South Carolina Medical Ass'n v. Thompson, 02-2001.

• Decision Date: 25 April 2003
• Docket Number: No. 02-2001.,02-2001.
• Citation: 327 F.3d 346
• Parties: SOUTH CAROLINA MEDICAL ASSOCIATION; Physicians Care Network; J. Capers Hiott, M.D.; John R. Ross, M.D.; Gordon E. Pennebaker, M.D.; Carol S. Nichols, M.D.; Dannette F. McAlhaney, M.D.; Herbert Moskow, M.D.; Louisiana State Medical Society, Plaintiffs-Appellants, v. Tommy G. THOMPSON, sued as Secretary of the U.S. Department of Health and Human Services; U.S. Department Of Health & Human Services, Defendants-Appellees.
• Court: U.S. Court of Appeals — Fourth Circuit

Page 346

327 F.3d 346

SOUTH CAROLINA MEDICAL ASSOCIATION; Physicians Care Network; J. Capers Hiott, M.D.; John R. Ross, M.D.; Gordon E. Pennebaker, M.D.; Carol S. Nichols, M.D.; Dannette F. McAlhaney, M.D.; Herbert Moskow, M.D.; Louisiana State Medical Society, Plaintiffs-Appellants, v. Tommy G. THOMPSON, sued as Secretary of the U.S. Department of Health and Human Services; U.S. Department Of Health & Human Services, Defendants-Appellees.

No. 02-2001.

United States Court of Appeals, Fourth Circuit.

Argued: January 23, 2003.

Decided: April 25, 2003.

ARGUED:

Terry Edward Richardson, Jr., Richardson, Patrick, Westbrook & Brickman, L.L.C., Barnwell, South Carolina, for Appellants. Alex Michael Azar, II, U.S. Department Of Health & Human Services, Washington, D.C., for Appellees.

ON BRIEF:

Daniel S. Haltiwanger, Richardson, Patrick, Westbrook & Brickman, L.L.C., Barnwell, South Carolina, for Appellants. Robert D. McCallum, Jr., Assistant Attorney General, J. Strom Thurmond, Jr., United States Attorney, Mark B. Stern, Charles W. Scarborough, Sambhav N. Sankar, Appellate Staff, Civil Division, United States Department of Justice, Washington, D.C., for Appellees.

Before WILKINS, Chief Judge, and TRAXLER and GREGORY, Circuit Judges.

Affirmed by published opinion. Judge TRAXLER wrote the opinion, in which Chief Judge WILKINS and Judge GREGORY joined.

OPINION

TRAXLER, Circuit Judge:

Appellants, South Carolina Medical Association, Physicians Care Network, and several individual doctors, filed suit seeking to have declared unconstitutional several provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. No. 104-191, 110 Stat. 1936 (1996). Because Congress laid out an intelligible principle in HIPAA to guide agency action, we reject appellants' claim that the statute impermissibly delegates the legislative function. We also conclude that regulations promulgated pursuant to HIPAA are not beyond the scope of the congressional grant of authority, and that neither the statute nor the regulations are impermissibly vague. Accordingly, we affirm.

I.

Recognizing the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems, Congress passed HIPAA in August 1996. HIPAA's Administrative Simplification provisions,¹ sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information in connection with such transactions. The preamble to the Administrative Simplification provisions clarifies this goal:

It is the purpose of this subtitle to improve the Medicare program ..., the medicaid program ..., and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.

HIPAA § 261, 110 Stat. 2021.

To this end, Congress instructed the United States Department of Health and Human Services ("HHS") to adopt uniform standards "to enable health information to be exchanged electronically." 42 U.S.C.A. § 1320d-2(a)(1). Congress directed HHS to adopt standards for unique identifiers to distinguish individuals, employers, health care plans, and health care providers across the nation, see 42 U.S.C.A. § 1320d-2(b)(1), as well as standards for transactions and data elements relating to health information, see 42 U.S.C.A. § 1320d-2(a), (c) & (f), the security of that information, see 42 U.S.C.A. § 1320d-2(d), and verification of electronic signatures, see 42 U.S.C.A. § 1320d-2(e).

Within the Administrative Simplification section, Congress included another provision — section 264 — outlining a two-step process to address the need to afford certain protections to the privacy of health information maintained under HIPAA. First, section 264(a) directed HHS to submit to Congress within twelve months of HIPAA's enactment "detailed recommendations on standards with respect to the privacy of individually identifiable health information." HIPAA § 264(a), 110 Stat. 2033. Second, if Congress did not enact further legislation pursuant to these recommendations within thirty-six months of the enactment of HIPAA, HHS was to promulgate final regulations containing such standards. Specifically, section 264(c)(1) provided:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).

HIPAA § 264(c)(1), 110 Stat.2033. The subjects Congress directed HHS to cover in promulgating privacy regulations included the following: "(1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required." HIPAA § 264(b), 110 Stat.2033. Through individual provisions of HIPAA, Congress outlined whom the regulations were to cover, see 42 U.S.C.A. § 1320d-1(a); what information was to be covered, see 42 U.S.C.A. § 1320d(6) (defining "individually identifiable health information"); what types of transactions were to be covered, see 42 U.S.C.A. § 1320d-2(a)(2); what penalties would accrue for violations of HIPAA, see 42 U.S.C.A. §§ 1320d-5, 1320d-6; and what time lines and standards would govern compliance with the Act, see 42 U.S.C.A. §§ 1320d-3, 1320d-4.

Finally, section 264(c)(2) provided that the privacy regulations promulgated by HHS "shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." HIPAA § 264(c)(2), 110 Stat.2033-34 (emphasis added).

Pursuant to Congress's mandate, HHS submitted recommendations for protecting the privacy of individually identifiable health information in September 1997. Several detailed and comprehensive medical privacy bills were thereafter introduced; however, Congress did not pass any additional legislation. For its part, HHS followed Congress's directive and drafted regulations that appeared in a November 1999 Notice of Proposed Rulemaking. The proposed regulations drew more than 50,000 comments from affected parties. After several further proposals and amendments were published, HHS promulgated final regulations in February 2001, collectively the "Privacy Rule." Although the effective date of the Privacy Rule was set for April 14, 2001, entities covered by the regulations were given until April 14, 2003, to comply, while some smaller entities were granted an additional year.

Appellants sought declaratory relief from provisions of HIPAA and the accompanying Privacy Rule promulgated by HHS. The district court dismissed the action and this appeal followed. Appellants argue that 1) HIPAA violates the non-delegation doctrine by authorizing HHS to promulgate the regulations at issue in the absence of an intelligible principle from Congress; 2) the Privacy Rule exceeds the scope of authority granted to HHS under HIPAA; and 3) HIPAA's non-preemption of "more stringent" state privacy laws is unconstitutionally vague, in violation of the Due Process Clause of the Fifth Amendment. We address each of these issues in turn.

II.

A.

The first issue is whether HIPAA violates the non-delegation doctrine. "In a delegation challenge, the constitutional question is whether the statute has delegated legislative power to [an] agency" of the executive branch. Whitman v. American Trucking Ass'ns, Inc., 531 U.S. 457, 472, 121 S.Ct. 903, 149 L.Ed.2d 1 (2001). The doctrine is "rooted in the principle of separation of powers that underlies our tripartite system of government." Mistretta v. United States, 488 U.S. 361, 371, 109 S.Ct. 647, 102 L.Ed.2d 714 (1989). The first lines of the Constitution set forth that "[a]ll legislative Powers herein granted shall be vested in a Congress of the United States." U.S. Const. art. I, § 1. Thus, from our nation's earliest days, "the integrity and maintenance of the system of government ordained by the Constitution [has] mandate[d] that Congress generally cannot delegate its legislative power to another Branch." Mistretta, 488 U.S. at 371-72, 109 S.Ct. 647 (citation omitted).

In tension with this constitutional directive is the practical requirement that Congress turn to the other branches of government for assistance in carrying out its general legislative policies: "[O]ur jurisprudence has been driven by a practical understanding that in our increasingly complex society, replete with ever changing and more technical problems, Congress simply cannot do its job absent an ability to delegate power under broad general directives." Id. at 372, 109 S.Ct. 647; see also American Power & Light Co. v. S.E.C., 329 U.S. 90, 105, 67 S.Ct. 133, 91 L.Ed. 103 (1946) (acknowledging that the "legislative process would frequently bog down if Congress were constitutionally required to appraise beforehand the myriad situations to which it wishes a particular policy to be applied and to formulate specific rules for each situation").

The Supreme Court has outlined an approach to determining the difference between prohibited delegation and necessary...