[Cite as Menorah Park Ctr. for Senior Living v. Rolston, 2019-Ohio-2114.]

                              COURT OF APPEALS OF OHIO

                             EIGHTH APPELLATE DISTRICT
                                COUNTY OF CUYAHOGA

MENORAH PARK CENTER FOR
SENIOR LIVING,                                         :

                Plaintiff-Appellee,                    :
                                                                            No. 107615
                v.                                     :

IRENE ROLSTON,                                         :

                Defendant-Appellant.                   :


                               JOURNAL ENTRY AND OPINION

                JUDGMENT: REVERSED AND REMANDED
                RELEASED AND JOURNALIZED: May 30, 2019


                   Civil Appeal from the Shaker Heights Municipal Court
                                   Case No. 18CVF00504


                                            Appearances:

                Ciano, & Goldwasser, L.L.P., Sarah E. Katz, Robert A.
                West, and Andrew S. Goldwasser; Powers, Friedman
                Linn, P.L.L., and Robert G. Friedman, for appellant.

                Bonezzi, Switzer, Polito & Hupp Co., L.P.A., Bret C. Perry,
                and Brian F. Lange, for appellee.


SEAN C. GALLAGHER, P.J.:

                   This appeal is before this court on the accelerated docket pursuant to

App.R. 11.1 and Loc.App.R. 11.1.
                Appellant Irene Rolston appeals the decision of the Shaker Heights

Municipal Court that granted appellee Menorah Park Center for Senior Living’s

motion to dismiss the counterclaim. Upon review, we reverse the trial court’s

decision and remand the matter for further proceedings on the counterclaim.

      Background

                On March 21, 2018, Menorah Park Center for Senior Living

(“Menorah Park”) filed a small claims complaint against Irene Rolston (“Rolston”)

to recover on a debt related to health care services. The statement of claim alleged

that “[Rolston] owes the outstanding balance for therapy services [that] were

provided by Menorah Park when Irene Rolston was at Menorah Park for

rehabilitation at Menorah Park.” Attached to the complaint was an unredacted copy

of account billing statements that included a description of medical services

provided to Rolston; the dates the services were provided; medical procedure codes;

charges, credits, and balances on Rolston’s account; and other information.

                On May 1, 2018, Rolston filed an answer and class-action

counterclaim.     The counterclaim raised a common-law claim for “breach of

confidence” for the unauthorized disclosure to a third party of nonpublic medical

information learned within a physician-patient relationship. Rolston also filed a

motion to transfer the action to the municipal court’s regular docket, which was later

granted by the trial court.

                On May 29, 2018, Menorah Park filed a motion to dismiss the

counterclaim pursuant to Civ.R. 12(B)(6). Menorah Park argued that it could not be
held liable on the counterclaim because the Health Insurance Portability and

Accountability Act of 1996 (“HIPAA”) permits the disclosure of protected health

information for the purpose of obtaining payment of medical bills. Menorah Park

also asserted that it had released account information, as opposed to actual medical

records, in attempting to obtain payment for services rendered. Menorah Park

argued that its actions were “entirely within HIPAA” and that HIPAA does not allow

a private right of action for alleged violations.

               In opposing the motion to dismiss, Rolston reiterated that she was

making a common-law claim, and that she was not raising a claim under HIPAA. In

response to Menorah Park’s argument, Rolston argued that the disclosure was not

protected under HIPAA because, pursuant to 45 C.F.R. 164.502(b), Menorah Park

was required, but failed, to make “reasonable efforts” to limit disclosure of protected

health information to the “minimum necessary” for the purpose of collecting

payment on medical bills. Rolston maintained that all that is required to collect on

a debt is written confirmation of the amount of the debt owed and the name of the

debtor, and she argued that Menorah Park made no effort to redact any information

on her account statements.         Therefore, she claimed the disclosure was not

authorized under HIPAA, and that HIPAA does not preclude her common-law claim

for the unauthorized, unprivileged disclosure of nonpublic medical information that

was recognized by the Supreme Court of Ohio in Biddle v. Warren Gen. Hosp., 86

Ohio St.3d 395, 1999-Ohio-115, 715 N.E.2d 518.
               After additional briefing by the parties, the trial court granted

Menorah Park’s motion to dismiss the counterclaim. The trial court determined that

Rolston’s claim “does not fall under the tort law claim established in [Biddle] and

[Rolston] cannot sue on [HIPAA] grounds.”

               Rolston appealed the trial court’s ruling, which was corrected nunc

pro tunc to include “no just cause for delay” language under Civ.R. 54(B). The

matter is now before us on review.

      Law and Analysis

               Rolston’s sole assignment of error challenges the trial court’s decision

to grant Menorah Park’s motion to dismiss the counterclaim pursuant to Civ.R.

12(B)(6).

               “‘A motion to dismiss for failure to state a claim upon which relief can

be granted is procedural and tests the sufficiency of the complaint.’” State ex rel.

Belle Tire Distribs. v. Indus. Comm. of Ohio, Slip Opinion No. 2018-Ohio-2122, 116

N.E.3d 102, ¶ 17, quoting State ex rel. Hanson v. Guernsey Cty. Bd. of Commrs., 65

Ohio St.3d 545, 548, 1992-Ohio-73, 605 N.E.2d 378. A court may grant a Civ.R.

12(B)(6) motion to dismiss “only when the complaint, when construed in the light

most favorable to the plaintiff and presuming all the factual allegations in the

complaint are true, demonstrates that the plaintiff can prove no set of facts entitling

him to relief.” Id., citing Mitchell v. Lawson Milk Co., 40 Ohio St.3d 190, 192, 532

N.E.2d 753 (1988). A trial court’s decision to grant a Civ.R. 12(B)(6) motion to

dismiss is reviewed de novo. LGR Realty, Inc. v. Frank & London Ins. Agency, 152
Ohio St.3d 517, 2018-Ohio-334, 98 N.E.3d 241, ¶ 10. In a de novo review, we must

independently review the record and afford no deference to the trial court’s decision.

Moncrief v. Bohn, 2014-Ohio-837, 9 N.E.3d 508, ¶ 4 (8th Dist.). Additionally,

interpretations of state or federal law are questions of law that are reviewed de novo.

Nationwide Mut. Fire Ins. Co. v. Guman Bros. Farm, 73 Ohio St.3d 107, 108, 1995-

Ohio-214, 652 N.E.2d 684.

               Rolston argues that her counterclaim asserts a valid claim under

common law and that her claim is not precluded by HIPAA. In support of her

argument, she argues that Ohio law recognizes an independent common-law tort for

the unauthorized, unprivileged disclosure to a third party of nonpublic medical

information. As recognized by the Supreme Court of Ohio in Biddle, 86 Ohio St.3d

at 401, 715 N.E.2d 518, “in Ohio, an independent tort exists for the unauthorized,

unprivileged disclosure to a third party of nonpublic medical information that a

physician or hospital has learned within the physician-patient-relationship.” The

court further recognized that a privilege to disclose otherwise confidential medical

information exists only “in those special situations where disclosure is made in

accordance with a statutory mandate or common-law duty, or where disclosure is

necessary to protect or further a countervailing interest which outweighs the

patient’s interest in confidentiality.”    Id. at 402.     The court reasoned that

“‘[a]lthough public policy favors confidentiality [of medical information], there is a

countervailing public interest to which it must yield in appropriate circumstances.’”
Id. at 402, quoting MacDonald v. Clinger, 84 A.D.2d 482, 487, 446 N.Y.S.2d 801

(1982).

               In moving to dismiss the counterclaim, Menorah Park raised the

contention that the disclosure in this case was permitted under HIPAA, which does

not provide for a private right of action for violations of its provisions. HIPAA

protects the disclosure of health information except in certain specific

circumstances. Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 2008-

Ohio-3343, 893 N.E.2d 153, ¶ 9, citing 45 C.F.R. 164.502. Under HIPAA, “health

information” includes “any information * * * created or received by a health care

provider * * * relat[ing] to * * * the past, present, or future payment for the provision

of health care to an individual.” 42 U.S.C. 1320d(4). HIPAA permits a covered entity

to disclose protected health information for “treatment, payment, or health care

operations[.]” 45 C.F.R. 164.502(a)(1)(ii). However, when using or disclosing

protected health information under HIPAA, a “minimum necessary” standard is

applied pursuant to which covered entities “must make reasonable efforts to limit

protected health information to the minimum necessary to accomplish the intended

purpose of the use, disclosure or request.” 45 C.F.R. 164.502(b).

               In response to Menorah Park’s argument, Rolston contends Menorah

Park’s disclosure was not permitted by HIPAA since Menorah Park attached

unredacted account statements to its complaint and did not make any reasonable

effort to limit the disclosure of her protected health information to the minimum

necessary to collect on the account. In considering the disclosure of the minimum
health information as is necessary in attempting to collect on a debt, the Fourth

Circuit Court of Appeals explained that debt verification requires only a written

confirmation that the debt collector is demanding what the creditor claims is owed,

and that details of the alleged debt are not required. Chaudhry v. Gallerizzo, 174

F.3d 394, 406 (4th Cir.1999). In Zaborac v. Mut. Hosp. Serv., S.D.Ind. No. 1:03-cv-

1199-LJM-WTL, 2004 U.S. Dist. LEXIS 22816, *4-8 (Oct. 7, 2004), the court

recognized that HIPAA allows disclosure of minimum information necessary to

obtain payment for health care services, but that a copy of medical bills or other

detailed evidence is not required for collection on a debt.

               Menorah Park argues that even if it violated HIPAA, HIPAA

nonetheless governs the release of the documentation at issue and is fatal to the

counterclaim. Menorah Park’s position is that Ohio law bars any claim premised on

HIPAA. In support of its argument, Menorah Park cites OhioHealth Corp. v. Ryan,

10th Dist. Franklin No. 10AP-937, 2012-Ohio-60.

              In OhioHealth, the Tenth District Court of Appeals upheld the

dismissal of a counterclaim that alleged OhioHealth had disclosed false protected

health information, specifically that the appellant was uninsured, to a third party.

In rejecting the appellant’s contention that his counterclaim was improperly

dismissed because Ohio law recognizes an independent tort as set forth in Biddle,

the Tenth District found that the disclosure at issue was “not unauthorized” because

the disclosure was permitted under HIPAA for purposes of obtaining payment. Id.

at ¶ 15.   As a result, the court found that there was not an “unauthorized,
unprivileged disclosure” as required to establish a Biddle claim. Id. The court

further determined HIPAA was the governing authority because it was “aware of no

applicable exceptions to preemption, and because HIPAA is applicable” to the

circumstances of the case. Id. at ¶ 17. Recognizing that HIPAA does not provide a

private cause of action for violations of HIPAA, the trial court determined the

counterclaim was properly dismissed. Id. at ¶ 18-21.

               The circumstances of this case are different from those in

OhioHealth. In OhioHealth, the plaintiff attached a redacted account statement to

the complaint, which alleged unpaid medical services. Id. at ¶ 2. The counterclaim

involved an alleged disclosure that appellant was “uninsured,” which was deemed

not to be an “unauthorized, unprivileged disclosure” as required for a Biddle claim,

and was considered a permissible disclosure under HIPAA, which provides no

private right of action. Id. at ¶ 15-21.

               Unlike OhioHealth, in this matter Menorah Park attached unredacted

copies of account statements to the complaint for purposes of obtaining payment.

Rolston asserts that this was an “unauthorized, unprivileged disclosure” as required

to establish a common-law Biddle claim. The fact that Menorah Park attempts to

defeat Rolston’s common-law claim by asserting that it made an “authorized”

disclosure under HIPAA does not change the nature of Rolston’s claim. Contrary to

Menorah Park’s argument, Rolston’s claim is premised on a violation of Ohio law,

not HIPAA.
               The Supreme Court of Ohio has continued to recognize the common-

law tort claim for the unauthorized, unprivileged disclosure to a third party of

nonpublic medical information set forth in Biddle. See Hageman, 119 Ohio St.3d

185, 2008-Ohio-3343, 893 N.E.2d 153, at ¶ 10-13. Sufficient authority exists to

establish this common-law tort is not preempted by HIPAA, and the Supreme Court

of Ohio has never indicated otherwise.

               In Sheldon v. Kettering Health Network, 2015-Ohio-3268, 40 N.E.3d

661 (2d Dist.), the Second District recognized that the absence of a private right of

action under HIPAA does not foreclose an Ohio common-law tort claim based on

the wrongful release of confidential information, which is still viable after HIPAA.

Id. at ¶ 25, discretionary appeal not allowed, 2016-Ohio-467, 2016 Ohio LEXIS

325. The court recognized that although HIPAA supersedes any contrary provision

of state law, it does not preempt the Ohio independent tort recognized in Biddle.

Sheldon at ¶ 23-24. The Sheldon court held as follows:

       We determine that a Biddle claim is not preempted because we fail to
       see how such a claim conflicts with HIPAA unless the alleged claim
       asserts recovery for release of information that HIPAA specifically
       allows. * * * [W]e do not find it impossible to comply with HIPAA and
       with state law to the extent we have indicated, and state law is not an
       obstacle to the accomplishment of HIPAA’s purposes. We believe a
       Biddle claim enhances the protection of confidentiality of medical
       information.

Id. at ¶ 25.

               Under the circumstances in Sheldon, it was determined that the

plaintiffs had alleged common-law claims against a healthcare network for the
actions of an administrator whose actions were not within the scope of employment

such that there could be no vicarious liability. Id. at ¶ 15. Although the court found

a Biddle claim was not preempted by HIPAA, the court found the facts alleged

against the healthcare network did not constitute a “disclosure” for purposes of a

Biddle breach of confidentiality claim. Id. at ¶ 33.1

               Likewise, courts in other states have found that “HIPAA does not

preempt state-law causes of action for the wrongful disclosure of health

information.” R.K. v. St. Mary’s Med. Ctr., Inc., 229 W.Va. 712, 718-720, 735 S.E.2d

715 (2012), citing Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 49-50

(Minn.App.2009) (finding state statute providing private cause of action for

wrongful disclosure of an individual’s medical records is not a contrary state law

preempted by HIPAA); Barber v. Camden Clark Mem. Hosp. Corp., 240 W.Va. 663,

672-673, 815 S.E.2d 474 (2018) (finding a hospital’s compliance with HIPAA when

responding to a subpoena for patient records did not preclude an action based on

the wrongful disclosure of confidential information). The R.K. decision noted a

number of other cases, including Biddle, that have allowed common-law claims

alleging wrongful disclosure of medical information to go forward in state court.

R.K. at 720, citing Baum v. Keystone Mercy Health Plan, 826 F.Supp.2d 718


      1  In Sheldon, the court also found “that federal regulations * * * cannot be used as
a basis for negligence per se under Ohio law” and also that “utilization of HIPAA as an
ordinary negligence ‘standard of care’ is tantamount to authorizing a prohibited private
right of action for violation of HIPAA itself[.]” Id. at ¶ 24. Nonetheless, whether the
disclosure of health information is protected under HIPAA, such that it is authorized, may
be relevant to the determination of a Biddle claim as was the case in OhioHealth, 10th
Dist. Franklin No. 10AP-937, 2012-Ohio-60, at ¶ 15.
(E.D.Pa.2011) (remanding to state court a case asserting claims including negligence

and negligence per se based upon improper handling of personal health

information, and commenting “[i]n spite of the fact that the personal data at the

heart of this case is protected by HIPAA, this is a fairly straightforward state-law tort

case”); Doe v. Southwest Community Health Ctr., Conn. Super.Ct. No.

FSTCV085008345S, 2010 Conn. Super. LEXIS 2167 (Aug. 25, 2010) (denying

summary judgment on negligence claim alleging failure to safeguard adequately the

confidentiality of the plaintiff's protected health care information pursuant to duty

imposed by common law and by HIPAA); Biddle, 86 Ohio St.3d at 401, 1999-Ohio-

115, 715 N.E.2d 518 (holding that, “in Ohio, an independent tort exists for the

unauthorized, unprivileged disclosure to a third party of non-public medical

information that a physician or hospital has learned within a physician-patient

relationship”). See also Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314

Conn. 433, 102 A.3d 32 (2014) (holding that HIPAA did not preempt state common-

law claims where the plaintiff sued the defendant health care provider for allegedly

breaching the confidentiality of her medical records in responding to a subpoena).

               As concluded in R.K.,

      [W]e conclude that state common-law claims for the wrongful
      disclosure of medical or personal health information are not
      inconsistent with HIPAA. Rather, as observed by the court in Yath,
      such state-law claims compliment HIPAA by enhancing the penalties
      for its violation and thereby encouraging HIPAA compliance.
      Accordingly, we now hold that common-law tort claims based upon the
      wrongful disclosure of medical or personal health information are not
      preempted by the Health Insurance Portability and Accountability Act
      of 1996.
R.K. at 721.

               At the motion to dismiss stage, we look to whether the complaint

states a claim upon which relief can be granted. Upon our review, we find Rolston’s

common-law tort claim for the unauthorized, unprivileged disclosure to a third

party of nonpublic medical information is not preempted by HIPAA. Construing the

allegations in Rolston’s favor, the complaint permits the inference that a Biddle

claim is properly presented.2 Accordingly, we sustain Rolston’s assignment of error.

               Judgment reversed; case remanded.

      It is ordered that appellant recover from appellee costs herein taxed.

      The court finds there were reasonable grounds for this appeal.

      It is ordered that a special mandate be sent to said court to carry this judgment

into execution.

      A certified copy of this entry shall constitute the mandate pursuant to Rule 27

of the Rules of Appellate Procedure.



SEAN C. GALLAGHER, PRESIDING JUDGE

ANITA LASTER MAYS, J., and
EILEEN A. GALLAGHER, J., CONCUR




      2 Although we have found Rolston’s counterclaim sufficient to withstand a Civ.R.
12(B)(6) motion to dismiss, we make no determination as to whether she will prevail upon
remand.
