View PDF Version

No. 03-114

In the Supreme Court of the United States

SOUTH CAROLINA MEDICAL ASSOCIATION, ET AL., PETITIONERS

v.

TOMMY G. THOMPSON, SECRETARY OF
HEALTH AND HUMAN SERVICES, ET AL.

ON PETITION FOR A WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT

BRIEF FOR THE RESPONDENTS IN OPPOSITION

THEODORE B. OLSON
Solicitor General
Counsel of Record
PETER D. KEISLER
Assistant Attorney General
J. STROM THURMOND, JR.
United States Attorney
MARK B. STERN
MARK S. DAVIES
Attorneys
Department of Justice
Washington, D.C. 20530-0001
202-514-2217

QUESTIONS PRESENTED

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the Secretary of Health and Human Services to promulgate regulations containing standards for the privacy of individually identifiable health information. The questions presented are:

1. Whether the provisions of HIPAA that authorize promulgation of privacy regulations violate the non-delegation doctrine.

2. Whether the Secretary exceeded his statutory authority in promulgating privacy regulations under HIPAA.

In the Supreme Court of the United States

No. 03-114

SOUTH CAROLINA MEDICAL ASSOCIATION, ET AL., PETITIONERS

v.

TOMMY G. THOMPSON, SECRETARY OF
HEALTH AND HUMAN SERVICES, ET AL.

ON PETITION FOR A WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT

BRIEF FOR THE RESPONDENTS IN OPPOSITION

OPINIONS BELOW

The opinion of the court of appeals (Pet. App. A1-A17) is reported at 327 F.3d 346. The opinion of the district court (Pet. App. A18-A41) is unreported.

JURISDICTION

The judgment of the court of appeals was entered on April 25, 2003. The petition for a writ of certiorari was filed on July 21, 2003. The jurisdiction of this Court is invoked under 28 U.S.C. 1254(1).

STATEMENT

1. Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936, to "improve portability and continuity of health insurance coverage in the group and individual markets." See H.R. Rep. No. 496, 104th Cong., 2d Sess. 66-67 (1996). Subtitle F of Title II of HIPAA is entitled "Administrative Simplification," and Section 261 (110 Stat. 2021) states that the purpose of the subtitle is "to improve the Medicare program * * *, the medicaid program * * *, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." 42 U.S.C. 1320d note (Supp. V 1999).1

Section 262(a) of HIPAA (110 Stat. 2021) requires the Secretary of Health and Human Services (HHS) to adopt uniform standards "to enable health information to be exchanged electronically." 42 U.S.C. 1320d-2(a)(1). Congress directed the Secretary to adopt standards for unique identifiers to identify individuals, employers, health plans, and health care providers across the nation, 42 U.S.C. 1320d-2(b)(1), and standards for, among other things, transactions and data elements relating to health information, 42 U.S.C. 1320d-2(a), (c) and (f), the security of that information, 42 U.S.C. 1320d-2(d), and verification of electronic signatures, 42 U.S.C. 1320d-2(e).

Congress also recognized that the standardization of certain electronic health care transactions required by HIPAA posed risks to the privacy of confidential patient information. Accordingly, Section 264 directed the Secretary to submit to Congress "detailed recommendations on standards with respect to the privacy of individually identifiable health information" within one year of HIPAA's enactment. 42 U.S.C. 1320d-2 note. Congress also provided in Section 264 that if it did not enact legislation covering these matters within three years, the Secretary shall promulgate final regulations containing such standards, 42 U.S.C. 1320d-2 note, and that such standards shall "address at least" the following three subjects:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

42 U.S.C. 1320d-2 note.

Section 264(c)(2) further provides that the privacy regulations promulgated by HHS "shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." HIPAA § 264(c)(2), 110 Stat. 2033-2034.

2. As required by Congress, HHS submitted recommendations for protecting the privacy of individually identifiable health information. Congress considered a number of bills, but did not enact new legislation. Pet. App. A5. Pursuant to Section 264(c)(1), and following a notice of proposed rulemaking, the Secretary published regulations contained in 45 C.F.R. Parts 160 and 164, generally known as the "Privacy Rule." In 2002, the Secretary published final modifications of the Privacy Rule. 67 Fed. Reg. 53,182 (2002).

The Privacy Rule protects the confidentiality of certain individually identifiable health information. It establishes a set of definitions, state law preemption requirements, compliance and enforcement requirements, and specific privacy protection standards with which covered entities must comply. As required by Congress in Section 264, the standards relate to the use and disclosure of "protected health information," the rights of individuals with respect to their own health information, and the procedures for exercising those rights. 45 C.F.R. Pts. 160, 164. The phrase "protected health information" is defined generally by the regulations as-

[I]ndividually identifiable health information . . . that is (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or (iii) Transmitted or maintained in any other form or medium.

45 C.F.R. 164.501.

3. Petitioners filed suit in federal district court in the District of South Carolina seeking declaratory relief from provisions of HIPAA and from the Privacy Rule. The complaint asserted that HIPAA violates the non-delegation doctrine by authorizing Secretary to promulgate privacy regulations and that the Privacy Rule exceeds the authority granted by HIPAA. The district court dismissed the complaint for failure to state a claim upon which relief could be granted. Pet. App. A18-A41.2

4. The court of appeals affirmed. Pet. App. A1-A17. The court rejected petitioners' claim that Section 264 of HIPAA violates the non-delegation doctrine. The court observed that Congress may vest rulemaking authority in an administrative agency so long as it lays down an "intelligible principle" to guide the exercise of that authority, and that the "test for determining whether an intelligible principle lies behind the conferral of authority" is whether "Congress clearly delineates the general policy, the public agency which is to apply it, and the boundaries of this delegated authority." Pet. App. A7 (quoting Mistretta v. United States, 488 U.S. 361, 372-373 (1989)). The court of appeals concluded that "the provisions of HIPAA provide a general policy, describe the agency in charge of applying that policy, and set boundaries for the reach of that agency's authority-all in keeping with the intelligible principle test." Id. at A9.

The court of appeals also rejected petitioners' contention that the Privacy Rule exceeds the scope of the Secretary's authority under HIPAA by regulating non-electronic information. The court concluded that the Privacy Rule's application to non-electronic information is fully consistent with the text of Section 264 of HIPAA, which requires the Secretary to address "[t]he rights that an individual who is a subject of individually identifiable health information should have," and Section 262, which defines "health information" as "any information, 'whether oral or recorded in any form or medium.'" Pet. App. A12 (quoting 42 U.S.C. 1320d-4) (emphasis added by court of appeals).

The court of appeals also concluded that the Privacy Rule's regulation of non-electronic information is "reasonably related to the larger purposes of HIPAA." Pet. App. A14. The court explained that "[r]egulating nonelectronic as well as electronic forms of health information effectuates HIPAA's intent to promote the efficient and effective portability of health information and the protection of confidentiality." Ibid. The court observed that "[i]f coverage were limited to electronic data, there would be perverse incentives for entities covered by the rule to avoid the computerization and portability of any medical records. Such a development would utterly frustrate the purposes of HIPAA." Ibid.

ARGUMENT

The decision of the court of appeals is correct and does not conflict with any decision of this Court or of any other court of appeals. Further review is unwarranted.

1. The court of appeals correctly held that HIPAA does not violate the non-delegation doctrine. Article I, Section 1 of the U.S. Constitution provides: "All legislative Powers herein granted shall be vested in a Congress of the United States." "In a delegation challenge, the constitutional question is whether the statute has delegated legislative power to the agency." Whitman v. American Trucking Assn's, 531 U.S. 457, 472 (2001). "[W]hen Congress confers decisionmaking authority upon agencies Congress must 'lay down by legislative act an intelligible principle to which the person or body authorized to [act] is directed to conform.'" Ibid. (quoting J.W. Hampton, Jr., & Co. v. United States, 276 U.S. 394, 409 (1928)).

The non-delegation doctrine has been applied to strike down only two statutes, both in 1935. As the Court in American Trucking noted, "[i]n the history of the Court we have found the requisite 'intelligible principle' lacking in only two statutes, one of which provided literally no guidance for the exercise of discretion, and the other of which conferred authority to regulate the entire economy on the basis of no more precise a standard than stimulating the economy by assuring 'fair competition.'" 531 U.S. at 474 (referring to Panama Refining Co. v. Ryan, 293 U.S. 388 (1935), and A.L.A. Schechter Poultry Corp. v. United States, 295 U.S. 495 (1935)).

Petitioners argue that HIPAA violates the non-delegation doctrine for two reasons. First, they argue (Pet. 11-14) that Congress assigned regulatory authority to the Secretary because Congress itself failed to reach consensus on controversial and complex policy issues covered by the Secretary's Privacy Rule. Second, they argue (Pet. 14-20) that HIPAA fails to articulate any intelligible principle for the Secretary to apply because HIPAA does not set forth any substantive factors for the Secretary to consider in protecting individual privacy rights or guide the Secretary in balancing the relevant criteria. Those arguments, however, fundamentally misconceive the scope of the non-delegation doctrine and are without merit.

Congress has never been prohibited from vesting broad rulemaking authority in a federal agency so that the agency may apply its expertise and make policy decisions, even when the subject matter is controversial. Indeed, a policy-making role is one of the core functions of administrative agencies. Mistretta, 488 U.S. at 372 ("[O]ur jurisprudence has been driven by a practical understanding that in our increasingly complex society, replete with ever changing and more technical problems, Congress simply cannot do its job absent an ability to delegate power under broad general directives."); American Power & Light Co. v. SEC, 329 U.S. 90, 105 (1946) (the "legislative process would frequently bog down if Congress were constitutionally required to appraise beforehand the myriad situations to which it wishes a particular policy to be applied and to formulate specific rules for each situation."); see American Trucking, 531 U.S. at 475.3

Nor is there any constitutional requirement that a delegation of authority be accompanied by specific substantive criteria for the agency to consider with explicit directives on how to weigh that criteria. Congress may constitutionally leave such policy choices to the expert agency, as this Court has "almost never felt qualified to second-guess Congress regarding the permissible degree of policy judgment that can be left to those executing or applying the law." American Trucking, 531 U.S. at 474-475 (quoting Mistretta, 488 U.S. at 416 (Scalia, J., dissenting)). Accordingly, a grant of broad rulemaking authority is constitutionally permissible if the statute sets forth an intelligible principle, i.e., "if Congress clearly delineates the general policy, the public agency which is to apply it, and the boundaries of this delegated authority." American Power & Light Co., 329 U.S. at 105.

The court of appeals correctly concluded that HIPAA satisfies that test. Section 264 itself directs that the Privacy Rule cover at least three subjects:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

42 U.S.C. 1320d-2 note. Other sections of Subtitle F provide additional "intelligible principles" that must be considered. Panama Refining, 293 U.S. at 416 (challenged provision must be examined in its statutory context). For example, HIPAA's statement of purpose makes plain that the Privacy Rule must encourage, rather than discourage, the use of electronic data transmission:

It is the purpose of this subtitle to improve * * * the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.

42 U.S.C. 1320d note (quoting HIPAA § 261, 110 Stat. 2021).

HIPAA further requires that the Rule must "be consistent with the objective of reducing the administrative costs of providing and paying for health care." 42 U.S.C. 1320d-1(b). In other provisions, Congress specified who the Privacy Rule is to cover, 42 U.S.C. 1320d-1(a), 1320d-8; what information is to be covered, 42 U.S.C. 1320d(6) (defining "individually identifiable health information"); a minimum list of the transactions which were to be covered, 42 U.S.C. 1320d-2(a)(2); when compliance with the privacy rules will be required and how they may be modified, 42 U.S.C. 1320d-3, 1320d-4; and what penalties will accrue for violations of privacy regulations, 42 U.S.C. 1320d-5, 1320d-6. The court of appeals thus properly concluded that "taken together, the provisions of HIPAA provide a general policy, describe the agency in charge of applying that policy, and set boundaries for the reach of that agency's authority-all in keeping with the intelligible principle test." Pet. App. A9.

Indeed, HIPAA's detailed set of statutory criteria and guidance that cabins the Secretary's exercise of rulemaking authority is at least as "intelligible" as the guidance set forth in the myriad statutes upheld by this Court against a non-delegation challenge. For example, the Court has upheld the Federal Communications Commission's broad authority to regulate broadcast communications "as public convenience, interest, or necessity requires." National Broad. Co. v. United States, 319 U.S. 190, 215, 225 (1943). The Court similarly has upheld a provision of the Occupational Safety and Health Act of 1970 that required the agency to set a standard for toxic materials such that "to the extent feasible" "no employee will suffer any impairment of health." Industrial Union Dep't v. American Petroleum Inst., 448 U.S. 607, 643 n.48, 646 (1980).4

Petitioners err in suggesting (Pet. 18-19) that the force of the intelligible principles in HIPAA is undermined by Congress's decision to order the Secretary to issue privacy regulations if Congress did not act within three years. As the court of appeals explained, "the procedures outlined by Congress establish a more explicit oversight mechanism than usually accompanies a rulemaking mandate imposed upon an agency." Pet. App. A10-A11. In any event, for purposes of the non-delegation doctrine, HIPAA is indistinguishable from a statute that immediately authorized the agency to issue regulations. The non-delegation doctrine is concerned with the substance, not the timing, of congressional action. U.S. Const. Art. I, § 1. If, as here, a statute does not delegate legislative authority, it is of no consequence when Congress orders an agency to issue rules.

Petitioners finally err in arguing (Pet. 19) that the lack of an intelligible principle is demonstrated by the absence of any reference in the rulemaking record to congressional guidance set forth in HIPAA. The rulemaking record confirms that the Secretary considered numerous congressional policy directives set forth in the Act. For example, the preamble to the final Privacy Rule starts by noting that "Congress called for steps to improve 'the efficiency and effectiveness of the health care system.'" 65 Fed. Reg. 82,463 (2000). Thus, the preamble explains, the "privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system." Id. at 82,470. Similarly, the preamble notes the congressional "objective of reducing the administrative costs of providing and paying for health care" and explains how the rules are consistent with that objective. Id. at 82,474.

2. Petitioners also seek (Pet. 20-26) this Court's review of the court of appeals' determination that HIPAA provides the Secretary with authority to promulgate 45 C.F.R. 160.103, which regulates individually identifiable health information by covered entities in any "form or medium." That claim, too, lacks merit and does not warrant this Court's review.

Petitioners rely (Pet. 21-22) on Section 264(c)'s direction to the Secretary to promulgate standards "with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act [42 U.S.C. 1320d-2(a)] (as added by Section 262)," 42 U.S.C. 1320d-2 note (emphasis added), and argue that the Secretary was limited to promulgating rules governing electronic transmission of information set forth in Section 1173(a). Far from limiting the Secretary's authority to regulate information in electronic form, however, Section 264(c)(1)'s text broadly extends to any individually identifiable "health information," which includes "any information, whether oral or recorded in any form or medium." 42 U.S.C. 1320d(4) (emphasis added).

Nor does Section 264's reference to Section 1173(a) of the Social Security Act limit the Secretary's regulatory authority to electronic information. Section 1173(a) identifies a broad variety of transactions and directs the Secretary to develop "standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically." 42 U.S.C. 1320d-2(a)(1); accord 42 U.S.C. 1320d-2(a) (subsection title: "Standards to enable electronic exchange") (emphasis added). "Thus, the focus [of Section 1173(a)] is on enabling electronic portability, not simply on regulating purely electronic activity." Pet. App. A13. Indeed, the health care transactions listed in Section 1173(a)(2) are not described with reference to electronic media. See 42 U.S.C. 1320d-2(a)(2) (including transactions with respect to "[e]nrollment and disenrollment in a health plan," "[h]ealth care payment and remittance advice," and "[h]ealth plan premium payments"). Similarly, Section 1173(a) explicitly authorizes the Secretary to adopt standards for "other financial and administrative transactions" when "consistent with the goals of improving the operation of the health care system and reducing administrative costs." 42 U.S.C. 1320d-2(a)(1)(B).

Section 264(c)(1) also refers to Section 1173 by granting HHS the authority to develop privacy standards for health information transmitted "in connection with" the transactions described in Section 1173. As the court of appeals correctly concluded, the Secretary permissibly read that statutory phrase to allow him to regulate non-electronic transmissions that are "connect[ed] with" (e.g., related in some way to) a transaction that falls within the list of health care transactions in Section 1173.

Finally, as the court of appeals concluded, HHS's decision to include all forms of media is "reasonably related to the larger purposes of HIPAA." Pet. App. A14. See Thorpe v. Housing Authority, 393 U.S. 268, 280-281 (1969) (regulation will be sustained as long as it is "reasonably related to the purposes of the enabling legislation under which it was promulgated"). In issuing the final rule, the Secretary properly concluded that limiting patient protections to electronic transmissions of medical information would undermine Congress's intent to facilitate the development and use of more efficient health information systems. During the rulemaking process, HHS found that any attempt to define "electronic transmission" would be "arbitrary, unrelated to the potential use or disclosure of the information itself and therefore not responsive to actual privacy risks." 65 Fed. Reg. at 82,619. In addition, limiting the Privacy Rule to purely electronic records would subvert Congress's intent in passing HIPAA by creating an incentive for covered entities to avoid the use of electronic data-transmission methods in order to avoid the Privacy Rule. Id. at 82,618.

3. There is no conflict in the circuits on either the constitutional or statutory question presented by petitioners. Indeed, the court of appeals' decision represents the first appellate decision to decide either question. Petitioners "acknowledge that this Court's normal practice is not to grant review in the first case that presents a legal issue," but argue immediate review by this Court is warranted because of the substantive (and, in their view, negative) impact of the Privacy Rule. Pet. 26. That is incorrect. The substance of the Privacy Rule-other than its application to information in non-electronic form-has never been at issue in this case. Petitioners presented none of their substantive objections to the Privacy Rule (see Pet. 27-29) to the courts below, and accordingly neither court addressed them. Review by this Court therefore is especially unwarranted.

CONCLUSION

The petition for a writ of certiorari should be denied.

Respectfully submitted.

<

THEODORE B. OLSON
Solicitor General
PETER D. KEISLER
Assistant Attorney General
J. STROM THURMOND, JR.
United States Attorney
MARK B. STERN
MARK S. DAVIES
Attorneys

SEPTEMBER 2003

1 Subtitle F of Title II of HIPAA consists of Sections 261 through 264 (110 Stat. 2021-2033). Section 262 amends Title XI of the Social Security Act, 42 U.S.C. 1301 et seq., to add a Part C, entitled "Administrative Simplification," with Sections 1171-1179. Those sections are codified at 42 U.S.C. 1320d through 1320d-8. Section 261 (110 Stat. 2021) is found in the United States Code as a note to 42 U.S.C. 1320d (Supp. V 1999). Section 264 is found as a note to 42 U.S.C. 1320d-2 (Supp. V 1999). Section 263 (110 Stat. 2031) amends the Public Health Service Act, 42 U.S.C. 242k(k) (Supp. V 1999). For simplicity, citations in this brief will refer to HIPAA by the relevant citation to the 1999 supplement of the United States Code.

2 The district court also dismissed petitioners' claim that Section 264(c)(2)'s non-preemption of "more stringent" state privacy laws is unconstitutionally vague. Pet. App. A32-A41. The court of appeals affirmed that ruling (id. at A14-A16), and petitioners do not renew that challenge in this Court.

3 Petitioners rely (Pet. 14) on then-Justice Rehnquist's concurring opinion in Industrial Union Department v. American Petroleum Institute, 448 U.S. 607, 687 (1980), in arguing that Congress cannot permit "hard choices" to be made by administrative agencies. Justice Rehnquist's opinion, however, did not purport to state existing law. Ibid. (urging the Court to "reshoulder the burden of ensuring that Congress itself make the critical policy decisions"); see American Trucking, 531 U.S. at 475.

4 See Yakus v. United States, 321 U.S. 414, 420 (1944) (authorizing Price Administrator to fix commodity prices that "in his judgment will be generally fair and equitable and will effectuate the purposes of this Act"); Loving v. United States, 517 U.S. 748, 772-773 (1996) (Presidential power to determine when court-martial shall impose death penalty); Touby v. United States, 500 U.S. 160, 165 (1991) (Attorney General's authority to regulate new drugs that pose an "imminent hazard to the public safety"); Skinner v. Mid-America Pipeline Co., 490 U.S. 212, 223-224 (1989) (Secretary of Transportation's power to determine incidence and level of tax); Mistretta, 488 U.S. at 374 (power to issue binding sentencing guidelines); Lichter v. United States, 334 U.S. 742, 778-786 (1948) (authority of War Department to recover "excessive profits" earned on military contracts).