Harrold-Jones v. Drury

          Petition for Review from the Superior Court of the State of Alaska, Third Judicial District, Palmer, No. 3PA-16-01470 CI, Gregory Heath, Judge.

          Darryl L. Thompson, Darryl L. Thompson, P.C., Anchorage, for Petitioners.

          DonnaM. Meyers, Whitney L. Traeger, and Timothy J. Lamb, Delaney Wiles, Inc., Anchorage, for Respondents.

          Roger F. Holmes, Biss & Holmes, Anchorage, for Amicus Curiae Alaska State Medical Association.

          Margaret Simonian, Dillon & Findley, P.C., Anchorage, for Amicus Curiae Alaska Trial Lawyers.

          Before: Stowers, Chief Justice, Winfree, Maassen, Bolger, and Carney, Justices.

          OPINION

          WINFREE, JUSTICE.

         I. INTRODUCTION

         We granted this petition for review to consider how the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) - establishing medical privacy standards with specific exceptions - affected our personal injury case law allowing a defendant ex parte contact with a plaintiffs doctors as a method of informal discovery. We requested that the parties specifically brief whether the federal law preempted our case law, or, if not, whether federal law otherwise required us to overrule or modify our case law. We conclude that the federal law does not preempt our existing case law. But we also conclude that we should overrule our case law because its foundations have been eroded by a cultural shift in views on medical privacy and new federal procedural requirements undermining the use of ex parte contact as an informal discovery measure. We therefore hold that - absent voluntary agreement - a defendant may not make ex parte contact with a plaintiffs treating physicians without a court order, which generally should not be issued absent extraordinary circumstances. We believe that formal discovery methods are more likely to comply with the federal law and promote justice and that such court orders rarely, if ever, will be necessary.

         II. FACTS AND PROCEEDINGS

         In August 2014 Tarri Harrold-Jones fractured her clavicle. She visited the emergency room and was referred to Denali Orthopedic Surgery. Dr. Tucker Drury, a Denali physician, later performed corrective surgery. Harrold-Jones experienced continued pain and discomfort following the surgical procedure and she returned to Denali, where Dr. William Pace evaluated her.

         Harrold-Jones ended treatment at Denali and transferred her care to another doctor. Harrold-Jones later retained counsel who sent Denali a letter in early 2015, attaching a draft complaint alleging Drs. Drury's and Pace's malpractice and seeking compensation.^[1] Denali's counsel responded by requesting a medical release authorizing access to Harrold-Jones's "complete medical record or designated record set" and authorizing ex parte contact with her medical providers. Harrold-Jones refused to sign the authorization. Denali's counsel responded by narrowing the request to a release for Harrold-Jones's new doctor's office and to allow counsel to make ex parte contact with the new doctor.^[2] Harrold-Jones refused to sign this authorization and two similar requested authorizations in the following months.

         Harrold-Jones filed a medical malpractice suit against Denali and the two doctors in April 2016. Denali's counsel renewed the request for a release authorizing ex parte contact with Harrold-Jones's new doctor three more times. Harrold-Jones continued to refuse this authorization, and she sought a protective order prohibiting Denali from having ex parte contact with her new treating doctor. Denali opposed and moved to compel Harrold-Jones to authorize such contact. The superior court denied Harrold-Jones's motion and granted Denali's in August 2016, relying on Langdon v. Champion as the basis for its ruling.^[3]

         Harrold-Jones petitioned for review, which we granted to decide whether HIPAA preempts our case law allowing ex parte contact with a plaintiffs treating physician or otherwise requires us to overrule or modify that case law.

         III. STANDARD OF REVIEW

         "Whether a defendant's counsel has the right to engage in informal ex parte interviews with a plaintiff s treating physician is a question of law."^[4] The "interpretation of federal statutes" is a question of law.^[5] "Whether a federal statute preempts a state court rule is also a question of law."^[6] "We review questions of law de novo, 'adopting the rule of law most persuasive in light of precedent, reason, and policy.' "^[7]

         IV. DISCUSSION

         We granted Harrold-Jones's petition for review primarily to decide HIPAA's effect on "our existing case law regarding a plaintiffs waiver of the patient/physician privilege and ex parte communications between defense counsel and the plaintiffs treating physicians."^[8] Having reviewed HIPAA and the regulations promulgated under its authority, we conclude that federal law does not preempt our decisions allowing ex parte communications between defense counsel and a plaintiffs treating physicians. But new procedural requirements HIPAA imposes on ex parte contact - amidst a cultural shift emphasizing medical privacy - significantly undermine the reasoning behind our original decisions. Based on this change in circumstances, we overrule Langdon and hold that - absent agreement by the plaintiff - a defendant or defendant's counsel may not make ex parte contact with a plaintiffs treating physician unless authorized to do so by a court order, which we believe generally should be available only under extraordinary circumstances.

         A. HIPAA Provides Privacy Protections, With Relevant Exceptions.

         We begin our analysis with the federal law in question. Congress enacted HIPAA in 1996 to improve health insurance coverage, combat fraud, and simplify health insurance administration.^[9] Subtitle F of HIPAA addressed patient privacy by defining protected health information, defining entities who must protect health information, and requesting further privacy recommendations from the Department of Health and Human Services (HHS).^[10] Congress instructed HHS to promulgate further privacy regulations if Congress failed to do so within three years of HIPAA's enactment.^[11] After the three years passed without congressional action, HHS promulgated the "Privacy Rule, "^[12] a series of regulations governing permitted uses and disclosures of protected health information. Together, Subtitle F of HIPAA and the Privacy Rule form the federal law at issue in this case, which we will refer to collectively as HIPAA for ease of reference.

         1. Overview of privacy protections

         HIPAA's privacy framework begins with express preemption. HIPAA preempts contrary state laws unless they are more stringent than HIPAA itself.^[13] A state law is "contrary" to HIPAA if a covered entity would find it impossible to comply with both the state and federal requirements or if the state law is an obstacle to the accomplishment of the full purposes of HIPAA section 264.^[14]

         HIPAA then protects a subject individual's privacy with a two-part rule regarding protected health information.^[15] First, HIPAA broadly prohibits any covered entity^[16] from using or disclosing^[17] protected health information.^[18] Denali does not dispute that ex parte contact with Harrold-Jones's treating physician would constitute use or disclosure of protected health information by a covered entity. Second, HIPAA provides specific exceptions to the prohibition for enumerated uses and disclosures.^[19]Only two HIPAA exceptions require disclosure;^[20] the remainder leave the choice of disclosure to the covered entity.^[21] Two of these permissive exceptions are applicable here. First, a covered entity may disclose protected health information with a valid authorization from the subject individual (the authorization exception).^[22] Second, a covered entity may disclose protected health information in the context of a judicial or administrative proceeding (the litigation exception).^[23]

         2. The authorization exception

         The authorization exception allows permissive disclosure once the subject executes a valid authorization.^[24] A valid authorization contains at minimum: (1) a statement of the remuneration, if any is involved; (2) a description of the information to be used or disclosed identified in a specific and meaningful fashion; (3) "[t]he name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure"; (4) "[t]he name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure"; (5) "[a] description of each purpose of the requested use or disclosure"; (6) an expiration date or event related to the subject or the purpose of the use or disclosure; and (7) the date and the subject's signature.^[25] An authorization must be written in plain language^[26] and contain a statement informing the subject of the right to revoke the authorization.^[27] The subject may revoke an authorization at any time.^[28]

         Covered entities making disclosures under HIPAA normally "must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose" of the disclosure.^[29] But the minimum necessary standard does not apply to disclosures made under the authorization exception^[30] because authorizations are "voluntary";^[31] the scope of disclosure is instead governed by the terms of the authorization.^[32]

         3. The litigation exception

         The litigation exception contrastingly allows for permissive disclosure even against the subject's wishes. A covered entity may disclose protected health information if, and only to the extent that, the disclosure is otherwise required by law and the covered entity meets one of three litigation-related requirements.^[33] First, the disclosure can be made in response to an authorizing court order, such as a court-issued subpoena.^[34]HIPAA restricts such orders to "mandate[s] contained in law that compel[] an entity to make a use or disclosure of protected health information and that is enforceable in a court of law"; accordingly state court orders must also comply with state law under HIPAA.^[35]Second, the disclosure can be made in response to a party's subpoena, discovery request, or other lawful process if the covered entity receives "satisfactory assurances" from the requesting party.^[36] "Satisfactory assurances" means the requesting party either has provided the subject notice and opportunity to object^[37] or has received a qualified protective order limiting disclosure to that relevant to the current proceeding.^[38] Third, the disclosure can be made in response to a party's subpoena, discovery request, or other lawful process if the covered entity itself provides the subject with notice and opportunity to object or seeks a qualified protective order.^[39] As with the authorization exception, the covered entity is not obligated by HIPAA to make any disclosure under any of the three litigation exception avenues.^[40]

         The scope of disclosure subtly differs between the authorization exception and the litigation exception, and within the litigation exception's different mechanisms. While the scope of disclosure under the authorization exception is determined by the authorization's language, the scope of disclosure under a court order is determined by the terms of that order - i.e., state law.^[41] But the scope of qualified protective orders is defined by HIPAA itself; all qualified protective orders must contain a prohibition on the use or disclosure of protected health information for any purpose other than the current proceeding and a required return or destruction of the protected health information at litigation's end.^[42] As with the authorization exception, HIPAA's minimum necessary requirements^[43] do not apply to the litigation exception^[44] because "the individual exercises the right to object before the court or other body having jurisdiction over the proceeding."^[45]

         B. HIPAA Does Not Preempt Alaska Law Allowing Ex Parte Contact.

         Under the Supremacy Clause, "the Laws of the United States ... shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding."^[46] This clause mandates federal preemption of state law when a federal law contains express preemptive language, conflicts with a state law, or displaces all state laws by occupying the entire regulated field.^[47] HIPAA contains express preemptive language; therefore the express preemption doctrine governs this case.^[48]

         HIPAA's preemption clause states: "A regulation promulgated under [HIPAA] shall not supercede a contrary provision of State law, if the provision of state law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation."^[49] "Contrary.. .means: (1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or (2) the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA section 264]."^[50] Applying the plain language of HIPAA's two-part test, the Langdon rule is not preempted because it is not contrary to HIPAA.^[51]

         First, a covered entity would not "find it impossible to comply with both the State and Federal requirements."^[52] Though HIPAA broadly prohibits covered entities from disclosing health information without the subject's consent, ^[53] HIPAA expressly contemplates exceptions to this rule. Specifically, the authorization exception allows for "use or disclosure of protected health information" when "a covered entity obtains or receives a valid authorization for its use."^[54] Harrold-Jones's treating physician could thus comply with "both the State and Federal requirements" if Harrold-Jones voluntarily consented to ex parte contact through HIPAA's authorization exception.^[55] Similarly, the litigation exception provides that a "covered entity may disclose protected health information in the course of any judicial or administrative proceeding" in response to a court order.^[56] Ex parte contacts under Alaska law are unquestionably "in the course of a[] judicial proceeding";^[57] Denali could therefore obtain a court order authorizing Harrold-Jones's treating physician's ex parte contact with Denali's counsel. Given these exceptions, a covered entity would not "find it impossible to comply with both the State and Federal requirements."^[58]

         Second, the Langdon rule is not an "obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA section 264]."^[59] HIPAA section 264 directed HHS to promulgate regulations addressing: (1) "rights that an individual who is a subject of individually identifiable health information should have"; (2) "procedures that should be established for the exercise of such rights"; and (3) "uses and disclosures of such information that should be authorized or required."^[60] HHS responded by promulgating a rule that contained no mention of ex parte contact and did not explicitly prevent states from conditioning lawsuits on authorization waivers.^[61] In fact, the rule allowed states to condition public benefits on the execution of an authorization.^[62] HHS's allowance of public benefit conditions - while failing to preclude conditions on lawsuits and only specifically prohibiting conditions on providing treatment - suggests that compelling allowance of ex parte contact with a plaintiffs treating physician is not an "obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA]."^[63] Therefore, because a plaintiffs treating physician can make ex parte contact in Alaska without violating HIPAA or frustrating its full purposes and objectives, HIPAA does not preempt Langdon.

         Harrold-Jones argues that this conclusion cannot be correct because "[s]tate law is preempted unless state law provides for more stringent privacy protections than that provided by HIPAA." But Harrold-Jones misconstrues HIPAA. The threshold step in conducting HIPAA's preemption analysis is whether the state law is "contrary" to HIPAA; if the state law is not contrary, no stringency analysis is required. Harrold- Jones's stringency argument fails.

         We therefore conclude that HIPAA does not preempt our existing case law allowing ex parte contact between defense counsel and a plaintiffs treating physician.

         C. Ex Parte Contact Over The Plaintiffs Objection Is No Longer Appropriate Under Alaska Law.

         Our analysis does not end there. Although the Supremacy Clause may not forbid ex parte contact in Alaska, HIPAA embodies a cultural shift in how medical privacy is viewed and has created a new procedural framework for sharing medical information in litigation. Having considered HIPAA's underpinnings and reviewed this new framework, the legal basis for our ex parte contact jurisprudence, and how ex parte contact operates under this new framework, we no longer are convinced that unrestricted ex parte access to a plaintiffs treating physician over the plaintiffs objection should be allowed.

         Our decision is informed both by HIPAA and the original rationale of the Langdon rule. We first articulated the reasoning behind Langdon in Trans-World Investments v. Drobny, where we noted: "We find no legal impediments ... limit[ing] informal methods of discovery, such as private conferences with the attending physicians[;].... such informal methods are to be encouraged, for they facilitate early evaluation and settlement of cases, with a resulting decrease in litigation costs, and represent further the wise application of judicial resources."^[64] We reaffirmed Drobny in Arctic Motor Freight, Inc. v. Stover, explaining that "the filing of apersonal injury action by the plaintiff results in a waiver of his physician-patient privilege as to all information concerning his health and medical history relevant to the matters which he has placed in issue in the litigation."^[65] The Langdon rule thus began with our recognition that waiver of the physician-patient privilege removed any barrier to informal contact between a plaintiffs treating physician and defense counsel.

         That rationale is no longer sound in light of HIPAA. As explained above, a plaintiffs treating physician could disclose protected information in compliance with HIPAA in one of two ways: either the plaintiff could sign an authorization allowing the physician to disclose protected health information^[66] or the trial court could issue an order authorizing the physician to disclose protected health information.^[67] But both options come with procedural barriers requiring trial court intervention, ...