dissenting:
In the case at bar, defendants sent each and every class member a complete list of over 1,700 former employees’ first and last names, addresses, marital status, social security numbers, medical and dental insurers, and other health care insurance information.[1] That means, for every class member, over 1,700 people received his or her personal information. In other words, approximately 1,700 people received the personal information of approximately 1,700 other people.
Most of the conclusions in the majority opinion are dependent on its first conclusion. If the first conclusion is removed, then the other dependent conclusions become unpersuasive.
The majority’s first conclusion is that the Board’s disclosure falls outside of HIPAA’s coverage. The majority bases this conclusion entirely on an exclusion in the Code of Federal Regulations. This exclusion states that “employment records held by a covered entity in its role as employer” are excluded from HIPAA’s protection. (Emphasis added.) 45 C.F.R. §160.103 (West 2006); see 407 Ill. App. 3d at 361-62.
What the majority misses is that there is a world of difference between “held” and “disclosed.” No one objects to the fact that the Board “held” the records. The Board’s ability to hold and maintain these records is not at issue here. If the Board had simply held the records — and held on to them — there would be no lawsuit. But the Board did not hold on to them. It is their disclosure, not their holding, that is at issue in this case.[2]
This distinction between holding and maintenance on the one hand, and disclosing on the other, was made clear by the recent amendment to section 1320d—6. American Recovery and Reinvestment Act of 2009, Pub. L. No. 111—5, §13409, 123 Stat. 271 (codified as amended at 42 U.S.C. §1320d—6). Although this amendment was not in effect on the date of the disclosure in question, the amendment merely clarifies the existing statute, rather than adds to it. The amendment clarifies that an individual “shall be considered” to have disclosed individually identifiable health information in violation of this section, if a covered entity both “maintained” the information and then subsequently “disclosed” it. American Recovery and Reinvestment Act of 2009, §13409. The amendment thus recognizes what we would have assumed even without it, that there is a world of difference between maintaining or holding on the one hand, and disclosing on the other.
Thus, the exclusion for “held” records, quoted by the majority, does not apply to the case at bar. As a result, the majority’s first conclusion, that there is no duty because of this exclusion, is incorrect.
The majority seems to imply that, but for this exclusion, there would be a duty, and we agree. See also Moss v. Amira, 356 Ill. App. 3d 701, 712 (2005) (Quinn, J., specially concurring) (observing that Illinois law concerning disclosure is generally “far more restrictive” than HIPAA); 215 ILCS 5/1021(B) (2006) (providing a private cause of action and damages for the unauthorized disclosure of personal information by “an insurance institution, agent or insurance-support organization”).
The majority correctly states:
“We must first decide whether the Board had a duty to safeguard plaintiffs’ personal information under a statutory directive, because where no duty is owed, there is no negligence. Washington v. City of Chicago, 188 Ill. 2d 235, 239, 720 N.E.2d 1030 (1999). Plaintiffs argue that HIPAA (42 U.S.C. §1320d—6 (2006))[3] provides a statutory basis for the creation of a new duty. A violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence. Kalata v. Anheuser-Busch Cos., 144 Ill. 2d 425, 434-35, 581 N.E.2d 656 (1991).[4] HIPAA prohibits the disclosure of ‘individually identifiable health information to another person.’ 42 U.S.C. §1320d—6(a)(3) (2006).” 407 Ill. App. 3d at 361-62.
This court has already held that the term “individually identifiable health information” in HIPAA includes names, addresses and social security numbers. Giangiulio v. Ingalls Memorial Hospital, 365 Ill. App. 3d 823, 839 (2006). Specifically, in Giangiulio, we found that this term “includes common identifiers such as name, address, birth date, and social security number.” Giangiulio, 365 Ill. App. 3d at 839. See also In re Bextra & Celebrex Marketing, Sales Practices & Product Liability Litigation, No. M—05—CV—01699—CRB (N.D. Cal. December 8, 2008) (interpreting the term to include social security numbers).
Our holding in Giangiulio, that the term includes names, addresses and social security numbers, is also supported by the definition provided for the term. The term “individually identifiable health information,” as used in HIPAA, is defined in both the statute and in the Code of Federal Regulations. 42 U.S.C. §1320d(6) (2006); 45 C.F.R. §160.103 (2006). This definition includes “demographic information” (1) that is received by an employer; (2) that relates to the provision of or payment for health care; and (3) that identifies an individual. 42 U.S.C. §1320d(6) (2006); 45 C.F.R. §160.103 (2006). Demographic information is widely understood to include social security numbers, as well as names and addresses. E.g., In re Bextra, No. M—05—CV—01699—CRB (discussing “names and addresses, dates of birth, social security numbers *** and other demographic information”); Mayfield v. United States, 504 F. Supp. 2d 1023, 1027 (D. Or. 2007) (“Demographic information included name, date of birth, sex, race, and social security number”). In the case at bar, the names, addresses and social security numbers (1) were received by the employer, (2) related to the provision of or payment for health care, and (3) identified the individual. Thus, our holding in Giangiulio, that the term includes names, addresses and social security numbers, is also supported by the definition provided for the term.
Since the disclosed names, addresses and social security numbers in the case at bar qualify as “individually identifiable health information,” HIPAA applies to the disclosed information. HIPAA also applies to enrollment and disenrollment decisions. 42 U.S.C. §1320d—2(a)(2)(C) (2006) (covered transactions include “[e]nrollment and disenrollment in a health plan”); 45 C.F.R. §160.103 (2006).
As the majority already observed, “[a] violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence.” 407 Ill. App. 3d at 361, citing Kalata, 144 Ill. 2d at 434-35. See also Noyola v. Board of Education of the City of Chicago, 179 Ill. 2d 121, 129 (1997) (discussed recently with approval in Vancura v. Katris, 238 Ill. 2d 352, 376 (2010)). Following the majority’s suggestion, I would find that the HIPAA violation serves as prima facie evidence of negligence, and I would not dismiss at this early stage of the litigation. Acosta v. Byrum, 180 N.C. App. 562, 571-72, 638 S.E.2d 246, 252 (2006) (HIPAA violation used as evidence of “the duty” owed in a negligence case).
In short, the majority and I seem to be in agreement that, but for the exception, there would be a duty. We differ primarily because the majority believes that the exception applies, and I do not.
Most of the remaining conclusions in the majority opinion are based on this first conclusion and thus are also faulty. For example, later in the opinion, the majority concludes that plaintiffs’ claims of emotional distress must fail because plaintiffs “failed to establish a duty” on the part of defendants. 407 Ill. App. 3d at 363.[5] However, this conclusion depends on finding, first, that there was no duty under HIPAA. If there was a duty then, at this early stage, plaintiffs would have only to allege, rather than provide evidence, of their anxiety and emotional distress. Rowe v. Unicare Life & Health Insurance Co., No. 09 C 2286 (N.D. Ill. January 5, 2010) (although plaintiffs did not allege that the disclosure of their social security numbers and other personal information resulted in unauthorized access by specific persons, plaintiffs’ allegations of anxiety were sufficient to withstand a motion to dismiss their emotional distress claim, under Illinois state law).
Similarly, the majority concludes that plaintiffs failed to establish that the Board had a fiduciary duty to avoid disclosure, because the majority finds that plaintiffs cited “no authority supporting such a duty.” 407 Ill. App. 3d at 363. Again, this conclusion depends on finding no duty under HIPAA.
Since I find that the exclusion, quoted by the majority, does not apply, I must find that the majority’s first conclusion is incorrect. Since that first conclusion is the foundation for much of the subsequent opinion, I must respectfully dissent.
I cannot find that HIPAA would allow the disclosure of someone’s social security number, marital status, and insurance information and leave that person without any recourse.
[1] Paragraph 10 of the Cooney second amended complaint alleged that the mailing included “addresses, social security numbers and specific health insurance plan selection information.” Paragraph 10 of the Morgan-Wulf third amended complaint alleged that the mailing included “first and last names, addresses, dates of qualification, medical and dental insurers and marital status,” as well as social security numbers. The two cases were consolidated.
[2] The dictionary defines “hold” as “to have and keep in one’s grasp.” American Heritage Dictionary 616 (2d coll. ed. 1982).
[3] Section 1320d—6(a) provides that “[a] person who knowingly and in violation of this part *** discloses individually identifiable health information to another person, shall be punished as provided in subsection b” of this section. 42 U.S.C. §1320d—6(a)(3) (2006). Subsection b provides that for a base offense, which is a disclosure committed without false pretenses and without an intent to sell, then the punishment can be up to one year in jail and may include up to a $50,000 fine. 42 U.S.C. §1320d—6(b) (2006).
[4] In its brief to this court, defendant Board of Education concedes, as it must, that the violation of a statute designed to protect human life or property may be used as prima facie evidence of negligence.
[5] The majority does not find that plaintiffs failed to allege emotional distress; rather it simply does not reach this issue. 407 Ill. App. 3d at 363.