[Until this opinion appears in the Ohio Official Reports advance sheets, it may be cited as
Menorah Park Ctr. for Senior Living v. Rolston, Slip Opinion No. 2020-Ohio-6658.]
NOTICE
This slip opinion is subject to formal revision before it is published in an
advance sheet of the Ohio Official Reports. Readers are requested to
promptly notify the Reporter of Decisions, Supreme Court of Ohio, 65
South Front Street, Columbus, Ohio 43215, of any typographical or other
formal errors in the opinion, in order that corrections may be made before
the opinion is published.
SLIP OPINION NO. 2020-OHIO-6658
MENORAH PARK CENTER FOR SENIOR LIVING, APPELLANT, v. ROLSTON,
APPELLEE.
[Until this opinion appears in the Ohio Official Reports advance sheets, it
may be cited as Menorah Park Ctr. for Senior Living v. Rolston, Slip Opinion
No. 2020-Ohio-6658.]
Torts—Medical providers—Disclosure of patients’ confidential health
information—Health Insurance Portability and Accountability Act of 1996
(“HIPAA”) and HIPAA Privacy Rule—HIPAA does not preclude a claim
for breach of physician-patient confidentiality when the limited disclosure
of medical information was part of a court filing for the purpose of
obtaining past-due payment on an account for medical services—There is
an exception to liability when a medical provider makes a reasonable effort
to limit the disclosure of the patient’s medical information to the minimum
amount necessary to file a successful complaint for the recovery of unpaid
charges for medical services—Court of appeals’ judgment reversed and
cause remanded to trial court.
SUPREME COURT OF OHIO
(No. 2019-0939—Submitted August 4, 2020—Decided December 15, 2020.)
APPEAL from the Court of Appeals for Cuyahoga County,
No. 107615, 2019-Ohio-2114.
_________________
KENNEDY, J.
{¶ 1} In this appeal from a judgment of the Eighth District Court of
Appeals, we address the interplay between the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”), Pub.L. No. 104-191, 110 Stat. 1936, the
subsequent HIPAA Privacy Rule promulgated in 45 C.F.R. 160 and 164, and
Ohio’s common-law cause of action for the unauthorized, unprivileged disclosure
by a medical provider to a third party of nonpublic medical information recognized
by this court in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518
(1999). We hold that HIPAA does not preclude a claim under our decision in Biddle
when the limited disclosure of medical information was part of a court filing for the
purpose of obtaining a past-due payment on an account for medical services.
{¶ 2} However, we also hold that there is an exception to liability under our
decision in Biddle when a medical provider makes a reasonable effort to limit the
disclosure of the patient’s medical information to the minimum amount necessary
to file a successful complaint for the recovery of unpaid charges for medical
services. We conclude that a provider of medical services acts reasonably to limit
the release of health information to the minimum amount necessary to file a
successful complaint for payment on a past-due account for medical services when
the medical provider attaches to the complaint, pursuant to Civ.R. 10(D), medical
bills that disclose the medical provider’s name and address, the patient’s name and
address, the dates on which services were provided, billing or procedure codes, a
description of the general category of services provided, and the amounts charged,
paid, and due.
2
January Term, 2020
{¶ 3} Because the medical provider in this case limited its disclosure of
information to the minimum amount necessary for it to assert a cause of action to
recover from the patient payment for unpaid medical bills, the patient has failed to
state a claim under our decision in Biddle. Therefore, we reverse the judgment of
the court of appeals on that claim.
I. FACTUAL AND PROCEDURAL BACKGROUND
{¶ 4} Appellant, Menorah Park Center for Senior Living (“Menorah Park”),
filed a small-claims complaint against appellee, Irene Rolston, in the Shaker
Heights Municipal Court on March 21, 2018. Menorah Park alleged that Rolston
had failed to pay a debt in the amount of $463.53 “for therapy services [that] were
provided by Menorah Park” when Rolston “was at Menorah Park for
rehabilitation.” Attached to Menorah Park’s complaint were copies of two billing
statements. Civ.R. 10(D)(1) provides, “When any claim or defense is founded on
an account or other written instrument, a copy of the account or written instrument
must be attached to the pleading. If the account or written instrument is not
attached, the reason for the omission must be stated in the pleading.”
{¶ 5} The billing statements included a description of the medical services
that Menorah Park had provided to Rolston, the dates on which the services were
provided, medical-procedure codes, charges and credits, balances on Rolston’s
account, and the names and addresses of Menorah Park and Rolston. On the billing
statements, the descriptions of the services provided to Rolston included “PT
EVALUATION MOD COMPLEX,” “PT-MANUAL THERAPY,” “PT-
PHYSICAL PERFORMANCE TE,” and “PT THERAPEUTIC PROC-
AQUATI[C].” (Capitalization sic.)
{¶ 6} Rolston successfully moved for the case to be transferred to the
municipal court’s regular docket and on May 1, 2018, she filed an answer and class-
action counterclaim against Menorah Park for breach of confidence for the
disclosure to a third party of “nonpublic medical information that it learned within
3
SUPREME COURT OF OHIO
a physician-patient relationship.” Menorah Park moved to dismiss the
counterclaim under Civ.R. 12(B)(6), arguing that HIPAA allows the disclosure of
protected health information for the purpose of a medical provider’s obtaining
payment for medical services. Menorah Park argued that its actions had met the
requirements under HIPAA and that even if it had failed to meet those
requirements, HIPAA does not allow for a private cause of action for HIPAA
violations.
{¶ 7} In responding to the motion to dismiss, Rolston countered that
Menorah Park’s disclosure of her medical information was not authorized under
HIPAA, because HIPAA provides that when a medical provider seeks payment the
provider is required to make reasonable efforts to limit the disclosure of information
to the minimum amount necessary to obtain payment. Rolston also argued that
HIPAA does not preclude a common-law claim under our decision in Biddle, in
which this court recognized that “an independent tort exists for the unauthorized,
unprivileged disclosure to a third party of nonpublic medical information that a
physician or hospital has learned within a physician-patient relationship,” 86 Ohio
St.3d 395, 715 N.E.2d 51, at paragraph one of the syllabus.
{¶ 8} The trial court granted Menorah Park’s motion to dismiss Rolston’s
counterclaim, determining that “th[e] claim does not fall under the tort law claim
established in Biddle * * * and the Defendant cannot sue on HIPAA grounds.” In
a nunc pro tunc entry, the trial court determined that its judgment dismissing
Rolston’s counterclaim was a final, appealable order and that there was no just
cause for delay.
{¶ 9} The Eighth District reversed the trial court’s judgment, holding that
Rolston had not failed to state a claim upon which relief can be granted. Construing
the allegations in Rolston’s complaint in her favor, the court concluded that Rolston
had a potential claim under Biddle and that HIPAA does not preempt such a state
common-law claim. 2019-Ohio-2114, 137 N.E.3d 682, ¶ 23.
4
January Term, 2020
{¶ 10} This court accepted Menorah Park’s jurisdictional appeal on two
propositions of law:
1. The Health Insurance Portability & Accountability Act
(HIPAA) preempts a common law claim brought under Biddle v.
Warren Gen. Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999),
for disclosure of protected health information where the limited
disclosure was for the purpose of obtaining payment on a past due
account, which is an “authorized disclosure” under HIPAA
regulations.
2. A claimant’s reliance on a HIPAA regulation to determine
whether the release of protected health information was
“unauthorized” for the purpose of pursuing a common law claim
under Biddle would allow private enforcement of HIPAA
regulations, which is contrary to overwhelming legal authority that
HIPAA does not provide a private right of action for improper
disclosures of medical information but rather provides civil and
criminal penalties which must be enforced by the Department of
Health and Human Services.
(Emphasis sic.) See 157 Ohio St.3d 1427, 2019-Ohio-4003, 131 N.E.3d 977.
{¶ 11} After oral argument, this court sua sponte ordered the parties to brief
the following issue:
Should this court overturn or modify the holding in Biddle v.
Warren Gen. Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999),
in light of the enactment of Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”), Pub.L. No. 104-191, 110
5
SUPREME COURT OF OHIO
Stat. 1936, and the subsequent promulgation of the HIPAA Privacy
Rule, 45 C.F.R. Parts 160 and 164?
See 159 Ohio St.3d 1405, 2020-Ohio-3206, 146 N.E.3d 582.
II. LAW AND ANALYSIS
A. Standard of Review
{¶ 12} This court applies a de novo standard of review to orders granting a
Civ.R. 12(B)(6) motion to dismiss. Lunsford v. Sterilite of Ohio, L.L.C., ___ Ohio
St.3d ___, 2020-Ohio-4193, ___ N.E.3d ___, ¶ 22. “In reviewing a motion to
dismiss for failure to state a claim upon which relief can be granted, we accept as
true all factual allegations in the complaint.” Id., citing Mitchell v. Lawson Milk
Co., 40 Ohio St.3d 190, 192, 532 N.E.2d 753 (1988). “A complaint should not be
dismissed unless it appears ‘beyond doubt from the complaint that the plaintiff can
prove no set of facts entitling him to recovery.’ ” Id., quoting O’Brien v. Univ.
Community Tenants Union, Inc., 42 Ohio St.2d 242, 327 N.E.2d 753 (1975),
syllabus.
B. Biddle v. Warren Gen. Hosp.
{¶ 13} In Biddle, this court recognized an independent tort for the
unauthorized, unprivileged disclosure to a third party of nonpublic medical
information that a physician or hospital obtained from a physician-patient
relationship. 86 Ohio St.3d 395, 715 N.E.2d 51, at paragraph one of the syllabus.
In Biddle, the hospital had given its patients’ medical information to a law firm so
that the firm could determine whether the hospital’s patients who had unpaid
medical bills could be eligible for Supplemental Security Income disability
benefits, meaning that their unpaid medical bills could possibly be paid by the
Social Security Administration. Id. at 395-396. The firm informed the hospital that
in order to perform that service and screen the patients, it would be necessary for
the hospital to provide four pieces of information: name, telephone number, age,
6
January Term, 2020
and medical condition. Id. at 396. The firm then contacted the patients to inform
them of their potential rights in regard to disability coverage. Id.
{¶ 14} The plaintiffs in Biddle were people whose hospital-registration
forms had been provided to the law firm by the hospital without prior authorization.
Id. They alleged several causes of action from that same factual root—mainly that
the arrangement between the hospital and the law firm constituted a breach of
physician-patient confidentiality—which included claims of invasion of privacy,
intentional infliction of emotional distress, and negligence. Id. at 397. This court
noted that it had long been the law in Ohio that a physician could be held liable for
the unauthorized disclosure of medical information, but it also noted that courts in
Ohio and elsewhere had failed to provide “a legal identity for an actionable breach
of patient confidentiality.” Id. at 400. This court recognized that in an effort to
establish a civil remedy for such an evident wrongdoing, courts had shoehorned a
breach-of-confidence theory of recovery into many traditional legal theories—e.g.,
invasion of privacy, defamation, implied breach of contract, intentional and
negligent infliction of emotional distress, implied private statutory causes of action,
breach of trust, detrimental reliance, negligence, and medical malpractice—all of
which are ill-suited for the purpose of addressing a breach-of-confidence situation.
Id. But this court noted the movement by some courts toward recognizing that an
action for breach of confidence should “stand in its own right,” and that
“increasingly courts have begun to adopt it as an independent tort in their respective
jurisdictions.” Id. This court therefore decided in Biddle to recognize an
independent tort “for the unauthorized, unprivileged disclosure to a third party of
nonpublic medical information that a physician or hospital has learned within a
physician-patient relationship.” Id. at 401.
{¶ 15} Although we recognized that specific cause of action, this court was
quick to add that there are exceptions to liability for disclosure. As we pointed out
7
SUPREME COURT OF OHIO
in Roe v. Planned Parenthood Southwest Ohio Region, 122 Ohio St.3d 399, 2009-
Ohio-2973, 912 N.E.2d 61, ¶ 47-48,
Biddle * * * addressed liability for unauthorized disclosure
and stressed the utmost importance of the patient’s right to
confidentiality of medical communications. * * * However,
paragraph two of the syllabus in Biddle addressed the defenses to the
tort of unauthorized disclosure of confidential medical
information—i.e., the circumstances under which a physician or
hospital may release confidential medical records in the absence of
a waiver without incurring tort liability.
(Emphasis sic.)
{¶ 16} We have therefore explained that the duty to maintain confidentiality
recognized in Biddle is not absolute and that in some instances the privilege exists
for a medical provider to disclose medical information. In Biddle, this court
identified particular instances in which the disclosure of confidential medical
information is privileged, because statutes require the reporting of diseases that are
infectious, contagious, or dangerous to public health, R.C. 3701.24, 3701.52, and
3707.06, medical conditions that are indicative of child abuse or neglect, R.C.
2151.421, and injuries that are indicative of criminal conduct, R.C. 2921.22.
Biddle, 86 Ohio St.3d at 401-402, 715 N.E.2d 51.
{¶ 17} Still, this court in Biddle did not limit the privilege to disclose
medical information to instances when a physician or hospital has a statutory duty
to disclose; “the privilege to disclose is not necessarily coextensive with a duty to
disclose.” Id. at 402. A breach of confidentiality is actionable “ ‘only if it is
wrongful, that is to say, without justification or excuse.’ ” Id., quoting MacDonald
v. Clinger, 446 N.Y.S.2d 801, 805, 84 A.D.2d 482 (1982). The duty of
8
January Term, 2020
confidentiality must yield in appropriate circumstances when there is a
countervailing public interest. Id. “[S]pecial situations may exist where the interest
of the public, the patient, the physician, or a third person are of sufficient
importance to justify the creation of a conditional or qualified privilege to disclose
in the absence of any statutory mandate or common-law duty.” Id. Therefore, we
held:
In the absence of prior authorization, a physician or hospital
is privileged to disclose otherwise confidential medical information
in those special situations where disclosure is made in accordance
with a statutory mandate or common-law duty, or where disclosure
is necessary to protect or further a countervailing interest which
outweighs the patient’s interest in confidentiality.
Id. at paragraph two of the syllabus.
{¶ 18} Whether the ability of medical providers to disclose confidential
information when seeking payment through legal action is a “countervailing
interest which outweighs the patient’s interest in confidentiality,” id., and is
therefore an exception to a Biddle claim, is the focus of this case. But first we must
address whether HIPAA regulations, which were enacted after our decision in
Biddle, preempt all common-law claims under Biddle.
C. HIPAA
{¶ 19} HIPAA has several purposes, including making improvements to the
portability and continuity of health-insurance coverage, combatting healthcare
fraud and healthcare abuse, and simplifying the administration of health insurance.
Tovino, A Timely Right to Privacy, 104 Iowa L.Rev. 1361, 1367 (2019). HIPAA
established patient-privacy protection—it stated that if Congress failed to enact
comprehensive privacy legislation within three years of HIPAA’s enactment in
9
SUPREME COURT OF OHIO
1996, the United States Department of Health and Human Services (“HHS”) would
be required to issue regulations protecting the privacy of individually identifiable
health information. Id. at 1368. Less than two months after this court’s decision
in Biddle, HHS issued a proposed privacy rule on November 3, 1999, regulating
the uses and disclosures of protected health information. See id. After
modifications, a final rule went into effect in December of 2000. Id. Further
changes were made to the rule in 2002, id., and again in 2009 with the enactment
of the Health Information Technology for Economic and Clinical Health Act, 42
U.S.C. 17932, 17933, 17934, 17935, and 17939, and HHS implemented more rules
in 2013, id. at 1369. “[T]he HIPAA Privacy Rule strives to balance the interest of
individuals in maintaining the confidentiality of their health information with the
interests of society in obtaining, using, and disclosing health information to carry
out a variety of public and private activities.” Id.
{¶ 20} The HIPAA Privacy Rule provides to patients certain rights
regarding their protected health information. They have a right to receive a notice
of privacy practices, a right to request additional privacy protections, a right to
access their protected health information, a right to request an amendment of that
protected health information, and a right to receive accounting disclosures
regarding their protected health information. Id. at 1371. The Privacy Rule
includes use and disclosure requirements that apply to “covered entities,” which
include health plans, healthcare clearinghouses, and “health care provider[s] who
transmit[] any health information in electronic form in connection with [standard]
transaction[s].” 45 C.F.R. 160.103. The requirements also apply to “business
associates” of the covered entities. 42 U.S.C. 17934. Business associates are
associates outside the workforce of the covered entity that provide legal, actuarial,
consulting, and other services to the covered entity. 45 C.F.R. 160.103.
{¶ 21} The authorization required to disclose or use a patient’s protected
health information depends on the nature of the use. For some purposes, such as
10
January Term, 2020
including a patient in a directory of individuals in a facility, the covered entity must
inform the patient in advance and give the patient the opportunity to agree to or
prohibit or restrict that disclosure. C.F.R. 164.510. In other instances, such as those
involving the sale of medical information, a signed authorization is required.
C.F.R. 164.508.
{¶ 22} But in certain instances, the HIPAA Privacy Rule allows covered
entities to use and disclose protected health information without first obtaining
authorization from the patient. Pursuant to C.F.R. 164.502(a)(1)(ii), a covered
entity is permitted to use or disclose protected health information “[f]or treatment,
payment, or health care operations * * *.” (Emphasis added.) But regarding the
use of protected health information for such purposes, the HIPAA Privacy Rule
limits the use or disclosure of the information to the minimum amount necessary to
achieve the purpose of the use:
Minimum necessary applies. When using or disclosing
protected health information or when requesting protected health
information from another covered entity or business associate, a
covered entity or business associate must make reasonable efforts to
limit protected health information to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or request.
45 C.F.R. 164.502(b)(1).
{¶ 23} “The remedies available to patients who believe their privacy and
security rights have been violated are limited. Under current law, no private right
of action exists for patients and insureds whose rights under the HIPAA Rules have
been violated.” Tovino at 1372; see also Boddie v. Van Steyn, 10th Dist. Franklin
No. 13AP-623, 2014-Ohio-1069, ¶ 18 (collecting cases determining there is no
private cause of action under Ohio law for HIPAA violations); Hill v. Smoot, 308
11
SUPREME COURT OF OHIO
F.Supp.3d 14, 23 (D.D.C.2018) (“ ‘Every district court that has considered this
issue is in agreement that the statute does not support a private right of action’ ”),
quoting Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006).
{¶ 24} There are other avenues for redress that patients who believe that
their privacy and security rights have been violated may take. They can file a
complaint with the covered entity itself under 45 C.F.R. 164.530(d)(1), which
allows the covered entity to impose sanctions on members of its workforce, 45
C.F.R. 164.530(e)(1). An aggrieved person can file a complaint with the secretary
of HHS. 45 C.F.R. 160.306(a). HHS can impose a civil money penalty—ranging
from $100 to $50,000 per violation, with maximum penalties of $25,000 or
$1,500,000 per calendar year, 42 U.S.C. 1320d-5(a)(3)—or it can refer the case to
the United States Department of Justice for criminal prosecution, Tovino at 1373;
42 U.S.C. 1320d-6(b). 42 U.S.C. 1320d-5(d) authorizes a state’s attorney general
to bring a civil action on behalf of residents of the state for violations of the HIPAA
Privacy Rule. The state’s attorney general can attempt to enjoin further violations
by the covered entity or sue for damages for up to $100 per violation, not to exceed
$25,000 in a calendar year. Id.
{¶ 25} Although HIPAA provides for the sanctioning of covered entities
that violate the Privacy Rule, HIPAA creates no private cause of action for a
violation of its rules or regulations. We must next determine whether HIPAA
precludes a patient from bringing a state-law cause of action for a breach of
confidentiality.
D. The relationship between HIPAA and state law
{¶ 26} In English v. Gen. Elec. Co., 496 U.S. 72, 78-79, 110 S.Ct. 2270
(1990), the United States Supreme Court described three ways by which federal
law can preempt state law under the Supremacy Clause. Those include when (1)
Congress expressly preempts state law (express preemption), (2) Congress has
occupied the entire field (field preemption), and (3) there is an actual conflict
12
January Term, 2020
between federal and state law (conflict preemption). In the HIPAA statutory and
regulatory scheme, Congress has demonstrated no intention to occupy the entire
field of medical privacy; instead, the HIPAA-related statutes and rules provide that
federal law preempts state law when there is an actual conflict between the laws,
and even that preemption is subject to significant exceptions.
{¶ 27} 42 U.S.C. 1320d-7(a)(1) states that HIPAA “shall supersede any
contrary provision of State law.” The HIPAA regulations echo that statement: “A
standard, requirement, or implementation specification adopted under this
subchapter that is contrary to a provision of State law preempts the provision of
State law.” 45 C.F.R. 160.203. State law is contrary to HIPAA when (1) it is
“impossible to comply with both the State and Federal requirements” or (2) “[s]tate
law stands as an obstacle to the accomplishment and execution” of the act. 45
C.F.R. 160.202. 45 C.F.R. 160.202 defines a state law to “mean[] a constitution,
statute, regulation, rule, common law, or other State action having the force and
effect of law.” (Emphasis added.) HIPAA does not prevail over a state law in
every situation in which there is a conflict between HIPAA and the state law. One
exception to that general rule is when “[t]he provision of State law relates to the
privacy of individually identifiable health information and is more stringent than a
standard, requirement, or implementation specification adopted under [HIPAA].”
45 C.F.R. 160.203(b). The regulations define what is meant by “more stringent”:
More stringent means, in the context of a comparison of a
provision of State law and a standard, requirement, or
implementation specification adopted under subpart E of part 164 of
this subchapter, a State law that meets one or more of the following
criteria:
(1) With respect to a use or disclosure, the law prohibits or
restricts a use or disclosure in circumstances under which such use
13
SUPREME COURT OF OHIO
or disclosure otherwise would be permitted under this subchapter,
except if the disclosure is:
(i) Required by the Secretary in connection with determining
whether a covered entity or business associate is in compliance with
this subchapter; or
(ii) To the individual who is the subject of the individually
identifiable health information.
***
(6) With respect to any other matter, provides greater
privacy protection for the individual who is the subject of the
individually identifiable health information.
45 C.F.R. 160.202.
{¶ 28} Therefore, even if HIPAA—a federal statute—created a safe harbor
for a medical provider that releases certain protected patient information, that does
not necessarily mean that such information can properly be released under state
law; the patient may be protected to a greater degree by state law. If the state law
is more stringent than the HIPAA regulation, the state law applies. See, e.g., Grove
v. Northeast Ohio Nephrology Assoc., Inc., 164 Ohio App.3d 829, 2005-Ohio-6914,
844 N.E.2d 400, ¶ 22-23 (9th Dist.) (protection for patient’s health information
from discovery in a civil action is more stringent under Ohio law, R.C.
2317.02(B)(1), than under HIPAA). A HIPAA regulation preempts state law if
there is a conflict between the HIPAA regulation and the state law and the state law
is not more stringent than the HIPAA regulation. Further, if a state law is not more
stringent in that regard, it is not preempted unless it is contrary to HIPAA—that is,
unless the state law makes it “impossible to comply with both the State and Federal
requirements” or stands as “an obstacle to the accomplishment and execution” of
HIPAA. 45 C.F.R. 160.202.
14
January Term, 2020
E. HIPAA does not preempt a state-law claim under our decision in Biddle
{¶ 29} In Biddle, we recognized an independent tort for the “unauthorized,
unprivileged disclosure to a third party of nonpublic medical information that a
physician or hospital has learned within the physician-patient-relationship.” 86
Ohio St.3d 395, 715 N.E.2d 518, at paragraph one of the syllabus. Is Biddle
contrary to HIPAA and therefore preempted by HIPAA? Menorah Park argues that
if its disclosure of Rolston’s nonpublic medical information to obtain payment of
her debt is authorized by HIPAA and its regulations, then HIPAA preempts any
common-law claim under our decision in Biddle. But that argument ignores
HIPAA and its subsequent rules, which state that more stringent state laws
regarding the disclosure of medical information prevail over HIPAA and its
regulations.
{¶ 30} If our decision in Biddle were to mean that a covered entity is
somehow permitted to release a patient’s protected health information that it could
not release under HIPAA, then HIPAA would preempt Biddle. But neither party
makes that claim in this case. And our determination in Biddle that Ohio recognizes
an independent cause of action for such disclosure is not contrary to HIPAA under
HIPAA’s own definition of the word “contrary”: the existence of a state-law private
cause of action does not make it impossible for a covered entity to comply with
both state and federal privacy requirements and does not stand in the way of the
accomplishment of the aims of HIPAA. Instead, “a Biddle claim enhances the
protection of confidentiality of medical information.” Sheldon v. Kettering Health
Network, 2015-Ohio-3268, 40 N.E.3d 661, ¶ 25 (2d Dist.). In a situation in which
state law provides a patient the potential personal recovery of damages, it is not
impossible for the covered entity to comply with both HIPAA and the state law
“ ‘because both laws, in complementary rather than contradictory fashion,
discourage a person from wrongfully disclosing information from another person’s
health record.’ ” R.K. v. St. Mary’s Med. Ctr., Inc., 229 W.Va. 712, 719, 735 S.E.2d
15
SUPREME COURT OF OHIO
715 (2012), quoting Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 49
(Minn.Ct.App.2009). See also Byrne v. Avery Ctr. for Obstetrics & Gynecology,
P.C., 314 Conn. 433, 459, 102 A.3d 32 (2014) (“The availability of such private
rights of action in state courts, to the extent that they exist as a matter of state law,
do not preclude, conflict with, or complicate health care providers’ compliance with
HIPAA”). Biddle and HIPAA share the same goal of protecting the privacy of
personal medical information. Their remedies are different but they are not at odds
with each other.
F. Exception under Biddle for complaints for bill collection
{¶ 31} Having determined that HIPAA does not preempt claims brought
under Biddle, we next consider whether one of the nondisclosure exceptions
recognized in Biddle applies to Menorah Park’s disclosure in this case. This court
has not addressed the issue of a medical provider’s use of protected health
information in the context of instituting a legal action for the payment of medical
bills. In Biddle, this court established that there are exceptions to liability for the
unauthorized release of medical information. We stated that “special situations
may exist where the interest of the public, the patient, the physician, or a third
person are of sufficient importance to justify the creation of a conditional or
qualified privilege to disclose in the absence of any statutory mandate or common-
law duty.” Biddle at 402. We held in Biddle that a patient has no cause of action
for a breach of confidentiality “where disclosure is made in accordance with a
statutory mandate or common-law duty, or where disclosure is necessary to protect
or further a countervailing interest which outweighs the patient’s interest in
confidentiality.” Id. at paragraph two of the syllabus. Certainly, there is no
statutory mandate or common-law duty that requires a medical provider to file a
complaint in small-claims court to recover payment for unpaid medical bills. That
is a voluntary act by the medical provider. However, the interest in receiving
payment for medical services is a countervailing interest to the patient’s interest in
16
January Term, 2020
confidentiality. Is that interest enough to outweigh the patient’s interest in
confidentiality?
{¶ 32} We can look to HIPAA for guidance in determining how those
competing interests should be weighed. HIPAA permits the use or disclosure of
protected health information “for treatment, payment, or health care operations.”
(Emphasis added.) 45 C.F.R. 164.502(a)(1)(ii). Payment means “activities
undertaken by” a healthcare provider “to obtain or provide reimbursement for the
provision of health care.” 45 C.F.R. 164.501. When using protected health
information for such purposes, the HIPAA Privacy Rule limits the use or disclosure
of the information to the minimum amount necessary to achieve the purpose of the
use. Therefore, HIPAA recognizes that there is a balancing of interests between a
medical provider and a patient vis-à-vis the provider’s efforts to collect payment
for medical services. The medical provider may disclose only the information
necessary to recover payment. The HIPAA Privacy Rule is a reflection of the
legitimate governmental and societal interests in allowing medical providers to
pursue payment for the medical services they provide and acknowledges that the
disclosure of some of a patient’s medical information is a necessary part of that
endeavor.
{¶ 33} R.C. 3798.04 echoes HIPAA’s privilege for covered entities to use
patient information to pursue payment for medical bills. That statute provides that
a covered entity shall not “[u]se or disclose protected health information without
an authorization * * * except when the use or disclosure is required or permitted
without such authorization by Subchapter C of Subtitle A of Title 45 of the Code
of Federal Regulation,” which contains 45 C.F.R. 164.501 and 164.502.
{¶ 34} We determine that the acknowledgement in HIPAA and Ohio law
that the privacy interest of the patient must at least partially give way to the interest
of the medical provider in obtaining payment reflects the type of countervailing
interest recognized in Biddle that gives the medical provider a qualified privilege
17
SUPREME COURT OF OHIO
to disclose patient information. As in the HIPAA regulations, that interest is
narrowed such that the covered entity may disclose only the minimum amount of
patient information necessary to meet the interest, i.e., to sufficiently plead the
claim. A patient has a claim under Biddle if the doctor or hospital uses more than
the minimum medical information necessary to sufficiently state a claim for
recovery.
{¶ 35} Accordingly, we hold that doctors and hospitals have a qualified
privilege to disclose patient information for the purpose of receiving payment for
medical services. Therefore, a patient has no cause of action under Biddle when a
medical provider discloses patient information in the minimum amount necessary
to state a claim against the patient.
{¶ 36} As noted above, it is well-settled that a HIPAA violation does not
create a private cause of action for the party whose information has been released.
By referring to a HIPAA standard to inform our recognition of an exception under
Biddle for the disclosure of patient information for the purpose of receiving
payment for medical services, we have not created a private cause of action for a
HIPAA violation. We have, instead, referred to HIPAA and Ohio law in limiting a
common-law cause of action that recognizes an exception when disclosure is
necessary to protect or further a countervailing interest that outweighs the patient’s
interest in confidentiality.
G. The complaint in this case falls under a Biddle exception
{¶ 37} When a healthcare provider uses protected health information to
pursue the recovery of payment in court, it may release only as much information
as is necessary to pursue its claim; otherwise a patient has a cause of action pursuant
to Biddle for the unauthorized, unprivileged disclosure to a third party of nonpublic
medical information that a physician or hospital has obtained within a physician-
patient relationship. Civ.R. 10(D)(1) states that when a plaintiff files a claim
18
January Term, 2020
founded on an unpaid account, the plaintiff must attach a copy of the account. Ohio
courts have explained this requirement:
It is elementary that in an action on an account, a plaintiff
must set forth an actual copy of the recorded account. * * * The
records must show “the name of the party charged” and must include
the following:
(1) a beginning balance (zero, or a sum that can qualify as an
account stated, or some other provable sum);
(2) listed items, or an item, dated and identifiable by number
or otherwise, representing charges, or debits, and credits; and
(3) summarization by means of a running or developing
balance, or an arrangement of beginning balance and items which
permits the calculation of the amount claimed to be due.
Arthur v. Parenteau, 102 Ohio App.3d 302, 304-305, 657 N.E.2d 284 (3d
Dist.1995), quoting Brown v. Columbus Stamping & Mfg. Co., 9 Ohio App.2d 123,
126, 223 N.E.2d 373 (10th Dist.1967).
{¶ 38} Menorah Park attached to its complaint copies of its two most recent
bills to Rolston. The bills contained no diagnosis or prognosis, no personal
information other than Rolston’s name and address, and no detailed medical
records. They included no notes from therapists or doctors remarking on how
Rolston responded to treatment and no indication of why she needed treatment in
the first place. The bills referred to no body part or medical condition. The
treatment reflected in the bills is described in general terms; the most detailed
description indicates that Rolston received some aquatic therapy. The medical bills
included the provider’s name and address, Rolston’s name and address, the dates
on which services were provided, billing or procedure codes, a description of the
19
SUPREME COURT OF OHIO
general category of services provided, and the amounts charged, paid, and due. We
conclude that Menorah Park made reasonable efforts to limit the release of health
information to the minimum amount necessary to inform Rolston—and later, the
court—of the nature of the debt owed, and did not disclose medical information
unnecessary to collect payment in an action on the account.
{¶ 39} Therefore, we conclude that since Rolston’s cause of action is based
upon the medical information disclosed in Menorah Park’s complaint, she has
failed to state a claim upon which relief can be granted on her counterclaim. The
court of appeals erred in reversing the trial court’s judgment granting Menorah
Park’s motion to dismiss.
H. We need not overturn or modify Biddle in this case
{¶ 40} After oral argument, we instructed the parties to submit briefs
addressing an issue that had not been considered in the lower courts—whether we
should overrule or modify our decision in Biddle in this case. Given our holding in
this case, Biddle remains good law and it continues to permit a cause of action for
the unauthorized, unprivileged disclosure to a third party of nonpublic medical
information. Our opinion today helps to define what constitutes privileged
disclosure under Biddle.
{¶ 41} Biddle was not wrongly decided nor was it revolutionary. As Justice
Deborah L. Cook recognized in her separate opinion in Biddle, independent torts
for the unauthorized disclosure of medical information and for the inducement
thereof had been recognized more than 30 years earlier in Hammonds v. Aetna Cas.
& Sur. Co., 243 F.Supp. 793 (N.D.Ohio 1965). Biddle, 86 Ohio St.3d at 409, 715
N.E.2d 518 (Cook, J., concurring in part and dissenting in part).
{¶ 42} Our decision in Biddle preceded the promulgation of the HIPAA
Privacy Rule. HIPAA does not supplant the personal right to recovery that we
recognized in Biddle. As discussed above, a Biddle claim is not preempted by
HIPAA and is in fact complementary and shares goals in common with HIPAA.
20
January Term, 2020
{¶ 43} Subsequent to our decision in Biddle and the establishment of the
HIPAA Privacy Rule, this court reiterated and extended its holding in Biddle. See
Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 2008-Ohio-3343, 893
N.E.2d 153. In Hageman, we held that “[a]n attorney may be liable to an opposing
party for the unauthorized disclosure of that party’s medical information that was
obtained through litigation.” Id. at syllabus. We applied our holding in Biddle in
the context of a divorce case in which a lawyer had given copies of the opposing
party’s medical records, including psychiatric records, to a prosecutor. Id. at ¶ 6.
In that case, there was no direct involvement with a medical provider. The lead
opinion in Hageman pointed out that “Biddle stressed the importance of upholding
an individual’s right to medical confidentiality beyond just the facts of that case.”
Id. at ¶ 13.
{¶ 44} Finally, the General Assembly has enacted medical-information-
privacy legislation that largely follows HIPAA. R.C. 3798.02 states:
It is the intent of the general assembly in enacting this
chapter to make the laws of this state governing the use and
disclosure of protected health information by covered entities
consistent with, but generally not more stringent than, the HIPAA
privacy rule for the purpose of eliminating barriers to the adoption
and use of electronic health records and health information
exchanges. Therefore, it is also the general assembly’s intent in
enacting this chapter to supersede any judicial or administrative
ruling issued in this state that is inconsistent with the provisions of
this chapter.
“[I]t is long-settled constitutional law that it is within the power of the legislature
to alter, revise, modify, or abolish the common law as it may determine necessary
21
SUPREME COURT OF OHIO
or advisable for the common good.” Arbino v. Johnson & Johnson, 116 Ohio St.3d
468, 2007-Ohio-6948, 880 N.E.2d 420, ¶ 131 (Cupp, J., concurring). The General
Assembly had the ability to abolish Biddle claims when it enacted Ohio’s version
of HIPAA. It did not. And there is no reason for us to overturn our decision in
Biddle today.
III. CONCLUSION
{¶ 45} We continue to recognize a common-law cause of action by a
medical patient for the unauthorized, unprivileged disclosure by a medical provider
to a third party of the patient’s nonpublic medical information. See Biddle, 86 Ohio
St.3d 395, 715 N.E.2d 518. We hold that a claim under our decision in Biddle is
not preempted by HIPAA and its subsequent privacy rule. However, there are
exceptions to liability under Biddle when the disclosure of medical information is
necessary to protect or further a countervailing interest in disclosure that outweighs
the patient’s interest in confidentiality. After balancing the interests reflected in
HIPAA, we conclude that a medical provider may disclose a limited amount of a
patient’s medical information to further its efforts to collect unpaid bills from the
patient for medical services. Under our decision in Biddle, an exception for such a
disclosure exists when the medical provider makes a reasonable effort to limit the
disclosure of a patient’s medical information to the minimum amount necessary to
file a successful complaint for the recovery of past-due charges for medical
services. We conclude that a medical provider discloses the minimum amount of
medical information necessary to file a successful claim for unpaid medical-service
bills when the medical provider attaches to its complaint, pursuant to Civ.R. 10(D),
medical bills that disclose the medical provider’s name and address, the patient’s
name and address, the dates on which services were provided, billing or procedure
codes, a description of the general category of services provided, and the amounts
charged, paid, and due.
22
January Term, 2020
{¶ 46} Because Menorah Park limited its disclosure of Rolston’s medical
information in its complaint to the minimum amount necessary to assert a cause of
action to recover payment from Rolston for her unpaid medical bills, Rolston has
failed to state a claim for relief under Biddle. Therefore, we reverse the judgment
of the Eighth District Court of Appeals on that issue and remand the cause to the
Shaker Heights Municipal Court for further proceedings consistent with this
opinion.
Judgment reversed
and cause remanded.
FRENCH, J., concurs.
O’CONNOR, C.J., concurs in part and dissents in part, with an opinion joined
by STEWART, J.
FISCHER, J., concurs in judgment only in part and dissents in part, with an
opinion joined by DEWINE, J.
DONNELLY, J., concurs in part and dissents in part, with an opinion.
_________________
O’CONNOR, C.J., concurring in part and dissenting in part.
{¶ 47} I agree with the majority’s conclusions in Parts II(E) and (H) of the
above opinion. I also agree with the majority’s conclusion in Part II(F) of that
opinion that a medical provider that discloses patient information in a bill-collection
action is not liable under our decision in Biddle v. Warren Gen. Hosp., 86 Ohio
St.3d 395, 715 N.E.2d 518 (1999), if its disclosure is limited to the minimum
amount of information necessary to obtain payment. I disagree, however, with the
decision to address an additional issue, found in Part II(G) of that opinion. That
part of the opinion applies the new minimum-necessary standard announced here
to appellee Irene Rolston’s class-action counterclaim and concludes that appellant,
Menorah Park Center for Senior Living, made reasonable efforts to limit the release
23
SUPREME COURT OF OHIO
of Rolston’s heath information and that the information disclosed does not reveal
more than the minimum amount of information necessary to obtain payment.
{¶ 48} To start, I am at a loss for what “reasonable efforts” Menorah Park
made to limit the disclosure of Rolston’s information. Menorah Park simply
attached an unredacted copy of Rolston’s account statement to its complaint.
Although Civ.R. 10(D)(1) states that a copy of an account that is the basis of an
action must be attached to the pleading, the rule does not require the document to
be in its original, unredacted form. Indeed, the rule even goes so far as to permit a
complaint to be filed with no account statement or written instrument attached as
long as there is an explanation for the omission in the pleading. Menorah Park
undertook none of these efforts. Is that reasonable?
{¶ 49} Next, the opinion acknowledges that the trial court dismissed
Rolston’s counterclaim at the Civ.R. 12(B)(6) stage and that the minimum-
necessary standard is a defense to a Biddle claim, not an element thereof. See Roe
v. Planned Parenthood Southwest Ohio Region, 122 Ohio St.3d 399, 2009-Ohio-
2973, 912 N.E.2d 61, ¶ 47-48, citing Biddle at paragraph two of the syllabus. Given
this, the trial court should be given the first opportunity to consider Menorah Park’s
defense under the new minimum-necessary standard—including what information
suffices as the minimum amount necessary and whether protections against
disclosure such as redactions should be employed—at the appropriate point in the
case, if raised.
{¶ 50} In light of the majority’s conclusions in Parts II(E), (F), and (H) of
the above opinion, this court should refrain from addressing the matters discussed
in Part II(G) and instead remand the case for further proceedings consistent with
the court’s opinion. Because the conclusion in Part II(G) of the opinion leads it to
reverse the judgment of the Eighth District Court of Appeals and to reinstate the
trial court’s judgment dismissing Rolston’s counterclaim, I dissent in part.
24
January Term, 2020
STEWART, J., concurs in the foregoing opinion.
_________________
FISCHER, J., concurring in judgment only in part and dissenting in part.
{¶ 51} I agree that this court should reverse the judgment of the Eighth
District Court of Appeals. Respectfully, however, I would reach that outcome by
simply overruling this court’s decision in Biddle v. Warren Gen. Hosp., 86 Ohio
St.3d 395, 715 N.E.2d 518 (1999).
{¶ 52} This court may overrule its precedent when (1) “changes in
circumstances no longer justify continued adherence to the decision,” (2) “the
decision defies practical workability,” and (3) “abandoning the precedent would
not create an undue hardship for those who have relied upon it.” Westfield Ins. Co.
v. Galatis, 100 Ohio St.3d 216, 2003-Ohio-5849, 797 N.E.2d 1256, paragraph one
of the syllabus. Because I think that our decision in Biddle meets all of these
conditions, I would overrule it.
{¶ 53} First, the legal landscape today is drastically different than it was
when Biddle was decided. In 1999, when this court issued its decision in Biddle,
there was no uniform regulatory system governing the disclosure of medical
information. As a result, that regulatory gap was often filled by the courts, which
fashioned common-law causes of action for a medical provider’s breach of
confidence. See generally Alan B. Vickery, Breach of Confidence: An Emerging
Tort, 82 Colum.L.Rev. 1426 (1982). Following Biddle, however, the United States
Department of Health and Human Services, under its rulemaking authority derived
from the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”),
Pub.L. No. 104-191, 110 Stat. 1936, promulgated the HIPAA Privacy Rule found
in 45 C.F.R. 160 and 164 and established a system of comprehensive standards to
protect an individual’s medical and health information. Consequently, the problem
that led to our decision in Biddle was largely solved.
25
SUPREME COURT OF OHIO
{¶ 54} Next, at least comparatively, that legislative and regulatory solution
is far more practical and workable than Biddle, which, with its vague generalities,
e.g., “special situations” and “countervailing public interest[s],” 86 Ohio St.3d at
402, 715 N.E.2d 518, is unclear about what disclosures are authorized and what
disclosures may result in liability for hospital systems and medical providers.
Despite the court’s thoroughness today, I suspect that Biddle will continue to defy
practical workability because it will require a steady stream of cases like this one
to properly define the contours of a claim and the scope of the duty (an event that
those subject to liability under Biddle do not have the luxury of waiting around for).
{¶ 55} Finally, since a breach of confidence can still result in liability under
the federal scheme, see 42 U.S.C. 1320d-5, overruling Biddle would not result in
an undue hardship for the patients that our decision in Biddle sought to protect.
Simply put, the conduct that Biddle intended to discourage would still be deterred
under the legislative and regulatory scheme developed after Biddle and in effect
today. Further, to the extent that it concludes that a private cause of action is
necessary to protect patient confidentiality, the General Assembly is free to
supplement the federal scheme by creating one. The beauty of such an approach,
of course, is that it would allow Ohio’s policymakers to provide a comprehensive
set of rules from the outset and to decide whether such a cause of action should be
broadly stated to provide recourse for a breach of the applicable federal- or state-
disclosure standards, see Cal.Civ.Code 56.35, or narrowly stated to simply fill the
gap left in HIPAA for noncovered entities, see Mont.Code Ann. 50-16-502 and 50-
16-505.
{¶ 56} Accordingly, in this post-HIPAA Privacy Rule world, the
protections provided in Biddle are no longer necessary or practical. Since no undue
hardship would result from doing so, I think that this court should overrule that
decision. Because this court does not do so on its way to reversing the Eighth
26
January Term, 2020
District’s judgment in this case, I respectfully concur in the judgment of the court
only in part and dissent in part.
DEWINE, J., concurs in the foregoing opinion.
_________________
DONNELLY, J., concurring in part and dissenting in part.
{¶ 57} I agree with the vast bulk of the majority’s conclusions, including its
holding that there is an exception to liability under our decision in Biddle v. Warren
Gen. Hosp., 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), when a medical provider
makes a reasonable effort to limit the disclosure of the patient’s medical
information to the minimum amount necessary to file a successful complaint for
the recovery of unpaid charges for medical services.
{¶ 58} But I disagree with the conclusion in Part II(G) regarding the
application of that holding in this case. Here, appellant, Menorah Park Center for
Senior Living (“Menorah Park”), sought payment for services disclosed on the
billing statements relating to physical-therapy services, including “PT
EVALUATION MOD COMPLEX,” “PT-MANUAL THERAPY,” “PT-
PHYSICAL PERFORMANCE TE,” and “PT THERAPEUTIC PROC-
AQUATI[C].” (Capitalization sic.) Although I recognize that this information is
not particularly illuminating with respect to the underlying health conditions or
treatment provided, neither is it the minimum amount of information that would
allow Menorah Park to pursue its claim for payment. I believe an utterly generic
phrase such as “services rendered” and the date the services were rendered would
be the minimum amount necessary to file a successful complaint. That general
disclosure could be supplemented following an in camera review as the need arises.
The use of such a generic phrase would result in no health information, even an
admittedly rather nondescript term such as “therapy,” from being revealed to the
public.
27
SUPREME COURT OF OHIO
{¶ 59} In this case, Menorah Park revealed more than the minimum amount
of medical information necessary to file a successful complaint. Accordingly, I
concur in part and dissent in part.
_________________
Bonessi Switzer Polito & Hupp Co., L.P.A., Bret C. Perry, Brian F. Lange,
and Jay Clinton Rice, for appellant.
Ciano & Goldwasser, L.L.P., Andrew S. Goldwasser, and Sarah E. Katz;
Powers Friedman Linn, P.L.L., and Robert G. Friedman; and Paul W. Flowers Co.,
L.P.A., Paul W. Flowers, and Louis E. Grube, for appellee.
Dinkler Law Office, L.L.C., Lynette Dinkler, and Carin Al-Hamdani,
urging reversal for amicus curiae Ohio Association of Civil Trial Attorneys.
Bricker & Eckler, L.L.P., Elizabeth A. Kastner, Victoria Flinn McCurdy,
and Bryan M. Smeenk, urging reversal for amici curiae Ohio Hospital Association,
Ohio State Medical Association, and Ohio Osteopathic Association.
Tucker Ellis, L.L.P., Susan M. Audey, Raymond Krncevic, and Emily J.
Johnson, urging reversal for amicus curiae Academy of Medicine of Cleveland &
Northern Ohio.
_________________
28