Webb v. Smart Document Solutions, LLC

499 F.3d 1078 (2007)

Kirk WEBB, individually and as class representative; Mann & Cook, a legal partnership, for itself and as class representative, Plaintiffs-Appellants,
v.
SMART DOCUMENT SOLUTIONS, LLC, Defendant-Appellee.

No. 05-56282.

United States Court of Appeals, Ninth Circuit.

Argued and Submitted May 10, 2007. Filed August 27, 2007.

*1079 *1080 Barrett S. Litt and Paul J. Estuar, Litt, Estuar, Harrison, Miller & Kitson, LLP, Los Angeles, CA, for plaintiffs-appellants.

Martin D. Bern, Munger, Tolles & Olson, LLP, San Francisco, CA, for defendant-appellee.

Before: ANDREW J. KLEINFELD and RICHARD A. PAEZ, Circuit Judges, and WILLIAM HART,[*] Senior Judge.

PAEZ, Circuit Judge:

The regulations promulgated by the Department of Health and Human Services ("DHHS") to implement the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 42 U.S.C.), provide for an individual's broad access to his own health records. Under HIPAA, an individual has the right to obtain copies of his medical records for a reasonable, cost-based fee, while third parties who seek the same records may be charged at a higher rate. See 45 C.F.R. § 164.524(c)(4). In this case, Kirk Webb's lawyers—the law firm of Mann & Cook — requested Webb's records on his behalf from his treating hospital. That hospital in turn passed the request on to Smart Document Systems ("Smart"), which charged Mann & Cook at the higher rate. Because Mann & Cook bills their clients for the cost of obtaining medical records, Webb and Mann & Cook (collectively, "Plaintiffs") sued Smart for unfair competition under California Business and Professions Code section 17200 ("Section 17200"), asserting that the lower, cost-based fee should apply.

In a matter of first impression for the federal courts, we must determine whether the term "individual" in the DHHS regulations implementing HIPAA encompassed Mann & Cook when it acted as Webb's agent, thereby qualifying the law firm to obtain medical records at the lower rate. Although nothing in the regulations prevents a law firm from drafting or mailing the request for records on behalf of its clients, or from directing that the records be sent to its office, we hold nonetheless that the HIPAA regulations require the reduced rate only when the individual himself requests the records.[1] Thus, we affirm the district court's dismissal of Plaintiffs' case for failure to state a claim for relief.

Before turning to the merits of Plaintiffs' claims, we also consider sua sponte whether the district court had jurisdiction over this case. Because HIPAA provides for no private right of action, Plaintiffs originally filed this case in the California Superior Court, invoking a California unfair competition statute to seek redress of the alleged HIPAA violations. Defendant removed the case to federal court. Although under certain circumstances concerns *1081 about federal question jurisdiction will preclude federal courts from hearing a case where there is no federal private right of action, we conclude that the district court correctly assumed diversity jurisdiction here.

I.

OVERVIEW

Webb and Mann & Cook filed a class action in California Superior Court. According to the allegations in their complaint, which we "presume[ ] to be true" when reviewing a district court's dismissal pursuant to Federal Rule of Civil Procedure 12(b)(6), Holcombe v. Hosmer, 477 F.3d 1094, 1097 (9th Cir.2007), the following facts formed the basis of the lawsuit:

Smart is the "world's largest health document processor." It contracts with numerous health care providers and facilities for the "exclusive" right to copy and provide patients' records. When a provider contracts with Smart, patients have "no other means to obtain copies of [their] medical records except through Smart"; Smart "does not notify the patient that it will be accessing and viewing the patient's health care records in advance," nor does it "obtain the patient's consent to do so." Upon receiving a request, "Smart then accesses and copies the patient's health care records through an agent who maintains copying equipment on the health care provider's premises, sends the health care records to the patient or representative, and sends a bill for the copies of the health care records to the patient or his agent."

In exchange for this exclusive right, "Smart provides free copies and other benefits and services of value to health care providers." Smart makes a profit in spite of the HIPAA provision allowing patients to obtain their records at a cost-based fee in part by "charg[ing] more for providing copies of health care records to patients who request their records through their agents, such as their personal injury lawyers, than to patients who are not represented by attorneys."

Plaintiffs encountered Smart when Webb hired Mann & Cook to represent him in his civil rights claim for excessive force and, in furtherance of that litigation, Mann & Cook ordered copies of Webb's medical records. For that service, Smart charged Mann & Cook $.35 cents per page, in addition to more than $65 in various additional fees, including a "Base Fee," a "Basic Fee," and a "Retrieval Fee." Mann & Cook have a contingent fee arrangement with Webb, so it "advanced the cost of the health care records for its client to Smart, and charged him with repayment of the advance to be paid at the time of the resolution of the case." Because Webb is thus ultimately responsible for Smart's charges, the Plaintiffs alleged that Smart violated the HIPAA fee limitations by charging him—through his agent, Mann & Cook—more than a reasonable, cost-based fee.

HIPAA itself provides no private right of action. Accordingly, Plaintiffs brought suit in state court invoking a California unfair competition law that makes violations of other state and federal laws independently actionable. See Cal. Bus. & Prof.Code §§ 17200-210 (West 2005). Smart removed the case to federal court on the basis of diversity of citizenship in class actions, see 28 U.S.C. §§ 1332(d), 1453,[2] and filed a motion to dismiss for *1082 failure to state a claim, see Fed.R.Civ.P. 12(b)(6). It argued that Plaintiffs had not stated a claim under Section 17200 because they had not adequately alleged a violation of any law. Specifically, Smart argued that Plaintiffs' allegations did not constitute a HIPAA violation because the HIPAA fee limitations apply only to individual patients who request records on their own behalf, and not to attorneys who act as agents of their clients. The district court granted Smart's motion. Plaintiffs timely appealed.

II.

STANDARD OF REVIEW

We review de novo dismissals under Rule 12(b)(6), taking all allegations in the complaint as true. Holcombe, 477 F.3d at 1097.

III.

DISCUSSION

A. Jurisdiction Over the Section 17200 Claim

This case presents an unusual situation. Generally, when we consider state law claims asserted in federal court after a diversity-based removal, we apply state substantive law, pursuant to Erie Railroad Co. v. Tompkins, 304 U.S. 64, 58 S. Ct. 817, 82 L. Ed. 1188 (1938). See, e.g., Kohlrautz v. Oilmen Participation Corp., 441 F.3d 827, 830-31 (9th Cir.2006); Conestoga Servs. Corp. v. Executive Risk Indem., Inc., 312 F.3d 976, 980-81 (9th Cir. 2002). Here, by contrast, the focus of our attention is directed at the proper interpretation of the regulations implementing a federal statute—HIPAA. This seems particularly incongruous because HIPAA itself does not provide for a private right of action, see 65 Fed.Reg. 82601 (Dec. 28, 2000) ("Under HIPAA, individuals do not have a right to court action."), so the federal courts would seldom have occasion to undertake such an analysis.

In fact, however, it is California law that directs, in this class action diversity case, that we examine federal law. Plaintiffs' California cause of action, Section 17200, is a broad statute designed to remedy violations of other laws, both state and federal. See People ex rel. Bill Lockyer v. Fremont Life Ins. Co., 104 Cal. App. 4th 508, 128 Cal. Rptr. 2d 463, 469 (2002) ("[V]irtually any state, federal, or local law can serve as the predicate for" a Section 17200 claim) (emphasis added). Section 17200 "establishes [and creates a private right of action to remedy] three varieties of unfair competition": the unlawful, the unfair, and the fraudulent. Id. (internal quotation marks omitted). Plaintiffs' claim is "based on" the allegedly unlawful and unfair conduct of Smart in violating HIPAA. Charging higher fees to lawyers thus must violate a law — here, the HIPAA regulations—in order for Plaintiffs to state a claim for relief under Section 17200's "unlawful" prong.[3]

Similarly, if we determine that the agency responsible for implementing HIPAA intended to permit Smart's conduct, it cannot be "unfair" under Section 17200. The California Supreme Court has held that if the allegedly unfair conduct is that which "the Legislature has permitted . . . or considered *1083 . . . and concluded no action should lie, courts may not over-ride that determination . . . [and] use the general unfair competition law to assault that [safe] harbor." Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 83 Cal. Rptr. 2d 548, 973 P.2d 527, 541 (1999). To withstand a motion to dismiss under Rule 12(b)(6) and state a claim under Section 17200, therefore, Plaintiffs must demonstrate that, in charging Mann & Cook a higher fee, Smart violated the HIPAA regulations.[4]

In some cases, federal jurisdictional requirements may preclude federal courts from entertaining a state law claim based on a violation of a federal statute.[5] "[A] complaint alleging a violation of a federal statute as an element of a state cause of action, when Congress has determined that there should be no private, federal cause of action for the violation, does not state a claim `arising under the Constitution, laws, or treaties of the United States.'" Merrell Dow Pharm. v. Thompson, 478 U.S. 804, 817, 106 S. Ct. 3229, 92 L. Ed. 2d 650 (1986) (quoting 28 U.S.C. § 1331); see also Utley v. Varian Assoc., Inc., 811 F.2d 1279, 1282-83 (9th Cir.1987). Therefore, where there is no federal private right of action, federal courts may not entertain a claim that depends on the presence of federal question jurisdiction under 28 U.S.C. § 1331.

This jurisdictional concern is not present here. Had Smart removed this case to federal court on the basis of federal question jurisdiction under § 1331, the lack of a private right of action to enforce HIPAA may have foreclosed Plaintiffs' Section 17200 claim. However, Smart invoked diversity jurisdiction pursuant to 28 U.S.C. § 1332(d) to justify the removal. See 28 U.S.C. § 1453; cf. Lockyer v. Dynegy, Inc., 375 F.3d 831, 841-42 (9th Cir.2004) (holding that removal was appropriate, and that the Merrell Dow/Utley rule did not apply where jurisdiction was not "predicated solely on 28 U.S.C. § 1331"); Ethridge v. Harbor House Restaurant, 861 F.2d 1389, 1393-94 & n. 4 (9th Cir.1988) (noting that the Merrell Dow/Utley rule does not apply to cases removed on the basis of diversity jurisdiction). Having satisfied ourselves that we have jurisdiction, therefore, in accordance with California substantive law, we must analyze the federal regulations that will decide whether Plaintiffs have stated a claim for relief.

B. HIPAA Statutory and Regulatory Framework

HIPAA aims "to improve the . . . efficiency and effectiveness of the health information system through the establishment of standards and requirements for the electronic transmission of certain health information." HIPAA § 261, *1084 Pub.L. 104-191, 110 Stat. 1936 (codified at 42 U.S.C. § 1320d notes). As the Fourth Circuit has noted, Congress intended through this legislation to "recogniz[e] the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems." S.C. Med. Ass'n v. Thompson, 327 F.3d 346, 348 (4th Cir.2003). HIPAA, therefore, emphasizes privacy, efficiency, and modernization. The statute itself, however, does not specify either how to protect privacy or to transmit health records efficiently and effectively. Instead, it authorizes the Secretary of Health and Human Services to "adopt standards" that will "enable health information to be exchanged electronically, . . . consistent with the goals of improving the operation of the health care system and reducing administrative costs," and that will "ensure the integrity and confidentiality of [individuals' health] information [and protect against] . . . unauthorized uses or disclosures of the information." See 42 U.S.C. § 1320d-2. Some of the regulations containing those standards are the focus of our inquiry. See 45 C.F.R. §§ 160.103, 160.202, 164.502, 164.508, 164.524.

In implementing this Congressional directive, DHHS has determined that, except in limited circumstances, "an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set." 45 C.F.R. § 164.524(a)(1) (emphasis added). Upon an "individual['s] request[ ]" to inspect or obtain his records,

the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
(i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by [the regulation].

Id. § 164.524(c)(4) (emphasis added). The question raised by this case is whether designated agents, such as personal attorneys, can count as the "individual" in order to obtain the reasonable, cost-based fee.

"As a general interpretive principle, the plain meaning of a regulation governs." Safe Air for Everyone v. U.S. Envtl. Prot. Agency, 488 F.3d 1088, 1097 (9th Cir.2007) (internal quotation marks omitted). DHHS defined "individual" as "the person who is the subject of the protected health information." 45 C.F.R. § 160.103. On their face then, the regulations restrict the fee limitations to requests made by the individual and concretely define "individual" in a way that excludes others acting on that individual's behalf. Plain meaning thus favors Smart.

The canon of statutory construction expressio unius est exclusio alterius, which "creates a presumption that when a statute designates certain persons, things, or manners of operation, all omissions should be understood as exclusions," Silvers v. Sony Pictures Entm't, Inc., 402 F.3d 881, 885 (9th Cir.2005) (en banc) (internal quotation marks omitted), further supports Smart's argument. DHHS has provided for one situation in which other persons may be "treat[ed] . . . as the individual"—when a "personal representative" is authorized to make healthcare-related decisions for an individual:

As specified in this paragraph, a covered entity must, except [in limited circumstances], treat a personal representative as the individual for purposes of this subchapter. . . . If under applicable law a person has authority to act on behalf *1085 of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to personal representation.

45 C.F.R. § 164.502(g). Application of this canon suggests that because DHHS explicitly defined "individual" to encompass "personal representatives," it was fully capable of writing in an even broader definition of the term. That it did not underscores the conclusion that "individual" should be afforded its plain meaning, and that we should therefore reject Mann & Cook's claim to the lower rate.

Notwithstanding that plain meaning, Plaintiffs urge us to read the term "individual" to include authorized attorneys because such an interpretation would be more consistent with the purpose of HIPAA. Plain meaning is not the end of the inquiry. "The plain language of a regulation . . . will not control if clearly expressed administrative intent is to the contrary or if such plain meaning would lead to absurd results." Safe Air, 488 F.3d at 1097 (internal quotation marks and alterations omitted). We invoke this exception to the plain meaning canon, however, only when "some indication of the regulatory intent that overcomes plain language . . . [is] referenced in the published notices that accompanied the rulemaking process." Id. at 1098. Without this safeguard, "interested parties would not have the [requisite] meaningful opportunity to comment on proposed regulations." Id.

We are not persuaded that regulatory intent overcomes plain meaning in this case. Plaintiffs have not directed us to any part of the original notice of proposed rulemaking ("proposed rules"),[6] the commentary accompanying the final rules ("final commentary"),[7] or the subsequent published clarifications accompanying the publication of other rules ("subsequent clarification")[8] that suggests that "individual" means anything other than "the person who is the subject of the protected health information," and, when applicable, that person's personal representative.

On the contrary, a review of relevant regulatory history makes clear that DHHS did not intend for private attorneys to receive the reduced fees. Most notably, in the proposed rules, DHHS explicitly considered adopting a broader definition of "individual" that would have included legal representatives, but in the final rule ultimately decided against it. As explained in the final commentary, DHHS had previously

proposed that the term [individual] include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), the following types of legal representatives: . . . With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person's rights in such contexts.

65 Fed.Reg. 82492. However, "[i]n the final rule, [DHHS] eliminate[d] from the definition of `individual' the provisions designating a legal representative as the `individual.'" Id. The agency chose "[i]nstead" to "include in the final rule a separate *1086 standard for `personal representatives.'" Id. Further, in 2002, in response to a public comment asking whether the fee limitations applied to "payers, attorneys, or entities that have the individual's authorization," DHHS's subsequent clarification explained that "the Rule . . . limits only the fees that may be charged to individuals or to their personal representatives." 67 Fed.Reg. 53254 (emphasis added). The final commentary and subsequent clarification extinguish any doubt that the "personal representative" category constitutes the only class of persons that may be treated as the "individual" other than the individuals themselves. See Barnhart v. Peabody Coal Co., 537 U.S. 149, 168, 123 S. Ct. 748, 154 L. Ed. 2d 653 (2003) (holding that where "it is fair to suppose that [the drafters] considered the unnamed possibility and meant to say no to it," courts should "read the enumeration of one case to exclude another").

Because of this regulatory history, even if we believed the meaning of "individual" was ambiguous on its face, we would be compelled to agree with Smart. An "agency's interpretation [of a regulation] must be given controlling weight unless it is plainly erroneous or inconsistent with the regulation." Thomas Jefferson Univ. v. Shalala, 512 U.S. 504, 512, 114 S. Ct. 2381, 129 L. Ed. 2d 405 (1994) (internal quotation marks omitted). Plaintiffs argue with some force that the regulations implementing HIPAA are designed in general to allow individuals access to their own records at a limited cost, see 45 C.F.R. § 164.524, and that interpreting "individual" in a way that denies the reduced rate to authorized agents decreases accessibility to critical personal information. However, because privacy and efficiency of processing are also important statutory and regulatory goals, we cannot say that DHHS's interpretation—which allows for the imposition of higher costs on anyone other than the individual or personal representative, and provides for the development of an efficient document copying system in part by allowing document companies to make a profit—is "plainly erroneous or inconsistent" with those aims.

Plaintiffs also urge that neither the final commentary nor the subsequent clarification, which appear to foreclose Plaintiffs' argument, is directly on point. They argue that the "legal representatives" and "attorneys" to which the regulatory materials refer do not necessarily include "attorneys at law for individuals"; the final commentary and subsequent clarification, according to Plaintiffs, address only "true third party situations [such as attorneys for insurers], not situations where a `legal representative' is acting `to exercise the person's rights' in a `context' where the `applicable law permits' them to so act." This argument is not convincing. The DHHS final commentary and subsequent clarification clearly preclude both third party attorneys and private legal representatives from obtaining the reduced fees. First, as discussed, the agency considered, but decided against defining "individual" to include legal representatives, instead creating the narrower category of "personal representatives." Second, DHHS stated explicitly that "[t]he fee limitations . . . do not apply to disclosures that are based on an individual's authorization that is valid under [45 C.F.R.] § 164.508." 67 Fed.Reg. 53254.[9] The law firm of Mann & Cook, of *1087 course, must act pursuant to Webb's authorization.[10] Therefore, DHHS has explicitly ruled out Plaintiffs' proposed interpretation.

C. Plaintiffs' Agency Argument

Plaintiffs' case ultimately distills down to their argument that because Mann & Cook acts as Webb's agent, for HIPAA purposes the lawyer who makes the request is the individual, and thus should be charged the reduced fees for the medical records. They rely on California agency law, which provides that "an attorney, appearing and acting for a party to a cause, has authority to do so, and to do all other acts necessary or incidental to the proper conduct of the case." Clark Equip. Co. v. Wheat, 92 Cal. App. 3d 503, 154 Cal. Rptr. 874, 884 (1979). They cite California state law because the HIPAA savings clause provides that its "regulation[s] . . . shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent" than HIPAA's. 42 U.S.C. § 1320d-2 note. "More stringent" laws are defined, inter alia, as those that "permit[ ] greater rights of access" for the "individual, who is the subject of the individually identifiable health information." *1088 45 C.F.R. § 160.202. Plaintiffs argue that California agency law provides the individual with greater rights of access by allowing attorney-agents to obtain the records at the limited cost, and therefore trumps the HIPAA regulations to the extent they require a contrary interpretation.

In fact, however, California law does not support Plaintiffs' claim. In the only case—federal or state—to address directly a claim based on the HIPAA fee limitation at issue in this case, the California Court of Appeal analyzed the same agency argument, advanced by the same law firm — Mann & Cook — on behalf of a different client, and rejected it:

We agree that the lawyer is the client's agent, but we do not think that, for the purposes of protecting the privacy of medical, records, a lawyer's request is the same as the client's personal request for his or her own medical records. The problem that appellant's argument sidesteps is that a request by anyone other than the individual or his/her personal representative as defined in the regulations raises serious privacy concerns. DHHS considered but rejected giving lawyers the same status as personal representatives. This court is not empowered to redraft federal regulations, especially when the regulations do not impinge on fundamental rights. . . . [A]ll appellant has to do is to request a copy of his own records. We do not perceive that there is any "right" to have one's lawyer ask for one's records.

Bugarin v. Chartone, 135 Cal. App. 4th 1558, 38 Cal. Rptr. 3d 505, 510 (2006). We must defer to the California court's interpretation of its own agency law as not granting the rights Plaintiffs assert.[11]See Mullaney v. Wilbur, 421 U.S. 684, 691, 95 S. Ct. 1881, 44 L. Ed. 2d 508 (1975) ("[S]tate courts are the ultimate expositors of state law, and we are bound by their constructions except in extreme circumstances." (citations omitted)). State law does not, therefore, trump HIPAA in this case. Accordingly, because Plaintiffs have not sufficiently alleged a HIPAA violation, they have not stated a claim under Section 17200, and dismissal under Rule 12(b)(6) was appropriate.[12]

*1089 Our holding, however, in no way precludes attorneys from assisting their clients in accessing and obtaining their medical records without triggering the hefty fees. Although the plain meaning of "individual," as well as the DHHS final commentary and subsequent clarification evidence a clear intent to exclude attorney requests from the reduced fees, this intent does create at least some conflict with DHHS's statement that "[t]he fee limitation . . . is intended to assure that the right of access . . . is available to all individuals, and not just to those who can afford to do so." 67 Fed.Reg. 53254. As the California Court of Appeal noted,

lawyers routinely request copies of their clients' medical records. The effect of such requests by lawyers is to increase the cost to the client, even though the intent of the legislation, and the regulations, is to minimize the cost of copying, at least when an "individual" requests his or her own records.

Bugarin, 38 Cal.Rptr.3d at 509. It is possible to reconcile this seeming conflict; privacy concerns increase when anyone other than the individual requests medical records, and because privacy is a primary HIPAA goal, it makes sense to make it more difficult for third parties to obtain records, even with authorization. Still, it is "circuitous," if not downright silly, to require an individual "to request his own medical records . . . and having received them, hand them to his lawyer." Id. at 510.

We therefore echo the concurrence in Bugarin by emphasizing that in affirming the district court's judgment, we only

uphold[ ] the ability of copying services to charge higher rates when the attorney makes the request on behalf of his or her client than when the patient/ client makes the request directly. . . . [We do] not address such presumably common scenarios in which the client signs the request and asks the documents to be sent to the attorney, or the attorney prepares the documents on his or her letterhead and the client personally signs the request.

Id. at 511 (Rubin, J., concurring). In the end, then, we may not be "free to deviate from the text" of the HIPAA regulations, id. at 509, but we may nonetheless recognize that there is ample room for attorneys to provide important services for their clients.[13]

AFFIRMED.

NOTES

[*] The Honorable William Hart, Senior United States District Judge for the Northern District of Illinois, sitting by designation.

[1] We have jurisdiction pursuant to 28 U.S.C. § 1291.

[2] Under the Class Action Fairness Act of 2005, Pub.L. 109-2, 119 Stat. 4 (2005), except in certain circumstances not present here, "[a] class action may be removed to a district court of the United States . . . without regard to whether any defendant is a citizen of the State in which the action is brought." 28 U.S.C. § 1453(b); see also id. § 1332(d)(2) ("The district courts shall have original jurisdiction of any civil action in which the matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class action in which—[, inter alia,] (A) any member of a class of plaintiffs is a citizen of a State different from any defendant.").

[3] Plaintiffs' complaint also referenced a claim under the California common law of unfair competition. Plaintiffs have not pursued that claim in this appeal, so we consider it waived. See United States v. Gomez-Mendez, 486 F.3d 599, 606 n. 10 (9th Cir.2007) ("We will not ordinarily consider matters on appeal that are not specifically and distinctly raised and argued in an appellant's opening brief." (internal quotation marks omitted)).

[4] Plaintiffs also alleged a claim for relief under California Civil Code section 52.1 (providing a cause of action for "interfere[nce] . . . by threats, intimidation, or coercion, . . . with the exercise or enjoyment . . . of rights secured by" state or federal statutes or constitutions). There is some question whether section 52.1 covers violations of federal regulations at all, even if a violation were adequately stated. Cf. Venegas v. County of Los Angeles, 32 Cal. 4th 820, 11 Cal. Rptr. 3d 692, 87 P.3d 1, 14 (2004) ("Civil Code section 52.1 does not extend to all ordinary tort actions because its provisions are limited to threats, intimidation, or coercion that interferes with a constitutional or statutory right." (emphasis added)). Because we determine that the HIPAA regulations do not limit the fees that Smart may charge to attorneys, however, we need not reach that question.

[5] Neither party challenges federal court jurisdiction over this removed case. See 28 U.S.C. § 1332(d) (authorizing diversity jurisdiction over class actions); id. § 1453 (authorizing removal of class actions). Because of the unusual procedural posture of this case, however, we discuss this issue to ensure that we in fact have subject matter jurisdiction.

[6] See 64 Fed.Reg. 59918-60065 (Nov. 3, 1999).

[7] See 65 Fed.Reg. 82462-82829 (Dec. 28, 2000).

[8] See 67 Fed.Reg. 53254 (Aug. 15, 2002).

[9] A valid authorization under HIPAA is defined as follows:

Implementation specifications: Core elements and requirements.

—

(1) Core elements. A valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. . . .

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . .

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all the following:

(i) The individual's right to revoke the authorization in writing, and . . . :

(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization;

****

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization,

****

(3) Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

45 C.F.R. § 164.508(c).

[10] To the extent that Plaintiffs suggest that, as an agent of Webb, Mann & Cook acts as Webb and thus does not need a valid HIPAA authorization, their argument lacks merit. Although § 164.508 is a general provision requiring authorization, nothing in that section exempts private attorneys. Moreover, the final commentary explicitly states that "[i]f the attorney [of an individual] is not the personal representative under the rule, or if the attorney wants a copy of more protected health information than that which is relevant to his personal representation, the individual would have to authorize such disclosure" of records. 65 Fed.Reg. 82651. Given HIPAA's concerns with the privacy of medical information, such a specific authorization requirement makes sense. Indeed, as the final commentary makes clear, even personal representatives do not get carte blanche to request medical records without specific authorization, but instead may request only records relevant to that representation. There is therefore no reason to think that a general attorney/client retainer form would be sufficient, without specific authorization, to allow disclosure of medical records.

[11] Some non-California state cases suggest that, in certain contexts, attorney-agents may qualify as individuals for the purpose of requesting medical records at a reduced, cost-based fee. However, none of these cases involve HIPAA or, for that matter, any statute with comparable text or commentary suggesting that the drafters intended to exclude private attorneys from benefitting from the fee limitations. Cf. Ford v. Chartone, Inc., 908 A.2d 72, 92 (D.C.Ct.App.2006) (relying on agency law to certify a class of lawyers seeking to obtain client medical records at reduced fees based on a state consumer protection statute, but not challenging Defendant Chartone's interpretation of the HIPAA regulation "as not imposing its fee caps on transactions with attorney requestors"); Cruz v. All Saints Healthcare Sys., Inc., 242 Wis. 2d 432, 625 N.W.2d 344 (Wis.Ct.App.2001) (certifying class of lawyers seeking to obtain client medical records at reduced fees where state statutory fee limitations explicitly applied to authorized representatives); Mermer v. Med. Correspondence Servs., 115 Ohio App. 3d 717, 686 N.E.2d 296 (1996) (relying on agency law to hold that attorney's request counted as client's, but not noting any contrary legislative intent in the relevant state statute). Moreover, other state cases have come to the opposite conclusion, so even apart from HIPAA, the issue is far from settled. See Street v. Smart Corp., 157 N.C.App. 303, 578 S.E.2d 695 (2003) (holding that attorneys who had obtained medical records for clients had no standing to sue document reproduction companies); Slobin v. Henry Ford Health Care, 469 Mich. 211, 666 N.W.2d 632, 634 (2003) (holding that an attorney's request for client's medical records was not subject to the fee limitations because, inter alia, the state consumer protection statute "applies only to purchases by consumers").

[12] California's statutory equivalent to the regulatory provision allowing reduced fees under HIPAA also appears on its face to be inapplicable to requests like Mann & Cook's: The state statutory fee limitations apply to the requests of a "patient" or "patient's representative." Cal. Health & Safety Code § 123110(b). The definition of "patient's representative" does not include private attorneys unless they are guardians or agents empowered to make healthcare decisions. Id. § 123105(e). It is possible that legislative intent, or the policy and practices of the agency implementing this statute might lead to a different conclusion. However, as neither party has raised the significance of this state, statute or its interpretation, we decline to address it further.

[13] In light of our disposition we need not reach the issue of whether Smart is subject to HIPAA's cost-based fee regulation in the first place.