                    FOR PUBLICATION
  UNITED STATES COURT OF APPEALS
       FOR THE NINTH CIRCUIT

KIRK WEBB, individually and as
class representative; MANN &
COOK, a legal partnership, for
itself and as class representative,
                Plaintiffs-Appellants,
                  v.
SMART DOCUMENT SOLUTIONS, LLC,
                Defendant-Appellee.

No. 05-56282
D.C. No. CV-05-03373-R
OPINION
                                           
         Appeal from the United States District Court
            for the Central District of California
          Manuel L. Real, District Judge, Presiding

                   Argued and Submitted
             May 10, 2007—Pasadena, California

                      Filed August 27, 2007

      Before: Andrew J. Kleinfeld and Richard A. Paez,
      Circuit Judges, and William Hart,* Senior Judge.

                     Opinion by Judge Paez




   *The Honorable William Hart, Senior United States District Judge for
the Northern District of Illinois, sitting by designation.

              WEBB v. SMART DOCUMENT SOLUTIONS             10549


                          COUNSEL

Barrett S. Litt and Paul J. Estuar, Litt, Estuar, Harrison, Miller
& Kitson, LLP, Los Angeles, California, for the plaintiffs-
appellants.
Martin D. Bern, Munger, Tolles & Olson, LLP, San Fran-
cisco, California, for the defendant-appellee.


                         OPINION

PAEZ, Circuit Judge:

   The regulations promulgated by the Department of Health
and Human Services (“DHHS”) to implement the Health
Insurance Portability and Accountability Act of 1996
(“HIPAA”), Pub. L. 104-191, 110 Stat. 1936 (codified as
amended in scattered sections of 42 U.S.C.), provide for an
individual’s broad access to his own health records. Under
HIPAA, an individual has the right to obtain copies of his
medical records for a reasonable, cost-based fee, while third
parties who seek the same records may be charged at a higher
rate. See 45 C.F.R. § 164.524(c)(4). In this case, Kirk Webb’s
lawyers—the law firm of Mann & Cook—requested Webb’s
records on his behalf from his treating hospital. That hospital
in turn passed the request on to Smart Document Systems
(“Smart”), which charged Mann & Cook at the higher rate.
Because Mann & Cook bills their clients for the cost of
obtaining medical records, Webb and Mann & Cook (collec-
tively, “Plaintiffs”) sued Smart for unfair competition under
California Business and Professions Code section 17200
(“Section 17200”), asserting that the lower, cost-based fee
should apply.

   In a matter of first impression for the federal courts, we
must determine whether the term “individual” in the DHHS
regulations implementing HIPAA encompassed Mann &
Cook when it acted as Webb’s agent, thereby qualifying the
law firm to obtain medical records at the lower rate. Although
nothing in the regulations prevents a law firm from drafting
or mailing the request for records on behalf of its clients, or
from directing that the records be sent to its office, we hold
nonetheless that the HIPAA regulations require the reduced
rate only when the individual himself requests the records.1
Thus, we affirm the district court’s dismissal of Plaintiffs’
case for failure to state a claim for relief.

   Before turning to the merits of Plaintiffs’ claims, we also
consider sua sponte whether the district court had jurisdiction
over this case. Because HIPAA provides for no private right
of action, Plaintiffs originally filed this case in the California
Superior Court, invoking a California unfair competition stat-
ute to seek redress of the alleged HIPAA violations. Defen-
dant removed the case to federal court. Although under
certain circumstances concerns about federal question juris-
diction will preclude federal courts from hearing a case where
there is no federal private right of action, we conclude that the
district court correctly assumed diversity jurisdiction here.

                                  I.

                             OVERVIEW

   Webb and Mann & Cook filed a class action in California
Superior Court. According to the allegations in their com-
plaint, which we “presume[ ] to be true” when reviewing a
district court’s dismissal pursuant to Federal Rule of Civil
Procedure 12(b)(6), Holcombe v. Hosmer, 477 F.3d 1094,
1097 (9th Cir. 2007), the following facts formed the basis of
the lawsuit:

   Smart is the “world’s largest health document processor.”
It contracts with numerous health care providers and facilities
for the “exclusive” right to copy and provide patients’
records. When a provider contracts with Smart, patients have
“no other means to obtain copies of [their] medical records
except through Smart”; Smart “does not notify the patient that
it will be accessing and viewing the patient’s health care
  1 We have jurisdiction pursuant to 28 U.S.C. § 1291.
records in advance,” nor does it “obtain the patient’s consent
to do so.” Upon receiving a request, “Smart then accesses and
copies the patient’s health care records through an agent who
maintains copying equipment on the health care provider’s
premises, sends the health care records to the patient or repre-
sentative, and sends a bill for the copies of the health care
records to the patient or his agent.”

   In exchange for this exclusive right, “Smart provides free
copies and other benefits and services of value to health care
providers.” Smart makes a profit in spite of the HIPAA provi-
sion allowing patients to obtain their records at a cost-based
fee in part by “charg[ing] more for providing copies of health
care records to patients who request their records through
their agents, such as their personal injury lawyers, than to
patients who are not represented by attorneys.”

   Plaintiffs encountered Smart when Webb hired Mann &
Cook to represent him in his civil rights claim for excessive
force and, in furtherance of that litigation, Mann & Cook
ordered copies of Webb’s medical records. For that service,
Smart charged Mann & Cook $.35 cents per page, in addition
to more than $65 in various additional fees, including a “Base
Fee,” a “Basic Fee,” and a “Retrieval Fee.” Mann & Cook
have a contingent fee arrangement with Webb, so it “ad-
vanced the cost of the health care records for its client to
Smart, and charged him with repayment of the advance to be
paid at the time of the resolution of the case.” Because Webb
is thus ultimately responsible for Smart’s charges, the Plain-
tiffs alleged that Smart violated the HIPAA fee limitations by
charging him—through his agent, Mann & Cook—more than
a reasonable, cost-based fee.

   HIPAA itself provides no private right of action. Accord-
ingly, Plaintiffs brought suit in state court invoking a Califor-
nia unfair competition law that makes violations of other state
and federal laws independently actionable. See Cal. Bus. &
Prof. Code §§ 17200-210 (West 2005). Smart removed the
case to federal court on the basis of diversity of citizenship in
class actions, see 28 U.S.C. §§ 1332(d), 1453,2 and filed a
motion to dismiss for failure to state a claim, see Fed. R. Civ.
P. 12(b)(6). It argued that Plaintiffs had not stated a claim
under Section 17200 because they had not adequately alleged
a violation of any law. Specifically, Smart argued that Plain-
tiffs’ allegations did not constitute a HIPAA violation because
the HIPAA fee limitations apply only to individual patients
who request records on their own behalf, and not to attorneys
who act as agents of their clients. The district court granted
Smart’s motion. Plaintiffs timely appealed.

                                     II.

                         STANDARD OF REVIEW

   We review de novo dismissals under Rule 12(b)(6), taking
all allegations in the complaint as true. Holcombe, 477 F.3d
at 1097.

                                    III.

                               DISCUSSION

A.    Jurisdiction Over the Section 17200 Claim

  This case presents an unusual situation. Generally, when
we consider state law claims asserted in federal court after a
  2 Under the Class Action Fairness Act of 2005, Pub. L. 109-2, 119 Stat.
4 (2005), except in certain circumstances not present here, “[a] class
action may be removed to a district court of the United States . . . without
regard to whether any defendant is a citizen of the State in which the
action is brought.” 28 U.S.C. § 1453(b); see also id. § 1332(d)(2) (“The
district courts shall have original jurisdiction of any civil action in which
the matter in controversy exceeds the sum or value of $5,000,000, exclu-
sive of interest and costs, and is a class action in which—[, inter alia,] (A)
any member of a class of plaintiffs is a citizen of a State different from
any defendant.”).
diversity-based removal, we apply state substantive law, pur-
suant to Erie Railroad Co. v. Tompkins, 304 U.S. 64 (1938).
See, e.g., Kohlrautz v. Oilmen Participation Corp., 441 F.3d
827, 830-31 (9th Cir. 2006); Conestoga Servs. Corp. v. Exec-
utive Risk Indem., Inc., 312 F.3d 976, 980-81 (9th Cir. 2002).
Here, by contrast, the focus of our attention is directed at the
proper interpretation of the regulations implementing a fed-
eral statute—HIPAA. This seems particularly incongruous
because HIPAA itself does not provide for a private right of
action, see 65 Fed. Reg. 82601 (Dec. 28, 2000) (“Under
HIPAA, individuals do not have a right to court action.”), so
the federal courts would seldom have occasion to undertake
such an analysis.

   In fact, however, it is California law that directs, in this
class action diversity case, that we examine federal law.
Plaintiffs’ California cause of action, Section 17200, is a
broad statute designed to remedy violations of other laws,
both state and federal. See People ex rel. Bill Lockyer v. Fre-
mont Life Ins. Co., 128 Cal. Rptr. 2d 463, 469 (Cal. Ct. App.
2002) (“[V]irtually any state, federal, or local law can serve
as the predicate for” a Section 17200 claim) (emphasis
added). Section 17200 “establishes [and creates a private right
of action to remedy] three varieties of unfair competition”: the
unlawful, the unfair, and the fraudulent. Id. (internal quotation
marks omitted). Plaintiffs’ claim is “based on” the allegedly
unlawful and unfair conduct of Smart in violating HIPAA.
Charging higher fees to lawyers thus must violate a law—
here, the HIPAA regulations—in order for Plaintiffs to state
a claim for relief under Section 17200’s “unlawful” prong.3
  3 Plaintiffs’ complaint also referenced a claim under the California common
law of unfair competition. Plaintiffs have not pursued that claim in
this appeal, so we consider it waived. See United States v. Gomez-Mendez,
486 F.3d 599, 606 n.10 (9th Cir. 2007) (“We will not ordinarily consider
matters on appeal that are not specifically and distinctly raised and argued
in an appellant’s opening brief.” (internal quotation marks omitted)).
    Similarly, if we determine that the agency responsible for
implementing HIPAA intended to permit Smart’s conduct, it
cannot be “unfair” under Section 17200. The California
Supreme Court has held that if the allegedly unfair conduct is
that which “the Legislature has permitted . . . or considered
. . . and concluded no action should lie, courts may not over-
ride that determination . . . [and] use the general unfair com-
petition law to assault that [safe] harbor.” Cel-Tech
Commc’ns, Inc. v. Los Angeles Cellular Tel. Co., 973 P.2d
527, 541 (Cal. 1999). To withstand a motion to dismiss under
Rule 12(b)(6) and state a claim under Section 17200, there-
fore, Plaintiffs must demonstrate that, in charging Mann &
Cook a higher fee, Smart violated the HIPAA regulations.4

   [1] In some cases, federal jurisdictional requirements may
preclude federal courts from entertaining a state law claim
based on a violation of a federal statute.5 “[A] complaint
alleging a violation of a federal statute as an element of a state
cause of action, when Congress has determined that there
should be no private, federal cause of action for the violation,
does not state a claim ‘arising under the Constitution, laws, or
treaties of the United States.’ ” Merrell Dow Pharm. v.
  4 Plaintiffs also alleged a claim for relief under California Civil Code
section 52.1 (providing a cause of action for “interfere[nce] . . . by threats,
intimidation, or coercion, . . . with the exercise or enjoyment . . . of rights
secured by” state or federal statutes or constitutions). There is some ques-
tion whether section 52.1 covers violations of federal regulations at all,
even if a violation were adequately stated. Cf. Venegas v. County of Los
Angeles, 87 P.3d 1, 14 (Cal. 2004) (“Civil Code section 52.1 does not
extend to all ordinary tort actions because its provisions are limited to
threats, intimidation, or coercion that interferes with a constitutional or
statutory right.” (emphasis added)). Because we determine that the
HIPAA regulations do not limit the fees that Smart may charge to attor-
neys, however, we need not reach that question.
  5 Neither party challenges federal court jurisdiction over this removed
case. See 28 U.S.C. § 1332(d) (authorizing diversity jurisdiction over class
actions); id. § 1453 (authorizing removal of class actions). Because of the
unusual procedural posture of this case, however, we discuss this issue to
ensure that we in fact have subject matter jurisdiction.
Thompson, 478 U.S. 804, 817 (1986) (quoting 28 U.S.C.
§ 1331); see also Utley v. Varian Assoc., Inc., 811 F.2d 1279,
1282-83 (9th Cir. 1987). Therefore, where there is no federal
private right of action, federal courts may not entertain a
claim that depends on the presence of federal question juris-
diction under 28 U.S.C. § 1331.

   [2] This jurisdictional concern is not present here. Had
Smart removed this case to federal court on the basis of fed-
eral question jurisdiction under § 1331, the lack of a private
right of action to enforce HIPAA may have foreclosed Plain-
tiffs’ Section 17200 claim. However, Smart invoked diversity
jurisdiction pursuant to 28 U.S.C. § 1332(d) to justify the
removal. See 28 U.S.C. § 1453; cf. Lockyer v. Dynegy, Inc.,
375 F.3d 831, 841-42 (9th Cir. 2004) (holding that removal
was appropriate, and that the Merrell Dow/Utley rule did not
apply where jurisdiction was not “predicated solely on 28
U.S.C. § 1331”); Ethridge v. Harbor House Restaurant, 861
F.2d 1389, 1393-94 & n.4 (9th Cir. 1988) (noting that the
Merrell Dow/Utley rule does not apply to cases removed on
the basis of diversity jurisdiction). Having satisfied ourselves
that we have jurisdiction, therefore, in accordance with Cali-
fornia substantive law, we must analyze the federal regula-
tions that will decide whether Plaintiffs have stated a claim
for relief.

B.   HIPAA Statutory and Regulatory Framework

   [3] HIPAA aims “to improve the . . . efficiency and effec-
tiveness of the health information system through the estab-
lishment of standards and requirements for the electronic
transmission of certain health information.” HIPAA § 261,
Pub. L. 104-191, 110 Stat. 1936 (codified at 42 U.S.C.
§ 1320d notes). As the Fourth Circuit has noted, Congress
intended through this legislation to “recogniz[e] the impor-
tance of protecting the privacy of health information in the
midst of the rapid evolution of health information systems.”
S.C. Med. Ass’n v. Thompson, 327 F.3d 346, 348 (4th Cir.
2003). HIPAA, therefore, emphasizes privacy, efficiency, and
modernization. The statute itself, however, does not specify
either how to protect privacy or to transmit health records
efficiently and effectively. Instead, it authorizes the Secretary
of Health and Human Services to “adopt standards” that will
“enable health information to be exchanged electronically, . . .
consistent with the goals of improving the operation of the
health care system and reducing administrative costs,” and
that will “ensure the integrity and confidentiality of [individu-
als’ health] information [and protect against] . . . unauthorized
uses or disclosures of the information.” See 42 U.S.C.
§ 1320d-2. Some of the regulations containing those standards
are the focus of our inquiry. See 45 C.F.R. §§ 160.103,
160.202, 164.502, 164.508, 164.524.

   [4] In implementing this Congressional directive, DHHS
has determined that, except in limited circumstances, “an indi-
vidual has a right of access to inspect and obtain a copy of
protected health information about the individual in a desig-
nated record set, for as long as the protected health informa-
tion is maintained in the designated record set.” 45 C.F.R.
§ 164.524(a)(1) (emphasis added). Upon an “individual[’s]
request[ ]” to inspect or obtain his records,

    the covered entity may impose a reasonable, cost-
    based fee, provided that the fee includes only the
    cost of:

    (i) Copying, including the cost of supplies for and
    labor of copying, the protected health information
    requested by the individual;

    (ii) Postage, when the individual has requested the
    copy, or the summary or explanation, be mailed; and

    (iii) Preparing an explanation or summary of the
    protected health information, if agreed to by the indi-
    vidual as required by [the regulation].
Id. § 164.524(c)(4) (emphasis added). The question raised by
this case is whether designated agents, such as personal attor-
neys, can count as the “individual” in order to obtain the rea-
sonable, cost-based fee.

   [5] “As a general interpretive principle, the plain meaning
of a regulation governs.” Safe Air for Everyone v. U.S. Envtl.
Prot. Agency, 488 F.3d 1088, 1097 (9th Cir. 2007) (internal
quotation marks omitted). DHHS defined “individual” as “the
person who is the subject of the protected health information.”
45 C.F.R. § 160.103. On their face then, the regulations
restrict the fee limitations to requests made by the individual
and concretely define “individual” in a way that excludes oth-
ers acting on that individual’s behalf. Plain meaning thus
favors Smart.

   The canon of statutory construction expressio unius est
exclusio alterius, which “creates a presumption that when a
statute designates certain persons, things, or manners of oper-
ation, all omissions should be understood as exclusions,” Sil-
vers v. Sony Pictures Entm’t, Inc., 402 F.3d 881, 885 (9th Cir.
2005) (en banc) (internal quotation marks omitted), further
supports Smart’s argument. DHHS has provided for one situa-
tion in which other persons may be “treat[ed] . . . as the
individual”—when a “personal representative” is authorized
to make healthcare-related decisions for an individual:

    As specified in this paragraph, a covered entity must,
    except [in limited circumstances], treat a personal
    representative as the individual for purposes of this
    subchapter. . . . If under applicable law a person has
    authority to act on behalf of an individual who is an
    adult or an emancipated minor in making decisions
    related to health care, a covered entity must treat
    such person as a personal representative under this
    subchapter, with respect to protected health informa-
    tion relevant to personal representation.
45 C.F.R. § 164.502(g). Application of this canon suggests
that because DHHS explicitly defined “individual” to encom-
pass “personal representatives,” it was fully capable of writ-
ing in an even broader definition of the term. That it did not
underscores the conclusion that “individual” should be
afforded its plain meaning, and that we should therefore reject
Mann & Cook’s claim to the lower rate.

   Notwithstanding that plain meaning, Plaintiffs urge us to
read the term “individual” to include authorized attorneys
because such an interpretation would be more consistent with
the purpose of HIPAA. Plain meaning is not the end of the
inquiry. “The plain language of a regulation . . . will not con-
trol if clearly expressed administrative intent is to the contrary
or if such plain meaning would lead to absurd results.” Safe
Air, 488 F.3d at 1097 (internal quotation marks and alter-
ations omitted). We invoke this exception to the plain mean-
ing canon, however, only when “some indication of the
regulatory intent that overcomes plain language . . . [is] refer-
enced in the published notices that accompanied the rulemak-
ing process.” Id. at 1098. Without this safeguard, “interested
parties would not have the [requisite] meaningful opportunity
to comment on proposed regulations.” Id.

   We are not persuaded that regulatory intent overcomes
plain meaning in this case. Plaintiffs have not directed us to
any part of the original notice of proposed rulemaking
(“proposed rules”),6 the commentary accompanying the final
rules (“final commentary”),7 or the subsequent published clar-
ifications accompanying the publication of other rules
(“subsequent clarification”)8 that suggests that “individual”
means anything other than “the person who is the subject of
the protected health information,” and, when applicable, that
person’s personal representative.
  6 See 64 Fed. Reg. 59918-60065 (Nov. 3, 1999).
  7 See 65 Fed. Reg. 82462-82829 (Dec. 28, 2000).
  8 See 67 Fed. Reg. 53254 (Aug. 15, 2002).
   [6] On the contrary, a review of relevant regulatory history
makes clear that DHHS did not intend for private attorneys to
receive the reduced fees. Most notably, in the proposed rules,
DHHS explicitly considered adopting a broader definition of
“individual” that would have included legal representatives,
but in the final rule ultimately decided against it. As explained
in the final commentary, DHHS had previously

    proposed that the term [individual] include, with
    respect to the signing of authorizations and other
    rights (such as access, copying, and correction), the
    following types of legal representatives: . . . With
    respect to adults and emancipated minors, legal rep-
    resentatives (such as court-appointed guardians or
    persons with a power of attorney), to the extent to
    which applicable law permits such legal representa-
    tives to exercise the person’s rights in such contexts.

65 Fed. Reg. 82492. However, “[i]n the final rule, [DHHS]
eliminate[d] from the definition of ‘individual’ the provisions
designating a legal representative as the ‘individual.’ ” Id. The
agency chose “[i]nstead” to “include in the final rule a sepa-
rate standard for ‘personal representatives.’ ” Id. Further, in
2002, in response to a public comment asking whether the fee
limitations applied to “payers, attorneys, or entities that have
the individual’s authorization,” DHHS’s subsequent clarifica-
tion explained that “the Rule . . . limits only the fees that may
be charged to individuals or to their personal representatives.”
67 Fed. Reg. 53254 (emphasis added). The final commentary
and subsequent clarification extinguish any doubt that the
“personal representative” category constitutes the only class
of persons that may be treated as the “individual” other than
the individuals themselves. See Barnhart v. Peabody Coal
Co., 537 U.S. 149, 168 (2003) (holding that where “it is fair
to suppose that [the drafters] considered the unnamed possi-
bility and meant to say no to it,” courts should “read the enu-
meration of one case to exclude another”).
   Because of this regulatory history, even if we believed the
meaning of “individual” was ambiguous on its face, we would
be compelled to agree with Smart. An “agency’s interpreta-
tion [of a regulation] must be given controlling weight unless
it is plainly erroneous or inconsistent with the regulation.”
Thomas Jefferson Univ. v. Shalala, 512 U.S. 504, 512 (1994)
(internal quotation marks omitted). Plaintiffs argue with some
force that the regulations implementing HIPAA are designed
in general to allow individuals access to their own records at
a limited cost, see 45 C.F.R. § 164.524, and that interpreting
“individual” in a way that denies the reduced rate to autho-
rized agents decreases accessibility to critical personal infor-
mation. However, because privacy and efficiency of
processing are also important statutory and regulatory goals,
we cannot say that DHHS’s interpretation—which allows for
the imposition of higher costs on anyone other than the indi-
vidual or personal representative, and provides for the devel-
opment of an efficient document copying system in part by
allowing document companies to make a profit—is “plainly
erroneous or inconsistent” with those aims.

   Plaintiffs also urge that neither the final commentary nor
the subsequent clarification, which appear to foreclose Plain-
tiffs’ argument, is directly on point. They argue that the “legal
representatives” and “attorneys” to which the regulatory
materials refer do not necessarily include “attorneys at law for
individuals”; the final commentary and subsequent clarifica-
tion, according to Plaintiffs, address only “true third party sit-
uations [such as attorneys for insurers], not situations where
a ‘legal representative’ is acting ‘to exercise the person’s
rights’ in a ‘context’ where the ‘applicable law permits’ them
to so act.” This argument is not convincing. The DHHS final
commentary and subsequent clarification clearly preclude
both third party attorneys and private legal representatives
from obtaining the reduced fees. First, as discussed, the
agency considered, but decided against defining “individual”
to include legal representatives, instead creating the narrower
category of “personal representatives.” Second, DHHS stated
explicitly that “[t]he fee limitations . . . do not apply to disclo-
sures that are based on an individual’s authorization that is
valid under [45 C.F.R.] § 164.508.” 67 Fed. Reg. 53254.9 The
  9 A valid authorization under HIPAA is defined as follows:
      Implementation specifications: Core elements and requirements.—
      (1) Core elements. A valid authorization under this section
      must contain at least the following elements:
      (i) A description of the information to be used or disclosed that
      identifies the information in a specific and meaningful fashion.
      (ii) The name or other specific identification of the person(s),
      or class of persons, authorized to make the requested use or dis-
      closure.
      (iii) The name or other specific identification of the person(s),
      or class of persons, to whom the covered entity may make the
      requested use or disclosure.
      (iv) A description of each purpose of the requested use or dis-
      closure. . . .
      (v) An expiration date or an expiration event that relates to the
      individual or the purpose of the use or disclosure. . . .
      (vi) Signature of the individual and date. If the authorization is
      signed by a personal representative of the individual, a descrip-
      tion of such representative’s authority to act for the individual
      must also be provided.
      (2) Required statements. In addition to the core elements, the
      authorization must contain statements adequate to place the indi-
      vidual on notice of all the following:
      (i) The individual’s right to revoke the authorization in writing,
      and . . . :
      (A) The exceptions to the right to revoke and a description of
      how the individual may revoke the authorization;
      ****
      (ii) The ability or inability to condition treatment, payment,
      enrollment or eligibility for benefits on the authorization,
      ****
law firm of Mann & Cook, of course, must act pursuant to
Webb’s authorization.10 Therefore, DHHS has explicitly ruled
out Plaintiffs’ proposed interpretation.

C.    Plaintiffs’ Agency Argument

   [7] Plaintiffs’ case ultimately distills down to their argu-
ment that because Mann & Cook acts as Webb’s agent, for
HIPAA purposes the lawyer who makes the request is the
individual, and thus should be charged the reduced fees for
the medical records. They rely on California agency law,
which provides that “an attorney, appearing and acting for a
party to a cause, has authority to do so, and to do all other acts
necessary or incidental to the proper conduct of the case.”

     (3) Plain language requirement. The authorization must be writ-
     ten in plain language.
     (4) Copy to the individual. If a covered entity seeks an authori-
     zation from an individual for use or disclosure of protected health
     information, the covered entity must provide the individual with
     a copy of the signed authorization.
45 C.F.R. § 164.508(c).
  10 To the extent that Plaintiffs suggest that, as an agent of Webb, Mann
& Cook acts as Webb and thus does not need a valid HIPAA authoriza-
tion, their argument lacks merit. Although § 164.508 is a general provision
requiring authorization, nothing in that section exempts private attorneys.
Moreover, the final commentary explicitly states that “[i]f the attorney [of
an individual] is not the personal representative under the rule, or if the
attorney wants a copy of more protected health information than that
which is relevant to his personal representation, the individual would have
to authorize such disclosure” of records. 65 Fed. Reg. 82651. Given
HIPAA’s concerns with the privacy of medical information, such a spe-
cific authorization requirement makes sense. Indeed, as the final commen-
tary makes clear, even personal representatives do not get carte blanche to
request medical records without specific authorization, but instead may
request only records relevant to that representation. There is therefore no
reason to think that a general attorney/client retainer form would be suffi-
cient, without specific authorization, to allow disclosure of medical
records.
Clark Equip. Co. v. Wheat, 154 Cal. Rptr. 874, 884 (Cal. Ct.
App. 1979). They cite California state law because the
HIPAA savings clause provides that its “regulation[s] . . .
shall not supercede a contrary provision of State law, if the
provision of State law imposes requirements, standards, or
implementation specifications that are more stringent” than
HIPAA’s. 42 U.S.C. § 1320d-2 note. “More stringent” laws
are defined, inter alia, as those that “permit[ ] greater rights
of access” for the “individual, who is the subject of the indi-
vidually identifiable health information.” 45 C.F.R.
§ 160.202. Plaintiffs argue that California agency law pro-
vides the individual with greater rights of access by allowing
attorney-agents to obtain the records at the limited cost, and
therefore trumps the HIPAA regulations to the extent they
require a contrary interpretation.

   [8] In fact, however, California law does not support Plain-
tiffs’ claim. In the only case—federal or state—to address
directly a claim based on the HIPAA fee limitation at issue in
this case, the California Court of Appeal analyzed the same
agency argument, advanced by the same law firm—Mann &
Cook—on behalf of a different client, and rejected it:

    We agree that the lawyer is the client’s agent, but we
    do not think that, for the purposes of protecting the
    privacy of medical records, a lawyer’s request is the
    same as the client’s personal request for his or her
    own medical records. The problem that appellant’s
    argument sidesteps is that a request by anyone other
    than the individual or his/her personal representative
    as defined in the regulations raises serious privacy
    concerns. DHHS considered but rejected giving law-
    yers the same status as personal representatives. This
    court is not empowered to redraft federal regulations,
    especially when the regulations do not impinge on
    fundamental rights. . . . [A]ll appellant has to do is
    to request a copy of his own records. We do not
    perceive that there is any “right” to have one’s
    lawyer ask for one’s records.

Bugarin v. Chartone, 38 Cal. Rptr. 3d 505, 510 (Cal. Ct. App.
2006). We must defer to the California court’s interpretation
of its own agency law as not granting the rights Plaintiffs assert.11
See Mullaney v. Wilbur, 421 U.S. 684, 691 (1975) (“[S]tate
courts are the ultimate expositors of state law, and we are
bound by their constructions except in extreme circum-
stances.” (citations omitted)). State law does not, therefore,
trump HIPAA in this case. Accordingly, because Plaintiffs
have not sufficiently alleged a HIPAA violation, they have
  11
     Some non-California state cases suggest that, in certain contexts,
attorney-agents may qualify as individuals for the purpose of requesting
medical records at a reduced, cost-based fee. However, none of these cases
involve HIPAA or, for that matter, any statute with comparable text or
commentary suggesting that the drafters intended to exclude private attor-
neys from benefitting from the fee limitations. Cf. Ford v. Chartone, Inc.,
908 A.2d 72, 92 (D.C. Ct. App. 2006) (relying on agency law to certify
a class of lawyers seeking to obtain client medical records at reduced fees
based on a state consumer protection statute, but not challenging Defen-
dant Chartone’s interpretation of the HIPAA regulation “as not imposing
its fee caps on transactions with attorney requestors”); Cruz v. All Saints
Healthcare Sys., Inc., 625 N.W. 2d 344 (Wis. Ct. App. 2001) (certifying
class of lawyers seeking to obtain client medical records at reduced fees
where state statutory fee limitations explicitly applied to authorized repre-
sentatives); Mermer v. Med. Correspondence Servs., 686 N.E. 2d 296
(Ohio Ct. App. 1996) (relying on agency law to hold that attorney’s
request counted as client’s, but not noting any contrary legislative intent
in the relevant state statute). Moreover, other state cases have come to the
opposite conclusion, so even apart from HIPAA, the issue is far from set-
tled. See Street v. Smart Corp., 578 S.E. 2d 695 (N.C. Ct. App. 2003)
(holding that attorneys who had obtained medical records for clients had
no standing to sue document reproduction companies); Slobin v. Henry
Ford Health Care, 666 N.W. 2d 632, 634 (Mich. 2003) (holding that an
attorney’s request for client’s medical records was not subject to the fee
limitations because, inter alia, the state consumer protection statute “ap-
plies only to purchases by consumers”).
not stated a claim under Section 17200, and dismissal under
Rule 12(b)(6) was appropriate.12

   Our holding, however, in no way precludes attorneys from
assisting their clients in accessing and obtaining their medical
records without triggering the hefty fees. Although the plain
meaning of “individual,” as well as the DHHS final commen-
tary and subsequent clarification evidence a clear intent to
exclude attorney requests from the reduced fees, this intent
does create at least some conflict with DHHS’s statement that
“[t]he fee limitation . . . is intended to assure that the right of
access . . . is available to all individuals, and not just to those
who can afford to do so.” 67 Fed. Reg. 53254. As the Califor-
nia Court of Appeal noted,

     lawyers routinely request copies of their clients’
     medical records. The effect of such requests by law-
     yers is to increase the cost to the client, even though
     the intent of the legislation, and the regulations, is to
     minimize the cost of copying, at least when an “indi-
     vidual” requests his or her own records.

Bugarin, 38 Cal. Rptr. 3d at 509. It is possible to reconcile
this seeming conflict; privacy concerns increase when anyone
other than the individual requests medical records, and
because privacy is a primary HIPAA goal, it makes sense to
make it more difficult for third parties to obtain records, even
   12
      California’s statutory equivalent to the regulatory provision allowing
reduced fees under HIPAA also appears on its face to be inapplicable to
requests like Mann & Cook’s: The state statutory fee limitations apply to
the requests of a “patient” or “patient’s representative.” Cal. Health &
Safety Code § 123110(b). The definition of “patient’s representative” does
not include private attorneys unless they are guardians or agents empow-
ered to make healthcare decisions. Id. § 123105(e). It is possible that legis-
lative intent, or the policy and practices of the agency implementing this
statute might lead to a different conclusion. However, as neither party has
raised the significance of this state statute or its interpretation, we decline
to address it further.
with authorization. Still, it is “circuitous,” if not downright
silly, to require an individual “to request his own medical
records . . . and having received them, hand them to his law-
yer.” Id. at 510.

   We therefore echo the concurrence in Bugarin by empha-
sizing that in affirming the district court’s judgment, we only

       uphold[ ] the ability of copying services to charge
       higher rates when the attorney makes the request on
       behalf of his or her client than when the patient/
       client makes the request directly. . . . [We do] not
       address such presumably common scenarios in
       which the client signs the request and asks the docu-
       ments to be sent to the attorney, or the attorney pre-
       pares the documents on his or her letterhead and the
       client personally signs the request.

Id. at 511 (Rubin, J., concurring). In the end, then, we may
not be “free to deviate from the text” of the HIPAA regula-
tions, id. at 509, but we may nonetheless recognize that there
is ample room for attorneys to provide important services for
their clients.13

  AFFIRMED.




  13
   In light of our disposition we need not reach the issue of whether
Smart is subject to HIPAA’s cost-based fee regulation in the first place.
