No. 18-251
________________
IN THE
Supreme Court of the United States
October Term, 2018
________________
BARKER & TODD, INC.,
Petitioner,
v.
Anthony HOPE,
Respondent.
________________
On Writ of Certiorari to the
Thirteenth Circuit Federal Court of Appeals
________________
BRIEF FOR RESPONDENT
________________
Attorneys for Respondent
Team 2720
QUESTIONS PRESENTED
I. Whether Hope satisfied the injury-in-fact requirement of standing where attackers
placed Hope’s electronic protected health information (“ePHI”) for sale on the dark
web and his ePHI was downloaded hundreds of times.
II. Whether HIPAA may inform the standard of care for Hope’s general negligence and
negligence per se claims under Missouriana law where B&T collected and failed to
safeguard the putative class’s ePHI.
TABLE OF CONTENTS
Page
TABLE OF CONTENTS ............................................................................................................... iii
TABLE OF AUTHORITIES .......................................................................................................... v
OPINIONS BELOW ....................................................................................................................... 1
STATUTORY AND REGULATORY PROVISIONS INVOLVED ............................................. 1
STATEMENT OF THE CASE ....................................................................................................... 2
SUMMARY OF THE ARGUMENT ............................................................................................. 5
I. Hope Suffered an Injury-In-Fact Sufficient to Confer Standing. ........................................ 5
II. Hope Can Sue B&T for Negligence Under Missouriana Law. ........................................... 6
ARGUMENT .................................................................................................................................. 7
I. STANDARD OF REVIEW ................................................................................................. 7
II. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT THE PUTATIVE CLASS
SATISFIED THE INJURY-IN-FACT REQUIREMENT. ................................................ 8
A. Hope Suffered a Particularized Injury Because His Personal Information
Was Targeted in a Data Breach That Affected a Finite Group of
Consumers................................................................................................... 9
B. Hope Suffered a Concrete Injury Because His Injury Is Closely Linked to
the Traditionally Recognized Harm of Invasion of Privacy and Congress
Has Emphasized the Importance of Protecting Private Medical
Information. .............................................................................................. 11
C. Hope Suffered Actual or Imminent Injuries Because B&T’s Data Breach
Increased Hope’s Risk of Identity Theft and Attackers Sold His Sensitive
Personal Information on the Dark Web. ................................................... 13
III. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT HOPE STATED
PLAUSIBLE CLAIMS ENTITLED TO RELIEF UNDER MISSOURIANA
NEGLIGENCE LAW THAT ARE NOT PREEMPTED BY HIPAA. ...................... 16
A. HIPAA Allows Missouriana to Protect Its Citizens’ Privacy Interests
Because Its Preemption Clause Only Applies to Contrary State Law. ..... 17
B. B&T Had a General Negligence Duty to Protect the Putative Class’s
Health Information Based on the Surrounding Circumstances and B&T’s
Undertaking............................................................................................... 22
C. B&T Had a Duty to Protect the Class’s Health Information Under
Missouriana’s Negligence Per Se Statute. ................................................ 29
CONCLUSION ............................................................................................................................. 34
APPENDIX A ............................................................................................................................... 35
TABLE OF AUTHORITIES
Cases Page(s)
Alaska Ass’n of Naturopathic Physicians v. State Dep’t of Commerce,
414 P.3d 630 (Alaska 2018)...............................................................................................32
Arkansas Elec. Co-op. Corp. v. Arkansas Pub. Serv. Comm’n,
461 U.S. 375 (1983) ...........................................................................................................16
Ashcroft v. Iqbal,
556 U.S. 662 (2009) .............................................................................................................8
Astra USA, Inc. v. Santa Clara Cty.,
563 U.S. 110 (2011) ...........................................................................................................17
Attias v. Carefirst, Inc.,
865 F.3d 620 (D.C. Cir. 2017) .....................................................................................14, 15
Baker v. Carr,
369 U.S. 186 (1962) .............................................................................................................9
Barnhill v. Teva Pharm. USA, Inc.,
819 F. Supp. 2d 1254 (S.D. Ala. 2011)........................................................................23, 24
Basileh v. Alghusain,
912 N.E.2d 814 (Ind. 2009) ...............................................................................................31
Baum v. Keystone Mercy Health Plan,
826 F. Supp. 2d 718 (E.D. Pa. 2011) .................................................................................21
Batterton v. Francis,
432 U.S. 416 (1977) ...........................................................................................................31
Bell Atl. Corp. v. Twombly,
550 U.S. 544 (2007) .........................................................................................................7, 8
Biddle v. Warren Gen. Hosp.,
715 N.E.2d 518 (Ohio 1999) ......................................................................................26, 27
Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C.,
102 A. 3d 32 (Conn. 2014) ....................................................................................16, 18, 19
Chrysler Corp. v. Brown,
441 U.S. 281 (1979) ...........................................................................................................31
Dan’s City Used Cars, Inc. v. Pelkey,
569 U.S. 251 (2013) ...........................................................................................................17
Dep’t of Homeland Sec. v. MacLean,
135 S. Ct. 913 (2015) .........................................................................................................31
D.H. ex rel. A.M.J. v. Whipple,
103 N.E.3d 1119 (Ind. Ct. App. 2018)...............................................................................27
Dixon v. Int’l Harvester Co.,
754 F.2d 573 (5th Cir. 1985) .............................................................................................30
English v. Gen. Elec. Co.,
496 U.S. 72 (1990) .......................................................................................................18, 19
Exelon Generation Co., LLC v. Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO,
676 F.3d 566 (7th Cir. 2012) .............................................................................................18
Fanean v. Rite Aid Corp. of Delaware,
984 A.2d 812 (Del. Super. Ct. 2009) ...........................................................................27, 28
Ford v. Oliver,
176 A.3d 891 (Pa. Super. Ct. 2017) ..................................................................................26
Fraley v. Facebook,
830 F. Supp. 2d 785 (N.D. Cal. 2011) .........................................................................9, 10
Galaria v. Nationwide Mut. Insurance Co.,
663 F. App’x 384 (6th Cir.) .........................................................................................14, 15
Gill v. Whitford,
138 S.Ct. 1916 (2018) ...........................................................................................................9
Grable & Sons Metal Products, Inc. v. Darue Engineering & Mfg.,
545 U.S. 308 (2005) ...............................................................................................20, 22, 30
Gratz v. Bollinger,
539 U.S. 244 (2003) .............................................................................................................8
Greater Houston Transp. Co. v. Phillips,
801 S.W.2d 523 (Tex. 1990) ..............................................................................................23
Hanson v. Jones Medical Ctr.,
199 Mis. 2d 321 (2002) ......................................................................................................26
Heckman v. Ryder Truck Rental, Inc.,
962 F. Supp. 2d 792 (D. Md. 2013) ...................................................................................24
In Re Horizon Healthcare Serv. Inc. Data Breach,
846 F.3d 625 (3rd Cir. 2017) .......................................................................................11, 12
Howard v. Zimmer, Inc.,
299 P.3d 463 (Okla. 2013) ...........................................................................................21, 22
I.S. v. Washington Univ.,
No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo. June 14, 2011) ...............................21
K.V. & S.V. v. Women’s Healthcare Network, LLC,
No. 07-0228-CV-W-DW, 2007 WL 1655734 ...................................................................30
State v. Lee,
957 P.2d 741 (Wash. 1998)................................................................................................16
Lewert v. P.F. Chang’s China Bistro, Inc.,
819 F.3d 963 (7th Cir. 2016) .............................................................................................15
Lujan v. Def. of Wildlife,
504 U.S. 555 (1992) .............................................................................................................8
Martin v. Herzog,
126 N.E. 814 (N.Y. 1920) ..................................................................................................29
Medtronic, Inc. v. Lohr,
518 U.S. 470 (1996) ...........................................................................................................18
Merrell Dow Pharm., Inc. v. Thompson,
478 U.S. 804 (1986) ...............................................................................................20, 22, 30
Mower v. Baird,
422 P.3d 837 (Utah 2018) ..................................................................................................25
Muskrat v. United States,
219 U.S. 346 (1911) .............................................................................................................8
N.L.R.B. v. Brown,
380 U.S. 278 (1965) ...........................................................................................................23
New Star Realty, Inc. v. Jungang PRI USA, LLC,
816 S.E.2d 501 (Ga. Ct. App. 2018) ..................................................................................22
In re Nickelodeon Consumer Privacy Litig.,
827 F.3d 262 (3d Cir. 2016)...........................................................................................9, 11
Oakey ex rel. Lucero v. May Maple Pharmacy, Inc.,
399 P.3d 939 (N.M. Ct. App. 2017) ..................................................................................28
Petruska v. Gannon Univ.,
462 F.3d 294 (3d Cir. 2006).................................................................................................7
Pisciotta v. Old Nat’l Bancorp.,
499 F.3d 629 (7th Cir. 2007) .........................................................................................8, 13
Potvin v. Speedway LLC,
891 F.3d 410 (1st Cir. 2018) ..............................................................................................22
Pratico v. Portland Terminal Co.,
783 F.2d 255 (1st Cir. 1985) ..............................................................................................30
R.K. v. St. Mary’s Med. Ctr., Inc.,
735 S.E.2d 715 (W. Va. 2012) .....................................................................................16, 19
Regents of Univ. of California v. Superior Court,
413 P.3d 656 (Cal. 2018) .............................................................................................25, 26
Remijas v. Neiman Marcus Grp., LLC,
794 F.3d 688 (7th Cir. 2015) .............................................................................................10
United States v. Richardson,
418 U.S. 166 (1974) .............................................................................................................9
Sheldon v. Kettering Health Network,
40 N.E.3d 661 (Ohio Ct. App. 2015) ...........................................................................19, 21
State v. Slavens,
190 S.W.3d 410 (Mo. Ct. App. 2006) ................................................................................31
Spokeo v. Robins,
136 S.Ct. 1540 (2016) ....................................................................................................8, 11
Staggs ex rel. Coulter v. ADS Logistics Co., LLC,
102 N.E.3d 319 (Ind. Ct. App. 2018).................................................................................26
In re Target Corp. Customer Data Sec. Breach Litig.,
64 F. Supp. 3d 1304 (D. Minn. 2014) ..........................................................................23, 26
Vill. of Euclid, Ohio v. Ambler Realty Co.,
272 U.S. 365 (1926) ...........................................................................................................16
Weinberg v. Advanced Data Processing, Inc.,
147 F. Supp. 3d 1359 (S.D. Fla. 2015) ..............................................................................28
Yath v. Fairview Clinics,
767 N.W.2d 34 (Minn. Ct. App. 2009) ..................................................................16, 19, 20
Statutes
42 U.S.C. § 1320d-7 ......................................................................................................................18
Pub. L. No. 104-191 .......................................................................................................2, 16, 20, 32
Rules
45 C.F.R. § 160 ............................................................................................................10, 17, 18, 32
45 C.F.R. § 164 ............................................................................................................1, 3, 4, 32, 33
58 M.C.S. § 10/5-101 .....................................................................................................1, 22, 26, 27
302 M.C.S. § 3/22-104 .....................................................................................................1, 4, 29, 32
410 M.C.S § 22/46-101(a) ...................................................................................1, 3, 24, 25, 26, 27
Fed. R. Civ. P. 12 ......................................................................................................4, 7, 12, 29, 33
Other Authorities
Black’s Law Dictionary (9th ed. 2009) ............................................................................................8
Erin Fuchs, Identity theft now costs far more than all other property crimes combined, Business
Insider (Dec. 12, 2013), (available at https://www.businessinsider.com/bureau-of-justice-
statistics-identity-theft-report-2013-12) .............................................................................15
HHS OCR Imposition of CMP Against Children’s Medical Center of Dallas for Lack of Timely
Action Risks Security and Costs Money, Healthcare Compl. Rep. ¶ 480033 ..............32, 33
HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research (Sharyl J. Nass
et al. eds., 2009) .................................................................................................................13
Restatement (Second) of Torts § 323 (Am. Law Inst. 1965) .........................................................27
Restatement (Second) of Torts § 652A (Am. Law Inst. 1977) ......................................................12
Restatement (Third) of Torts § 14 (Am. Law Inst. 2001) ..................................................20, 29, 31
Social Security Administration, Identity Theft and Your Social Security Number 2 (2018),
available at http:// www.ssa.gov/pubs/10064.pdf .............................................................15
Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462
(December 28, 2000) .........................................................................................................19
OPINIONS BELOW
The unreported opinion of the United States Court of Appeals for the Thirteenth Circuit
appears on pages 15-24 of the record. The unreported opinion of the United States District Court
for the District of Missouriana appears on pages 1-14 of the record.
STATUTORY AND REGULATORY PROVISIONS INVOLVED
HIPAA regulations cited by Hope as informing the standard of care, 45 C.F.R. §§
164.306, 164.312 (2016), are located at Appendix A.
302 M.C.S. § 3/22-104 provides that “[a]n actor is negligent if, without excuse, the actor
violates a statute that is designed to protect against the type of accident the actor’s conduct
causes, and if the accident victim is within the class of persons the statute is designed to protect.”
302 M.C.S. § 3/22-104 (2014).
58 M.C.S. § 10/5-101 requires “health care providers” to maintain patient record
confidentiality and defines “health care provider” to include “physicians; surgeons; podiatrists;
dentists; optometrists; psychologists; physical or occupational therapists; marriage, family and
child counselors; clinical social workers, and any other health care professional licensed under
Missouriana law.” 58 M.C.S. § 10/5-101 (2008).
The Missouriana Data Breach Notification Act requires “[an] individual or a commercial
entity that conducts business in Missouriana and that owns or licenses computerized data that
includes personally identifiable information about a resident of Missouriana” to “conduct in good
faith a reasonable and prompt investigation to determine the source of the breach and give notice
as soon as possible to the affected Missouriana resident.” Missouriana Data Breach Notification
Act, 410 M.C.S § 22/46-101(a) (2005).
STATEMENT OF THE CASE
This case involves a dispute over whether a data breach constitutes injury-in-fact for
purposes of Article III standing and whether wrongful disclosure of electronic protected health
information (“ePHI”) covered by the Health Insurance Portability and Accountability Act of
1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered
sections of 42 U.S.C.) may form the basis for state law negligence claims. Anthony Hope
(“Hope”) complains that Baker & Todd, Inc. (“B&T”) negligently failed to update its servers to
protect its customers’ ePHI including medical history information and social security numbers.
(R. at 1.) Due to B&T’s failure to safeguard this ePHI, attackers accessed the customers’
information and placed it for sale on a “darknet market” website, where it was downloaded
hundreds of times. (R. at 3.) The total number of potentially affected participants was 426. (Id.)
Hope and other affected participants brought this class action lawsuit, seeking recovery from
B&T for the wrongful disclosure and related injuries. (R. at 4.)
B&T’s Pharmaceutical Program
B&T manufactures prescription drugs that several of its customers cannot afford. (R. at
2.) Moreover, medical insurance only partially covers the cost of a number of these drugs. (R. at
2.) While B&T offers a prescription assistance program to offset these costs, B&T requires
participants to complete an application which asks for personal information including income,
date of birth, social security number, medical insurance policy numbers, and medical history
regarding the prescribed medication. (R. at 3.) Based on factors such as income and availability
of insurance, B&T determines whether to reduce individual patients’ costs for obtaining its
drugs. (R. at 2.)
Hope and other members of the putative class participated in a prescription drug access
program for B&T’s new arthritis drug, Flexacor. (R. at 3.) As with B&T’s other prescription
assistance programs, members of the putative class provided B&T with their incomes, dates of
birth, social security numbers, medical insurance policy numbers, and medical histories. (R. at
2.) B&T stored this ePHI on its servers. (R. at 2.)
B&T’s Failure to Safeguard the Class’s ePHI
Attackers first accessed the putative class’s ePHI on B&T’s servers on October 26, 2015.
(R. at 2.) Although the ePHI was encrypted and password-protected due to the risk of an exploit,
B&T left the information vulnerable to attackers while transferring it from local servers to
upgraded cloud-based servers it purchased from an outside vendor. (R. at 2.) Specifically, B&T
failed to install the vendor’s upgrade to patch a hole in the cloud-based servers’ security that
would have prevented attackers from accessing B&T’s customers’ ePHI without a decryption
key. (R. at 2.)
By moving the ePHI to the new servers without installing the update, B&T left the
putative class’s data vulnerable for about eight hours. (R. at 3.) During this time attackers
utilized an exploit that rendered encryption ineffective and accessed the putative class’s ePHI.
(R. at 3.) Afterward, B&T installed the outside vendor’s patch but would later learn that the data
had already been compromised. (R. at 3.)
On November 8, 2015, B&T notified members of the putative class about the possibility
of a breach, pursuant to HIPAA’s regulations, 45 C.F.R. § 164.404(b), and Missouriana’s Data
Breach Notification Act, 410 M.C.S. § 22/45–101(a). (R. at 3.) B&T offered the affected
participants a year of free credit monitoring due to their increased risk of identity theft and
continued to investigate whether a breach had occurred. (R. at 3.) Hope signed up for the credit
monitoring. (R. at 3.) On November 30, 2015, Hope learned that his B&T account user name
and password, date of birth, and social security number had been placed for sale on the dark web
and downloaded hundreds of times. (R. at 3.)
Hope has experienced fear and anxiety about identity theft, especially considering that he
will soon be married and combine finances with his new husband. (R. at 4.) While Hope had
not yet experienced fraudulent charges or other instances of identity theft at the time of initiating
this suit, his information remained for sale on the dark web. (R. at 4.)
Procedural History
Hope filed this class action suit on February 15, 2016 under the federal court’s diversity
jurisdiction. (R. at 4.) The putative class includes B&T customers who, like Hope, found their
information on the dark web. (R. at 4.) Hope alleges that B&T negligently handled the
consumers’ ePHI by failing to protect the privacy of their ePHI. (R. at 4.) Hope cites to 45
C.F.R. §§ 164.306-164.312, which provide HIPAA’s privacy standards, as evidence of the
standard of care in a general negligence claim. (R. at 4.) Hope also argues that HIPAA defines
the standard of care in a separate cause of action based on Missouriana’s negligence per se law,
302 M.C.S. § 3/22-104. (R. at 4.)
B&T moved to dismiss Hope’s complaint under Fed. R. Civ. P. 12(b)(1), arguing that the
breach of his ePHI on B&T’s server and its dissemination on the dark web, along with the
downloads, do not constitute injury for purposes of Article III standing. (R. at 4.) B&T also
moved to dismiss under Fed. R. Civ. P. 12(b)(6), arguing that Missouriana negligence law does
not provide Hope a cause of action based on its failure to protect the putative class’s ePHI. (R. at
4.)
While the United States District Court for the District of Missouriana granted B&T’s
motions and dismissed the complaint without prejudice, the Thirteenth Circuit reversed and
remanded the matter. (R. at 14, 24.) The Thirteenth Circuit held that the district court dismissed
Hope’s complaint in error as to both grounds. (R. at 24.)
On July 16, 2018, this Court granted certiorari. (R. at 25.) On appeal, this Court
considers: 1) whether Hope established injury-in-fact to confer standing under Article III and 2)
whether Hope’s Missouriana negligence claims may be based on violations of HIPAA. (R. at
25.)
SUMMARY OF THE ARGUMENT
I. Hope Suffered an Injury-In-Fact Sufficient to Confer Standing.
Hope’s injuries resulting from B&T’s negligent failure to safeguard his electronic
protected health information (“ePHI”) constitute injury-in-fact for purposes of Article III
standing. To establish standing, a plaintiff must allege an injury which is concrete and
particularized and actual or imminent.
Hope suffered a particularized injury when attackers targeted his personal, identifiable
information. Rather than being a universal harm, the breach affected a finite group of
consumers. Hope had a personal stake in keeping his personal information away from the dark
web. Because attackers downloaded his ePHI hundreds of times, Hope faces a threat of identity
theft unique to him. Due to this misappropriation of his sensitive personal information, Hope
must now carefully monitor his credit for fraudulent acts.
Next, Hope suffered a concrete injury. Courts have traditionally recognized a person’s
interest in freedom from invasion of privacy. The data breach resulted in a similar type of
concrete harm. Also, Congress has expressed the importance of protecting the privacy of
patients like Hope by passing HIPAA.
Finally, the data breach imminently and substantially increased Hope’s risk of future
harm from identity theft and other fraudulent activities. Attackers generally instigate data
breaches like the one at issue to commit fraudulent activities. Considering that attackers sold
Hope’s personal information on the dark web hundreds of times, its further misuse is imminent.
II. Hope Can Sue B&T for Negligence Under Missouriana Law.
The putative class stated plausible claims which entitle Hope to relief under Missouriana
law. In passing HIPAA, Congress left the states to provide additional protections for patients’
privacy. While HIPAA preempts contrary state laws, Hope’s claims complement the goals of
HIPAA by encouraging those entrusted with ePHI, such as B&T, to protect patients’ privacy.
Also, Missouriana common law affirmatively required B&T to exercise reasonable care
in protecting Hope’s ePHI. The surrounding circumstances imposed a common law duty upon
B&T to protect its customers’ sensitive information. B&T reasonably foresaw the possibility of
a data breach like the one that occurred and kept patients’ ePHI in encrypted form, albeit
negligently. Also, B&T created relationships with members of the putative class by asking them
to provide sensitive information to receive financial assistance. Likewise, the Missouriana Data
Breach Notification Act statutorily created a relationship between B&T and the putative class.
Moreover, Missouriana has recognized the importance of protecting medical patients’
information, and the state’s public policy favors imposing a duty of care. B&T also voluntarily
assumed a duty of care toward the putative class by obtaining the class’s information and storing
it in encrypted form.
Finally, Missouriana statutory law provides Hope a cause of action based on negligence
per se. Missouriana’s negligence per se statute uses the language of the Third Restatement of
Torts, showing the legislature’s intent to follow the Restatement’s approach of allowing federal
regulations like HIPAA to define B&T’s standard of care. Although Hope’s negligence claims
refer to regulatory provisions, their legislative-type nature makes them like statutory law. Based
on the allegations in the Complaint, B&T had an affirmative obligation to follow HIPAA’s
standards cited by Hope but failed to do so.
ARGUMENT
Hope states claims upon which relief may be granted by the federal courts. While the
District Court dismissed Hope’s claims, the Court of Appeals for the Thirteenth Circuit reversed,
holding that Hope’s Complaint established injury-in-fact for Article III standing and pleaded
claims for which relief could be granted under Missouriana negligence law. (R. at 24.)
The Thirteenth Circuit correctly held that the putative class’s injuries related to attackers
placing its electronic protected health information (“ePHI”) for sale on the dark web confer
standing under Article III. The Thirteenth Circuit also correctly held that Hope stated plausible
general negligence and negligence per se claims under Missouriana law by asserting that B&T
failed to properly safeguard the class’s ePHI.
I. STANDARD OF REVIEW
This Court reviews decisions on a motion to dismiss under Fed. R. Civ. P. 12(b)(6) de
novo. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 556 (2007). A motion to dismiss under
Fed. R. Civ. P. 12(b)(1) is reviewed under the same standard. Petruska v. Gannon Univ., 462
F.3d 294, 299 (3d Cir. 2006). “[A] complaint must contain sufficient factual matter, accepted as
true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678
(2009) (citing Twombly, 550 U.S. at 570). “[O]nce a claim has been stated adequately, it may be
supported by showing any set of facts consistent with the allegations in the complaint.”
Twombly, 550 U.S. at 563.
II. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT THE PUTATIVE
CLASS SATISFIED THE INJURY-IN-FACT REQUIREMENT.
The Thirteenth Circuit correctly held that the putative class satisfied the injury-in-fact
requirement to confer standing. Article III limits this Court’s exercise of judicial power to cases
and controversies. Muskrat v. United States, 219 U.S. 346, 356 (1911). The standing to sue
doctrine, rooted in this “case or controversy” doctrine, further limits the jurisdiction of federal
courts. Spokeo v. Robins, 136 S.Ct. 1540, 1547 (2016). To establish standing, a plaintiff must
establish they have suffered an injury-in-fact, traceable to the acts of the defendant, where the
court may fashion a possible remedy. Lujan v. Def. of Wildlife, 504 U.S. 555, 590 (1992). In a
class action, injury for standing requires the named plaintiff to demonstrate that they have been
injured, independent of unidentified members of the class. Gratz v. Bollinger, 539 U.S. 244, 289
(2003).
To establish injury-in-fact, a plaintiff must allege an injury which is “concrete and
particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at
590. A particularized injury affects the plaintiff in a personal and individual way. Spokeo, 136
S.Ct. at 1548. A concrete injury must be “de facto”, that is it must “actually exist”, and it cannot
be abstract. Id. (citing Black’s Law Dictionary 479 (9th ed. 2009)). Threat and increased risk of
future harm may meet the injury-in-fact requirement. Pisciotta v. Old Nat’l Bancorp., 499 F.3d
629, 634 (7th Cir. 2007) (“As many of our sister circuits have noted, the injury-in-fact
requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff
only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent
the defendant’s actions.”). Hope has alleged injuries which are concrete, particularized, and
actual or imminent.
A. Hope Suffered a Particularized Injury Because His Personal Information Was
Targeted in a Data Breach That Affected a Finite Group of Consumers.
The putative class alleged a particularized injury because attackers accessed a finite
group of consumers’ sensitive personal information, disseminated the information on the dark
web, and that information was downloaded. To establish a particularized injury, the plaintiff
must have a “personal stake in the outcome.” Gill v. Whitford, 138 S.Ct. 1916, 1923 (2018). A
plaintiff clearly demonstrating a “plain, direct and adequate interest” in the result of a case due to
an injury pleads a particularized injury. See Baker v. Carr, 369 U.S. 186, 208 (1962). The
plaintiff must suffer a direct injury as the result of the defendant’s actions. United States v.
Richardson, 418 U.S. 166, 179-80 (1974). A universal harm or “general interest common to all
members of the public” does not confer standing. Id. at 177-78.
Misappropriation of identifiable information about an individual in an identifiable
manner constitutes a particularized injury. Fraley v. Facebook, 830 F. Supp. 2d 785, 797 (N.D.
Cal. 2011); see also In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 274 (3d Cir.
2016) (“The purported injury here is clearly particularized, as each plaintiff complains about the
disclosure of information relating to his or her online behavior.”). In Fraley, a class of users of a
social network website sued the owner of the website for violating their statutory right of
publicity when their names and pictures were placed on users’ pages for advertising purposes.
Id. at 790. The court held that each individual plaintiff had alleged a particularized injury
because they had described exactly what information belonging to each named plaintiff was used
by the defendant, how the defendant used that information, and to whom that information was
published. Id. at 797. In this way, the plaintiffs were able to precisely describe the alleged
commercial misappropriation and how it affected them personally. Id.
The putative class has suffered a direct injury rather than a “generalized grievance.” The
group of potentially affected consumers only includes 426 participants in the prescription drug
access program for Flexacor. (R. at 3.) Harm to these consumers does not constitute a universal
harm.
Hope has a personal stake in the outcome of this case because his sensitive personal
information has been placed on the dark web and downloaded hundreds of times. (R. at 3.) He
must now carefully monitor his credit due to B&T’s data breach. (R. at 4.) B&T has provided
no guarantee that it will continue paying for Hope’s credit monitoring services beyond one year.
(R. at 3.) Considering that attackers repeatedly downloaded Hope’s data within about a month of
the breach, Hope may have to pay for additional credit monitoring services in the future. See
Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015) (noting that it is
plausible to infer that plaintiffs are at a substantial risk of harm from a data breach because it is
presumably the purpose of the hack to, sooner or later, make fraudulent charges or assume those
consumers’ identities). Moreover, this experience has already caused Hope a considerable
amount of fear and anxiety. (R. at 4.) Therefore, Hope has clearly demonstrated he has a
personal stake in the outcome of this case.
Moreover, like in Fraley, Hope’s injury relates to information about an individual that
attackers misappropriated in an identifiable manner. In fact, ePHI must allow for individual
identification. 45 C.F.R. § 160.103 (defining “protected health information” as “individually
identifiable health information”). Attackers misappropriated the information in an identifiable
manner by placing it for sale on the dark web, where Hope was able to see how many times his
personal information had been downloaded. (R. at 3.) The credit monitoring company alerted
Hope based on his individual risk of harm because his account user name and password for his
B&T account, date of birth, and social security number had been placed on the dark web and
downloaded hundreds of times. (R. at 3.) Hope’s ePHI being placed on the dark web is not a
“generalized grievance.” Thus, Hope has alleged a particularized injury.
B. Hope Suffered a Concrete Injury Because His Injury Is Closely Linked to the
Traditionally Recognized Harm of Invasion of Privacy and Congress Has
Emphasized the Importance of Protecting Private Medical Information.
Hope has sufficiently alleged a concrete injury because Hope has experienced harm
closely linked to the traditionally recognized harm of invasion of privacy and Congress has
emphasized the importance of protecting private medical information. A concrete injury must
“actually exist” and cannot be abstract. Spokeo, 136 S.Ct. at 1548. However, an intangible
injury may still be concrete. Id. at 1549.
Courts consider history and the judgment of Congress when determining whether an
intangible harm constitutes injury-in-fact. Id. A harm having “a close relationship to a harm that
has traditionally been regarded as proving a basis for a lawsuit in English or American courts”
weighs in favor of concreteness. See id. Congressional recognition of an injury through
legislation also suggests that the injury is concrete. Id. (noting that Congress has the power to
“define injuries and articulate chains of causation that will give rise to a case or controversy
where none existed before.”); see also Nickelodeon, 827 F.3d at 274 (“Congress has long
provided plaintiffs with the right to seek redress for unauthorized disclosures of information that,
in Congress’s judgment, ought to remain private.”).
Unauthorized disclosure and improper dissemination of information constitute a
cognizable injury. See In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 638-39
(3d Cir. 2017). In Horizon, a putative class sued its insurer under the Fair Credit Reporting Act
(“FCRA”) for failing to encrypt personal information, resulting in a data breach. Id. at 629.
Attackers obtained the information, which included names, dates of birth, social security
numbers, medical histories, and insurance information, by stealing laptops at the defendant’s
headquarters. Id. Although the defendant offered a year of credit monitoring services and
plaintiffs did not allege that identity theft had occurred, plaintiffs argued that both the breach
itself and the resulting increased risk of harm constituted concrete injury. Id. at 634.
The court denied the defendant’s motion to dismiss under Fed. R. Civ. P. 12(b)(1),
holding that the plaintiffs suffered a cognizable injury. Id. The court reasoned that a person’s
right to guard against the dissemination of private information has been recognized by the
American legal system. Id. at 638-39. The type of injury at issue was the same type that
Congress intended to prevent by passing the FCRA. Id. at 640. The court noted that Congress’s
creation of a private right of action to enforce the FCRA “clearly illustrates that Congress
believed that the violation of FCRA causes a concrete harm to consumers.” Id.
Hope suffered a concrete intangible harm which closely resembles the historically
recognized tort of invasion of privacy. Hope’s sensitive personal information, which was like
the information involved in Horizon, was compromised due to B&T’s negligence. (R. at 3.)
B&T allowed attackers to access Hope’s personal information such as his income, date of birth,
social security number, medical insurance policy numbers, and medical history. (R. at 2.) Like
in Horizon, Hope must now carefully monitor his finances to guard against potential identity
theft. (R. at 3.) This unauthorized disclosure of Hope’s information closely resembles the tort of
invasion of privacy. See Restatement (Second) of Torts § 652A (Am. Law Inst. 1977) (“One
who invades the right of privacy of another is subject to liability for the resulting harm to the
interests of the other”). Therefore, Hope alleged a concrete injury that has a close relationship to
a traditionally recognized harm.
Furthermore, Hope’s injury is concrete because Congress has recognized a plaintiff’s
right to seek redress for unauthorized disclosures of information. Congress enacted HIPAA with
the intention of better protecting health information given advances in electronic technology.
Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, 63-
64 (Sharyl J. Nass et al. eds., 2009). HIPAA helped create nationwide security standards and
safeguards for the use of electronic health care information, as well as privacy standards for
protected health information. Id. Hope’s injury relates to the unauthorized disclosure of his
ePHI—the type of information that Congress emphasized the importance of protecting.
Therefore, Hope’s alleged injury is concrete because Congress has recognized the importance of
protecting private medical information.
Thus, Hope has alleged a concrete injury that resembles historically recognized privacy
torts. Additionally, Hope’s alleged injury is concrete because Congress has recognized the
importance of protecting private medical information.
C. Hope Suffered Actual or Imminent Injuries Because B&T’s Data Breach
Increased Hope’s Risk of Identity Theft and Attackers Sold His Sensitive
Personal Information on the Dark Web.
Hope alleged actual or imminent injuries because attackers placed his sensitive personal
information for sale on the dark web and increased his risk of identity theft. The threat of future
harm or an act by the defendant which increases the plaintiff’s risk of future harm may satisfy
the injury-in-fact requirement for standing. Pisciotta, 499 F.3d at 634.
When analyzing an increased-risk-of-harm claim, courts consider the ultimate alleged
harm as the concrete and particularized injury and then determine whether the increased risk of
such harm makes injury to an individual citizen sufficiently imminent. See Attias v. Carefirst,
Inc., 865 F.3d 620, 627 (D.C. Cir. 2017). In Attias, the putative class’s information was stolen
during a cyberattack. Id. at 622. The plaintiffs alleged that the information included members’
names, birth dates, social security numbers, and credit card numbers. Id. at 623. The court held
that the plaintiffs had sufficiently pleaded injury for purposes of standing. Id. at 629.
“Experience and common sense” supported that the putative class faced a substantial risk of
identity theft. Id. at 628. Moreover, based on the type of information taken, “the purpose of the
hack [was], sooner or later, to make fraudulent charges or assume those consumers’ identities.”
Id. at 628-29.
Additionally, a substantial risk of harm coupled with reasonably incurred mitigation costs
establishes a cognizable Article III injury. Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x
384, 388 (6th Cir. 2016). In Galaria, hackers stole the putative class’s names, dates of birth, and
social security numbers from the defendant’s computer network. Id. at 386. The court held that
the plaintiffs had alleged a cognizable Article III injury. Id. at 388. Even if identity theft was
not “literally certain,” the plaintiffs faced a substantial risk of such harm and would incur
reasonable mitigation costs. Id. at 388. The court noted expecting the plaintiffs to wait for
actual fraud would be unfair. Id. Moreover, the defendant recognized the severity of the risk by
offering the plaintiffs credit-monitoring and theft-protection services for a year. Id. at 389. As
these protective services were offered for a limited time, the risk of identity theft was continuing
and plaintiffs would incur additional expenses. Id.
Hope alleges an imminent injury because B&T’s data breach made Hope substantially
more susceptible to the ultimate harm of identity theft. Like in Attias, attackers accessed Hope’s
sensitive personal information including his social security number, birth date, and insurance
information. (R. at 3.) This information can be used to access more of Hope’s sensitive personal
information. See Social Security Administration, Identity Theft and Your Social Security
Number 2 (2018), available at http://www.ssa.gov/pubs/10064.pdf. For example, an identity
thief could use Hope’s social security number to apply for credit cards in his name and damage
his credit score. See id. Additionally, Hope’s account user name and password for his B&T
account would give an identity thief access to his private medical information. (R. at 3.)
“Experience and common sense” further support that the unauthorized access to Hope’s
information created a material risk of identity theft. See Attias, 865 F.3d at 628; see also Erin
Fuchs, Identity theft now costs far more than all other property crimes combined, Business
Insider (Dec. 12, 2013), available at https://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12
(noting that those whose information has been stolen are 9.5 times more likely to suffer identity
fraud or identity theft). Hope must now carefully monitor
his finances to protect himself.
Also, Hope faces imminent injury because he alleged a substantial risk of harm coupled
with reasonably incurred mitigation costs. Hope’s future harm need not be “literally certain.”
See Galaria, 663 F. App’x at 388. Hope’s information on the dark web was similar to the
putative class’s information in Galaria. (R. at 3). Like in Galaria, B&T recognized this risk by
offering Hope free credit-monitoring for the year. (R. at 3.) B&T did not specify that this
service would be available to Hope after the year and Hope will plausibly incur additional costs
by paying for his own credit monitoring services in the future. (See R. at 3, 7.) Hope’s personal
information has been downloaded hundreds of times already. (R. at 3.) It is entirely possible
that his information could be fraudulently used in the future. See Lewert v. P.F. Chang’s China
Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (noting that the primary incentive for a breach is
to commit fraud).
Thus, Hope has alleged an injury which is “actual or imminent” and not “conjectural.”
B&T’s data breach substantially increased Hope’s risk of identity theft, and Hope will incur
costs in protecting his identity.
III. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT HOPE STATED
PLAUSIBLE CLAIMS ENTITLED TO RELIEF UNDER MISSOURIANA
NEGLIGENCE LAW THAT ARE NOT PREEMPTED BY HIPAA.
The Thirteenth Circuit correctly held that Hope stated plausible state law negligence
claims upon which relief can be granted. The Tenth Amendment permits Missouriana to
exercise “[t]he powers not delegated to the United States by the Constitution, nor prohibited by
it.” Powers traditionally reserved to the states include establishing law related to health, safety,
morals, and welfare. See, e.g., Vill. of Euclid, Ohio v. Ambler Realty Co., 272 U.S. 365, 395
(1926). Protection of privacy interests also falls within the states’ police powers. See, e.g., State
v. Lee, 957 P.2d 741, 752-53 (Wash. 1998). Although Congress created federal law related to
privacy interests by drafting HIPAA, the states may exercise concurrent power where they are
not preempted. See Arkansas Elec. Co-op. Corp. v. Arkansas Pub. Serv. Comm’n, 461 U.S. 375,
390 (1983) (recognizing that Congress and the states concurrently share the power to regulate
interstate commerce in “an infinite variety of cases”);1 see also Byrne v. Avery Ctr. for Obstetrics
& Gynecology, P.C., 102 A.3d 32, 42-43 (Conn. 2014); R.K. v. St. Mary’s Med. Ctr., Inc., 735
S.E.2d 715, 724 (W. Va. 2012); Yath v. Fairview Clinics, 767 N.W.2d 34, 50 (Minn. Ct. App.
2009).
1 Congress derived its authority to pass HIPAA from the Commerce Clause. See HIPAA, Pub. L. No. 104-191, §
195, 110 Stat 1936 (1996).
This Court granted certiorari to resolve whether Hope’s general negligence and
negligence per se claims may be informed by HIPAA. (R. at 25.) This question may be divided
into two issues: 1) whether HIPAA allows the states to provide negligence claims based on its
violation and 2) whether Missouriana has provided such causes of action. The Thirteenth Circuit
Court correctly answered both questions affirmatively, reversing the district court and remanding
this case to proceed to discovery. (R. at 24.)
Accordingly, Hope’s pleadings state plausible claims upon which relief may be granted.
Rather than preempting the present negligence actions, Congress drafted HIPAA to leave room
for states to protect their citizens’ privacy. Moreover, Missouriana law imposed a general
negligence duty upon B&T to protect the putative class’s ePHI. Finally, when properly
construed, Missouriana’s negligence per se statute imposed a negligence per se duty upon B&T
based on HIPAA’s body of regulations.
A. HIPAA Allows Missouriana to Protect Its Citizens’ Privacy Interests Because Its
Preemption Clause Only Applies to Contrary State Law.
HIPAA allows Missouriana to protect the putative class’s privacy interests via tort-based
causes of action. Both courts being reviewed found that HIPAA did not preempt Hope’s claims,
albeit for different reasons.2 HIPAA’s preemption clause, 45 C.F.R. § 160.203(b), interpreted in
view of HIPAA’s legislative history, exempts Hope’s negligence claims from preemption.
In evaluating whether federal law preempts state law, courts consider Congressional
intent. See Astra USA, Inc. v. Santa Clara Cty., 563 U.S. 110, 117 (2011). Courts first look to
statutory language to determine whether preemptive intent exists. Dan’s City Used Cars, Inc. v.
Pelkey, 569 U.S. 251, 260 (2013) (“[T]he Court focuses first on the statutory language, which
necessarily contains the best evidence of Congress' pre-emptive intent.”); see also Byrne, 102
A.3d at 42-43. Regulatory records may provide another source for determining Congressional
intent. See Exelon Generation Co., LLC v. Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO, 676
F.3d 566, 573-75 (7th Cir. 2012) (“Where an agency has authoritatively interpreted its own rule,
courts generally defer to that reading.”).
2 The district court found that Hope did not identify any state law basis to be preempted. (R. at 13.) The Thirteenth
Circuit found that Missouriana law supplied Hope’s causes of action, which HIPAA did not preempt. (R. at 22-23.)
This Court presumes against preemption when evaluating Congressional intent.
Medtronic, Inc. v. Lohr, 518 U.S. 470, 485 (1996) (“States are independent sovereigns in our
federal system, we have long presumed that Congress does not cavalierly pre-empt state-law
causes of action.”). Preemption of areas of law traditionally occupied by the states requires
“clear and manifest” Congressional intent. English v. Gen. Elec. Co., 496 U.S. 72, 79 (1990).
Hope’s claims relate to the protection of privacy—an area of law traditionally occupied
by the States. See, e.g., Lee, 957 P.2d at 752-53. These claims are presumptively not preempted.
In view of this presumption, HIPAA’s preemption provision, and HIPAA’s regulatory record,
HIPAA does not preempt Hope’s general negligence and negligence per se claims.
1. Hope’s General Negligence Claims Are Not Preempted.
HIPAA does not preempt Hope’s general negligence claims. HIPAA’s preemption
provision sets forth that federal provisions, requirements, standards, and implementation
specifications supersede “contrary provisions of State law.” 42 U.S.C. § 1320d-7 (emphasis
added). State law is “contrary” to HIPAA when “[a] covered entity or business associate would
find it impossible to comply with both the State and Federal requirements” or “[t]he provision of
State law stands as an obstacle to the accomplishment and execution of the full purposes and
objectives [of HIPAA].” 45 C.F.R. § 160.203.
State-law based civil lawsuits that protect privacy are not “contrary” to HIPAA. See
R.K., 735 S.E.2d at 724 (holding that common-law tort claims based on the wrongful disclosure
of information “complement HIPAA by enhancing the penalties for its violation and thereby
encouraging HIPAA compliance”); Sheldon v. Kettering Health Network, 40 N.E.3d 661, 672
(Ohio Ct. App. 2015) (“[W]e fail to see how [a tort claim for the unauthorized, unprivileged
disclosure to a third party of nonpublic medical information] conflicts with HIPAA.”); Byrne,
102 A.3d at 46 (explaining that negligence claims in state courts support “at least one of
HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care
record”); cf. English, 496 U.S. at 89 (“[O]rdinarily, state causes of action are not pre-empted
solely because they impose liability over and above that authorized by federal law.”).
Regulatory intent further supports the availability of such causes of action. See Standards for
Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,582 (December
28, 2000) (“[T]he fact that a state law allows an individual to file a lawsuit to protect privacy
does not conflict with the HIPAA penalty provisions.”); Byrne, 102 A.3d at 49 (Conn. 2014)
(“[T]he regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing
regulations were intended to preempt tort actions under state law arising out of the unauthorized
release of a plaintiff’s medical records.”).
Accordingly, laws that discourage wrongful disclosure of medical records do not conflict
with HIPAA. See Yath, 767 N.W.2d at 50. In Yath, the plaintiff’s health care provider disclosed
her positive test for a sexually-transmitted disease to her husband without authorization. Id. at
37. Minn. Stat. 144.335 (2006) provided a private cause of action based on this wrongful
disclosure. Id. The court held that HIPAA did not preempt Section 144.335. Id. at 50. The
court noted that “[i]t would not be impossible for [defendants] Fairview or Phat to comply with
both HIPAA and Minnesota Statutes section 144.335 because both laws, in complementary
rather than contradictory fashion, discourage a person from wrongfully disclosing information
from another person’s health record.” Id. at 49.
Here, Hope’s general negligence claim complements HIPAA rather than conflicts with it.
The Complaint alleges that B&T failed to maintain confidentiality of the putative class’s ePHI,
resulting in unauthorized access. (R. at 1.) Like in Yath, allowing Missouriana law to impose a
duty of care upon B&T to safeguard such information serves to discourage its wrongful
disclosure. HIPAA aims to protect this type of ePHI from events like B&T’s data breach. See
HIPAA, Pub. L. No. 104-191, § 201, 110 Stat 1936 (1996) (“[HIPAA’s] guidelines shall include
procedures to assure that such information is provided and utilized in a manner that appropriately
protects the confidentiality of the information and the privacy of individuals receiving health
care services and items”). B&T could have protected the putative class’s information while still
complying with HIPAA. Thus, allowing Missouriana to adjudicate Hope’s general negligence
claim serves the goals of HIPAA set forth by Congress.
2. Hope’s Negligence Per Se Claims Are Not Preempted.
HIPAA does not preempt Hope’s negligence per se claim for the same reasons as Hope’s
general negligence claim. The negligence per se claim asserts violation of HIPAA as an element
of negligence. A state-law cause of action may assert violation of a federal statute as an element,
even when the federal statute does not provide a private cause of action. See Merrell Dow
Pharm., Inc. v. Thompson, 478 U.S. 804, 817 (1986). This Court has noted that “[t]he violation
of federal statutes and regulations is commonly given negligence per se effect in state tort
proceedings.” Grable & Sons Metal Products, Inc. v. Darue Engineering & Mfg., 545 U.S. 308,
318 (2005) (citing Restatement (Third) of Torts § 14 cmt. a (Am. Law Inst. 2001)).
Accordingly, various courts have held that violation of HIPAA may form the basis of
negligence per se. See, e.g., Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d 718, 721
(E.D. Pa. 2011) (explaining that a HIPAA-based negligence per se claim “can and should be
decided by a state court”); I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at
*5 (E.D. Mo. June 14, 2011) (holding that a negligence per se claim may be based on HIPAA);
Harmon v. Maury Cty., TN, No. 1:05 CV 0026, 2005 WL 2133697, at *3 (M.D. Tenn. Aug. 31,
2005) (explaining that a HIPAA-based negligence per se claim “fall[s] within that broad class of
state law claims based on federal regulations in the state court”). The district court noted that the
Ohio Court of Appeals declined to consider a negligence per se claim based on violation of
HIPAA. (R. at 10 (citing Sheldon, 40 N.E.3d at 672).) However, the Sheldon court came to this
conclusion in part because violation of a federal regulation cannot be negligence per se under
Ohio law. Sheldon, 40 N.E.3d at 672. In contrast, Missouriana law allows such causes of action.
See infra Part III.C.1.
Enforcing a federal regulation is distinct from enforcing a negligence per se claim based
on violation of that federal regulation. See Howard v. Zimmer, Inc., 299 P.3d 463, 472 (Okla.
2013). In Howard, the plaintiff alleged negligence per se based on the defendant’s violation of
the Federal Food, Drug, and Cosmetic Act (“FDCA”). Id. at 466. Although the FDCA provided
that its violations shall be prosecuted in the name of the United States, the court held that the
negligence per se claim was not preempted. Id. at 469, 472 (citing 21 U.S.C. § 337 (2012)). The
court reasoned that “negligence per se does not equate to liability per se” and noted that the
plaintiff would need to prove proximate causation. Id. at 474.
HIPAA does not preempt Hope’s negligence per se claim for the same reasons as his
general negligence claim. Although the negligence per se claim frames B&T’s duty as a
violation of HIPAA, Merrell Dow and Grable support that violation of a federal regulation may
be an element of a state law tort claim. See Merrell Dow, 478 U.S. at 817; Grable, 545 U.S. at
318. Regardless of whether B&T breached a general negligence duty informed by HIPAA or a
negligence per se duty defined by a HIPAA violation, providing a cause of action serves to
discourage future wrongful disclosure. To the extent that this difference affects the scope of
B&T’s duty, Hope’s claim still does not conflict with HIPAA for any apparent reason.
Moreover, like the FDCA claim in Howard, Hope’s negligence per se action does not equate to a
private cause of action to enforce HIPAA because Hope must establish proximate causation and
injury. As such, HIPAA does not preempt either of Hope’s negligence claims.
B. B&T Had a General Negligence Duty to Protect the Putative Class’s Health
Information Based on the Surrounding Circumstances and B&T’s Undertaking.
The Thirteenth Circuit correctly held that Missouriana law imposed a general negligence
duty upon B&T to protect the putative class’s health information. A legal duty supporting a
claim of negligence may be imposed by a statutory enactment or a recognized common law
principle. See, e.g., New Star Realty, Inc. v. Jungang PRI USA, LLC, 816 S.E.2d 501, 511 (Ga.
Ct. App. 2018). While the existence of a duty is a legal question, the scope of that duty informed
by the standard of care owed to another party is a question of fact. Potvin v. Speedway LLC, 891
F.3d 410, 414 (1st Cir. 2018).
As a preliminary matter, 58 M.C.S. § 10/5-101 does not absolve pharmaceutical
companies like B&T from protecting their customers’ ePHI. Although § 10/5-101 lists various
types of “health care providers” without specifically mentioning pharmaceutical companies,
Missouriana has imposed a duty of care upon B&T through other means.
The surrounding circumstances and policy concerns imposed a common law duty and
B&T voluntarily assumed a duty by collecting and encrypting the putative class’s ePHI. The
district court’s reasons for dismissing Hope’s Complaint pertain to questions of fact about the
scope of B&T’s duty that should be resolved on remand.
1. Missouriana Common Law Imposed a Duty upon B&T Because
Harm Was Foreseeable, the Parties Formed a Relationship, and the
Circumstances Raise Policy Concerns.
Missouriana common law imposed a duty of care upon B&T to safeguard the putative
class’s ePHI. Factors for determining whether a common law duty of care exists between parties
include 1) the reasonable foreseeability of harm to the person injured, 2) the relationship between
the parties, and 3) public policy concerns. See, e.g., In re Target Corp. Customer Data Sec.
Breach Litig., 64 F. Supp. 3d 1304, 1309 (D. Minn. 2014) (holding that retailer owed issuer
banks a duty to disclose weaknesses in its data security system); Barnhill v. Teva Pharm. USA,
Inc., 819 F. Supp. 2d 1254, 1260 (S.D. Ala. 2011) (holding that pharmaceutical company had a
duty to warn prescribing physician of any dangers of drug). Courts may place additional weight
on the foreseeability of harm when determining whether a duty exists. See, e.g., Greater
Houston Transp. Co. v. Phillips, 801 S.W.2d 523, 525 (Tex. 1990) (explaining that foreseeability
of harm is “the foremost and dominant consideration” in finding a duty); Barnhill, 819 F. Supp.
2d at 1263 (“The ultimate test of the existence of a duty to use due care is found in the
foreseeability that harm may result if care is not exercised.”). Regardless of the relative
importance assigned to various factors in establishing a duty, the facts at hand strongly invoke
each one.
a. Harm to the Putative Class Was Reasonably Foreseeable.
B&T should have reasonably foreseen the data breach and should be held accountable for
this harm to the putative class. This Court has recognized that “a man is held to intend the
foreseeable consequences of his conduct.” N.L.R.B. v. Brown, 380 U.S. 278, 287 (1965).
B&T’s security measures to prevent the data breach, albeit performed negligently,
circumstantially support the reasonable foreseeability of injury. B&T encrypted the consumers’
information and implemented a sign-in process to prevent unauthorized access. (R. at 2.) When
B&T left the information unprotected, it was downloaded within only eight hours. (R. at 2.)
Even though the system was left unprotected for only this short time, B&T judged the likelihood
of harm high enough to investigate, contact patients, and offer credit monitoring services before
even knowing whether the information had been accessed. (See R. at 3.)
Moreover, the laws and regulations that applied to B&T would have informed a
reasonable party as to the possibility of harm. As the Thirteenth Circuit noted, drug companies
should be familiar with their obligations under HIPAA. (R. at 23.) Likewise, under
Missouriana’s Data Breach Notification Act, “a commercial entity that conducts business in
Missouriana and that owns or licenses computerized data that includes personally identifiable
information about a resident of Missouriana” must investigate breaches such as the one at issue.
410 M.C.S. § 22/46-101(a). Both provisions clearly relate to the possibility of the unauthorized
disclosure of sensitive information. B&T should have been aware of these provisions and
reasonably foreseen the possibility of causing harm to the putative class. This foreseeability of
harm weighs heavily in favor of imposing a duty of care relative to other factors. See Phillips,
801 S.W.2d at 525; Barnhill, 819 F. Supp. 2d at 1263.
b. B&T’s Relationship with the Putative Class Imposed a Duty.
The relationship between B&T and members of the putative class imposed a duty of care.
A relationship between parties may be established by statute, contractual relationship, or
indirectly and impliedly based on the circumstances. E.g., Heckman v. Ryder Truck Rental, Inc.,
962 F. Supp. 2d 792, 800 (D. Md. 2013). For example, a relationship may give rise to a duty
“where the plaintiff is particularly vulnerable and dependent upon the defendant who,
correspondingly, has some control over the plaintiff’s welfare.” Regents of Univ. of California v.
Superior Court, 413 P.3d 656, 665 (Cal. 2018). When a disparity in circumstances exposes one
party in a relationship to unreasonable risk, the law may create a duty. See Mower v. Baird, 422
P.3d 837, 849 (Utah 2018).
B&T created a relationship that imposed a duty of care by choosing to form imbalanced
relationships with members of the putative class. B&T asked economically vulnerable patients
to provide ePHI to receive financial assistance. (See R. at 2.) The eligibility determination
evaluated patients’ monthly income and whether patients had insurance. (Id.) By participating
in the program, the patients had to trust B&T to protect their information. (See id.) B&T had no
obligation to form such a relationship, but the putative class needed financial assistance to obtain
the arthritis medication. (See id.)
Additionally, the Missouriana Data Breach Notification Act statutorily created a
relationship. The Act broadly applies to “[an] individual or a commercial entity that conducts
business in Missouriana and that owns or licenses computerized data that includes personally
identifiable information about a resident of Missouriana” and requires action in the case of a
breach. 410 M.C.S. § 22/46-101(a) (2005). The district court noted that “that statute clearly
applies to B&T and the electronic records in this case.” (R. at 12.) Thus, B&T cannot validly
argue that it owed no duty to the putative class.
c. B&T’s Conduct Implicates Public Policy Concerns Recognized Under
Missouriana Law.
B&T’s failure to safeguard the putative class’s ePHI implicates public policy concerns
sufficiently important to Missouriana to impose a duty of care. In determining whether a duty
should exist, courts consider whether policy supports entitling the plaintiff to protection. See,
e.g., Target, 64 F. Supp. 3d at 1309. Considerations include the consequences and the overall
public interest in imposing a duty. See Ford v. Oliver, 176 A.3d 891, 906 (Pa. Super. Ct. 2017).
For example, courts consider which party is in the best position to prevent injury. See, e.g.,
Staggs ex rel. Coulter v. ADS Logistics Co., LLC, 102 N.E.3d 319 (Ind. Ct. App. 2018). Courts
also aim to discourage future harm “by imposing the costs of negligent conduct upon those
responsible.” Regents, 413 P.3d at 672.
Confidentiality of patients’ information raises policy concerns that warrant imposing a
duty. See Biddle v. Warren Gen. Hosp., 715 N.E.2d 518, 523 (Ohio 1999). In Biddle, the court
recognized an independent tort for “unauthorized, unprivileged disclosure to a third party of
nonpublic medical information that a physician or hospital has learned within a physician-patient
relationship.” Id. The court discussed the need for a remedy for “so palpable a wrong” as
breaching confidentiality. Id. at 522-23.
Here, Missouriana law manifests policy concerns related to protection of patients’ health
information in both statutory and judicial contexts. For example, Missouriana recognizes that
individuals have a general right of privacy in their medical records. See Hanson v. Jones
Medical Ctr., 199 Mis. 2d 321, 333 (2002). The Thirteenth Circuit found this aspect of
Missouriana law persuasive in imposing a duty. (See R. at 23.) Allowing B&T to freely
disregard the putative class’s privacy by not imposing a duty would undermine this general right.
Missouriana statutory law further reflects the state’s concern for privacy. The
Missouriana Data Breach Notification Act broadly protects the privacy of all residents of
Missouriana. See 410 M.C.S. § 22/46-101(a) (2005). The Act reflects the significance of
protecting privacy by requiring “prompt investigation” and notice to affected parties “as soon as
possible.” Id. Similarly, 58 M.C.S. § 10/5-101 reflects Missouriana’s interest in protecting
patient information by requiring health care providers to maintain patient record confidentiality.
Allowing pharmaceutical companies like B&T to freely release patients’ information would
undermine both 410 M.C.S. § 22/46-101(a) and 58 M.C.S. § 10/5-101.
B&T’s negligence raises policy concerns well-founded in Missouriana law, and a duty of
care should be imposed to prevent future harm. Like in Biddle, B&T breached confidentiality
and “palpably wrong[ed]” the putative class in doing so. The putative class trusted B&T to
safeguard its ePHI, but B&T left that information vulnerable. (R. at 2-3.) Imposing a duty upon
B&T to exercise reasonable care in protecting the putative class’s ePHI serves to avoid future
breaches.
The facts alleged in the Complaint support the presence of foreseeability, a relationship
between parties, and significant policy concerns. Accordingly, the Thirteenth Circuit correctly
held that Missouriana common law imposed a duty upon B&T to exercise reasonable care in
safeguarding the putative class’s ePHI.
2. B&T Voluntarily Assumed a Duty to Protect the Putative Class’s
Information by Collecting, Storing, and Encrypting That Information.
Even if Missouriana law did not affirmatively impose a duty upon B&T, Hope’s
complaint shows that B&T voluntarily assumed one. The source of a duty may be voluntary
assumption by a defendant. See, e.g., D.H. ex rel. A.M.J. v. Whipple, 103 N.E.3d 1119, 1130
(Ind. Ct. App. 2018). Under the Second Restatement of Torts, a party has a duty of reasonable
care in providing services when the recipient relies on the party. Restatement (Second) of Torts
§ 323 (Am. Law Inst. 1965). A party voluntarily placing itself in a position of protecting a
patient’s health information assumes a duty to that party. See Fanean v. Rite Aid Corp. of
Delaware, 984 A.2d 812, 823 (Del. Super. Ct. 2009) (explaining that the defendant voluntarily
undertook a duty by deciding to be the plaintiff’s pharmacy and breached that duty by disclosing
sensitive medical information to third parties); Weinberg v. Advanced Data Processing, Inc., 147
F. Supp. 3d 1359, 1366 (S.D. Fla. 2015) (explaining that the defendant assumed a duty to protect
patients’ information by voluntarily agreeing to provide medical billing services).
Here, B&T voluntarily assumed a duty of care by placing itself into the circumstances at
hand. B&T had no obligation to provide the prescription assistance program. (See R. at 2.)
Also, B&T had no obligation to require participants to complete such a detailed application form
that required participants’ social security numbers and medical histories. (See id.) Alternatively,
B&T could have implemented a prescription assistance program without storing the putative
class’s health information electronically. For example, the information could have been
destroyed after review or maintained in paper form. The putative class relied upon B&T to
safeguard their ePHI. B&T held their information, thereby taking responsibility for its
protection.
Thus, Hope’s Complaint pleaded facts showing that B&T voluntarily assumed a duty to
prevent a breach of confidentiality. Like in Fanean and Weinberg, B&T voluntarily assumed a
duty to protect sensitive medical information and should be held accountable.
3. The Scope of B&T’s Duty Is a Question of Fact.
Finally, much of the district court’s reasoning in dismissing Hope’s Complaint relates to
the applicable standard of care rather than whether a duty existed under Missouriana law.
“‘Duty’ and the ‘standard of care’ are separate and distinct concepts.” E.g., Oakey ex rel. Lucero
v. May Maple Pharmacy, Inc., 399 P.3d 939, 946-47 (N.M. Ct. App. 2017). Whether a duty
exists is a question of law. Id. at 947. Where a duty does exist, whether a person has conformed
to a standard of care must be determined as a question of fact. Id.
In ostensible support of the absence of a duty, the district court improperly focused on
B&T’s standard of care. The district court criticized Hope’s Complaint for stating a negligence
theory that allegedly extends beyond HIPAA’s requirements. (See R. at 12.) Also, the district
court stressed that “Hope’s problem [is that] he does not point to an independent state law basis
for finding the pharmaceutical company owed the plaintiff class a duty to maintain their records
in encrypted form at all times.” (R. at 13.)
However, even taking the district court’s assertions as true, Hope’s claim should survive
the Fed. R. Civ. P. 12(b)(6) motion to dismiss. The scope of Hope’s duty relative to HIPAA’s
requirements and the way B&T should have maintained the putative class’s records are factual
questions that should be resolved on remand.
C. B&T Had a Duty to Protect the Class’s Health Information Under
Missouriana’s Negligence Per Se Statute.
The Thirteenth Circuit correctly held that under Missouriana law Hope’s negligence per
se claims could be based on B&T violating HIPAA. The negligence per se doctrine recognizes
that parties should be held liable for negligently harming others by violating prescribed laws.
See Martin v. Herzog, 126 N.E. 814, 815-15 (N.Y. 1920) (“[T]o omit, wilfully or heedlessly, the
safeguards prescribed by law . . . is to fall short of the standard of diligence to which those who
live in organized society are under a duty to conform.”). The Missouriana legislature codified
the negligence per se doctrine by adopting the language of the Third Restatement of Torts
verbatim. Compare 302 M.C.S. § 3/22-104, with Restatement (Third) of Torts § 14 (Am. Law
Inst. 2010).
The Thirteenth Circuit reviewed the language of Missouriana’s negligence per se statute
and correctly held that HIPAA could provide the standard of care. Specifically, Hope’s
Complaint stated a valid negligence per se claim because the Missouriana legislature drafted §
3/22-104 to include violation of a federal regulation as a basis for finding negligence, and Hope’s
negligence per se claim relates to provisions of HIPAA that definitively required B&T’s
compliance.
1. Missouriana’s Negligence Per Se Statute Allows Federal Statutes and
Regulations to Define the Standard of Care.
B&T’s violation of a federal regulation amounts to negligence under Missouriana’s
negligence per se statute. This Court has recognized that violation of a federal statute may be an
element of a state negligence claim, even where Congress has not provided a private, federal
cause of action. See Merrell Dow, 478 U.S. at 817 (remanding negligence claim based on
violation of the FDCA, which does not provide a private cause of action, to state court based on
lack of federal question jurisdiction). This Court has recognized that negligence per se may be
based on Federal regulations. See Grable, 545 U.S. at 318. Negligence per se claims based on
violation of HIPAA have been found to be permissible. See, e.g., K.V. & S.V. v. Women’s
Healthcare Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June
6, 2007). Similarly, courts have entertained negligence per se claims based on violations of
OSHA regulations. See, e.g., Pratico v. Portland Terminal Co., 783 F.2d 255, 265 (1st Cir.
1985); Dixon v. Int’l Harvester Co., 754 F.2d 573, 581 (5th Cir. 1985).
Under Missouriana law, HIPAA may form the basis for negligence per se because the
state legislature intentionally adopted the negligence per se doctrine set forth in the Third
Restatement of Torts that allows claims to be based on violation of a federal regulation, and
HIPAA’s regulations operate upon B&T like statutory law.
a. Interpretation of Missouriana’s Negligence Per Se Statute Should
Be Guided by the Restatement of Torts.
By adopting the negligence per se doctrine in the Third Restatement of Torts verbatim,
Missouriana’s legislature intended to include negligence per se causes of action based on federal
regulations. When courts adopt model laws, the courts also adopt the corresponding comments.
See, e.g., Basileh v. Alghusain, 912 N.E.2d 814, 821 (Ind. 2009) (“The comments to a uniform
act are indicative of the Legislature's intent in enacting a statute based on the uniform act.”);
State v. Slavens, 190 S.W.3d 410, 413 (Mo. Ct. App. 2006) (“It has been well established that
when the legislature adopts a model act, we must presume that the General Assembly intended to
adopt the interpretation of that section contained in the applicable comments.”).
Here, the comments in the Third Restatement unambiguously include federal laws and
regulations within the negligence per se doctrine. Comment a of the Restatement indicates that §
14 “equally applies to . . . federal statutes as well as regulations promulgated by federal
agencies.” Restatement (Third) of Torts § 14 cmt. a (Am. Law Inst. 2010). By not only
adopting this provision, but doing so verbatim, Missouriana also adopted the Restatement’s
interpretation. Accordingly, Hope properly based his negligence per se claim on B&T’s
violation of a federal regulation.
b. HIPAA’s Regulations at Issue Are Analogous to Statutory Law.
Moreover, HIPAA’s regulations function like statutory law, and B&T was just as
negligent for violating these regulations as it would be for violating statutory law. By
drawing a distinction between statutory law and regulatory law, the district court put form over
substance.
This Court has provided that “[l]egislative regulations generally fall within the meaning
of the word ‘law’ unless there is a ‘clear showing of contrary legislative intent.’” Dep’t of
Homeland Sec. v. MacLean, 135 S. Ct. 913, 915 (2015) (citing Chrysler Corp. v. Brown, 441
U.S. 281, 282 (1979)). Legislative regulations issued to implement statutory law have “the force
and effect of law.” Batterton v. Francis, 432 U.S. 416, 425 n. 9 (1977). Legislative-type rules
are those that affect individual rights and obligations. Chrysler, 441 U.S. at 282.
Here, Hope’s Complaint cites provisions of HIPAA that function like statutory law and
should have the same effect for purposes of negligence per se. Congress left HHS to promulgate
rules to implement HIPAA. HIPAA, Pub. L. No. 104-191, § 264, 110 Stat. 1936 (1996).
Covered entities must follow these rules when managing health information, and the federal
government can impose penalties for noncompliance. See 45 C.F.R. §§ 164.102-164.534
(providing security and privacy standards); 45 C.F.R. §§ 160.300-160.552 (providing processes
for enforcing HIPAA’s regulatory scheme). As such, HIPAA’s rules have the force and effect of
law by affecting the rights and obligations of patients and covered entities. B&T acted
negligently by violating HIPAA’s requirements, regardless of their source.
2. B&T Was Required to Follow Sections of HIPAA Cited in Hope’s
Complaint.
The district court also erred in dismissing Hope’s Complaint for citing an addressable
standard because HIPAA required B&T to implement that standard, and Hope cited required
standards alongside that addressable standard. Courts consider the entirety of a regulatory
scheme when interpreting a regulation. See Alaska Ass’n of Naturopathic Physicians v. State
Dep’t of Commerce, 414 P.3d 630, 636 (Alaska 2018).
HIPAA’s addressable standards require action on the part of a covered entity. See 45
C.F.R. § 164.306(d)(3). A covered entity “must assess whether each implementation
specification is a reasonable and appropriate safeguard.” Id. (emphasis added). If the covered
entity determines that the specification is reasonable and appropriate, it must implement the
addressable standard. Id. (emphasis added). Even if the specification is not reasonable and
appropriate, the covered entity must document why and implement “an equivalent alternative
measure.” Id. (emphasis added). HHS enforces this rule and has imposed monetary penalties.
See HHS OCR Imposition of CMP Against Children’s Medical Center of Dallas for Lack of
Timely Action Risks Security and Costs Money, Healthcare Compl. Rep. ¶ 480033 (2016)
(discussing OCR’s imposition of a penalty of $3,217,000.00 against Children’s Medical Center
of Dallas for failing to comply with § 164.306(d)(3)).
Here, B&T had no discretion in deciding whether to continue encrypting the putative
class’s ePHI. That B&T initially chose to encrypt the putative class’s ePHI plausibly shows that
B&T considered encryption reasonable and appropriate under § 164.306(d)(3). (See R. at 2.)
After making this determination, § 164.306(d)(3) unambiguously required B&T to implement an
encryption mechanism pursuant to § 164.312(a)(2)(iv).
Also, Hope’s Complaint goes beyond alleging that B&T violated the standard set forth in
§ 164.312(a)(2)(iv). The Complaint alleges that B&T failed to comply with 45 C.F.R. §§
164.302-164.318. These regulations include “required” specifications. For example, a covered
entity must “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a
reasonable and appropriate level to comply with § 164.306(a).” 45 C.F.R. §
164.308(a)(1)(ii)(B). Hope has plausibly shown that B&T failed to do so.
Accordingly, Hope based his negligence per se claim on provisions of HIPAA that
required B&T’s compliance. The Thirteenth Circuit correctly noted that “the district court took a
far too cabined view of the nature of Hope’s assertions.” (R. at 22.) Considering the entirety of
HIPAA’s regulatory scheme, B&T cannot assert that its compliance was merely optional.
CONCLUSION
For the foregoing reasons, Hope respectfully asks this Court to affirm the Thirteenth
Circuit’s decision denying B&T’s motions to dismiss under Fed. R. Civ. P. 12(b)(1) and Fed. R.
Civ. P. 12(b)(6).
Respectfully Submitted,
Team 2720
Attorneys for Respondent
APPENDIX A
45 C.F.R. §§ 164.306, 164.312
45 C.F.R. § 164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health
information the covered entity or business associate creates, receives, maintains, or
transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity
of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that
are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities and business associates may use any security measures that allow the
covered entity or business associate to reasonably and appropriately implement the
standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or business associate must
take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business
associate.
(ii) The covered entity's or the business associate's technical infrastructure,
hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health
information.
(c) Standards. A covered entity or business associate must comply with the applicable standards
as provided in this section and in §§164.308, 164.310, 164.312, 164.314 and 164.316 with
respect to all electronic protected health information.
(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation
specification is required, the word “Required” appears in parentheses after the title of the
implementation specification. If an implementation specification is addressable, the word
“Addressable” appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316
includes required implementation specifications, a covered entity or business associate
must implement the implementation specifications.
(3) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316
includes addressable implementation specifications, a covered entity or business associate
must—
(i) Assess whether each implementation specification is a reasonable and
appropriate safeguard in its environment, when analyzed with reference to the
likely contribution to protecting electronic protected health information; and
(ii) As applicable to the covered entity or business associate—
(A) Implement the implementation specification if reasonable and
appropriate; or
(B) If implementing the implementation specification is not reasonable and
appropriate—
(1) Document why it would not be reasonable and appropriate to
implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and
appropriate.
(e) Maintenance. A covered entity or business associate must review and modify the security
measures implemented under this subpart as needed to continue provision of reasonable and
appropriate protection of electronic protected health information, and update documentation
of such security measures in accordance with §164.316(b)(2)(iii).
45 C.F.R. § 164.312 Technical safeguards.
A covered entity or business associate must, in accordance with §164.306:
(a) (1) Standard: Access control. Implement technical policies and procedures for electronic
information systems that maintain electronic protected health information to allow access
only to those persons or software programs that have been granted access rights as
specified in §164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number
for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as
needed) procedures for obtaining necessary electronic protected health
information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic procedures that
terminate an electronic session after a predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt
and decrypt electronic protected health information.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that contain or use electronic protected
health information.
(c) (1) Standard: Integrity. Implement policies and procedures to protect electronic protected
health information from improper alteration or destruction.
(2) Implementation specification: Mechanism to authenticate electronic protected health
information (Addressable). Implement electronic mechanisms to corroborate that
electronic protected health information has not been altered or destroyed in an
unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or
entity seeking access to electronic protected health information is the one claimed.
(e) (1) Standard: Transmission security. Implement technical security measures to guard against
unauthorized access to electronic protected health information that is being transmitted
over an electronic communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that
electronically transmitted electronic protected health information is not
improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic
protected health information whenever deemed appropriate.