month duration of Supreme Court's order expired before the Appellate Division decided this case, and the immediate controversy is therefore moot. Neither party challenges, however, the Appellate Division's conclusion that the case presents a novel and substantial issue that is likely to recur and likely to evade review, and that therefore the exception to the rule against deciding moot disputes applies here (see Matter of Hearst Corp. v Clyne, 50 NY2d 707, 714-715 ). We agree, and proceed to the merits.
Mental Hygiene Law § 9.60, known as "Kendra's Law," was enacted in 1999. It is named for Kendra Webdale, who was killed by a mentally ill man who pushed her off a subway platform. It says that, on a proper showing, a mentally ill person whose lack of compliance with treatment has, twice within the last 36 months, caused him or her to be hospitalized may be the subject of AOT pursuant to a plan stated in a court order (see Mental Hygiene Law § 9.60 [c], [j] ). Public officials identified as "directors of community services" are given the duty of enforcing Kendra's Law (Mental Hygiene Law § 9.47 [b]), and a petition to require AOT may be filed by a director of community services or his or her designee (Mental Hygiene Law § 9.60 [e]  [vii]).
Mental Hygiene Law § 33.13 (c) (12) permits disclosure of medical records to a director of community services who requests it in the exercise of his or her duties. Thus, the disclosure of a patient's medical records for purposes of an AOT proceeding is permitted by State law, unless the applicable State law is preempted. Miguel argues that it is.
Miguel says that preemption is found in HIPAA (Pub L No 104-191, 110 US Stat 1936, codified in various titles of the United States Code) and the Privacy Rule (45 CFR Titles 160 and 164) promulgated by the United States Department of Health and Human Services under authority granted by HIPAA § 264 (c) (1) (see note to 42 USC § 1320d-2). The Privacy Rule prohibits disclosure of an identifiable patient's health information without the patient's authorization, subject to certain exceptions (45 CFR § 164.508 [a] ). HIPAA § 264 (c) (2) (see note to 42 USC § 1320d-2) and the Privacy Rule (45 CFR § 160.203 [b]) say that contrary state laws are preempted unless they offer privacy protections that are "more stringent" than those of the federal law; New York does not offer any more stringent protection that is relevant here. The preemption issue thus comes down to whether the disclosure of Miguel's medical records was permitted by one of the exceptions to the Privacy Rule.
Barron relies on two exceptions, those permitting disclosure for purposes of "public health" and "treatment." It is possible to read the language of both exceptions as covering the disclosure now at issue, but in both cases the reading is strained. Considering the apparent purposes of these two exceptions, we conclude that neither fits these facts.
The public health exception permits disclosure of protected information to:
"A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions" (45 CFR § 164.512 [b]  [i]).
Barron reasons that disclosure of a mentally ill person's hospital records for purposes of requiring that person to accept AOT protects the public health, because mentally ill people might kill or injure other people -- like Kendra Webdale -- who, of course, are members of the public. Thus Barron, a person designated to enforce Kendra's Law, would be a "public health authority," collecting information for the "purpose of preventing . . . injury," and his action to require AOT in Miguel's case could be called a public health intervention. We are not convinced, however, that the authors of the Privacy Rule meant "public health" in this literal, but counterintuitive, sense.
The apparent purpose of the public health exception is to facilitate government activities that protect large numbers of people from epidemics, environmental hazards, and the like, or that advance public health by accumulating valuable statistical information. To disclose private information about particular people, for the purpose of preventing those people from harming themselves or others, effects a very substantial invasion of privacy without the sort of generalized public benefit that would come from, for example, tracing the course of an infectious disease. The disclosure to Barron of Miguel's hospital records was not within the scope of the public health exception.
The treatment exception permits disclosure of protected health information "for treatment activities of a health care provider" (45 CFR § 164.506 [c] ). "Treatment" is defined as:
"the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another" (45 CFR § 164.501).
Again, Barron's argument is literalistic: AOT -- assisted outpatient treatment -- is literally "treatment" -- "the provision . . . of health care . . . by one or more health care providers." But the thrust of the treatment exception is to facilitate the sharing of information among health care providers working together. We see no indication that the authors of the regulation meant to facilitate "treatment" administered by a volunteer "provider" over the patient's objection. Disclosure for that purpose is a more serious invasion of privacy than, for example, the transmission of medical records from a patient's primary care physician to a specialist -- the sort of activity for which the treatment exception seems primarily designed. The treatment exception is inapplicable here.
We find support for our conclusion that the two exceptions Barron relies on are inapposite in the existence of other exceptions that Barron might have invoked but did not. The Privacy Rule authorizes disclosure of health information, subject to certain conditions, "in the course of any judicial or administrative proceeding," in response to either "an order of a court or administrative tribunal" (45 CFR § 164.512 [e]  [i]) or "a subpoena, discovery request, or other lawful process" (45 CFR § 164.512 [e]  [ii]). Thus, Barron could have pursued Miguel's records either by seeking a court order or by serving a subpoena. To do so in compliance with the Privacy Rule, however, Barron would have had to give notice to Miguel of his request for the records. He could not, absent extraordinary circumstances, have obtained a court order requiring disclosure without giving such notice. And the Privacy Rule's exception for subpoenas and the like is conditioned on "satisfactory assurance" from the person seeking the information to the entity providing it either "that reasonable efforts have been made . . . to ensure that the individual who is the subject of the protected health information . . . has been given notice of the request" (45 CFR § 164.512 [e]  [ii] [A]), or that an order protecting the confidentiality of the information has been sought (45 CFR § 164.512 [e]  [ii] [B]). In a case, like this one, to which the patient is a party, a request for a protective order would require notice to the patient.
We can see no reason, and Barron has suggested none, why notice should not have been given here. It may well be, in this case as in many others, that no valid ground for withholding the records exists; courts ruling on disclosure issues will surely be conscious, as we are, of the strong public interest in seeing that mentally ill people who might otherwise be dangerous receive necessary treatment. But it seems only fair, and no great burden on the public agencies charged with enforcing Kendra's Law, to give patients a chance to object before the records are delivered.
We emphasize that it is far from our purpose to make the enforcement of Kendra's Law difficult. It may often be possible to avoid all disclosure problems by getting the patient to authorize the disclosure in advance; surely many mentally ill people will, while they are under proper care, recognize that disclosure is very much in their own interest. When there is no advance authorization, patients who are given notice that their records are being sought often may not object; when they do object, their objections may often be overruled. We hold only that unauthorized disclosure without notice is, under circumstances like those present here, inconsistent with the Privacy Rule.
Barron argues in the alternative that, even if the disclosure of the records to him was unlawful -- as we have held it was -- Supreme Court did not err by admitting the records into evidence at the AOT hearing. HIPAA, as Barron points out, contains its own remedies for violations: civil penalties (HIPAA § 262 [a], 42 USC § 1320d-5) and, for the knowing and wrongful disclosure of individually identifiable health information, fines and imprisonment (HIPAA § 262 [a], 42 USC § 1320d-6). Neither exclusion of the records from evidence nor suppression of evidence obtained by use of the records is among the remedies listed. Barron cites decisions from other states holding that evidence obtained as a result of a HIPAA violation need not be suppressed in a criminal case (State v Carter, 23 So 3d 798, 801 [Fla App 2009]; State v Yenzer, 40 Kan App 2d 710, 712-713, 195 P 3d 271, 272-273 ; State v Straehler, 307 Wis 2d 360, 745 NW 2d 431 [Wis App 2007]).
We assume it is correct that, in a criminal case, a HIPAA or Privacy Rule violation does not always require the suppression of evidence. Indeed, we have held that suppression is not required in such a case where evidence was obtained as a result of a violation of New York's physician-patient privilege (People v Greene, 9 NY3d 277 ). But this case is different. It is one thing to allow the use of evidence resulting from an improper disclosure of information in medical records to prove that a patient has committed a crime; it is another to use the records themselves, or their contents, in a proceeding to subject to unwanted medical treatment a patient who is not accused of any wrongdoing. Using the records in that way directly impairs, without adequate justification, the interest protected by HIPAA and the Privacy Rule: the interest in keeping one's own medical condition private. We therefore hold that medical records obtained in violation of HIPAA or the Privacy Rule, and the information contained in those records, are not admissible in a proceeding to compel AOT.
Accordingly, the order of the Appellate Division should be reversed, with costs, and the case remitted to Supreme Court for further proceedings in accordance with this opinion.
* * * * Order reversed, with costs, and matter remitted to Supreme Court, Queens County, for further proceedings in accordance with the opinion herein. Opinion by Judge Smith. Chief Judge Lippman and Judges Ciparick, Graffeo, Read, Pigott and Jones concur.
© 1992-2011 VersusLaw Inc.