supreme court of the united states · 164.306, 164.312 (2016), are located at appendix a. 302...


i

No. 18-251

________________

IN THE

Supreme Court of the United States

October Term, 2018

________________

BARKER & TODD, INC.,

Petitioner,

v.

Anthony HOPE,

Respondent.

________________

On Writ of Certiorari to the

Thirteenth Circuit Federal Court of Appeals

________________

BRIEF FOR RESPONDENT

________________

Attorneys for Respondent

Team 2720


ii

QUESTIONS PRESENTED

I. Whether Hope satisfied the injury-in-fact requirement of standing where attackers placed Hope’s electronic protected health information (“ePHI”) for sale on the dark web and his ePHI was downloaded hundreds of times.

II. Whether HIPAA may inform the standard of care for Hope’s general negligence and negligence per se claims under Missouriana law where B&T collected and failed to safeguard the putative class’s ePHI.


iii

TABLE OF CONTENTS

Page

TABLE OF CONTENTS ........................................................ iii

TABLE OF AUTHORITIES ...................................................... v

OPINIONS BELOW ............................................................ 1

STATUTORY AND REGULATORY PROVISIONS INVOLVED .............................. 1

STATEMENT OF THE CASE ..................................................... 2

SUMMARY OF THE ARGUMENT ................................................... 5

I. Hope Suffered an Injury-In-Fact Sufficient to Confer Standing. ......... 5

II. Hope Can Sue B&T for Negligence Under Missouriana Law. ................ 6

ARGUMENT .................................................................. 7

I. STANDARD OF REVIEW ..................................................... 7

II. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT THE PUTATIVE CLASS SATISFIED THE INJURY-IN-FACT REQUIREMENT. ........................................ 8

A. Hope Suffered a Particularized Injury Because His Personal Information Was Targeted in a Data Breach That Affected a Finite Group of Consumers. ........ 9

B. Hope Suffered a Concrete Injury Because His Injury Is Closely Linked to the Traditionally Recognized Harm of Invasion of Privacy and Congress Has Emphasized the Importance of Protecting Private Medical Information. ........ 11

C. Hope Suffered Actual or Imminent Injuries Because B&T’s Data Breach Increased Hope’s Risk of Identity Theft and Attackers Sold His Sensitive Personal Information on the Dark Web. ........ 13

III. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT HOPE STATED PLAUSIBLE CLAIMS ENTITLED TO RELIEF UNDER MISSOURIANA NEGLIGENCE LAW THAT ARE NOT PREEMPTED BY HIPAA. ........ 16

A. HIPAA Allows Missouriana to Protect Its Citizens’ Privacy Interests Because Its Preemption Clause Only Applies to Contrary State Law. ........ 17

B. B&T Had a General Negligence Duty to Protect the Putative Class’s Health Information Based on the Surrounding Circumstances and B&T’s Undertaking. ........ 22

iv

C. B&T Had a Duty to Protect the Class’s Health Information Under Missouriana’s Negligence Per Se Statute. ........ 29

CONCLUSION ................................................................ 34

APPENDIX A ................................................................ 35


v

TABLE OF AUTHORITIES

Cases Page(s)

Alaska Ass’n of Naturopathic Physicians v. State Dep’t of Commerce,

414 P.3d 630 (Alaska 2018)...............................................................................................32

Arkansas Elec. Co-op. Corp. v. Arkansas Pub. Serv. Comm’n,

461 U.S. 375 (1983) ...........................................................................................................16

Ashcroft v. Iqbal,

556 U.S. 662 (2009) .............................................................................................................8

Astra USA, Inc. v. Santa Clara Cty.,

563 U.S. 110 (2011) ...........................................................................................................17

Attias v. Carefirst, Inc.,

865 F.3d 620 (D.C. Cir. 2017) .....................................................................................14, 15

Baker v. Carr,

369 U.S. 186 (1962) .............................................................................................................9

Barnhill v. Teva Pharm. USA, Inc.,

819 F. Supp. 2d 1254 (S.D. Ala. 2011)........................................................................23, 24

Basileh v. Alghusain,

912 N.E.2d 814 (Ind. 2009) ...............................................................................................31

Baum v. Keystone Mercy Health Plan,

826 F. Supp. 2d 718 (E.D. Pa. 2011) .................................................................................21

Batterton v. Francis,

432 U.S. 416 (1977) ...........................................................................................................31

Bell Atl. Corp. v. Twombly,

550 U.S. 544 (2007) .........................................................................................................7, 8

Biddle v. Warren Gen. Hosp.,

715 N.E.2d 518 (Ohio 1999) ......................................................................................26, 27

Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C.,

102 A. 3d 32 (Conn. 2014) ....................................................................................16, 18, 19

Chrysler Corp. v. Brown,

441 U.S. 281 (1979) ...........................................................................................................31


vi

Dan’s City Used Cars, Inc. v. Pelkey,

569 U.S. 251 (2013) ...........................................................................................................17

Dep’t of Homeland Sec. v. MacLean,

135 S. Ct. 913 (2015) .........................................................................................................31

D.H. ex rel. A.M.J. v. Whipple,

103 N.E.3d 1119 (Ind. Ct. App. 2018)...............................................................................27

Dixon v. Int’l Harvester Co.,

754 F.2d 573 (5th Cir. 1985) .............................................................................................30

English v. Gen. Elec. Co.,

496 U.S. 72 (1990) .......................................................................................................18, 19

Exelon Generation Co., LLC v. Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO,

676 F.3d 566 (7th Cir. 2012) .............................................................................................18

Fanean v. Rite Aid Corp. of Delaware,

984 A.2d 812 (Del. Super. Ct. 2009) ...........................................................................27, 28

Ford v. Oliver,

176 A.3d 891 (Pa. Super. Ct. 2017) ..................................................................................26

Fraley v. Facebook,

830 F. Supp. 2d 785 (N.D. Cal. 2011) ...................................................................9, 10

Galaria v. Nationwide Mut. Insurance Co.,

663 F. App’x 384 (6th Cir.) .........................................................................................14, 15

Gill v. Whitford,

138 S.Ct. 1916 (2018) ........................................................................................9

Grable & Sons Metal Products, Inc. v. Darue Engineering & Mfg.,

545 U.S. 308 (2005) ...............................................................................................20, 22, 30

Gratz v. Bollinger,

539 U.S. 244 (2003) ...........................................................................................8

Greater Houston Transp. Co. v. Phillips,

801 S.W.2d 523 (Tex. 1990) ..............................................................................................23

Hanson v. Jones Medical Ctr.,

199 Mis. 2d 321 (2002) ......................................................................................................26


vii

Heckman v. Ryder Truck Rental, Inc.,

962 F. Supp. 2d 792 (D. Md. 2013) ...................................................................................24

In Re Horizon Healthcare Serv. Inc. Data Breach,

846 F.3d 625 (3rd Cir. 2017) .................................................................................11, 12, 12

Howard v. Zimmer, Inc.,

299 P.3d 463 (Okla. 2013) ...........................................................................................21, 22

I.S. v. Washington Univ.,

No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo. June 14, 2011) ...............................21

K.V. & S.V. v. Women’s Healthcare Network, LLC,

No. 07-0228-CV-W-DW, 2007 WL 1655734 ...................................................................30

State v. Lee,

957 P.2d 741 (Wash. 1998)................................................................................................16

Lewert v. P.F. Chang’s China Bistro, Inc.,

819 F.3d 963 (7th Cir. 2016) .............................................................................................15

Lujan v. Def. of Wildlife,

504 U.S. 555 (1992) .............................................................................................................8

Martin v. Herzog,

126 N.E. 814 (N.Y. 1920) ..................................................................................................29

Medtronic, Inc. v. Lohr,

518 U.S. 470 (1996) ...........................................................................................................18

Merrell Dow Pharm., Inc. v. Thompson,

478 U.S. 804 (1986) ...............................................................................................20, 22, 30

Mower v. Baird,

422 P.3d 837 (Utah 2018) ..................................................................................................25

Muskrat v. United States,

219 U.S. 346 (1911) .............................................................................................................8

N.L.R.B. v. Brown,

380 U.S. 278 (1965) ...........................................................................................................23

New Star Realty, Inc. v. Jungang PRI USA, LLC,

816 S.E.2d 501 (Ga. Ct. App. 2018) ..................................................................................22


viii

In re Nickelodeon Consumer Privacy Litig.,

827 F.3d 262 (3d Cir. 2016)...........................................................................................9, 11

Oakey ex rel. Lucero v. May Maple Pharmacy, Inc.,

399 P.3d 939 (N.M. Ct. App. 2017) ..................................................................................28

Petruska v. Gannon Univ.,

462 F.3d 294 (3d Cir. 2006).................................................................................................7

Pisciotta v. Old Nat’l Bancorp.,

499 F.3d 629 (7th Cir. 2007) .........................................................................................8, 13

Potvin v. Speedway LLC,

891 F.3d 410 (1st Cir. 2018) ..............................................................................................22

Pratico v. Portland Terminal Co.,

783 F.2d 255 (1st Cir. 1985) ..............................................................................................30

R.K. v. St. Mary’s Med. Ctr., Inc.,

735 S.E.2d 715 (W. Va. 2012) .....................................................................................16, 19

Regents of Univ. of California v. Superior Court,

413 P.3d 656 (Cal. 2018) .............................................................................................25, 26

Remijas v. Neiman Marcus Grp., LLC,

794 F.3d 688 (7th Cir. 2015) .............................................................................................10

United States v. Richardson,

418 U.S. 166 (1974) .............................................................................................................9

Sheldon v. Kettering Health Network,

40 N.E.3d 661 (Ohio Ct. App. 2015) ...........................................................................19, 21

State v. Slavens,

190 S.W.3d 410 (Mo. Ct. App. 2006) ................................................................................31

Spokeo v. Robins,

136 S.Ct. 1540 (2016) ....................................................................................................8, 11

Staggs ex rel. Coulter v. ADS Logistics Co., LLC,

102 N.E.3d 319 (Ind. Ct. App. 2018).................................................................................26

In re Target Corp. Customer Data Sec. Breach Litig.,

64 F. Supp. 3d 1304 (D. Minn. 2014) ..........................................................................23, 26


ix

Vill. of Euclid, Ohio v. Ambler Realty Co.,

272 U.S. 365 (1926) ...........................................................................................................16

Weinberg v. Advanced Data Processing, Inc.,

147 F. Supp. 3d 1359 (S.D. Fla. 2015) ..............................................................................28

Yath v. Fairview Clinics,

767 N.W.2d 34 (Minn. Ct. App. 2009) ..................................................................16, 19, 20

Statutes

42 U.S.C. § 1320d-7 ......................................................................................................................18

Pub. L. No. 104-191 .......................................................................................................2, 16, 20, 32

Rules

45 C.F.R. § 160 ............................................................................................................10, 17, 18, 32

45 C.F.R. § 164 ............................................................................................................1, 3, 4, 32, 33

58 M.C.S. § 10/5-101 .....................................................................................................1, 22, 26, 27

302 M.C.S. § 3/22-104 .....................................................................................................1, 4, 29, 32

410 M.C.S. § 22/46-101(a) ...................................................................1, 3, 24, 25, 26, 27

Fed. R. Civ. P. 12 ......................................................................................................4, 7, 12, 29, 33

Other Authorities

Black’s Law Dictionary (9th ed. 2009) ............................................................................................8

Erin Fuchs, Identity theft now costs far more than all other property crimes combined, Business Insider (Dec. 12, 2013), (available at https://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12) .............................................................15

HHS OCR Imposition of CMP Against Children’s Medical Center of Dallas for Lack of Timely

Action Risks Security and Costs Money, Healthcare Compl. Rep. ¶ 480033 ..............32, 33

HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research (Sharyl J. Nass

et al. eds., 2009) .................................................................................................................13


x

Restatement (Second) of Torts § 323 (Am. Law Inst. 1965) .........................................................27

Restatement (Second) of Torts § 652A (Am. Law Inst. 1977) ......................................................12

Restatement (Third) of Torts § 14 (Am. Law Inst. 2001) ..................................................20, 29, 31

Social Security Administration, Identity Theft and Your Social Security Number 2 (2018),

available at http:// www.ssa.gov/pubs/10064.pdf .............................................................15

Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462

(December 28, 2000) .........................................................................................................19

Page 11: Supreme Court of the United States · 164.306, 164.312 (2016), are located at Appendix A. 302 M.C.S. § 3/22-104 provides that “[a]n actor is negligent if, without excuse, the actor

1

OPINIONS BELOW

The unreported opinion of the United States Court of Appeals for the Thirteenth Circuit appears on pages 15-24 of the record. The unreported opinion of the United States District Court for the District of Missouriana appears on pages 1-14 of the record.

STATUTORY AND REGULATORY PROVISIONS INVOLVED

HIPAA regulations cited by Hope as informing the standard of care, 45 C.F.R. §§ 164.306, 164.312 (2016), are located at Appendix A.

302 M.C.S. § 3/22-104 provides that “[a]n actor is negligent if, without excuse, the actor violates a statute that is designed to protect against the type of accident the actor’s conduct causes, and if the accident victim is within the class of persons the statute is designed to protect.” 302 M.C.S. § 3/22-104 (2014).

58 M.C.S. § 10/5-101 requires “health care providers” to maintain patient record confidentiality and defines “health care provider” to include “physicians; surgeons; podiatrists; dentists; optometrists; psychologists; physical or occupational therapists; marriage, family and child counselors; clinical social workers, and any other health care professional licensed under Missouriana law.” 58 M.C.S. § 10/5-101 (2008).

The Missouriana Data Breach Notification Act requires “[an] individual or a commercial entity that conducts business in Missouriana and that owns or licenses computerized data that includes personally identifiable information about a resident of Missouriana” to “conduct in good faith a reasonable and prompt investigation to determine the source of the breach and give notice as soon as possible to the affected Missouriana resident.” Missouriana Data Breach Notification Act, 410 M.C.S. § 22/46-101(a) (2005).

2

STATEMENT OF THE CASE

This case involves a dispute over whether a data breach constitutes injury-in-fact for purposes of Article III standing and whether wrongful disclosure of electronic protected health information (“ePHI”) covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of 42 U.S.C.) may form the basis for state law negligence claims. Anthony Hope (“Hope”) complains that Baker & Todd, Inc. (“B&T”) negligently failed to update its servers to protect its customers’ ePHI including medical history information and social security numbers. (R. at 1.) Due to B&T’s failure to safeguard this ePHI, attackers accessed the customers’ information and placed it for sale on a “darknet market” website, where it was downloaded hundreds of times. (R. at 3.) The total number of potentially affected participants was 426. (Id.) Hope and other affected participants brought this class action lawsuit, seeking recovery from B&T for the wrongful disclosure and related injuries. (R. at 4.)

B&T’s Pharmaceutical Program

B&T manufactures prescription drugs that several of its customers cannot afford. (R. at 2.) Moreover, medical insurance only partially covers the cost of a number of these drugs. (R. at 2.) While B&T offers a prescription assistance program to offset these costs, B&T requires participants to complete an application which asks for personal information including income, date of birth, social security number, medical insurance policy numbers, and medical history regarding the prescribed medication. (R. at 3.) Based on factors such as income and availability of insurance, B&T determines whether to reduce individual patients’ costs for obtaining its drugs. (R. at 2.)

3

Hope and other members of the putative class participated in a prescription drug access program for B&T’s new arthritis drug, Flexacor. (R. at 3.) As with B&T’s other prescription assistance programs, members of the putative class provided B&T with their incomes, dates of birth, social security numbers, medical insurance policy numbers, and medical histories. (R. at 2.) B&T stored this ePHI on its servers. (R. at 2.)

B&T’s Failure to Safeguard the Class’s ePHI

Attackers first accessed the putative class’s ePHI on B&T’s servers on October 26, 2015. (R. at 2.) Although the ePHI was encrypted and password-protected due to the risk of an exploit, B&T left the information vulnerable to attackers while transferring it from local servers to upgraded cloud-based servers it purchased from an outside vendor. (R. at 2.) Specifically, B&T failed to install the vendor’s upgrade to patch a hole in the cloud-based servers’ security that would have prevented attackers from accessing B&T’s customers’ ePHI without a decryption key. (R. at 2.)

By moving the ePHI to the new servers without installing the update, B&T left the putative class’s data vulnerable for about eight hours. (R. at 3.) During this time attackers utilized an exploit that rendered encryption ineffective and accessed the putative class’s ePHI. (R. at 3.) Afterward, B&T installed the outside vendor’s patch but would later learn that the data had already been compromised. (R. at 3.)

On November 8, 2015, B&T notified members of the putative class about the possibility of a breach, pursuant to HIPAA’s regulations, 45 C.F.R. § 164.404(b), and Missouriana’s Data Breach Notification Act, 410 M.C.S. § 22/45–101(a). (R. at 3.) B&T offered the affected participants a year of free credit monitoring due to their increased risk of identity theft and continued to investigate whether a breach had occurred. (R. at 3.) Hope signed up for the credit monitoring. (R. at 3.) On November 30, 2015, Hope learned that his B&T account user name and password, date of birth, and social security number had been placed for sale on the dark web and downloaded hundreds of times. (R. at 3.)

4

Hope has experienced fear and anxiety about identity theft, especially considering that he will soon be married and combine finances with his new husband. (R. at 4.) While Hope had not yet experienced fraudulent charges or other instances of identity theft at the time of initiating this suit, his information remained for sale on the dark web. (R. at 4.)

Procedural History

Hope filed this class action suit on February 15, 2016 under the federal court’s diversity jurisdiction. (R. at 4.) The putative class includes B&T customers who, like Hope, found their information on the dark web. (R. at 4.) Hope alleges that B&T negligently handled the consumers’ ePHI by failing to protect the privacy of their ePHI. (R. at 4.) Hope cites to 45 C.F.R. §§ 164.306-164.312, which provide HIPAA’s privacy standards, as evidence of the standard of care in a general negligence claim. (R. at 4.) Hope also argues that HIPAA defines the standard of care in a separate cause of action based on Missouriana’s negligence per se law, 302 M.C.S. § 3/22-104. (R. at 4.)

B&T moved to dismiss Hope’s complaint under Fed. R. Civ. P. 12(b)(1), arguing that the breach of his ePHI on B&T’s server and its dissemination on the dark web, along with the downloads, do not constitute injury for purposes of Article III standing. (R. at 4.) B&T also moved to dismiss under Fed. R. Civ. P. 12(b)(6), arguing that Missouriana negligence law does not provide Hope a cause of action based on its failure to protect the putative class’s ePHI. (R. at 4.)

5

While the United States District Court for the District of Missouriana granted B&T’s motions and dismissed the complaint without prejudice, the Thirteenth Circuit reversed and remanded the matter. (R. at 14, 24.) The Thirteenth Circuit held that the district court dismissed Hope’s complaint in error as to both grounds. (R. at 24.)

On July 16, 2018, this Court granted certiorari. (R. at 25.) On appeal, this Court considers: 1) whether Hope established injury-in-fact to confer standing under Article III and 2) whether Hope’s Missouriana negligence claims may be based on violations of HIPAA. (R. at 25.)

SUMMARY OF THE ARGUMENT

I. Hope Suffered an Injury-In-Fact Sufficient to Confer Standing.

Hope’s injuries resulting from B&T’s negligent failure to safeguard his electronic protected health information (“ePHI”) constitute injury-in-fact for purposes of Article III standing. To establish standing, a plaintiff must allege an injury which is concrete and particularized and actual or imminent.

Hope suffered a particularized injury when attackers targeted his personal, identifiable information. Rather than being a universal harm, the breach affected a finite group of consumers. Hope had a personal stake in keeping his personal information away from the dark web. Because attackers downloaded his ePHI hundreds of times, Hope faces a threat of identity theft unique to him. Due to this misappropriation of his sensitive personal information, Hope must now carefully monitor his credit for fraudulent acts.

Next, Hope suffered a concrete injury. Courts have traditionally recognized a person’s interest in freedom from invasion of privacy. The data breach resulted in a similar type of concrete harm. Also, Congress has expressed the importance of protecting the privacy of patients like Hope by passing HIPAA.

6

Finally, the data breach imminently and substantially increased Hope’s risk of future harm from identity theft and other fraudulent activities. Attackers generally instigate data breaches like the one at issue to commit fraudulent activities. Considering that attackers sold Hope’s personal information on the dark web hundreds of times, its further misuse is imminent.

II. Hope Can Sue B&T for Negligence Under Missouriana Law.

The putative class stated plausible claims which entitle Hope to relief under Missouriana law. In passing HIPAA, Congress left the states to provide additional protections for patients’ privacy. While HIPAA preempts contrary state laws, Hope’s claims complement the goals of HIPAA by encouraging those entrusted with ePHI, such as B&T, to protect patients’ privacy.

Also, Missouriana common law affirmatively required B&T to exercise reasonable care in protecting Hope’s ePHI. The surrounding circumstances imposed a common law duty upon B&T to protect its customers’ sensitive information. B&T reasonably foresaw the possibility of a data breach like the one that occurred and kept patients’ ePHI in encrypted form, albeit negligently. Also, B&T created relationships with members of the putative class by asking them to provide sensitive information to receive financial assistance. Likewise, the Missouriana Data Breach Notification Act statutorily created a relationship between B&T and the putative class. Moreover, Missouriana has recognized the importance of protecting medical patients’ information, and the state’s public policy favors imposing a duty of care. B&T also voluntarily assumed a duty of care toward the putative class by obtaining the class’s information and storing it in encrypted form.

7

Finally, Missouriana statutory law provides Hope a cause of action based on negligence

per se. Missouriana’s negligence per se statute uses the language of the Third Restatement of

Torts, showing the legislature’s intent to follow the Restatement’s approach of allowing federal

regulations like HIPAA to define B&T’s standard of care. Although Hope’s negligence claims

refer to regulatory provisions, their legislative-type nature makes them like statutory law. Based

on the allegations in the Complaint, B&T had an affirmative obligation to follow HIPAA’s

standards cited by Hope but failed to do so.

ARGUMENT

Hope states claims upon which relief may be granted by the federal courts. While the

District Court dismissed Hope’s claims, the Court of Appeals for the Thirteenth Circuit reversed,

holding that Hope’s Complaint established injury-in-fact for Article III standing and pleaded

claims for which relief could be granted under Missouriana negligence law. (R. at 24.)

The Thirteenth Circuit correctly held that the putative class’s injuries related to attackers

placing its electronic protected health information (“ePHI”) for sale on the dark web confer

standing under Article III. The Thirteenth Circuit also correctly held that Hope stated plausible

general negligence and negligence per se claims under Missouriana law by asserting that B&T

failed to properly safeguard the class’s ePHI.

I. STANDARD OF REVIEW

This Court reviews decisions on a motion to dismiss under Fed. R. Civ. P. 12(b)(6) de

novo. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 556 (2007). A motion to dismiss under

Fed. R. Civ. P. 12(b)(1) is reviewed under the same standard. Petruska v. Gannon Univ., 462

F.3d 294, 299 (3d Cir. 2006). “[A] complaint must contain sufficient factual matter, accepted as

true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678

(2009) (citing Twombly, 550 U.S. at 570). “[O]nce a claim has been stated adequately, it may be

supported by showing any set of facts consistent with the allegations in the complaint.”

Twombly, 550 U.S. at 563.

II. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT THE PUTATIVE

CLASS SATISFIED THE INJURY-IN-FACT REQUIREMENT.

The Thirteenth Circuit correctly held that the putative class satisfied the injury-in-fact

requirement to confer standing. Article III limits this Court’s exercise of judicial power to cases

and controversies. Muskrat v. United States, 219 U.S. 346, 356 (1911). The standing to sue

doctrine, rooted in this “case or controversy” doctrine, further limits the jurisdiction of federal

courts. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). To establish standing, a plaintiff must

show an injury-in-fact that is fairly traceable to the defendant’s conduct and likely to be

redressed by a favorable decision. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992). In a

class action, injury for standing requires the named plaintiff to demonstrate that they have been

injured, independent of unidentified members of the class. Gratz v. Bollinger, 539 U.S. 244, 289

(2003).

To establish injury-in-fact, a plaintiff must allege an injury which is “concrete and

particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at

560. A particularized injury affects the plaintiff in a personal and individual way. Spokeo, 136

S.Ct. at 1548. A concrete injury must be “de facto,” that is, it must “actually exist,” and it cannot

be abstract. Id. (citing Black’s Law Dictionary 479 (9th ed. 2009)). Threat and increased risk of

future harm may meet the injury-in-fact requirement. Pisciotta v. Old Nat’l Bancorp., 499 F.3d

629, 634 (7th Cir. 2007) (“As many of our sister circuits have noted, the injury-in-fact

requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff

only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent

the defendant’s actions.”). Hope has alleged injuries which are concrete, particularized, and

actual or imminent.

A. Hope Suffered a Particularized Injury Because His Personal Information Was

Targeted in a Data Breach That Affected a Finite Group of Consumers.

The putative class alleged a particularized injury because attackers accessed a finite

group of consumers’ sensitive personal information, disseminated the information on the dark

web, and that information was downloaded. To establish a particularized injury, the plaintiff

must have a “personal stake in the outcome.” Gill v. Whitford, 138 S.Ct. 1916, 1923 (2018). A

plaintiff clearly demonstrating a “plain, direct and adequate interest” in the result of a case due to

an injury pleads a particularized injury. See Baker v. Carr, 369 U.S. 186, 208 (1962). The

plaintiff must suffer a direct injury as the result of the defendant’s actions. United States. v.

Richardson, 418 U.S. 166, 179-80 (1974). A universal harm or “general interest common to all

members of the public” does not confer standing. Id. at 177-78.

Misappropriation of identifiable information about an individual in an identifiable

manner constitutes a particularized injury. Fraley v. Facebook, 830 F. Supp. 2d 785, 797 (N.D.

Cal. 2011); see also In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 274 (3d Cir.

2016) (“The purported injury here is clearly particularized, as each plaintiff complains about the

disclosure of information relating to his or her online behavior.”). In Fraley, a class of users of a

social network website sued the owner of the website for violating their statutory right of

publicity when their names and pictures were placed on users’ pages for advertising purposes.

Id. at 790. The court held that each individual plaintiff had alleged a particularized injury

because they had described exactly what information belonging to each named plaintiff was used

by the defendant, how the defendant used that information, and to whom that information was

published. Id. at 797. In this way, the plaintiffs were able to precisely describe the alleged

commercial misappropriation and how it affected them personally. Id.

The putative class has suffered a direct injury rather than a “generalized grievance.” The

group of potentially affected consumers only includes 426 participants in the prescription drug

access program for Flexacor. (R. at 3.) Harm to these consumers does not constitute a universal

harm.

Hope has a personal stake in the outcome of this case because his sensitive personal

information has been placed on the dark web and downloaded hundreds of times. (R. at 3.) He

must now carefully monitor his credit due to B&T’s data breach. (R. at 4.) B&T has provided

no guarantee that it will continue paying for Hope’s credit monitoring services beyond one year.

(R. at 3.) Considering that attackers repeatedly downloaded Hope’s data within about a month of

the breach, Hope may have to pay for additional credit monitoring services in the future. See

Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015) (noting that it is

plausible to infer that plaintiffs are at a substantial risk of harm from a data breach because it is

presumably the purpose of the hack to, sooner or later, make fraudulent charges or assume those

consumers’ identities). Moreover, this experience has already caused Hope a considerable

amount of fear and anxiety. (R. at 4.) Therefore, Hope has clearly demonstrated he has a

personal stake in the outcome of this case.

Moreover, like in Fraley, Hope’s injury relates to information about an individual that

attackers misappropriated in an identifiable manner. In fact, ePHI must allow for individual

identification. 45 C.F.R. § 160.103 (defining “protected health information” as “individually

identifiable health information”). Attackers misappropriated the information in an identifiable

manner by placing it for sale on the dark web, where Hope was able to see how many times his

personal information had been downloaded. (R. at 3.) The credit monitoring company alerted

Hope based on his individual risk of harm because his account user name and password for his

B&T account, date of birth, and social security number had been placed on the dark web and

downloaded hundreds of times. (R. at 3.) Hope’s ePHI being placed on the dark web is not a

“generalized grievance.” Thus, Hope has alleged a particularized injury.

B. Hope Suffered a Concrete Injury Because His Injury Is Closely Linked to the

Traditionally Recognized Harm of Invasion of Privacy and Congress Has

Emphasized the Importance of Protecting Private Medical Information.

Hope has sufficiently alleged a concrete injury because Hope has experienced harm

closely linked to the traditionally recognized harm of invasion of privacy and Congress has

emphasized the importance of protecting private medical information. A concrete injury must

“actually exist” and cannot be abstract. Spokeo, 136 S.Ct. at 1548. However, an intangible

injury may still be concrete. Id. at 1549.

Courts consider history and the judgment of Congress when determining whether an

intangible harm constitutes injury-in-fact. Id. A harm having “a close relationship to a harm that

has traditionally been regarded as providing a basis for a lawsuit in English or American courts”

weighs in favor of concreteness. See id. Congressional recognition of an injury through

legislation also suggests that the injury is concrete. Id. (noting that Congress has the power to

“define injuries and articulate chains of causation that will give rise to a case or controversy

where none existed before.”); see also Nickelodeon, 827 F.3d at 274 (“Congress has long

provided plaintiffs with the right to seek redress for unauthorized disclosures of information that,

in Congress’s judgment, ought to remain private.”).

Unauthorized disclosure and improper dissemination of information constitute a

cognizable injury. See In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 638-39

(3d Cir. 2017). In Horizon, a putative class sued its insurer under the Fair Credit Reporting Act

(“FCRA”) for failing to encrypt personal information, resulting in a data breach. Id. at 629.

Attackers obtained the information, which included names, dates of birth, social security

numbers, medical histories, and insurance information, by stealing laptops at the defendant’s

headquarters. Id. Although the defendant offered a year of credit monitoring services and

plaintiffs did not allege that identity theft had occurred, plaintiffs argued that both the breach

itself and the resulting increased risk of harm constituted concrete injury. Id. at 634.

The court denied the defendant’s motion to dismiss under Fed. R. Civ. P. 12(b)(1),

holding that the plaintiffs suffered a cognizable injury. Id. The court reasoned that a person’s

right to guard against the dissemination of private information has been recognized by the

American legal system. Id. at 638-39. The type of injury at issue was the same type that

Congress intended to prevent by passing the FCRA. Id. at 640. The court noted that Congress’s

creation of a private right of action to enforce the FCRA “clearly illustrates that Congress

believed that the violation of FCRA causes a concrete harm to consumers.” Id.

Hope suffered a concrete intangible harm which closely resembles the historically

recognized tort of invasion of privacy. Hope’s sensitive personal information, which was like

the information involved in Horizon, was compromised due to B&T’s negligence. (R. at 3.)

B&T allowed attackers to access Hope’s personal information such as his income, date of birth,

social security number, medical insurance policy numbers, and medical history. (R. at 2.) Like

in Horizon, Hope must now carefully monitor his finances to guard against potential identity

theft. (R. at 3.) This unauthorized disclosure of Hope’s information closely resembles the tort of

invasion of privacy. See Restatement (Second) of Torts § 652A (Am. Law Inst. 1977) (“One

who invades the right of privacy of another is subject to liability for the resulting harm to the

interests of the other”). Therefore, Hope alleged a concrete injury that has a close relationship to

a traditionally recognized harm.

Furthermore, Hope’s injury is concrete because Congress has recognized a plaintiff’s

right to seek redress for unauthorized disclosures of information. Congress enacted HIPAA with

the intention of better protecting health information given advances in electronic technology.

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, 63-

64 (Sharyl J. Nass et al. eds., 2009). HIPAA helped create nationwide security standards and

safeguards for the use of electronic health care information, as well as privacy standards for

protected health information. Id. Hope’s injury relates to the unauthorized disclosure of his

ePHI—the type of information that Congress emphasized the importance of protecting.

Therefore, Hope’s alleged injury is concrete because Congress has recognized the importance of

protecting private medical information.

Thus, Hope has alleged a concrete injury that resembles historically recognized privacy

torts. Additionally, Hope’s alleged injury is concrete because Congress has recognized the

importance of protecting private medical information.

C. Hope Suffered Actual or Imminent Injuries Because B&T’s Data Breach

Increased Hope’s Risk of Identity Theft and Attackers Sold His Sensitive

Personal Information on the Dark Web.

Hope alleged actual or imminent injuries because attackers placed his sensitive personal

information for sale on the dark web and increased his risk of identity theft. The threat of future

harm or an act by the defendant which increases the plaintiff’s risk of future harm may satisfy

the injury-in-fact requirement for standing. Pisciotta, 499 F.3d at 634.

When analyzing an increased-risk-of-harm claim, courts consider the ultimate alleged

harm as the concrete and particularized injury and then determine whether the increased risk of

such harm makes injury to an individual citizen sufficiently imminent. See Attias v. Carefirst,

Inc., 865 F.3d 620, 627 (D.C. Cir. 2017). In Attias, the putative class’s information was stolen

during a cyberattack. Id. at 622. The plaintiffs alleged that the information included members’

names, birth dates, social security numbers, and credit card numbers. Id. at 623. The court held

that the plaintiffs had sufficiently pleaded injury for purposes of standing. Id. at 629.

“Experience and common sense” supported that the putative class faced a substantial risk of

identity theft. Id. at 628. Moreover, based on the type of information taken, “the purpose of the

hack [was], sooner or later, to make fraudulent charges or assume those consumers’ identities.”

Id. at 628-29.

Additionally, a substantial risk of harm coupled with reasonably incurred mitigation costs

establishes a cognizable Article III injury. Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x

384, 388 (6th Cir. 2016). In Galaria, hackers stole the putative class’s names, dates of birth, and

social security numbers from the defendant’s computer network. Id. at 386. The court held that

the plaintiffs had alleged a cognizable Article III injury. Id. at 388. Even if identity theft was

not “literally certain,” the plaintiffs faced a substantial risk of such harm and would incur

reasonable mitigation costs. Id. at 388. The court noted expecting the plaintiffs to wait for

actual fraud would be unfair. Id. Moreover, the defendant recognized the severity of the risk by

offering the plaintiffs credit-monitoring and theft-protection services for a year. Id. at 389. As

these protective services were offered for a limited time, the risk of identity theft was continuing

and plaintiffs would incur additional expenses. Id.

Hope alleges an imminent injury because B&T’s data breach made Hope substantially

more susceptible to the ultimate harm of identity theft. Like in Attias, attackers accessed Hope’s

sensitive personal information including his social security number, birth date, and insurance

information. (R. at 3.) This information can be used to access more of Hope’s sensitive personal

information. See Social Security Administration, Identity Theft and Your Social Security

Number 2 (2018), available at http://www.ssa.gov/pubs/10064.pdf. For example, an identity

thief could use Hope’s social security number to apply for credit cards in his name and damage

his credit score. See id. Additionally, Hope’s account user name and password for his B&T

account would give an identity thief access to his private medical information. (R. at 3.)

“Experience and common sense” further support that the unauthorized access to Hope’s

information created a material risk of identity theft. See Attias, 865 F.3d at 628; see also Erin

Fuchs, Identity theft now costs far more than all other property crimes combined, Business

Insider (Dec. 12, 2013), available at https://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12 (noting that those whose information has been stolen are

9.5 times more likely to suffer identity fraud or identity theft). Hope must now carefully monitor

his finances to protect himself.

Also, Hope faces imminent injury because he alleged a substantial risk of harm coupled

with reasonably incurred mitigation costs. Hope’s future harm need not be “literally certain.”

See Galaria, 663 F. App’x at 388. Hope’s information on the dark web was similar to the

putative class’s information in Galaria. (R. at 3). Like in Galaria, B&T recognized this risk by

offering Hope free credit-monitoring for the year. (R. at 3.) B&T did not specify that this

service would be available to Hope after the year and Hope will plausibly incur additional costs

by paying for his own credit monitoring services in the future. (See R. at 3, 7.) Hope’s personal

information has been downloaded hundreds of times already. (R. at 3.) It is entirely possible

that his information could be fraudulently used in the future. See Lewert v. P.F. Chang’s China

Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (noting that the primary incentive for a breach is

to commit fraud).

Thus, Hope has alleged an injury which is “actual or imminent” and not “conjectural.”

B&T’s data breach substantially increased Hope’s risk of identity theft, and Hope will incur

costs in protecting his identity.

III. THE THIRTEENTH CIRCUIT CORRECTLY HELD THAT HOPE STATED

PLAUSIBLE CLAIMS ENTITLED TO RELIEF UNDER MISSOURIANA

NEGLIGENCE LAW THAT ARE NOT PREEMPTED BY HIPAA.

The Thirteenth Circuit correctly held that Hope stated plausible state law negligence

claims upon which relief can be granted. The Tenth Amendment reserves to Missouriana “[t]he

powers not delegated to the United States by the Constitution, nor prohibited by it to the

States.” U.S. Const. amend. X. Powers traditionally reserved to the states include establishing law related to health, safety,

morals, and welfare. See, e.g., Vill. of Euclid, Ohio v. Ambler Realty Co., 272 U.S. 365, 395

(1926). Protection of privacy interests also falls within the states’ police powers. See, e.g., State

v. Lee, 957 P.2d 741, 752-53 (Wash. 1998). Although Congress created federal law related to

privacy interests by drafting HIPAA, the states may exercise concurrent power where they are

not preempted. See Arkansas Elec. Co-op. Corp. v. Arkansas Pub. Serv. Comm’n, 461 U.S. 375,

390 (1983) (recognizing that Congress and the states concurrently share the power to regulate

interstate commerce in “an infinite variety of cases”);1 see also Byrne v. Avery Ctr. for Obstetrics

& Gynecology, P.C., 102 A.3d 32, 42-43 (Conn. 2014); R.K. v. St. Mary’s Med. Ctr., Inc., 735

S.E.2d 715, 724 (W. Va. 2012); Yath v. Fairview Clinics, 767 N.W.2d 34, 50 (Minn. Ct. App.

2009).

1 Congress derived its authority to pass HIPAA from the Commerce Clause. See HIPAA, Pub. L. No. 104-191, §

195, 110 Stat 1936 (1996).

This Court granted certiorari to resolve whether Hope’s general negligence and

negligence per se claims may be informed by HIPAA. (R. at 25.) This question may be divided

into two issues: 1) whether HIPAA allows the states to provide negligence claims based on its

violation and 2) whether Missouriana has provided such causes of action. The Thirteenth Circuit

Court correctly answered both questions affirmatively, reversing the district court and remanding

this case to proceed to discovery. (R. at 24.)

Accordingly, Hope’s pleadings state plausible claims upon which relief may be granted.

Rather than preempting the present negligence actions, Congress drafted HIPAA to leave room

for states to protect their citizens’ privacy. Moreover, Missouriana law imposed a general

negligence duty upon B&T to protect the putative class’s ePHI. Finally, when properly

construed, Missouriana’s negligence per se statute imposed a negligence per se duty upon B&T

based on HIPAA’s body of regulations.

A. HIPAA Allows Missouriana to Protect Its Citizens’ Privacy Interests Because Its

Preemption Clause Only Applies to Contrary State Law.

HIPAA allows Missouriana to protect the putative class’s privacy interests via tort-based

causes of action. Both courts being reviewed found that HIPAA did not preempt Hope’s claims,

albeit for different reasons.2 HIPAA’s preemption provision, 42 U.S.C. § 1320d-7, and its implementing

regulation, 45 C.F.R. § 160.203, interpreted in view of HIPAA’s regulatory history, exempt Hope’s negligence claims from preemption.

In evaluating whether federal law preempts state law, courts consider Congressional

intent. See Astra USA, Inc. v. Santa Clara Cty., 563 U.S. 110, 117 (2011). Courts first look to

statutory language to determine whether preemptive intent exists. Dan’s City Used Cars, Inc. v.

Pelkey, 569 U.S. 251, 260 (2013) (“[T]he Court focuses first on the statutory language, which

2 The district court found that Hope did not identify any state law basis to be preempted. (R. at 13.) The Thirteenth

Circuit found that Missouriana law supplied Hope’s causes of action, which HIPAA did not preempt. (R. at 22-23.)

necessarily contains the best evidence of Congress' pre-emptive intent.”); see also Byrne, 102

A.3d at 42-43. Regulatory records may provide another source for determining Congressional

intent. See Exelon Generation Co., LLC v. Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO, 676

F.3d 566, 573-75 (7th Cir. 2012) (“Where an agency has authoritatively interpreted its own rule,

courts generally defer to that reading.”).

This Court presumes against preemption when evaluating Congressional intent.

Medtronic, Inc. v. Lohr, 518 U.S. 470, 485 (1996) (“States are independent sovereigns in our

federal system, we have long presumed that Congress does not cavalierly pre-empt state-law

causes of action.”). Preemption of areas of law traditionally occupied by the states requires

“clear and manifest” Congressional intent. English v. Gen. Elec. Co., 496 U.S. 72, 79 (1990).

Hope’s claims relate to the protection of privacy—an area of law traditionally occupied

by the States. See, e.g., Lee, 957 P.2d at 752-53. These claims are presumptively not preempted.

In view of this presumption, HIPAA’s preemption provision, and HIPAA’s regulatory record,

HIPAA does not preempt Hope’s general negligence and negligence per se claims.

1. Hope’s General Negligence Claims Are Not Preempted.

HIPAA does not preempt Hope’s general negligence claims. HIPAA’s preemption

provision sets forth that federal provisions, requirements, standards, and implementation

specifications supersede “contrary provisions of State law.” 42 U.S.C. § 1320d-7 (emphasis

added). State law is “contrary” to HIPAA when “[a] covered entity or business associate would

find it impossible to comply with both the State and Federal requirements” or “[t]he provision of

State law stands as an obstacle to the accomplishment and execution of the full purposes and

objectives [of HIPAA].” 45 C.F.R. § 160.202 (defining “contrary”).

State-law based civil lawsuits that protect privacy are not “contrary” to HIPAA. See

R.K., 735 S.E.2d at 724 (holding that common-law tort claims based on the wrongful disclosure

of information “complement HIPAA by enhancing the penalties for its violation and thereby

encouraging HIPAA compliance”); Sheldon v. Kettering Health Network, 40 N.E.3d 661, 672

(Ohio Ct. App. 2015) (“[W]e fail to see how [a tort claim for the unauthorized, unprivileged

disclosure to a third party of nonpublic medical information] conflicts with HIPAA.”); Byrne,

102 A.3d at 46 (explaining that negligence claims in state courts support “at least one of

HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care

record”); cf. English, 496 U.S. at 89 (“[O]rdinarily, state causes of action are not pre-empted

solely because they impose liability over and above that authorized by federal law.”).

Regulatory intent further supports the availability of such causes of action. See Standards for

Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,582 (December

28, 2000) (“[T]he fact that a state law allows an individual to file a lawsuit to protect privacy

does not conflict with the HIPAA penalty provisions.”); Byrne, 102 A.3d at 49

(“[T]he regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing

regulations were intended to preempt tort actions under state law arising out of the unauthorized

release of a plaintiff’s medical records.”).

Accordingly, laws that discourage wrongful disclosure of medical records do not conflict

with HIPAA. See Yath, 767 N.W.2d at 50. In Yath, the plaintiff’s health care provider disclosed

her positive test for a sexually-transmitted disease to her husband without authorization. Id. at

37. Minn. Stat. § 144.335 (2006) provided a private cause of action based on this wrongful

disclosure. Id. The court held that HIPAA did not preempt Section 144.335. Id. at 50. The

court noted that “[i]t would not be impossible for [defendants] Fairview or Phat to comply with

both HIPAA and Minnesota Statutes section 144.335 because both laws, in complementary

rather than contradictory fashion, discourage a person from wrongfully disclosing information

from another person’s health record.” Id. at 49.

Here, Hope’s general negligence claim complements HIPAA rather than conflicts with it.

The Complaint alleges that B&T failed to maintain confidentiality of the putative class’s ePHI,

resulting in unauthorized access. (R. at 1.) Like in Yath, allowing Missouriana law to impose a

duty of care upon B&T to safeguard such information serves to discourage its wrongful

disclosure. HIPAA aims to protect this type of ePHI from events like B&T’s data breach. See

HIPAA, Pub. L. No. 104-191, § 201, 110 Stat 1936 (1996) (“[HIPAA’s] guidelines shall include

procedures to assure that such information is provided and utilized in a manner that appropriately

protects the confidentiality of the information and the privacy of individuals receiving health

care services and items”). B&T could have protected the putative class’s information while still

complying with HIPAA. Thus, allowing Missouriana to adjudicate Hope’s general negligence

claim serves the goals of HIPAA set forth by Congress.

2. Hope’s Negligence Per Se Claims Are Not Preempted.

HIPAA does not preempt Hope’s negligence per se claim for the same reasons as Hope’s

general negligence claim. The negligence per se claim asserts violation of HIPAA as an element

of negligence. A state-law cause of action may assert violation of a federal statute as an element,

even when the federal statute does not provide a private cause of action. See Merrell Dow

Pharm., Inc. v. Thompson, 478 U.S. 804, 817 (1986). This Court has noted that “[t]he violation

of federal statutes and regulations is commonly given negligence per se effect in state tort

proceedings.” Grable & Sons Metal Products, Inc. v. Darue Engineering & Mfg., 545 U.S. 308,

318 (2005) (citing Restatement (Third) of Torts § 14 cmt. a (Am. Law Inst. 2001)).

Accordingly, various courts have held that violation of HIPAA may form the basis of

negligence per se. See, e.g., Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d 718, 721

(E.D. Pa. 2011) (explaining that a HIPAA-based negligence per se claim “can and should be

decided by a state court”); I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at

*5 (E.D. Mo. June 14, 2011) (holding that a negligence per se claim may be based on HIPAA);

Harmon v. Maury Cty., Tenn., No. 1:05 CV 0026, 2005 WL 2133697, at *3 (M.D. Tenn. Aug. 31,

2005) (explaining that a HIPAA-based negligence per se claim “fall[s] within that broad class of

state law claims based on federal regulations in the state court”). The district court noted that the

Ohio Court of Appeals declined to consider a negligence per se claim based on violation of

HIPAA. (R. at 10 (citing Sheldon, 40 N.E.3d at 672).) However, the Sheldon court came to this

conclusion in part because violation of a federal regulation cannot be negligence per se under

Ohio law. Sheldon, 40 N.E.3d at 672. In contrast, Missouriana law allows such causes of action.

See infra Part III.C.1.

Enforcing a federal regulation is distinct from enforcing a negligence per se claim based on violation of that federal regulation. See Howard v. Zimmer, Inc., 299 P.3d 463, 472 (Okla. 2013). In Howard, the plaintiff alleged negligence per se based on the defendant’s violation of the Federal Food, Drug, and Cosmetic Act (“FDCA”). Id. at 466. Although the FDCA provided that its violations shall be prosecuted in the name of the United States, the court held that the negligence per se claim was not preempted. Id. at 469, 472 (citing 21 U.S.C. § 337 (2012)). The court reasoned that “negligence per se does not equate to liability per se” and noted that the plaintiff would need to prove proximate causation. Id. at 474.

HIPAA does not preempt Hope’s negligence per se claim for the same reasons as his general negligence claim. Although the negligence per se claim frames B&T’s duty as a violation of HIPAA, Merrell Dow and Grable support that violation of a federal regulation may be an element of a state law tort claim. See Merrell Dow, 478 U.S. at 817; Grable, 545 U.S. at 318. Regardless of whether B&T breached a general negligence duty informed by HIPAA or a negligence per se duty defined by a HIPAA violation, providing a cause of action serves to discourage future wrongful disclosure. To the extent that this difference affects the scope of B&T’s duty, Hope’s claim still does not conflict with HIPAA for any apparent reason. Moreover, like the FDCA claim in Howard, Hope’s negligence per se action does not equate to a private cause of action to enforce HIPAA because Hope must establish proximate causation and injury. As such, HIPAA does not preempt either of Hope’s negligence claims.

B. B&T Had a General Negligence Duty to Protect the Putative Class’s Health Information Based on the Surrounding Circumstances and B&T’s Undertaking.

The Thirteenth Circuit correctly held that Missouriana law imposed a general negligence duty upon B&T to protect the putative class’s health information. A legal duty supporting a claim of negligence may be imposed by a statutory enactment or a recognized common law principle. See, e.g., New Star Realty, Inc. v. Jungang PRI USA, LLC, 816 S.E.2d 501, 511 (Ga. Ct. App. 2018). While the existence of a duty is a legal question, the scope of that duty informed by the standard of care owed to another party is a question of fact. Potvin v. Speedway LLC, 891 F.3d 410, 414 (1st Cir. 2018).

As a preliminary matter, 58 M.C.S. § 10/5-101 does not absolve pharmaceutical companies like B&T from protecting their customers’ ePHI. Although § 10/5-101 lists various types of “health care providers” without specifically mentioning pharmaceutical companies, Missouriana has imposed a duty of care upon B&T through other means.

The surrounding circumstances and policy concerns imposed a common law duty, and B&T voluntarily assumed a duty by collecting and encrypting the putative class’s ePHI. The district court’s reasons for dismissing Hope’s Complaint pertain to questions of fact about the scope of B&T’s duty that should be resolved on remand.

1. Missouriana Common Law Imposed a Duty upon B&T Because Harm Was Foreseeable, the Parties Formed a Relationship, and the Circumstances Raise Policy Concerns.

Missouriana common law imposed a duty of care upon B&T to safeguard the putative class’s ePHI. Factors for determining whether a common law duty of care exists between parties include 1) the reasonable foreseeability of harm to the person injured, 2) the relationship between the parties, and 3) public policy concerns. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304, 1309 (D. Minn. 2014) (holding that retailer owed issuer banks a duty to disclose weaknesses in its data security system); Barnhill v. Teva Pharm. USA, Inc., 819 F. Supp. 2d 1254, 1260 (S.D. Ala. 2011) (holding that pharmaceutical company had a duty to warn prescribing physician of any dangers of a drug). Courts may place additional weight on the foreseeability of harm when determining whether a duty exists. See, e.g., Greater Houston Transp. Co. v. Phillips, 801 S.W.2d 523, 525 (Tex. 1990) (explaining that foreseeability of harm is “the foremost and dominant consideration” in finding a duty); Barnhill, 819 F. Supp. 2d at 1263 (“The ultimate test of the existence of a duty to use due care is found in the foreseeability that harm may result if care is not exercised.”). Regardless of the relative importance assigned to various factors in establishing a duty, the facts at hand strongly invoke each one.

a. Harm to the Putative Class Was Reasonably Foreseeable.

B&T should have reasonably foreseen the data breach and should be held accountable for this harm to the putative class. This Court has recognized that “a man is held to intend the foreseeable consequences of his conduct.” N.L.R.B. v. Brown, 380 U.S. 278, 287 (1965).


B&T’s security measures to prevent the data breach, albeit performed negligently, circumstantially support the reasonable foreseeability of injury. B&T encrypted the consumers’ information and implemented a sign-in process to prevent unauthorized access. (R. at 2.) When B&T left the information unprotected, it was downloaded within only eight hours. (R. at 2.) Based on leaving the system unprotected for this short amount of time, B&T found a sufficiently high likelihood of harm to investigate, contact patients, and offer credit monitoring services before even knowing whether the information had been accessed. (See R. at 3.)

Moreover, the laws and regulations that applied to B&T would have informed a reasonable party as to the possibility of harm. As the Thirteenth Circuit noted, drug companies should be familiar with their obligations under HIPAA. (R. at 23.) Likewise, under Missouriana’s Data Breach Notification Act, “a commercial entity that conducts business in Missouriana and that owns or licenses computerized data that includes personally identifiable information about a resident of Missouriana” must investigate breaches such as the one at issue. 410 M.C.S. § 22/46-101(a). Both provisions clearly relate to the possibility of the unauthorized disclosure of sensitive information. B&T should have been aware of these provisions and reasonably foreseen the possibility of causing harm to the putative class. This foreseeability of harm weighs heavily in favor of imposing a duty of care relative to other factors. See Phillips, 801 S.W.2d at 525; Barnhill, 819 F. Supp. 2d at 1263.

b. B&T’s Relationship with the Putative Class Imposed a Duty.

The relationship between B&T and members of the putative class imposed a duty of care. A relationship between parties may be established by statute, contractual relationship, or indirectly and impliedly based on the circumstances. E.g., Heckman v. Ryder Truck Rental, Inc., 962 F. Supp. 2d 792, 800 (D. Md. 2013). For example, a relationship may give rise to a duty “where the plaintiff is particularly vulnerable and dependent upon the defendant who, correspondingly, has some control over the plaintiff’s welfare.” Regents of Univ. of California v. Superior Court, 413 P.3d 656, 665 (Cal. 2018). When a disparity in circumstances exposes one party in a relationship to unreasonable risk, the law may create a duty. See Mower v. Baird, 422 P.3d 837, 849 (Utah 2018).

B&T created a relationship that imposed a duty of care by choosing to form imbalanced relationships with members of the putative class. B&T asked economically vulnerable patients to provide ePHI to receive financial assistance. (See R. at 2.) The eligibility determination evaluated patients’ monthly income and whether patients had insurance. (Id.) By participating in the program, the patients had to trust B&T to protect their information. (See id.) B&T had no obligation to form such a relationship, but the putative class needed financial assistance to obtain the arthritis medication. (See id.)

Additionally, the Missouriana Data Breach Notification Act statutorily created a relationship. The Act broadly applies to “[an] individual or a commercial entity that conducts business in Missouriana and that owns or licenses computerized data that includes personally identifiable information about a resident of Missouriana” and requires action in the case of a breach. 410 M.C.S. § 22/46-101(a) (2005). The district court noted that “that statute clearly applies to B&T and the electronic records in this case.” (R. at 12.) Thus, B&T cannot validly argue that it owed no duty to the putative class.

c. B&T’s Conduct Implicates Public Policy Concerns Recognized Under Missouriana Law.

B&T’s failure to safeguard the putative class’s ePHI implicates public policy concerns sufficiently important to Missouriana to impose a duty of care. In determining whether a duty should exist, courts consider whether policy supports entitling the plaintiff to protection. See, e.g., Target, 64 F. Supp. 3d at 1309. Considerations include the consequences and the overall public interest in imposing a duty. See Ford v. Oliver, 176 A.3d 891, 906 (Pa. Super. Ct. 2017). For example, courts consider which party is in the best position to prevent injury. See, e.g., Staggs ex rel. Coulter v. ADS Logistics Co., LLC, 102 N.E.3d 319 (Ind. Ct. App. 2018). Courts also aim to discourage future harm by “imposing the costs of negligent conduct upon those responsible.” Regents, 413 P.3d at 672.

Confidentiality of patients’ information raises policy concerns that warrant imposing a duty. See Biddle v. Warren Gen. Hosp., 715 N.E.2d 518, 523 (Ohio 1999). In Biddle, the court recognized an independent tort for “unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.” Id. The court discussed the need for a remedy for “so palpable a wrong” as breaching confidentiality. Id. at 522-23.

Here, Missouriana law manifests policy concerns related to protection of patients’ health information in both statutory and judicial contexts. For example, Missouriana recognizes that individuals have a general right of privacy in their medical records. See Hanson v. Jones Medical Ctr., 199 Mis. 2d 321, 333 (2002). The Thirteenth Circuit found this aspect of Missouriana law persuasive in imposing a duty. (See R. at 23.) Allowing B&T to freely disregard the putative class’s privacy by not imposing a duty would undermine this general right.

Missouriana statutory law further reflects the state’s concern for privacy. The Missouriana Data Breach Notification Act broadly protects the privacy of all residents of Missouriana. See 410 M.C.S. § 22/46-101(a) (2005). The Act reflects the significance of protecting privacy by requiring “prompt investigation” and notice to affected parties “as soon as possible.” Id. Similarly, 58 M.C.S. § 10/5-101 reflects Missouriana’s interest in protecting patient information by requiring health care providers to maintain patient record confidentiality. Allowing pharmaceutical companies like B&T to freely release patients’ information would undermine both 410 M.C.S. § 22/46-101(a) and 58 M.C.S. § 10/5-101.

B&T’s negligence raises policy concerns well-founded in Missouriana law, and a duty of care should be imposed to prevent future harm. Like in Biddle, B&T breached confidentiality and “palpably wrong[ed]” the putative class in doing so. The putative class trusted B&T to safeguard its ePHI, but B&T left that information vulnerable. (R. at 2-3.) Imposing a duty upon B&T to exercise reasonable care in protecting the putative class’s ePHI serves to avoid future breaches.

The facts alleged in the Complaint support the presence of foreseeability, a relationship between parties, and significant policy concerns. Accordingly, the Thirteenth Circuit correctly held that Missouriana common law imposed a duty upon B&T to exercise reasonable care in safeguarding the putative class’s ePHI.

2. B&T Voluntarily Assumed a Duty to Protect the Putative Class’s Information by Collecting, Storing, and Encrypting That Information.

Even if Missouriana law did not affirmatively impose a duty upon B&T, Hope’s complaint shows that B&T voluntarily assumed one. The source of a duty may be voluntary assumption by a defendant. See, e.g., D.H. ex rel. A.M.J. v. Whipple, 103 N.E.3d 1119, 1130 (Ind. Ct. App. 2018). Under the Second Restatement of Torts, a party has a duty of reasonable care in providing services when the recipient relies on the party. Restatement (Second) of Torts § 323 (Am. Law Inst. 1965). A party voluntarily placing itself in a position of protecting a patient’s health information assumes a duty to that party. See Fanean v. Rite Aid Corp. of Delaware, 984 A.2d 812, 823 (Del. Super. Ct. 2009) (explaining that the defendant voluntarily undertook a duty by deciding to be the plaintiff’s pharmacy and breached that duty by disclosing sensitive medical information to third parties); Weinberg v. Advanced Data Processing, Inc., 147 F. Supp. 3d 1359, 1366 (S.D. Fla. 2015) (explaining that the defendant assumed a duty to protect patients’ information by voluntarily agreeing to provide medical billing services).

Here, B&T voluntarily assumed a duty of care by placing itself into the circumstances at hand. B&T had no obligation to provide the prescription assistance program. (See R. at 2.) Also, B&T had no obligation to require participants to complete such a detailed application form that required participants’ social security numbers and medical histories. (See id.) Alternatively, B&T could have implemented a prescription assistance program without storing the putative class’s health information electronically. For example, the information could have been destroyed after review or maintained in paper form. The putative class relied upon B&T to safeguard their ePHI. B&T held their information, thereby taking responsibility for its protection.

Thus, Hope’s Complaint pleaded facts showing that B&T voluntarily assumed a duty to prevent a breach of confidentiality. Like in Fanean and Weinberg, B&T voluntarily assumed a duty to protect sensitive medical information and should be held accountable.

3. The Scope of B&T’s Duty Is a Question of Fact.

Finally, much of the district court’s reasoning in dismissing Hope’s Complaint relates to the applicable standard of care rather than whether a duty existed under Missouriana law. “‘Duty’ and the ‘standard of care’ are separate and distinct concepts.” E.g., Oakey ex rel. Lucero v. May Maple Pharmacy, Inc., 399 P.3d 939, 946-47 (N.M. Ct. App. 2017). Whether a duty exists is a question of law. Id. at 947. Where a duty does exist, whether a person has conformed to a standard of care must be determined as a question of fact. Id.


In ostensible support of the absence of a duty, the district court improperly focused on B&T’s standard of care. The district court criticized Hope’s Complaint for stating a negligence theory that allegedly extends beyond HIPAA’s requirements. (See R. at 12.) Also, the district court stressed that “Hope’s problem [is that] he does not point to an independent state law basis for finding the pharmaceutical company owed the plaintiff class a duty to maintain their records in encrypted form at all times.” (R. at 13.)

However, even taking the district court’s assertions as true, Hope’s claim should survive the Fed. R. Civ. P. 12(b)(6) motion to dismiss. The scope of B&T’s duty relative to HIPAA’s requirements and the way B&T should have maintained the putative class’s records are factual questions that should be resolved on remand.

C. B&T Had a Duty to Protect the Class’s Health Information Under Missouriana’s Negligence Per Se Statute.

The Thirteenth Circuit correctly held that under Missouriana law Hope’s negligence per se claims could be based on B&T violating HIPAA. The negligence per se doctrine recognizes that parties should be held liable for negligently harming others by violating prescribed laws. See Martin v. Herzog, 126 N.E. 814, 815-15 (N.Y. 1920) (“[T]o omit, wilfully or heedlessly, the safeguards prescribed by law . . . is to fall short of the standard of diligence to which those who live in organized society are under a duty to conform.”). The Missouriana legislature codified the negligence per se doctrine by adopting the language of the Third Restatement of Torts verbatim. Compare 302 M.C.S. § 3/22-104, with Restatement (Third) of Torts § 14 (Am. Law Inst. 2010).

The Thirteenth Circuit reviewed the language of Missouriana’s negligence per se statute and correctly held that HIPAA could provide the standard of care. Specifically, Hope’s Complaint stated a valid negligence per se claim because the Missouriana legislature drafted § 3/22-104 to include violation of a federal regulation as a basis for finding negligence, and Hope’s negligence per se claim relates to provisions of HIPAA that definitively required B&T’s compliance.

1. Missouriana’s Negligence Per Se Statute Allows Federal Statutes and Regulations to Define the Standard of Care.

B&T’s violation of a federal regulation amounts to negligence under Missouriana’s negligence per se statute. This Court has recognized that violation of a federal statute may be an element of a state negligence claim, even where Congress has not provided a private, federal cause of action. See Merrell Dow, 478 U.S. at 817 (remanding negligence claim based on violation of the FDCA, which does not provide a private cause of action, to state court based on lack of federal question jurisdiction). This Court has recognized that negligence per se may be based on federal regulations. See Grable, 545 U.S. at 318. Negligence per se claims based on violation of HIPAA have been found to be permissible. See, e.g., K.V. & S.V. v. Women’s Healthcare Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6, 2007). Similarly, courts have entertained negligence per se claims based on violations of OSHA regulations. See, e.g., Pratico v. Portland Terminal Co., 783 F.2d 255, 265 (1st Cir. 1985); Dixon v. Int’l Harvester Co., 754 F.2d 573, 581 (5th Cir. 1985).

Under Missouriana law, HIPAA may form the basis for negligence per se because the state legislature intentionally adopted the negligence per se doctrine set forth in the Third Restatement of Torts, which allows claims to be based on violation of a federal regulation, and HIPAA’s regulations operate upon B&T like statutory law.

a. Interpretation of Missouriana’s Negligence Per Se Statute Should Be Guided by the Restatement of Torts.

By adopting the negligence per se doctrine in the Third Restatement of Torts verbatim, Missouriana’s legislature intended to include negligence per se causes of action based on federal regulations. When a legislature adopts a model law, courts treat the corresponding comments as adopted with it. See, e.g., Basileh v. Alghusain, 912 N.E.2d 814, 821 (Ind. 2009) (“The comments to a uniform act are indicative of the Legislature's intent in enacting a statute based on the uniform act.”); State v. Slavens, 190 S.W.3d 410, 413 (Mo. Ct. App. 2006) (“It has been well established that when the legislature adopts a model act, we must presume that the General Assembly intended to adopt the interpretation of that section contained in the applicable comments.”).

Here, the comments in the Third Restatement unambiguously include federal laws and regulations within the negligence per se doctrine. Comment a of the Restatement indicates that § 14 “equally applies to . . . federal statutes as well as regulations promulgated by federal agencies.” Restatement (Third) of Torts § 14 cmt. a (Am. Law Inst. 2010). By not only adopting this provision, but doing so verbatim, Missouriana also adopted the Restatement’s interpretation. Accordingly, Hope properly based his negligence per se claim on B&T’s violation of a federal regulation.

b. HIPAA’s Regulations at Issue Are Analogous to Statutory Law.

Moreover, HIPAA’s regulations function like statutory law, and B&T was just as negligent for violating these regulations as it would have been for violating statutory law. By drawing a distinction between statutory law and regulatory law, the district court put form over substance.

This Court has provided that “[l]egislative regulations generally fall within the meaning of the word ‘law’ unless there is a ‘clear showing of contrary legislative intent.’” Dep’t of Homeland Sec. v. MacLean, 135 S. Ct. 913, 915 (2015) (citing Chrysler Corp. v. Brown, 441 U.S. 281, 282 (1979)). Legislative regulations issued to implement statutory law have “the force and effect of law.” Batterton v. Francis, 432 U.S. 416, 425 n.9 (1977). Legislative-type rules are those that affect individual rights and obligations. Chrysler, 441 U.S. at 282.


Here, Hope’s Complaint cites provisions of HIPAA that function like statutory law and should have the same effect for purposes of negligence per se. Congress left HHS to promulgate rules to implement HIPAA. HIPAA, Pub. L. No. 104-191, § 264, 110 Stat. 1936 (1996). Covered entities must follow these rules when managing health information, and the federal government can impose penalties for noncompliance. See 45 C.F.R. §§ 164.102-164.534 (providing security and privacy standards); 45 C.F.R. §§ 160.300-160.552 (providing processes for enforcing HIPAA’s regulatory scheme). As such, HIPAA’s rules have the force and effect of law by affecting the rights and obligations of patients and covered entities. B&T acted negligently by violating HIPAA’s requirements, regardless of their source.

2. B&T Was Required to Follow Sections of HIPAA Cited in Hope’s Complaint.

The district court also erred in dismissing Hope’s Complaint for citing an addressable standard because HIPAA required B&T to implement that standard, and Hope cited required standards alongside that addressable standard. Courts consider the entirety of a regulatory scheme when interpreting a regulation. See Alaska Ass’n of Naturopathic Physicians v. State Dep’t of Commerce, 414 P.3d 630, 636 (Alaska 2018).

HIPAA’s addressable standards require action on the part of a covered entity. See 45 C.F.R. § 164.306(d)(3). A covered entity “must assess whether each implementation specification is a reasonable and appropriate safeguard.” Id. (emphasis added). If the covered entity determines that the specification is reasonable and appropriate, it must implement the addressable standard. Id. (emphasis added). Even if the specification is not reasonable and appropriate, the covered entity must document why and implement “an equivalent alternative measure.” Id. (emphasis added). HHS enforces this rule and has imposed monetary penalties. See HHS OCR Imposition of CMP Against Children’s Medical Center of Dallas for Lack of Timely Action Risks Security and Costs Money, Healthcare Compl. Rep. ¶ 480033 (2016) (discussing OCR’s imposition of a penalty of $3,217,000.00 against Children’s Medical Center of Dallas for failing to comply with § 164.306(d)(3)).

Here, B&T had no discretion in deciding whether to continue encrypting the putative class’s ePHI. That B&T initially chose to encrypt the putative class’s ePHI plausibly shows that B&T considered encryption reasonable and appropriate under § 164.306(d)(3). (See R. at 2.) After making this determination, § 164.306(d)(3) unambiguously required B&T to implement an encryption mechanism pursuant to § 164.312(a)(2)(iv).

Also, Hope’s Complaint goes beyond alleging that B&T violated the standard set forth in § 164.312(a)(2)(iv). The Complaint alleges that B&T failed to comply with 45 C.F.R. §§ 164.302-164.318. These regulations include “required” specifications. For example, a covered entity must “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).” 45 C.F.R. § 164.308(a)(1)(ii)(B). Hope has plausibly shown that B&T failed to do so.

Accordingly, Hope based his negligence per se claim on provisions of HIPAA that required B&T’s compliance. The Thirteenth Circuit correctly noted that “the district court took a far too cabined view of the nature of Hope’s assertions.” (R. at 22.) Considering the entirety of HIPAA’s regulatory scheme, B&T cannot assert that its compliance was merely optional.


CONCLUSION

For the foregoing reasons, Hope respectfully asks this Court to affirm the Thirteenth Circuit’s decision denying B&T’s motions to dismiss under Fed. R. Civ. P. 12(b)(1) and Fed. R. Civ. P. 12(b)(6).

Respectfully Submitted,

Team 2720
Attorneys for Respondent


APPENDIX A

45 C.F.R. §§ 164.306, 164.312

45 C.F.R. § 164.306 Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:
    (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
    (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
    (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
    (4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.
    (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
    (2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
        (i) The size, complexity, and capabilities of the covered entity or business associate.
        (ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
        (iii) The costs of security measures.
        (iv) The probability and criticality of potential risks to electronic protected health information.

(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §§164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:
    (1) Implementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.
    (2) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
    (3) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes addressable implementation specifications, a covered entity or business associate must—
        (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
        (ii) As applicable to the covered entity or business associate—
            (A) Implement the implementation specification if reasonable and appropriate; or
            (B) If implementing the implementation specification is not reasonable and appropriate—
                (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
                (2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii).

45 C.F.R. § 164.312 Technical safeguards.

A covered entity or business associate must, in accordance with §164.306:

(a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
    (2) Implementation specifications:
        (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
        (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
        (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
        (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c) (1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
    (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

(e) (1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
    (2) Implementation specifications:
        (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
        (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.