No. 14-0965 -        West Virginia Department of Health and Human Resources, Bureau for
                     Behavioral Health and Health Facilities v. E.H., et al.


                                                                             FILED
                                                                          October 22, 2015
                                                                        RORY L. PERRY II, CLERK
Davis, Justice, dissenting:                                           SUPREME COURT OF APPEALS
                                                                          OF WEST VIRGINIA




              In this proceeding, Legal Aid sought to force DHHR to continue to allow Legal

Aid to have complete access to patient records, without patient consent, at the Bateman and

Sharpe psychiatric facilities. Before this Court, DHHR argued that it was violating federal

law, specifically HIPAA, when it previously authorized Legal Aid to have complete access

to patient records without the consent of the patients. The circuit court and majority opinion

disagreed with DHHR. The circuit court found that Legal Aid did not need patient consent

to have unfettered access to patient records, because Legal Aid came under the following

exceptions recognized by HIPAA: business associate, health oversight agency, health care

operations, and legal requirement. The majority opinion correctly found that not one of the

exceptions relied upon by the trial court applied to Legal Aid. Rather than stopping there and

reversing the circuit court’s order, the majority opinion affirmed the circuit court on a

different ground. With absolutely no legal analysis, the majority opinion determined that

Legal Aid could have unfettered access to patient information because of the “more

stringent” State law exception found under HIPAA.



              As I will demonstrate below, if the majority opinion had performed but a

                                              1
scintilla of the legal analysis that is required to determine whether a State law is more

stringent than HIPAA, it would have reversed the circuit court’s order. Consequently, for

the reasons set out below, I dissent.



          The Majority Decision Authorizes Legal Aid to Violate Federal Law

              Because of the arrogant and complete disregard of federal law by the majority

opinion, I must start my dissent with a review of some basic legal principles. To begin, it has

been noted that “[t]he preemption doctrine has its origin in the Supremacy Clause of the

United States Constitution[.]” Hartley Marine Corp. v. Mierke, 196 W. Va. 669, 673, 474

S.E.2d 599, 603 (1996). See also Harrison v. Skyline Corp., 224 W. Va. 505, 510, 686

S.E.2d 735, 740 (2009) (“[T]he preemption doctrine has its roots in the supremacy clause of

the United States Constitution and is based on the premise that federal law can supplant

inconsistent state law.”). The Supremacy Clause of the federal constitution provides that the

laws of the United States “shall be the supreme law of the Land; . . . anything in the

Constitution or laws of any state to the Contrary notwithstanding.” U.S. Const. Art. VI, Cl.

2. We have recognized that “[t]he Supremacy Clause of the United States Constitution,

Article VI, Clause 2, invalidates state laws that interfere with or are contrary to federal law.”

Syl. pt. 1, Cutright v. Metropolitan Life Ins. Co., 201 W. Va. 50, 491 S.E.2d 308 (1997).

Pursuant to the Supremacy Clause, federal preemption of state law occurs if: (1) Congress

expressly preempts state law; (2) Congress has completely supplanted state law in that field;

(3) adhering to both state and federal law is not possible; or (4) state law impedes the

                                               2
achievement of the objectives of Congress. See Crosby v. Nat’l Foreign Trade Council, 530

U.S. 363, 372, 120 S. Ct. 2288, 2293-94, 147 L. Ed. 2d 352 (2000).                   “Although

Congressional intent is commonly the starting point for federal preemption analysis, the

existence of an express preemption provision in a statute nullifies the need for further

analysis.” Wade v. Vabnick-Wener, 922 F. Supp. 2d 679, 686 (internal citations omitted).

See also Syl. pt. 4, Morgan v. Ford Motor Co., 224 W. Va. 62, 680 S.E.2d 77 (2009) (“When

it is argued that a state law is preempted by a federal law, the focus of analysis is upon

congressional intent. Preemption is compelled whether Congress’ command is explicitly

stated in the statute’s language or implicitly contained in its structure and purpose.”).

HIPAA sets out an express preemption provision; therefore, no further analysis is necessary

to discern Congressional intent. See Cipollone v. Liggett Grp., Inc., 505 U.S. 504, 517, 112

S. Ct. 2608, 2618, 120 L. Ed. 2d 407 (1992) (“When Congress has considered the issue of

pre-emption and has included in the enacted legislation a provision explicitly addressing that

issue, and when that provision provides a reliable indicium of congressional intent with

respect to state authority, there is no need to infer congressional intent to pre-empt state laws

from the substantive provisions of the legislation. . . . Therefore, we need only identify the

domain expressly pre-empted by each of those sections.” (internal quotations and citations

omitted)).



              Congress enacted HIPAA in 1996, in part, to protect the privacy of individually

identifiable health information. See Jennifer Guthrie, “Time Is Running Out–The Burdens

                                               3
and Challenges of HIPAA Compliance: A Look at Preemption Analysis, the ‘Minimum

Necessary’ Standard, and the Notice of Privacy Practices,” 12 Annals Health L. 143, 146

(2003) (“The main premise of HIPAA is to protect individually identifiable health

information. This means that certain information will not be revealed without a patient’s

express authorization, in an effort to contain important information to as few people as

possible.”). For purposes of HIPAA, protected health information “is any health information,

oral or recorded, that is individually identifiable and transmitted or maintained by a covered

entity in any form or medium.” Holman v. Rasak, 486 Mich. 429, 435-36, 785 N.W.2d 98,

102 (2010). The Secretary of Health and Human Services was directed by Congress to

promulgate regulations setting privacy standards for health information. See Northwestern

Mem’l Hosp. v. Ashcroft, 362 F.3d 923, 924 (7th Cir. 2004) (“Section 264 of HIPAA, 42

U.S.C. § 1320d . . . , directs the Secretary of Health and Human Services to promulgate

regulations to protect the privacy of medical records[.]”).1         In 2000, the Secretary

responded by issuing the Standards for Privacy of Individually Identifiable Health

Information, known as the “Privacy Rule” and codified at 45 C.F.R. 160, 164. See Smith v.

Am. Home Prods. Corp. Wyeth-Ayerst Pharm., 372 N.J. Super. 105, 111 n.2, 855 A.2d 608,

612 n.2 (2003) (“On December 28, 2000, pursuant to a mandate under the ‘administrative

simplification’ provisions of HIPAA, the Department of Health and Human Services issued


              1
               Actually, “HIPAA mandated the passage of comprehensive privacy legislation
by Congress within three years, otherwise the Department of Health and Human Services
was required to step in and create privacy regulations.” Guthrie, “Time Is Running Out,” 12
Annals Health L. at 144.

                                              4
new standards for privacy of individually identifiable health information (IIHI) called ‘The

Final Privacy Rule’ as published in the Federal Register.”).2   Compliance with the Privacy

Rule was not required until 2003.3    See United States v. Sutherland, 143 F. Supp. 2d 609,

612 (W.D. Va. 2001) (“Although the Standards were effective April 14, 2001, compliance

is not required until April 14, 2003.”). Specific to the case at hand, the Secretary

promulgated a federal regulation on HIPAA’s preemptive effect. See Morgan v. Ford Motor

Co., 224 W. Va. 62, 70, 680 S.E.2d 77, 85 (2009) (“[T]he U.S. Supreme Court has

recognized that an agency regulation with the force of law can explicitly or implicitly

preempt conflicting state regulations.”).      This regulation states that “[a] standard,



              2
                  It is important that I point out the significance of the year in which HIPAA
was created, 1996, and the date the Privacy Rule was created, 2000, because this will help
explain the initial broad authority DHHR gave to Legal Aid. When the litigation originally
began in this case, 1981, HIPAA did not exist–no expansive patient privacy rights existed.
It was in 1990, pre-HIPAA, that DHHR first contracted to have Legal Aid monitor patient
health care services at Bateman and Sharpe. It was only after the creation of HIPAA that
DHHR realized that, in order for Legal Aid to continue to have access to patient records
without patient consent, Legal Aid had to come under an exception to HIPAA. It appears
that, initially, DHHR believed that Legal Aid came under the “business associate” exception
created by the Privacy Rule. The majority opinion acknowledged this fact in footnote 28.
However, in 2014, an astute Privacy Officer at DHHR realized that it was permitting Legal
Aid to violate HIPAA, because Legal Aid did not come under the “business associate”
exception to the privacy requirements. It was only after this determination, which even the
majority opinion conceded was correct, that DHHR began requiring Legal Aid comply with
HIPAA by obtaining patient consent before it could review patient records. There was
nothing sinister in this, as was suggested by the majority opinion. DHHR simply was trying
to comply with federal law–something the majority believes is not necessary in spite of the
Supremacy Clause.
              3
               For ease in understanding, I will refer to HIPAA and the Privacy Rule
collectively as HIPAA.

                                              5
requirement, or implementation specification adopted under this subchapter that is contrary

to a provision of State law preempts the provision of State law.” 45 C.F.R. § 160.203.4 See

Nat’l Abortion Fed’n v. Ashcroft, No. 03 Civ. 8695(RCC), 2004 WL 555701, at *3 (S.D.N.Y.

March 19, 2004) (“Recognizing that HIPAA’s privacy provisions might differ from state

regulations, Congress directed that all state laws contrary to the regulations promulgated by

HHS be preempted, unless the state laws fall within the exception created by HIPAA[.]”).

It has been recognized that the regulations “restrict and define the ability of health plans,

health care clearinghouses, and most health care providers to divulge patient medical

records.” United States v. Sutherland, 143 F. Supp. 2d 609, 612 (W.D. Va. 2001).



              “[T]he intent of HIPAA is to ensure the integrity and confidentiality of

patients’ [medical] information and to protect against unauthorized uses or disclosures of the

information[.]” In re Antonia E., 838 N.Y.S.2d 872, 874-75 (2007) (internal quotations and

citations omitted). Under HIPAA, the general rule is that a covered entity may not use or

disclose protected health information without a written authorization from the individual.

See 45 CFR 164.508. However, as recognized by the majority opinion, HIPAA enumerates

several specific situations in which a covered entity may use or disclose protected health

information without the written authorization of the individual. See Pal v. New York Univ.,



              4
             The regulations define State law as “a constitution, statute, regulation, rule,
common law, or other State action having the force and effect of law.” 45 C.F.R. § 160.202.
See Crenshaw v. MONY Life Ins. Co., 318 F. Supp.2d 1015, 1028 (S.D. Cal.2004).

                                              6
No. 06Civ.5892 (BSJ)(FM), 2007 WL 1522618, at *3 (S.D.N.Y. May 22, 2007) (“HIPAA

permits the disclosure of ‘protected health information’ without a patient’s consent in a

variety of circumstances.”). The majority opinion found that only one of HIPAA’s

exceptions to the general privacy of health information applied to the facts of this case.5

That exception involves a State law that is “more stringent” than HIPAA. See 45 C.F.R. §

160.203(b) (“The provision of State law relates to the privacy of individually identifiable

health information and is more stringent than a standard, requirement, or implementation

specification adopted under subpart E of part 164 of this subchapter.”). That is, “courts have

recognized that HIPAA does not preempt ‘more stringent’ privacy protections guaranteed

under state law.” Pac. Radiation Oncology, LLC v. Queen’s Med. Ctr., 47 F. Supp. 3d 1069,

1081 (D. Haw. 2014). Accord Citizens for Health v. Leavitt, 428 F.3d 167, 174 (3d Cir.

2005).



              The majority opinion reached the conclusion that our State law was more

stringent than HIPAA without performing any legal analysis of this complex issue. The

majority opinion, in a rather awkward way, merely pointed out that DHHR had annually

“conclud[ed] that our state laws set forth in 64 CSR § 59 are not preempted by HIPAA as our

provisions are more stringent.” The majority opinion then went on to provide:



              5
               I previously noted that the majority opinion correctly found that the exceptions
for business associate, health oversight agency, health care operations, and required by law
did not apply.

                                              7
      From the record submitted in this case, the protections set forth in Title 64,
      Series 59 have been determined to be more stringent than those required by
      federal law. Accordingly, our state regulations set forth in Title 64, Series 59
      are not preempted by HIPAA.

This was the sum total of how and why the majority opinion determined that our State law

was more stringent than HIPAA. This total lack of analysis makes no sense. It is illogical

to rely on a general finding by DHHR that its regulations are more stringent than HIPAA,

when DHHR already had realized its disclosures to Legal Aid violated HIPAA, and DHHR

tried to correct the violation by asserting that no authority exists for Legal Aid to

indiscriminately access patient information. More fundamentally, the yard stick used by the

majority opinion to determine whether a State law is more stringent than HIPAA is absurd!

Under the majority opinion’s mind-boggling yardstick, all that any state must do to get

around HIPAA is unilaterally proclaim that its laws are more stringent than HIPAA. Surely

Congress did not mean for HIPAA and the Supremacy Clause to be defeated in such a self-

serving manner. Indeed, as I will demonstrate below, this absolutely was not what Congress

intended.



             “[A] standard is more stringent if it provides greater privacy protection for the

individual who is the subject of the individually identifiable health information than the

standard set forth in the rules and regulations.” Bayne v. Provost, 359 F. Supp. 2d 234,

237-38 (N.D.N.Y. 2005) (internal quotations and citations omitted). See also Wade v.

Vabnick-Wener, 922 F. Supp. 2d 679, 686 (“To meet the ‘more stringent’ requirement, a state


                                             8
law must ‘provide greater protection for the individual who is the subject of the individually

identifiable health information’ than the standard set forth by HIPAA and its regulations.”).

More importantly, it has been recognized that, under federal law, “‘[m]ore stringent,’ as

defined in 45 C.F.R.§ 160.202, means, that the state law meets any one of six criteria.” Law

v. Zuckerman, 307 F. Supp. 2d 705, 709 (D. Md. 2004). See also Webb v. Smart Document

Sols., LLC, 499 F.3d 1078, 1087 (9th Cir. 2007) (“‘More stringent’ laws are defined.”). The

six criteria under HIPAA that define “more stringent,” have been summarized by the Fourth

Circuit as follows:

       [1] the state law prohibits or restricts a use or a disclosure of information
       where HIPAA would allow it; [2] the state law provides an individual with
       greater rights of access or amendment to his medical information than
       provided under HIPAA; [3] the state law provides an individual with a greater
       amount of information about a use, a disclosure, rights and remedies; [4] [state
       law provides requirements that narrow the scope or duration, increase the
       privacy protections afforded, or reduce the coercive effect of the circumstances
       surrounding the express legal permission of an individual to disclose
       information]; [5] the state law provides for the retention or reporting of more
       detailed information or for a longer duration; or [6] the state law provides
       greater privacy protection for the individual who is the subject of the
       individually identifiable health information.


South Carolina Med. Ass’n v. Thompson, 327 F.3d 346, 355 (4th Cir. 2003). Accord In re

Antonia E., 838 N.Y.S.2d 872, 876 (2007).



              Simply put, in order for a court to determine that a State law is more stringent

than HIPAA, it must find that the State law satisfies one of the six definitions of “more

stringent” contained under 45 C.F.R.§ 160.202. The majority opinion in this case literally

                                              9
failed to even cite, let alone discuss, the mandatory six criteria set out under 45 C.F.R.

§160.202. Ignoring the law, or pretending the law does not exist, should not be a license to

manipulate and corrupt the law.



              My research revealed that other courts called upon to decide whether a State

law was more stringent than HIPAA have complied with federal law and applied the six

criteria under 45 C.F.R.§ 160.202. For example, a case which examined all six criteria under

45 C.F.R. § 160.202 is State v. La Cava, No. CR060128258S, 2007 WL 1599888

(Conn. Super. Ct. May 17, 2007). In La Cava, the court was asked to decide whether a

Connecticut statute, which authorized disclosure of patient information in a judicial

proceeding and in certain other circumstances, was more stringent than HIPAA. The

Connecticut statute allowed:

              (1) any patient who has been treated in a private hospital, public
              hospital society or corporation receiving state aid to, upon the
              demand, examine and/or copy her hospital record, including the
              history, bedside notes, charts, pictures and plates kept in
              connection with her treatment and authorize her physician or
              attorney to do the same; (2) a hospital, society or corporation
              that is served with a subpoena issued by competent authority
              directing the production of a hospital record to deliver such
              record or a copy thereof to the clerk of such court where it will
              remain sealed except upon the order of a judge of the court
              concerned; (3) any and all parts of the hospital record or copy
              that is not otherwise inadmissible to be admitted in evidence
              without the necessity of having a witness from the hospital
              identity the records as ones kept in the usual course of business
              by the hospital.

La Cava, 2007 WL 1599888, at *3. The decision in La Cava summarily applied the six

                                             10
criteria under 45 C.F.R.§ 160.202 and determined that the Connecticut statute was not more

stringent than HIPAA:

                      In comparison to [HIPAA’s requirements for disclosures
              for judicial and administrative proceedings], [the state statute]
              does not: (1) prohibit or restrict a use or disclosure in
              circumstances under which such use or disclosure otherwise
              would be permitted under the federal rule; (2) permit greater
              rights of access or amendment to the individual who is the
              subject of the individually identifiable health information; (3)
              provide a greater amount of information to the individual who
              is the subject of the individually identifiable health information
              about a use, a disclosure, rights, and remedies; (4) provide
              requirements that narrow the scope or duration, increase the
              privacy protections afforded, or reduce the coercive effect of the
              circumstances surrounding the need for express legal permission
              from the individual who is the subject of the individually
              identifiable health information with respect to the form,
              substance, or the need for express legal permission; (5) provide
              for the retention or reporting of more detailed information or for
              a longer duration with respect to recordkeeping or requirements
              relating to accounting of disclosures; and (6) provide greater
              privacy protection for the individual who is the subject of the
              individually identifiable health information with respect to any
              other matter. Accordingly, the state statute is not more stringent
              than the federal regulation.

                    Because [the state statute] is a contrary state law that is
              not more stringent than the Privacy Rule, it is preempted in
              accordance with 45 C.F.R. § 160.203 (2007).

La Cava, 2007 WL 1599888, at *3.



              In U.S. ex rel. Stewart v. Louisiana Clinic, No. CivA. 99-1767, 2002 WL

31819130 (E.D. La. Dec. 12, 2002), the defendants attempted to prevent disclosure of patient

information in a judicial proceeding by invoking the protections of a Louisiana statute. The

                                             11
disclosure was allowed under HIPAA, but was not allowed under Louisiana law. The

opinion in Stewart framed the issue as follows:

                    Defendants argue that HIPAA does not preempt
              Louisiana law concerning disclosure of nonparty patient records
              without patient consent. . . .

                      Defendants focus solely on the “more stringent” element
              of this regulatory test and on paragraph (4) of the definition of
              “more stringent.” “More stringent” means a State law that meets
              one or more of the following criteria: . . .

              (4) With respect to the form, substance, or the need for express
              legal permission from an individual, who is the subject of the
              individually identifiable health information, for use or disclosure
              of individually identifiable health information, provides
              requirements that narrow the scope or duration, increase the
              privacy protections afforded (such as by expanding the criteria
              for), or reduce the coercive effect of the circumstances
              surrounding the express legal permission, as applicable.

                     Defendants argue that the Louisiana health care
              provider/patient privilege law is more stringent than the federal
              regulations. They contend that the Louisiana statute increases
              the privacy protections afforded to individual patients by
              requiring either patient consent for the disclosure or, in the
              absence of consent, that a “court shall, issue an order for the
              production and disclosure of a patient’s records . . . only: after
              a contradictory hearing with the patient . . . and after a finding
              by the court that the release of the requested information is
              proper.”

Stewart, 2002 WL 31819130, at *4-5. The court in Stewart found that, based upon the

defendants’ reliance solely on the fourth criterion of 45 C.F.R. § 160.202, Louisiana law was

not more stringent than HIPAA:

                    Defendants’ argument fails because this provision of
              Louisiana law does not address “the form, substance, or the need

                                              12
              for express legal permission from an individual,” as required by
              45 C.F.R. § 160.202 for the exception to apply. Rather, the
              Louisiana statute provides a way of negating the need for such
              permission. In other words, although the individual patient may
              attend the contradictory hearing, the Louisiana provision states
              that the court shall issue an order for disclosure (despite the
              patient’s lack of consent), if the court finds that release of the
              information is proper. Because the Louisiana statute does not fit
              within the exception from preemption cited by defendants, it is
              preempted by the HIPAA regulations. Therefore, Louisiana law
              does not apply in this pure federal question case.

Stewart, 2002 WL 31819130, at *5.



              A case which illustrates a State statute that was actually found to be more

stringent than HIPAA is Wade v. Vabnick-Wener, 922 F. Supp. 2d 679. In Wade, the court

was called upon to decide whether Tennessee’s privacy law, on ex parte communication with

a plaintiff’s treating physician was more stringent than HIPPA. The opinion relied upon the

sixth criterion of 45 C.F.R. § 160.202. That is, “a state law must ‘provide greater protection

for the individual who is the subject of the individually identifiable health information’ than

the standard set forth by HIPAA and its regulations.” Wade, 922 F. Supp. 2d at 686. The

opinion determined that, based upon the sixth criterion, Tennessee’s law was more stringent

than HIPAA:

                     It is therefore clear that Tennessee law is more stringent
              than HIPAA’s privacy rules concerning ex parte
              communications with health care providers. Absent a plaintiff's
              express consent, Tennessee law prohibits informal
              communications with the plaintiff’s treating physician to obtain
              health information. On the contrary, HIPAA only bars such
              communications prior to the entry of a qualified protective

                                              13
             order. After the requisite protective order is entered, whether by
             consent or over the plaintiff’s objection, defendant is free to
             utilize informal discovery, including specifically ex parte
             interviews, under HIPAA.

                     Accordingly, because the laws of Tennessee are more
             stringent than HIPAA concerning defense counsels ability to
             make use of informal discovery methods, HIPAA does not
             preempt Tennessee’s ban on ex parte communications with a
             plaintiff’s non-party treating physician.

Wade, 922 F. Supp. 2d at 691-92. See Nat’l Abortion Fed’n v. Ashcroft, No. 04 C 55, 2004

WL 292079, at *4 (N.D. Ill. Feb. 6, 2004) (“Because we find that Illinois law is more

stringent than HIPAA’s disclosure requirements and that it would be impossible for

Northwestern to comply with both Judge Casey’s HIPAA-pursuant Order and various

provisions of Illinois law, Illinois’s nonparty patient privacy laws are not preempted by

HIPAA and its subsequent regulations.”); Pal v. New York Univ., 2007 WL 1522618, at *3

(“Because New York law requires patient consent before disclosure and HIPAA provides for

certain exceptions to that rule, New York law is more stringent.”); Tyson v. Warden, No.

CV064001202, 2007 WL 4171583, at *2 (Conn. Super. Ct. Nov. 5, 2007) (“It is clear to this

court that § 52-146k and 52-146o prohibit disclosure where the HIPAA regulation relied

upon by the petitioner would allow it. Sections 52-146k and 52-146o provide greater

protection of the victim’s private health information and are therefore not preempted by

HIPAA.”); In re Antonia E., 838 N.Y.S.2d 872, 876 (2007) (“Upon consideration of the

physician-patient privilege and the broad provisions for court ordered disclosure under

HIPAA, this Court finds that HIPAA provisions do not supersede New York law.”).


                                            14
              The above cases clearly demonstrate that a court cannot determine that a State

statute is more stringent than HIPAA by relying solely on a state agency’s statement that a

particular state law is more stringent than HIPAA. If that was true, as the majority opinion

concludes, then there would have been no reason to define “more stringent” under 45 C.F.R.

§ 160.202. The term “more stringent” is defined for a purpose. That purpose, to me, is quite

clear. The definition is designed to narrow the circumstances in which a state law may be

categorized as more stringent than HIPAA. “[W]e are not free to rewrite HIPAA’s mandates;

we are required to follow them.” Holman v. Rasak, 486 Mich. 429, 458, 785 N.W.2d 98, 114

(2010) (Hathaway, J., dissenting). The majority opinion in this case has made a mockery of

the unambiguous and mandatory language contained in 45 C.F.R. § 160.202.



              I can surmise only that the majority opinion ignored the law as dictated under

45 C.F.R. § 160.202 because it wanted to reach a result that simply could not be reached by

following the law. A cursory review of what the relevant state law allowed in this case

clearly shows that it was not more stringent than HIPAA.



              What should be clearly understood is that, for purposes of the “more stringent”

requirement of HIPAA, “any state law providing greater privacy protection for the individual

who is the subject of the individually identifiable health information is a more stringent state

law.” Natalie F. Weiss, “To Release or Not to Release: An Analysis of the HIPAA Subpoena

Exception,” 15 Mich. St. U. J. Med. & L. 253, 260 (2011) (emphasis added). This point

                                              15
needs to be emphatically understood–the “more stringent” requirement under HIPAA can

never be satisfied by a State law that provides lesser privacy protection. In this case, the

majority opinion has indicated that the applicable state law is found in 64 C.S.R. § 59-11-

5.1.d, which provides:

                     No written consent is necessary for employees of the
               department, comprehensive behavioral centers serving the client
               or advocates under contract with the department.

In sum, this state regulation allows Legal Aid, as an “advocate,” to have complete access to

patient information without the consent of the patient. On its face, it is clear that this law

does not provide greater privacy protection. Instead, it exposes all patient information to a

private legal entity in the absence of patient consent for either representation by the agency

or the disclosure of their medical records to the agency.



               It has correctly been observed that “[i]f state law can force disclosure without

a court order, or the patient’s consent, it is not ‘more stringent’ than the HIPAA regulations.”

Law v. Zuckerman, 307 F. Supp. 2d 705, 711 (D. Md. 2004). Through a summary

application of HIPAA’s six criteria, it is clear that the state regulation at issue in this matter

does not: (1) prohibit or restrict a use or a disclosure of information where HIPAA would

allow it; (2) provide an individual with greater rights of access or amendment to his medical

information than provided under HIPAA; (3) provide an individual with a greater amount of

information about a use, a disclosure, rights and remedies; (4) provide requirements that

narrow the scope or duration, increase the privacy protections afforded, or reduce the

                                               16
coercive effect of the circumstances surrounding the express legal permission of an

individual to disclose information; (5) provide for the retention or reporting of more detailed

information or for a longer duration; or (6) provide greater privacy protection for the

individual who is the subject of the individually identifiable health information. Insofar as

the state regulation does not satisfy any of the above six factors contained in 45 C.F.R. §

160.202, the state law is not more stringent than HIPAA. The majority knew this, and that

is why its opinion completely ignored 45 C.F.R. § 160.202. See In re Funderburke, No. 687-

0026, 1988 WL 1607927, at *4 (S.D. Ga. Jan. 18, 1988) (“[T]he record shows that the

[majority] did nothing except to assume the position of an ostrich with its head in the sand

and ignore [the law] which [was] readily available to it.”).



              Finally, I wish to point out that the majority opinion conceivably has opened

the floodgates for civil litigation, because of the unlawful access it has given Legal Aid to

patient hospital information. This Court recently held that “[c]ommon-law tort claims based

upon the wrongful disclosure of medical or personal health information are not preempted

by the Health Insurance Portability and Accountability Act of 1996.” Syl. pt. 3, R.K. v. St.

Mary’s Med. Ctr., Inc., 229 W. Va. 712, 735 S.E.2d 715 (2012). If the majority opinion is

not appealed to the United States Supreme Court, I have no doubt that civil law suits will

follow in the wake of the misguided majority opinion.



                                                         For the reasons so stated, I dissent.

                                              17
18
