W. Va. Dept. of Health and Human Resources/Behavioral Health v. E.H.
W. Va.10/15/2015
AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
IN THE SUPREME COURT OF APPEALS OF WEST VIRGINIA September 2015 Term FILED __________ October 15, 2015 released at 3:00 p.m. No. 14-0965 RORY L. PERRY II, CLERK SUPREME COURT OF APPEALS __________ OF WEST VIRGINIA WEST VIRGINIA DEPARTMENT of HEALTH and HUMAN RESOURCES, BUREAU for BEHAVIORAL HEALTH and HEALTH FACILITIES, Petitioners v. E.H., et al., Respondents ______________________________________________________ Appeal from the Circuit Court of Kanawha County Honorable Louis H. Bloom Civil Action No. 81-MISC-585 AFFIRMED ________________________________________________________ Submitted: September 15, 2015 Filed: October 15, 2015 Patrick Morrisey, Esq. Jennifer S. Wagner, Esq. Attorney General Mountain State Justice, Inc. Elbert Lin, Esq. Clarksburg, West Virginia Solicitor General Julie Marie Blake, Esq. Lydia C. Milnes, Esq. Assistant Attorney General Mountain State Justice, Inc. Charleston, West Virginia Charleston, West Virginia Counsel for DHHR Counsel for Respondents JUSTICE LOUGHRY delivered the Opinion of the Court. JUSTICE DAVIS dissents and reserves the right to file a dissenting opinion. SYLLABUS 1. âIn the context of institutional reform litigation, this Court may choose to exercise its appellate jurisdiction over an order entered by the circuit court that it deems to approximate a final order by its nature and effect.â Syl. Pt. 1, West Virginia Depât of Health and Human Servs. v. E.H., Nos. 14-0664, 14-0845, __ W.Va. __, __ S.E.2d __ (Oct. 7, 2015). 2. A written agreement between the Department of Health and Human Resources and the provider of patient advocacy services that specifies the legal obligations of the parties, including the manner of payment and the duties associated with the provision of patient advocacy services, constitutes a contract within the meaning of 64 C.S.R. § 59 11.5.1.d. for purposes of permitting patient advocates to access records without the written consent of individuals hospitalized with mental health issues in state facilities. LOUGHRY, Justice: The West Virginia Department of Health and Human Resources, the Bureau for Behavioral Health and Health Facilities (âDHHRâ), seeks to reverse the August 27, 2014, order of the Circuit Court of Kanawha County, through which the DHHR was directed to immediately restore access to patients and patient records to the patient advocates working at this stateâs two psychiatric hospitals.1 In challenging this ruling, the DHHR argues that the circuit courtâs order violates both the patientsâ constitutional rights to privacy and the Federal Health Insurance Portability and Accountability Act (âHIPAAâ). The respondent advocates for patients at Sharpe and Bateman Hospitals (sometimes referred to as the âhospitalsâ) insist that the directives of the circuit court should be affirmed due to the clear lack of constitutional or HIPAA violations. Having reviewed the record in this case to verify the absence of constitutional infirmity as well as the lack of state or federal privacy law violations stemming from the access historically afforded to patient advocates at these facilities, we affirm the circuit courtâs decision to restore the access afforded to the patient advocates to the level they experienced prior to the abrupt change of course in June 2014. Given the lower courtâs partial reliance on certain HIPAA definitions and exclusions that we find to be wholly inapplicable, our decision to affirm is grounded solely on state law rather than an amalgam of state and federal law.2 1 Mildred Mitchell Bateman (âBatemanâ) and William R. Sharpe, Jr. (âSharpeâ). 2 See Syl. Pt. 3, Barnett v. Wolfolk, 149 W.Va. 246, 140 S.E.2d 466 (1965) (âThis Court may, on appeal, affirm the judgment of the lower court when it appears that such 1 I. Factual and Procedural Background The underlying litigation had its genesis in 1981 with a petition for a writ of mandamus filed by a group of institutionalized individuals to address the civil rights of patients with mental disabilities.3 See E.H. v. Matin (known as âHartleyâ or âMatin Iâ), 168 W.Va. 248, 284 S.E.2d 232 (1981). This Court remanded the Hartley case to the Kanawha County Circuit Court to achieve the legislative mandate of providing appropriate care and treatment to those individuals who are involuntarily hospitalized. See W.Va. Code § 27-5-9 (2013). To that end, the West Virginia Behavioral Health System Plan (âBHSPâ), a comprehensive mental health plan, which addressed the various standards, conditions, and facilities, was accepted by the circuit court in 1983.4 See E.H. v. Matin â(âMatin IIâ), 189 W.Va, 102, 104, 428 S.E.2d 523, 525 (1993). As part of the BHSP, the DHHR was required to establish a patient advocacy system within the state hospitals to protect the rights of institutionalized patients on an ongoing basis. Originally, the patient advocates were DHHR employees who maintained offices within the hospitals. Due to issues that arose in the late 1980s stemming from improper personal relationships between the patient advocates and the judgment is correct on any legal ground disclosed by the record, regardless of the ground, reason or theory assigned by the lower court as the basis for its judgment.â). 3 See W.Va. Code § 27-5-9 (2013) (providing, inter alia, that â[e]ach patient of a mental health facility . . . shall receive care and treatment that is suited to his or her needs and administered in a skillful, safe and humane manner with full respect for his or her dignity and personal integrityâ). 4 This plan, a 330-page document, was reached by agreement among the parties. See Matin II, 189 W.Va. at 104 n.2, 428 S.E.2d at 525 n.2. 2 hospital administrators, the court monitor formally recommended that the DHHR be required to contract with an external entity to perform the patient advocacy services. No one objected to this proposal and the recommendation was adopted by order, entered on February 20, 1990 (the â1990 orderâ).5 In accordance with its obligations under the 1990 order, the DHHR immediately contracted with Legal Aid of West Virginia (âLegal Aidâ) to provide patient advocacy services. In this role, which it has occupied since its selection in 1990, Legal Aid assists with and investigates individual grievances, conducts abuse and neglect investigations, educates staff and patients about patient civil rights, and monitors Sharpe and Bateman for the purpose of ensuring compliance with this stateâs guarantee of patient civil rights. See W.Va. Code § 27-5-9. Legislative rules expressly designed to âestablish[] the rights of clients of State-operated behavioral health facilitiesâ were adopted in 1995.6 See 64 C.S.R. § 59-1.1. Those rules specify procedures that pertain to the mandated provision of patient advocacy services7 and delineate a litany of patient rights that the hospitals are required to observe, including confidentiality. See id. at §§ 59-1 to -20. 5 Pursuant to that order, the DHHR was directed to âcontract with an entity outside State government for the provision of advocacy.â 6 These rules were adopted under authority of West Virginia Code § 27-5-9(g). 7 âThere shall be persons designated as client (or patient or resident) advocates who are independent of the facility management in every behavioral health facility.â 64 C.S.R. § 59-20.1. 3 Court monitoring of the Hartley case continued until 2002 when, by agreement of the parties, the case was removed from the active docket of the court.8 See E.H. v. Matin (âMatin IIIâ), 189 W.Va. 445, 432 S.E.2d 207 (1993) (approving continued circuit court monitoring). In that same year, the DHHR decided to create the Office of the Ombudsman (âOmbudsmanâ)âan office charged with overseeing compliance with the statutory duties related to operation of the state hospitals. As the direct result of the Ombudsmanâs July 3, 2008, report, documenting deplorable conditions and treatment of patients at Sharpe and Bateman, the circuit court reopened the Hartley case. See State ex rel. Matin v. Bloom (âMatin IVâ), 223 W.Va. 379, 383-84, 674 S.E.2d 240, 244-45 (2009) (identifying issues of overcrowding, lack of privacy, and denial of patientsâ daily grooming and cleanliness needs). Systemic violations of patient rights, including the use of âchemical restraints,â were demonstrated during a two-day evidentiary hearing held before the circuit court in April 2009. At the conclusion of the hearing, the trial court ordered the parties to participate in mediation which resulted in an agreement between the parties covering multiple issues. Under that court-approved agreement, commonly referred to as the â2009 Agreed Order,â the Ombudsman is charged with the duty to oversee implementation of the specific terms of 8 Court monitoring was resumed in 2009 based on reports of both the conditions and treatment of patients at Sharpe and Bateman. 4 the agreement. Included in those terms is a provision requiring Sharpe and Bateman to fully comply with the state regulations that address issues of patient care and patient advocacy services. See 64 C.S.R. §§ 59-1 to -20. The 2009 Agreed Order requires that â[p]eriodic review shall be established for compliance with [specified] sections.â9 In recognition of this duty, the DHHR contracted with Legal Aid to âproduce a report to inform Judge Bloom, [and] the Hartley Court Monitor . . . of any progress or lack of progress in implementing areas of Legislative Rule Title 64 Code of State Rules (CSR) Series 59 . . . within Sharpe and Bateman by the end of the grant period.â10 On January 5, 2010, the parties agreed that the patient advocates would create an assessment tool for the hospital audits necessary to enable the DHHR to comply with the periodic review contemplated by the 2009 Agreed Order. On March 31, 2010, the DHHR agreed that quarterly audits should be conducted by providing the patient advocates with complete access to at least two patients from each unit independent of any actual grievances filed. On May 5, 2010, the parties agreed that the audit instrument was finalized and the patient advocates were instructed âto begin implementation.â 9 Those sections are 64 C.S.R. §§ 59-12, -13, -14, -15.1.7, -15.1.12, -15.2, -15.3, and -16.4.2. 10 This language appears in each of the annual grant documents in the record of this case. Those documents set forth the duties of Legal Aid in relation to the patient advocacy services and provide the necessary funding for such services. 5 For more than a decade, the DHHR provided the patient advocates with full access to computerized patient records, to the patient wards, and other areas of the hospitals. Then, in June 2014, with no prior notice, the DHHR began requiring the patient advocates to obtain signed releases from each patient, the patientâs guardian, and/or the person with the medical power of attorney before obtaining any information from or about the patient.11 Under the altered procedures, a newly-executed release specifying the basis of inquiry was required each time the advocates sought to review a patientâs records. Legal Aid stated that even if the inquiry pertained to a previously-authorized matter, a new release was required for each successive day a patient advocate sought access to a patientâs records.12 In addition to this novel procedure of requiring a release in advance of any records inspection, Legal Aid was denied access to the network of patient recordsâaccess required for conducting the systemic reviews or audits of the two facilities. In response to this abrupt change of policy regarding access to patient records, the patient advocates filed a motion for emergency relief with the circuit court and a hearing was held on August 1, 2014. After finding no violation of federal or state law, the circuit 11 The decision to alter access was made by the DHHRâs Privacy Officer, Lindsey McIntosh. Before making this change in tack, Ms. McIntosh acknowledged she did not investigate the role or needs of the advocates; she did not visit Bateman or Sharpe; she did not speak to Legal Aid; and she did not review any of the orders pertaining to this case. 12 According to the DHHRâs representation in its response to the Motion for Emergency Relief, each authorization was good for 180 days. 6 court directed the DHHR, by order of August 24, 2014, to immediately restore Legal Aid to the previous levels of access at Sharpe and Bateman. On August 29, 2014, the circuit court denied the DHHRâs motion for stay of the August 27, 2014, amended ruling.13 By order of September 14, 2014, this Court stayed the lower courtâs order and granted the appeal filed by the DHHR. II. Standard of Review Given our conclusion that the August 27, 2014, amended ruling constitutes a final order notwithstanding the trial courtâs contrary ruling,14 we review the subject order pursuant to our well-established standard of examining questions of law de novo while reversing factual determinations only upon a showing of clear error. See Syl. Pt. 2, Walker v. W.Va. Ethics Commân, 201 W.Va. 108, 492 S.E.2d 167 (1997). This Court recently 13 Minor changes were made to the previous ruling. The only substantive amendments were to remove the reference to the patient advocates as having been created by both federal and state law (they were created solely under state law) and to recognize that grievances may be initiated independently by a patient advocate separate from a patientâs allegation of abuse or assertion of a civil rights violation. 14 By order entered on August 29, 2014, the circuit court refused to grant the DHHRâs request to have the August 27, 2014, order deemed a final order. The rationale for its ruling is clear: the trial court was trying to prevent the DHHR from belatedly seeking relief from its previously unappealed 1990 Order. Because the courtâs ruling was not impelled by the need to address additional issues arising from reduced access (i.e. a lack of finality) and because there are no further issues to be resolved concerning access, we deem the August 27, 2014, ruling to be final for purposes of allowing this Court to address the issues before us through the subject appeal. 7 dispelled any concerns with regard to its right to consider this matter by means of an appeal15 with our recent holding in syllabus point one of West Virginia Department of Health and Human Services et al. v. E.H., __ W.Va. __, __ S.E.2d __ , Nos. 14-0664, 14-0845 (Oct. 7, 2015), wherein we held that â[i]n the context of institutional reform litigation, this Court may choose to exercise its appellate jurisdiction over an order entered by the circuit court that it deems to approximate a final order by its nature and effect.â Accordingly, we proceed to determine whether the trial court erred in issuing the ruling under review. III. Discussion A. Constitutional Privacy Rights In support of its position that the lower courtâs order improperly requires unfettered disclosure of patient records to the patient advocates, the DHHR maintains that the Fourteenth Amendment has been recognized to protect an individualâs right to privacy with regard to avoiding disclosure of personal matters. See Whalen v. Roe, 429 U.S. 589, 599 (1977); accord Doe v. City of New York, 15 F.3d 264, 267 (2d Cir. 1994) (âExtension of the right to confidentiality to personal medical information recognizes there are few matters that are quite so personal as the status of oneâs health, and few matters the dissemination of which one would prefer to maintain greater control over.â). Because the trial court failed to employ a balancing test to assess the reasonableness of the privacy 15 Cf. Syl. Pt. 5, Riffe v. Armstrong, 197 W.Va. 626, 477 S.E.2d 535 (1996). 8 intrusion that flows from the sweeping access mandated by the order at issue, the DHHR argues that the constitutional rights of patients at Sharpe and Bateman outweigh Legal Aidâs interest in accessing patient files. See Nixon v. Admâr of Genâl Servs., 433 U.S. 425, 458-60 (1977) (utilizing balancing test to measure privacy intrusion against reasonableness of governmental actions). Emphasizing the enhanced need to conduct this inquiry when a realistic probability of public disclosure exists as in this case, the DHHR posits that the circuit court erred by failing to consider the applicability of constitutionally-based protections for the health information contained in the patient records. Legal Aid contends that the DHHR improperly seeks to inject constitutional error into this matter with an issue never addressed by the circuit court.16 Not only does Legal Aid concur with the tenets of privacy law articulated by the DHHR, but it fully agrees with the petitionersâ statement that âthe Fourteenth Amendmentâs right to informational privacy forbids the indiscriminate disclosure of state psychiatric records.â Legal Aid emphasizes that the patient advocates neither seek the indiscriminate disclosure of patient records nor do they conduct their advocacy services in a manner inconsistent with the 16 Legal Aid asserts that the DHHR did not raise the issue of constitutional error at the August 1, 2014, hearing. In response, the DHHR states that the evidentiary proceeding was not the forum in which to assert legal error. The record demonstrates that the DHHR advanced the issue of constitutional error in its response to Legal Aidâs Motion for Emergency Relief. Citing Griswold v. Connecticut, 381 U.S. 479 (1965), the DHHR asserted that unlimited access to patient records absent patient consent is a violation of the right to privacy judicially deemed to arise under the First Amendment. 9 patientsâ privacy rights. Dismissing the need for an extended discourse about the existence of privacy rights, Legal Aid states that the issue presented is simply whether the disclosure of patient records pursuant to state and federal laws enacted to protect patient rights runs afoul of those acknowledged rights. Or stated in the converse, do provisions of federal and/or state law permit the disclosure of patient records to the patient advocates under contract with DHHR to provide advocacy services at Bateman and Sharpe. At the outset, we observe that the constitutional concerns raised by the DHHR are confined to the previous longstanding practice of permitting the advocates to review patient records for purposes of assessing overall hospital conditions.17 The DHHR does not raise the possibility of constitutionally-based privacy violations with regard to individual grievances or complaints of abuse and neglect.18 What the DHHR challenges is the circuit courtâs directive that allows the advocates to have access to patient files unrelated to specific complaints or grievances. This access was authorized, consistent with past practice and the agreement of the parties, for purposes of discerning systemic issues related to the patient 17 It is difficult for this Court to avoid the conclusion that, while seeking to prevent access to the patient advocates under the guise of privacy concerns, the DHHRâs true objective is to make the discovery of systemic problems more difficult for the advocates to identify. 18 Legal Aid asserts that the new policy implemented by the DHHR prevents Legal Aid from complying with the time constraints pertaining to the investigation of abuse and neglect complaints under state law. See 64 C.S.R. § 59-20.2.9 (requiring submission of written report by patient advocate â[w]ithin the next eight (8) regular working hoursâ of receipt of abuse or neglect grievance). 10 rights established by state regulation.19 See 64 C.S.R. §§ 59-1 to -20. Pursuant to the governing Grant Agreement that outlines the duties the DHHR requires of the patient advocates, an annual report reflecting the results of the systemic review is required to be tendered to the circuit court judge, court monitor, the DHHR, and Mountain State Justice.20 Inherent in the DHHRâs argument is a presumption that the systemic review of patientsâ records necessarily results in the wrongful disclosure of medical information. Given that the first and only complaint concerning an alleged violation of HIPAA was filed in 2014 by the DHHRâalmost twenty years after the federal act became lawâit is clear that inappropriate disclosure of patient information has not been taking place as implied by the DHHR. Not only have there been no complaints filed until the DHHR instituted one,21 but the state privacy officers whose responsibility it is to oversee these matters have failed to 19 These periodic reviews, required by the 2009 Agreed Order, have been performed by the patient advocates. Additionally, as noted by the trial court in both its August 18 and 27, 2014, rulings, the âRespondents [DHHR] agreed to the Formal Recommendations [of the Court Monitor], which set forth that systemic advocacy will be pursued by LAWV [Legal Aid], without objection, thereby allowing them to take on the force of Court Order.â 20 During the evidentiary hearing held in this matter on August 1, 2014, the DHHRâs privacy officer, Lindsey McIntosh, was questioned as to how the patient advocates were going to do the systemic audits âwithout access to records or patients or have conversations with staff without individual releases specifying specific grievances.â She answered the query by stating, âI donât know how youâre going to conduct audits if you have to do that.â 21 Finding it to be baseless, the trial court ordered the DHHR to dismiss its complaint. A review of the complaint demonstrates that even the DHHR was dubious about the violation given its statement in the complaint that the âlevel of harmâwas unclear. 11 either independently identify or confirm the existence of any issues concerning the level of access historically afforded to the patient advocates. In seeking to convince this Court that the provision of advocacy services over the past two decades has just recently become a matter of constitutional significance, the DHHR ignores the annual HIPAA training, the executed confidentiality agreements, and state law provisions all designed for the purpose of, and apparently successful at, imposing a high level of confidentiality upon the patient advocates with regard to their review of sensitive health information. As Legal Aid explained, the review undertaken by the patient advocates is conducted in confidence without public disclosure of any protected health information. Critically, there has never been any complaint filed by a Bateman or Sharpe patient, or the patientâs representative, associated with the wrongful dissemination of confidential health information.22 Because the record in this case wholly fails to demonstrate the indiscriminate disclosure of confidential information by the patient advocatesâlet alone any disclosure of protected health information, we are not persuaded that a meritorious issue exists with regard to Legal Aidâs dissemination of confidential health information.23 22 In contrast, there have been patient-initiated complaints since the DHHR imposed the new, limited access provisions. According to Legal Aid, the patients were frustrated by their inability to gain immediate access to the advocates, who were no longer permitted to freely roam the facilities where patients could easily seek them out when needed. 23 As Legal Aid observes, there is no greater risk posed by the patient advocates than by any of the Hospital employees who have access to patient records. 12 Accordingly, we reject the DHHRâs contention that the trial court erred in failing to address whether the access afforded to Legal Aid violates the constitutionally-based rights of privacy of patients at Sharpe and Bateman. B. HIPAA Pursuant to HIPAAâs Privacy Rule (âPrivacy Ruleâ), â[a] covered entity or business associate may not use or disclose24 protected health informationâ barring either a regulatory exemption or written authorization from the subject of the information or his/her representative. 45 C.F.R. § 164.502(a) (2014) (footnote added). The DHHR argues that the patient advocates do not come within any exemptions provided under HIPAA that would eliminate the need to obtain patient consent before viewing medical records. Specifically, the DHHR disagrees with the trial courtâs decision that Legal Aid falls within the HIPAA definition for a âbusiness associate,â a âhealth oversight agency,â or âhealth care operations.â The DHHR also objects to the trial courtâs reliance on the HIPAA exemption pertaining to disclosures ârequired by law.â Each of these HIPAA definitions and its respective applicability to the matter before us will be examined in turn. 24 Disclosure is âthe release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.â 45 C.F.R. § 160.103 (2014). 13 1. âBusiness Associateâ Under HIPAA, a âbusiness associateâ relates to and is defined in reference to a âcovered entity.â The Privacy Ruleâs construct of a âcovered entityâ extends to: (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a covered transaction. See 45 C.F.R. § 160.103 (2014). As the circuit court correctly ruled in its August 27th order, both Bateman and Sharpe qualify as covered entities under HIPAA. With scant analysis,25 the trial court and Legal Aid simply adopted the position that the patient advocates necessarily meet the HIPAA definition of a âbusiness associate.â An examination of the pertinent regulations addressing the nature of a âbusiness associateâ clearly refutes this conclusion. Legal Aid repeatedly refers to itself as a âbusiness associateâ of the DHHR. Because the DHHR is not a âcovered entityâ under HIPAA, the relationship between Legal Aid and the DHHR is not controlling. To come within HIPAAâs exclusionary language, Legal Aid must be a âbusiness associateâ of Sharpe and Bateman. In further explanation of what is necessary to qualify as a âbusiness associate,â the regulations provide that it is a 25 The trial court ruled that Legal Aid is a âbusiness associateâ as set forth in its contract with the DHHR and also due to its receipt of protected health information for quality assurance, patient safety, and other health care operations. As discussed infra, the DHHRâS description of Legal Aid as a âbusiness associateâ is neither controlling nor accurate. The review of protected health information as part of the provision of advocacy services at Sharpe and Bateman does not impel the conclusion that Legal Aid is a âbusiness associate.â 14 person who: (i) On behalf of such covered entity . . . but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 320, billing, benefit management, practice management, and repricing; or (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation . . . , management, administrative, accreditation, or financial services to or for such covered entity . . . . 45 C.F.R. § 160.103. The DHHR argues, and we agree, that the patient advocacy services performed at Bateman and Sharpe are not performed on behalf of either of those facilities within the meaning of the Privacy Rule. See id. In purveying the list of activities that constitute services typically performed by a âbusiness associateâ for a âcovered entity,â patient advocacy is noticeably absent. Rather than serving the interests of the hospitals in terms of providing managerial assistance with their operations, the patient advocates serve the personal interests of the patients who reside at those facilities. From the beginning, the provision of patient advocacy services was created to protect the interests of individual patients. See W.Va. Code § 27-5-9; 64 C.S.R. § 59-20.1 (mandating patient advocates in every behavioral health facility who are independent of facility management). Despite the 15 expanded role of the patient advocates with regard to systemic auditing, the primary objective in conducting these reviews is compliance with patient-oriented rights.26 While it might be tempting to view the provision of patient advocacy services as improving the operations of the facilities under discussion, the pivotal inquiry is whether the advocacy services are being offered by Legal Aid on behalf of the hospitals. That Legal Aid is not operating on behalf of Sharpe and Bateman is easily demonstrated by considering the adversity inherent to the role the patient advocates occupy in relation to those facilities. Rather than advancing the hospitalsâ interests, the advocates are responsible for investigating individual grievances against the hospitals and identifying instances of the hospitalsâ failure to comply with the civil rights afforded to institutionalized patients under state law. By design, the patient advocates operate independently of the hospitalsâ interests and, most decidedly, not on their behalves. We further observe that the improper characterization of Legal Aid as âbusiness associatesâ in the Grant Agreement does not serve to repair the underlying definitional disconnect.27 As the DHHR properly acknowledges, its identification of Legal Aid as a âbusiness associate,â in an admitted and overly-expansive 26 The fact that the institutions may benefit from the provision of these auditing services does not alter the wholly independent and individual-oriented nature of the advocacy actions at issue. 27 The Grant Agreement makes clear that âBusiness Associate shall have the meaning given to such term in 45 CFR § 160.103.â 16 attempt to comply with HIPAA,28 has no corresponding ability to make the characterization a reality under the law. Based on the foregoing, we conclude that the trial court erred in finding that Legal Aid is a âbusiness associateâ of a âcovered entityâ under HIPAA. 2. âHealth Oversight Agencyâ Cherry picking parts of the HIPAA definition of a âhealth oversight agency,â29 the trial court concluded that Legal Aid is such an agency because it âis authorized by law to oversee the health care system . . . or government programs . . . or to enforce civil rights laws for which health information is relevant.â The DHHR argues that no state law invests Legal Aid, a private entity, with public oversight authority. The individualized advocate role that Legal Aid performs, emphasizes the DHHR, is not on par with the public health 28 The DHHR stated that boilerplate business associate addendums were regularly attached to all grant agreements, even when unnecessary, in an effort to comply with HIPAAâs âstern mandate to have an agreement in place with any business associate.â 29 A âhealth oversight agencyâ is defined as an agency or authority of the United States, a State, . . . or a person or entity acting under a grant of authority from or contract with such public agency, . . . that is authorized by law to oversee the health care system . . . or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. 45 C.F.R. § 164.501 (2014). 17 concerns that a health oversight agency is charged to superintend. With regard to the auditing function that Legal Aid performs, that duty is similarly not authorized by state law. Furthermore, Legal Aid has no enforcement power with regard to the civil rights of the patients. From the list of agencies recognized to engage in health oversight activities, such as state insurance commissions, state health professional licensure agencies, state Medicaid fraud control units, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights,30 it is clear that Legal Aid does not qualify as such an agency. Inherent to the concept of a âhealth oversight agencyâ is a charge by law to oversee matters involving public health or for which public health information is intrinsic to the public- oriented duties at hand. Here, the advocacy duties Legal Aid provides do not have at their core a concern for public health or a need to review public health information for eligibility purposes. See 45 C.F.R. § 164.512(d) (2014) (approving disclosure to health oversight agency of protected health information to determine eligibility for government benefit programs). While state regulations authorize patient advocates to investigate and ensure 30 See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462-01, 82492. 18 compliance with civil rights guaranteed by West Virginia Code § 27-5-9, that authority does not imbue Legal Aid with health oversight authority within the meaning of HIPAA. See 64 C.S.R. § 59-20. Unlike the United States Department of Justice, the HHS Office for Civil Rights, and the United States Equal Employment Opportunity Commission, Legal Aid has no enforcement powers pertinent to the patient civil rights it is charged with overseeing. See 65 Fed. Reg. 82462-01, 82492 (identifying entities with civil rights enforcement powers). In the instance of a civil rights violation, Legal Aid lacks authority to sua sponte correct the deficiencies giving rise to the violation or to impose sanctions or penalties. Consequently, we conclude that the trial court committed error in ruling that Legal Aid comes within the definition of a âhealth oversight agencyâ under HIPAA. 3. âHealth Care Operationsâ An additional HIPAA provision that the trial court found applicable is the exemption which permits a âcovered entityâ to âuse or disclose protected health care information for its own treatment, payment, or health care operations.â 45 C.F.R. § 164.506(c)(1) (2014) (emphasis added). Because âhealth care operationsâ are defined to include â[c]onducting quality assessment,â âauditing functions, including . . . abuse detection and compliance programs,â and â[r]esolution of internal grievances,â the trial court ruled that the advocacy and auditing services provided by Legal Aid are part of the hospitalsâ covered health care operations. See 45 C.F.R. § 164.501 (2014). 19 Once again, the trial court has deemed a HIPAA exemption to apply based on a flawed interpretation of the subject definition. Reading from the bottom up, the trial court simply concludes that because auditing and compliance functions are part of âhealth care operations,â then the services performed by Legal Aid must necessarily be covered by this exemption. What the trial court overlooks is the critical distinction, similar to the limitation imposed on a âbusiness associate,â that these services, by definition, are those that are performed at the direction of or on behalf of the facility as part of its own internal operating procedures. â[H]ealth care operations are the listed activities undertaken by the covered entity that maintains the protected health information.â 65 Fed. Reg. 82462-01, 82490 (emphasis supplied). The auditing and compliance functions performed by an independent entity such as Legal Aidâan entity charged by law to uncover violations of patient rights by the facilities rather than to assist a facility with the management of its operationsâdo not fall within the meaning of âhealth care operationsâ as that term is defined by HIPAA. See 45 C.F.R. § 164.501. Further distinguishing between the activities that constitute âhealth care operationsâ and those that do not, the DHHR explains that a hospital can access patient records within the meaning of the subject exemption to resolve internal grievances. In contrast, the initiation of a grievance by Legal Aid is an activity external to the facility and thus beyond the scope of the exemption. In the same vein, a facility may access patient 20 records for its own internal audits, but external audits such as those performed by Legal Aid fall outside the scope of the facilityâs operations and thus the applicability of the exemption. Accordingly, we find that the trial court erred in reasoning that the âhealth care operationsâ exemption under HIPAA is available to Legal Aid. 4. âRequired by Lawâ In generalized fashion, the trial court relied upon the HIPAA exemption that permits disclosure without written consent where âsuch use or disclosure is required by law.â 45 C.F.R. § 164.512(a). For more specific support, the trial court cited the provision of HIPAA that permits a covered entity to disclose protected health information to a government authority when the covered entity reasonably believes that the information pertains to a victim of abuse or neglect.31 See id. at § 164.512(c). Seeking further authority for its ruling, the trial court concluded that âthe disclosure may be made in response to an express authorization by court order.â See 45 C.F.R. § 164.512(e)(1)(i). As the DHHR clarifies, the exemption laced to a legal directive both contemplates and requires âa mandate contained in law that compels a covered entity to 31 The trial court looked additionally to the subsection permitting disclosure in the instance of incapacity when awaiting consent would materially and adversely impact an immediate enforcement activity. See 45 C.F.R. § 164.512(c)(1)(iii)(B). 21 make a use or disclosure of protected health information . . . that is enforceable in a court of law.â 65 Fed. Reg. 82462-01, 82497. Application of this exemption is specifically constrained by the requirement that âthe use or disclosure complies with and is limited to the relevant requirements of such law.â 45 C.F.R. § 164.512(a). The DHHR contends that this exemption does not apply because there is no state law that requires the hospitals to disclose patient records in the unfettered fashion decreed by the trial court. We agree. While state regulations authorize patient advocates to gain access to patient records in the process of investigating grievances without express consent, there is no state-enacted law or regulation that expansively directs facilities such as Bateman and Sharpe to disclose all patient records to Legal Aid without consent. See 64 C.S.R. § 59-11.5.1.d. The abuse and neglect provision is similarly inapplicable as it concerns disclosure to a governmental authority rather than to a private entity such as Legal Aid. In its reach to come within the parameters of the ârequired by lawâ exemption, the trial court suggests that HIPAAâs requirements may be avoided with the entry of a court order. Not only is this deduction erroneous but it ignores the additional requirement that a court-directed disclosure applies only to âexpressly authorizedâ disclosures made âin the course of any judicial or administrative proceeding.â 45 C.F.R. § 164.512(e)(1)(i). A ruling that seeks to broadly sanction disclosure not expressly linked to a specific judicial or administrative matter falls outside the framework of the HIPAA exemption which permits 22 disclosure pursuant to judicial authorization. See id. Morever, as HIPAA makes clear, the provision for directives issued in the course of specific judicial and administrative proceedings âdo[es] not supersede other provisions of this section that otherwise permit or restrict use or disclosure of protected health information. 45 C.F.R. § 164.512(e)(2). We have little difficulty concluding that the HIPAA exemption premised on a judicial ruling has no application to the prospective disclosures contemplated by the August 27th decree as such disclosures would be made outside the framework of an ongoing proceeding. Accordingly, we find that the trial court erred in its reliance on the HIPAA exemptions pertaining to legal mandates or rulings. See 45 C.F.R. §§ 164.512(a), 512(e)(1)(i). C. State Law Having determined that federal law does not provide the necessary authority for disclosure of patientsâ records to Legal Aid without consent, we proceed to determine if our state law provides an independent basis to support the lower courtâs ruling. As the DHHR acknowledges, HIPAAâs preemption clause provides that the federal act âshall supersede any contrary provision of State law,â unless state law is more stringent or if one of several other exceptions applies. 42 U.S.C. § 1320d-7 (2012); 45 C.F.R. §§ 160.202,  203 (2014) (listing exceptions to preemption). If no exception applies, âState laws are contrary to HIPAA if: (1) it would be impossible for the health care provider to comply simultaneously with HIPAA and the state directive; or (2) the state provision stands as an 23 obstacle to the accomplishment of the full objectives of HIPAA.â Wade v. Vabnick-Wener, 922 F.Supp.2d 679, 686 (W.D. Tenn. 2010). From the record of this case, it is clear that this state undertakes to examine our codified law on an annual basis to analyze whether our state laws are more stringent than HIPAAâs for preemption purposes.32 Because the HIPAA Privacy Rule is viewed as a floor of privacy protections for individuals, state laws may provide greater or more stringent protections. In those instances where state law is determined to be more stringent because it imposes enhanced or more detailed protections, the state law is not preempted by HIPAA. From the record submitted in this case, the protections set forth in Title 64, Series 59 have been determined to be more stringent than those required by federal law.33 Accordingly, our state regulations set forth in Title 64, Series 59 are not preempted by HIPAA. See 45 C.F.R. §§ 160.202, -203. Within our state regulations that were adopted to provide âskillful, safe and humaneâ care to incarcerated patients with mental health issues, the confidentiality of patient 32 This annual analysis is required by HIPAA. 33 Analyses completed in 2013 and 2014 entitled West Virginia Health Care Privacy Laws and HIPPA Preemption Analysis for the DHHR conclude that our state regulations set forth in 64 C.S.R. § 59 are not preempted by HIPPA as our provisions are more stringent. The 2015 analysis reached the same conclusion. 24 records is addressed at length. W.Va. Code § 27-5-9. The regulations specify in detail what information is deemed confidential and when a patientâs records may be disclosed. See 64 C.S.R. § 59-11.1. While a patient may authorize the release of his or her records to any person or entity, those records may also be obtained by the âproviders of health, social, or welfare services involved in caring for or rehabilitating the client.â 64 C.S.R. § 59-11.5.1.d. Under this same provision, it is provided that â[n]o written consent is necessary for employees of the department, comprehensive behavioral health centers serving the client or advocates under contract with the department.â Id. (emphasis supplied). In an obvious attempt to thwart legislative intent, the DHHR denies that it has a contract with Legal Aid. The DHHR maintains that the Grant Agreement pursuant to which it employs Legal Aid on an annual basis to provide advocacy services for the patients at Sharpe and Bateman does nothing but address the exchange of money. Our review of the record demonstrates quite the opposite. In the initial sixteen pages of the Grant Agreement, standard contractual matters such as scope, term, cancellation, remedies, and assignment are addressed. Through a separate but expressly incorporated, ten-page document, the services and activities required of Legal Aid are delineated. A review of the Grant Exhibit, along with the multiple attached exhibits, wholly disproves the DHHRâs position that the document fails to address the legal obligations of the parties. As a result, we hold that a written agreement between the DHHR and the provider of patient advocacy services that 25 specifies the legal obligations of the parties, including the manner of payment and the duties associated with the provision of patient advocacy services, constitutes a contract within the meaning of 64 C.S.R. § 59-11.5.1.d. for purposes of permitting patient advocates to access records without the written consent of individuals hospitalized with mental health issues in state facilities. This conclusion is specifically premised on the fact that the DHHR is required by the 1990 Order to employ external patient advocates for purposes of complying with the mandate contained in West Virginia Code § 27-5-9. Returning to the trial courtâs ruling, we affirm the lower courtâs ruling that the DHHRâs revocation of patient advocate access to patients, staff, and patient records absent express written consent violates state law. The long term practice of providing unlimited record access to the patient advocates, agreed to by the parties and sanctioned by the court through the 2009 Agreed Order, has become part of the rule of this case. See generally Keller v. Norfolk & W. Ry. Co., 113 W.Va. 286, 167 S.E. 448 (1932). Thus, for the DHHR to act in violation of that established practice was contrary to the rule of law which governs this case. Furthermore, the policy adopted by the DHHR is not required by HIPAA as this stateâs laws set forth in 64 C.S.R. § 59-1 to -20 are more stringent than those set forth in HIPAA.34 As a result, we are convinced that the confidentiality protections, including the 34 See supra note 33. 26 annual training that the patient advocates undergo along with hospital staff, all combine as designed to protect the interests of the patients at Sharpe and Bateman. We further affirm the trial courtâs ruling that the patient advocates shall have access to patient records without limitation except when patients expressly request limitations on the disclosure of their individual, identifiable health information. There is a clear need for non-grievance related review of patient records to identify systemic issues of noncompliance with the regulations that address issues of patient care. Furthermore, the inclusion of language in the Grant Agreement that requires the preparation and submission of a report to both the circuit court judge and the court monitor, as well as the parties, documents the duty imposed on Legal Aid to review patient records independent of specific grievances. A common thread that exists in both West Virginia § 27-5-9 and HIPAA is the improvement of the quality of health care.35 That objective was undeniably blocked when the DHHR instituted wholly unwarranted roadblocks in the path of the patient advocates. Without unrestricted access to patient records, access that the Legislature expressly approved, the patient advocates were effectively blocked from discovering violations of the patientsâ civil rights. HIPAA was never intended to serve as a hindrance to patient services or civil rights; it was designed to prevent the inappropriate use or dissemination of protected 35 See 65 Fed. Reg. 82462-01, 82463. 27 health information.36 In the case before us, the DHHR has failed to demonstrate that Legal Aid has disseminated any protected health information in violation of federal or state law. IV. Conclusion Based on the foregoing, the August 27, 2014, order of the Circuit Court of Kanawha County is affirmed with regard to its multiple directives concerning the restoration of access without limitation by patient advocates to patients at Sharpe and Bateman.37 Affirmed. 36 See supra note 35. 37 Consistent with the trial courtâs directives, that access is subject to the right of patients to place limitations on the disclosure of their health information. 28
[by Loughry]
*282 LOUGHRY, Justice: The West Virginia Department of Health and Human Resources, the Bureau for Behavioral Health and Health Facilities (âDHHRâ), seeks to reverse the August 27, 2014, order of the Circuit Court of Kana-wha County, through which the DHHR was directed to immediately restore access to patients and patient records to the patient advocates working at this stateâs two psychiatric hospitals. 1 In challenging this ruling, the DHHR argues that the circuit courtâs order violates both the patientsâ constitutional rights to privacy and the Federal Health Insurance Portability and Accountability Act (âHIPAAâ). The respondent advocates for patients at Sharpe and Bateman Hospitals (sometimes referred to as the âhospitalsâ) insist that the directives of the circuit court should be affirmed due to the clear lack of constitutional or HIPAA violations. Having reviewed the record in this case to verify the absence of constitutional infirmity as well as the lack of state or federal privacy law violations stemming from the access historically afforded to patient advocates at these facilities, we affirm the circuit courtâs decision to restore the access afforded to the patient advocates to the level they experienced prior to the abrupt change of course in June 2014. Given the lower courtâs partial reliance on certain HIPAA definitions and exclusions that we find to be wholly inapplicable, our decision to affirm is grounded solely on state law rather than an amalgam of state and federal law. 2 I. Factual and Procedural Background The underlying litigation had its genesis in 1981 with a petition for a writ of mandamus filed by a group of institutionalized individuals to address the civil rights of patients with mental disabilities. 3 See E.H. v. Matin (known as âHartleyâ or âMatin Iâ), 168 W.Va. 248 , 284 S.E.2d 232 (1981). This Court remanded the Hartley case to the Kanawha County Circuit Court to- achieve the legislative mandate of providing appropriate care and treatment to those individuals who are involuntarily hospitalized. See W.Va.Code § 27-5-9 (2013). To that end, the West Virginia Behavioral Health System Plan (âBHSPâ), a comprehensive mental health plan, which addressed the various standards, conditions, and facilities, was accepted by the' circuit court â in 1983. 4 See E.H. v. Matin (âMatin IIâ), 189 W.Va. 102, 104 , 428 S.E.2d 523, 525 (1993). As part of the BHSP, the DHHR was required'to estab-' lish a patient advocacy system within the state hospitals to protect the rights of institutionalized patients on an ongoing basis. Originally, the patient advocates were DHHR employees who maintained offices within the hospitals.' Due to issues' that arose in the late 1980s stemming from improper personal relationships between the patient advocates and the hospital administrators, the court monitor formally recommended that the DHHR be required to contract with an external entity to perform the patient advocacy services. No one objected to this proposal and the recommendation was adopted by order, entered on February 20,1990 (the â1990 orderâ). 5 In accordance with its obligations under the 1990 order, the DHHR immediately contracted with Legal Aid of West Virginia (âLegal Aidâ) to provide patient advocacy services. In this role, which it has occupied since its selection in 1990, Legal Aid assists with and investigates individual grievances, *283 conducts abuse and neglect investigations, educates staff and patients about patient civil rights, and monitors Sharpe and Bateman for the purpose of ensuring compliance with this stateâs guarantee of patient civil rights. See W.Va.Code § 27-5-9. Legislative rules expressly designed to âestablish[ ] the rights of clients of State-operated tĂehavioral health facilitiesâ were adopted in 1995. 6 See 64 C.S.R. § 59-1.1. Those rules specify procedures that pertain to the mandated provision of patient advocacy services 7 and delineate a litany of patient rights that the hospitals are required to observe, including confidentiality. See id. at §§ 59-1 to -20. Court monitoring of the Hartley case continued until 2002 when, by agreement of the parties, the case was removed from the active docket of the court. 8 See E.H. v. Matin (ââMatin III â), 189 W.Va. 445 , 432 S.E.2d 207 (1993), (approving continued circuit court monitoring). In that same year, the DHHR decided to create the Office of the Ombudsman (âOmbudsmanâ)-an office charged with overseeing compliance with the statutory duties related to operation of the state hospitals. As the direct result of the Ombudsmanâs July 3, 2008, report, documenting deplorable conditions and treatment of patients at Sharpe and Bateman, the circuit court reopened the Hartley case. See State ex rel. Matin v. Bloom (âMatin IVâ), 223 W.Va. 379, 383-84 , 674 S.E.2d 240, 244-45 (2009) (identifying issues of overcrowding, lack of privacy, and denial of patientsâ daily grooming and cleanliness needs). Systemic violations of patient rights, including the use of âchemical restraints,â were demonstrated during a two-day evidentiary hearing held before the circuit court in April 2009. At the conclusion of. the hearing, the trial court ordered the parties to participate in mediation which resulted in an agreement between the parties covering multiple issues. Under that court-approved agreement, commonly referred to as the â2009 Agreed Order,â the Ombudsman is charged with the duty to oversee implementation of the specific terms of the agreement. Included in those terms is a provision requiring Sharpe and Bateman to fully comply with the state regulations that address issues of patient care and patient advocacy services. See 64 C.S.R. §§ 59-1 to -20. The 2009 Agreed Order requires that â[p]eriodic review shall be established for compliance with [specified] sections.â 9 In recognition of this duty, the DHHR contracted with Legal Aid to âproduce a report to inform Judge Bloom, [and] the Hartley Court Monitor .... of any progress or lack of progress in implementing areas of Legislative Rule Title 64 Code of State Rules (CSR) Series 59 ... within Sharpe and Bateman by the end of the grant period.â 10 On January 5, 2010, the parties agreed that the patient advocates would create an assessment tool for the hospital audits necessary to enable the DHHR to comply with the periodic review contemplated by the 2009 Agreed Order. On March 31, 2010, the DHHR agreed that quarterly audits should be conducted by providing the patient advocates with complete access to at least two patients from each unit independent of any actual grievances filed. On May 5, 2010, the parties agreed that the audit instrument was finalized and the patient advocates were instructed âto begin implementation.â âąFor more than a decade, the DHHR provided the- patient advocates with full access to computerized patient records, to the patient wards, and other areas of the hospitals. Then, in June 2014, with no prior notice, the DHHR began requiring the patient advocates to obtain signed releases from each *284 patient, the patientâs guardian, and/or the person with the medical power of attorney before obtaining any information 'from or about the patient. 11 Under the altered procedures, a' newly-executed release specifying the basis of inquiry was required each time the advocates sought to review a patientâs records. Legal Aid stated that even if the inquiry pertained to a previously-authorized matter, a new release was required for each successive day a patient advocate sought access to a patientâs records. 12 In addition to. this novel procedure of requiring a release in advance of any records inspection, Legal Aid was denied accessâto the network of patient records â access required for conducting the systemic reviews or audits of the'two facilities. In response to this abrupt change of policy regarding access to patient records, the patient advocates filed a motion for emergency relief with the circuit court and a hearing was held on August 1, 2014. After finding no violation of federal or state law, the circuit court directed the DHHR, by order of August 24, 2014, to immediately restore Legal Aid to the previous levels of access at Sharpe and Bateman. On August 29, 2014, the circuit court denied the DHHRâs motion for stay of the August 27, 2014, amended ruling. 13 By order of September 14, 2014, this Court stayed the lower courtâs, order and granted the appeal filed by the DHHR. . II. Standard of Review Given our conclusion that the August 27, 2014, amended ruling constitutes a final order notwithstanding the trial courtâs contrary ruling, 14 we review the subject order pursuant to our well-established' standard of examining questions of law de novo while reversing factual determinations only upon a showing of clear error. See Syl. Pt. 2, Walker v. W.Va. Ethics Commân, 201 W.Va. 108 , 492 S.E.2d 167 (1997). This Court recently dispelled any concerns with regard to its right to consider this matter by means of an appeal 15 with our recent holding in syllabus point one of West Virginia Department of Health and Human Resources et al. v. E.H., 236 W.Va. 194 , 778 S.E.2d 643 , Nos. 14-0664, 14-0845, 2015 WL 5928503 (Oct. 7, 2015), wherein we held that â[i]n the context of institutional reform litigation, this Court may choose to exercise its appellate jurisdiction over an order entered by the. circuit court that it deems to approximate a final order by its nature and effect.â Accordingly, we proceed to determine whether the trial court erred in issuing the ruling under review. III. Discussion A. Constitutional Privacy Rights In support of its position that the lower courtâs order improperly requires unfettered disclosure of patient records to the patient advocates, the DHHR maintains that the *285 Fourteenth Amendment has been recognized to protect an individualâs right to privacy with regard to avoiding disclosure Of personal matters. See Whalen v. Roe, 429 U.S. 589, 599 , 97 S.Ct. 869 , 51 L.Ed.2d 64 (1977); accord Doe v. City of New York, 15 F.3d 264 , 267 (2d Cir.1994) (âExtension of the right to confidentiality to personal medical information recognizes there are few matters that are quite so personal as the status of oneâs health, and few matters the dissemination of which one would prefer to maintain greater control over.â). Because the trial court failed to employ a balancing test -to- assess the reasonableness of the privacy intrusion that flows from the sweeping access mandated by the order at issue, the DHHR argues- that the constitutional rights of patients at Sharpe and Bateman outweigh Legal Aidâs interest in accessing patient files. See Nixon v. Admâr of Genâl Servs., 433 U.S. 425, 458-60 , 97 S.Ct. 2777 , 53 L.Ed.2d 867 (1977) (utilizing balancing test to measure privacy intrusion against reasonableness of governmental actions). Emphasizing the enhanced need to conduct this inquiry when a realistic probability of public disclosure exists as in this case, the.DHHR posits that the circuit court erred by failing to consider the applicability of constitutionally-based protections for the health information contained in the patient records. Legal -Aid contends that the DHHR improperly seeks to inject constitutional error into this matter with an issue never addressed by the circuit court. 16 Not only does Legal Aid concur with the tenets of privacy law articulated by the DHHR, but it fully agrees with the petitionersâ statement that âthe Fourteenth Amendmentâs right to informational privacy forbids the indiscriminate disclosure of state psychiatric records.â Legal Aid emphasizes that the patient advocates neither seek the indiscriminate disclosure of patient records nor do they conduct their advocacy services in a manner inconsistent with the patientsâ privacy rights. Dismissing the need for an extended discourse about the existence of privacy rights, Legal Aid states that the issue presented is simply whether the disclosure of patient records pursuant to state and federal laws enacted to protect patient rights runs afoul of those acknowledged rights. Or stated in' the converse, do provisions of federal and/or state law permit the disclosure of patient records to the patient advocates under contract with DHHR to provide advocacy services at Bate-man and Sharpe. At the outset, we. observe that the constitutional concerns raised by the DHHR are confined to the previous longstanding practice of permitting the advocates to review patient records for purposes of assessing overall hospital Conditions. 17 The DHHR does not raise the possibility of constitutionally-based privacy violations with regard to individual grievances or complaints of abuse and neglect; 18 What the DHHR challenges is the circuit courtâs directive that allows the advocates to have access to patient files unrelated to specific complaints or grievances. This access was authorized, consistent with past practice and the agreement of the parties, for purposes of discerning systemic issues related to the patient rights established by state regulation. 19 See 64 C.S.R.'§§ 59-1 *286 to -20. Pursuant to the governing Grant Agreement that outlines the duties the DHHR requires of the patient advocates, an annual report reflecting the results of the systemic review is required to be tendered to the circuit court judge, court monitor, the DHHR, and Mountain State Justice. 20 Inherent in the DHHRâs argument is a presumption that the systemic review of patientsâ records necessarily results in the wrongful disclosure of medical information. Given that the first and only complaint concerning an alleged violation of HIPAA was filed in 2014 by the DHHR â almost twenty years after the federal act became law â it is clear that inappropriate disclosure of patient information has not been taking place as implied by the DHHR. Not only have there been no complaints filed until the DHHR instituted one, 21 but the state .privacy officers whose responsibility it is to oversee these matters have failed to either independently identify or confirm the existence of any issues concerning the level of access historically afforded to the patient advocates. In seeking to convince this Court that the provision of advocacy services over the past two decades has just recently become a matter of constitutional significance, the DHHR ignores the annual HIPAA training, the executed confidentiality agreements, and state law provisions all designed for the purpose of, and apparently successful at, imposing a high level of confidentiality upon the patient advocates with regard to their review of sensitive health information. As Legal Aid explained, the review undertaken by the patient advocates is conducted in confidence without public disclosure of any protected health information. Critically, there has never been any complaint filed by a Bateman or Sharpe patient, or the patientâs representative, associated with the wrongful dissemination of confidential health information 22 Because the record in this case wholly fails to demonstrate the indiscriminate disclosure of confidential information.by the patient advocates â let alone any disclosure of protected health information, 'we are not persuaded that a meritorious issue exists with regard to Legal Aidâs dissemination of confidential health information. 23 Accordingly, we reject the DHHRâs contention that the trial court erred in failing to address whether the access afforded to Legal Aid violates the constitutionally-based rights of privacy of patients at Sharpe and Bateman. B. HIPAA Pursuant to HIPAAâs Privacy Rule (âPrivacy Ruleâ), â[a] covered entity or business' associate may hot use or disclose 24 protected health informationâ barring either a regulatory exemption or written authorization from the subject of the information or his/her representative. 45 C.P.R. § 164.502(a) (2014) (footnote added). The DHHR argues that the patient advocates do not come within any *287 exemptions provided under HIPAA that would eliminate the need to obtain patient consent before viewing medical records. Specifically, the DHHR disagrees with the trial courtâs decision that Legal Aid falls within the HIPAA definition for a âbusiness associateâ a âhealth oversight agency,â or âhealth care operations.â The DHHR-also objects to the trial courtâs reliance on the HIPAA exemption pertaining to disclosures ârequired by law.â Each of these HIPAA definitions and its respective applicability to the matter before us will be examined in turn. 1. âBusiness Associateâ Under HIPAA, a âbusiness associateâ relates to and is defined in reference to a âcovered entity.â The , Privacy Ruleâs construct of a âcovered .entityâ extends to: â (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a covered transaction. See 45 C.F.R. § 160.103 (2014). As the -circuit court correctly ruled in its August 27th order, both Bateman and Sharpe qualify as covered entities under HIPAA With scant analysis, 25 the trial court and Legal Aid simply adopted the position that the patient advocates necessarily meet the HIPAA definition of a âbusiness associate.â An examination of the pertinent regulations .addressing the nature of a âbusiness associateâ clearly refutes this conclusion. Legal Ad repeatedly refers to itself as a âbusiness associateâ of the DHHR. Because the DHHR is not a âcovered entityâ under HIPAA, the relationship between Legal Ad and the DHHR is not controlling. To come within HIPAAâs exclusionary language, Legal Ad must be a âbusiness associateâ of Sharpe and Bateman. In further explanation of what is necessary to qualify as a âbusiness associate,â the regulations provide that it is a person who: (i) On behalf of such covered entity ,.. but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or-transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 320, - billing; benefit management, practice management, and repricing; or (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation ..., management, administrative, accreditation, orâfinancial services to or for such covered entity.... 45 C.F.R. § 160.103 . The DHHR argues, and we agree, that the patient advocacy services performed at Bateman and Sharpe are not performed on behalf of either of those facilities within the meaning of the Privacy Rule. See id. . In purveying the list of activities that constitute services typically performed by a âbusiness associateâ for a âcovered entity,â patient advocacy is noticeably absent. Rather than serving the interests' of the hospitals in terms of providing managerial assistance with their operations, the patient advocates serve the personal interests of the patients who .reside at those facilities. From the beginning, the provision of. patient advocacy services .was created to protect the interests of individual patients. See W.Va.Code § 27-5-9; 64 C.S.R. § 59-20.1 (mandating patient advocates in every behavioral health facility who are independent of facility management). Despite the expanded role of the patient advocates with regard to systemic auditing, the primary objective in conducting these reviews is compliance with patient-oriented rights. 26 *288 While it might be tempting to view the provision of patient advocacy services as improving the operations of the facilities under discussion, the pivotal inquiry is whether the advocacy services are being offered by Legal Aid on behalf of the 'hospitals. That Legal Aid is-not operating on behalf of Sharpe and Bateman is easily demonstrated by considering the adversity inherent to the role the patient advocates occupy in relation to those facilities. . Rather than- advancing the hospitalsâ interests, the advocates are. responsible for investigating individual grievances against the hospitals and identifying instances of the hospitalsâ failure to comply with the civil rights afforded to institutionalized patients under state law. By design, the patient advocates operate independently of the hospitalsâ interests and, most decidedly, not on their behalves. We further observe that the improper eharacterizatioii of Legal Aid as âbusiness associatesâ in the Grant Agreement does not serve to repair the underlying definitional disconnect. 27 As the DHHR properly acknowledges, its identification of Legal Aid as a âbusiness' associate,?â in an admitted and overly-expansive attempt to comply with HIPAA, 28 has no corresponding ability to make the characterization a reality under the law. , Based on the foregoing, we conclude that the trial court erred in finding that. Legal Aid is a âbusiness associateâ of a âcovered entityâ under HIPAA. 2. âHealth Oversight Agencyâ Cherry picking parts of the HIPAA definition of a âhealth oversight agency,â 29 the trial court concluded that Legal Aid is such an agency because it âis authorized by law-to oversee the health Care system ... or government programs ... or to enforce civil rights laws'for-which health information- is relevant.â The DHHR argues that no state law invests Legal Aid, a private entity, with public oversight authority. The individualized advocate role that Legal Aid performs, emphasizes the DHHR, is not on par with the public health concerns that a health oversight agency is charged to superintend. With' regard to the auditing function that Legal Aid performs, that duty is similarly not authorized by state law. Furthermore, Legal Aid has no enforcement power with regard to the civil rights of the patients. From the list of agencies recognized to engage in health oversight activities, such as state âą insurance commissions, state health professional licensure agencies, state Medicaid fraud control units, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, 30 it is clear that Legal Aid does not- qualify as. such an agency. Inherent to the concept of a âhealth oversight agencyâ is.a charge by law to oversee matters involving public' health or for which public health information is intrinsic to the public-oriented- duties at. hand. Here, the advocacy â duties Legal Aid provides do not have at their core. a concern for public health or s, need to review public health information for eligibility purposes. See ' 45 C.F.R. § 164.512 (d) (2014) (approving disclosure to health over-sight -agency of protected health information' to determine eligibility for government benefit programs). While state regulations authorize- patient advocates to investigate and ensure compliance with! civil rights guaranteed by West Virginia Code' § 27-5-9, that authority does not imbue 'Legal Aid with health oversight *289 authority within the- meaning of HIPAA. See 64 C.S.R. § 59-20. Unlike the United States Department of Justice, the HHS Office for Civil Rights, and the United States Equal Employment Opportunity Commission, Legal Aid has no enforcement powers pertinent to the patient civil rights it is charged with overseeing. See 65 Fed. Reg. 82462 -01, 82492 (identifying entities with civil rights enforcement powers). In the instance of a civil rights violation, Legal Aid lacks authority to su a sponte correct the deficiencies giving rise to the violation or to impose sanctions or penalties. Consequently, we conclude that the trial court committed error in ruling that Legal Aid comes within the definition of a âhealth oversight agencyâ under HIPAA. 3. âHealth Care Operationsâ An additional HIPAA provision that the trial court found applicable is the exemption which permits a âcovered entityâ to âuse or disclose protected health care information for its own treatment, payment, or health care operations.â 45 C.F.R. § 164.506 (c)(1) (2014) (emphasis added).. Because âhealth care operationsâ., are defined ,to include âConducting quality assessment,â âauditing .functions, including .,. abuse detection and compliance programs,â and â[rjesolution of internal grievances,â the trial court ruled that the advocacy and auditing services provided by Legal Ad are part of .the hospitalsâ .covered health care operations. See 45 C.F.R. § 164.501 (2014). Once again, the trial court has deemed a HIPAA exemption to apply based on a flawed interpretation of the subject definition. Reading from the bottom up, the trial court simply concludes that because auditing and compliance functions are part of âhealth care operations,â then the services performed by LĂ©gal Ad must necessarily be covered by this exemption. What the trial court overlooks is the critical distinction, similar to the limitation imposed on a âbusiness associateââ that these services, by definition, are those that are performed at the direction of or on behalf of the facility as part of its own internal operating procedures. â[Hjealth care operations are the listed activities undertaken by the covered entity that maintains the, protected health information.â 65 Fed. Reg. 82462 -01, 82490 (emphasis supplied). The auditing and compliance functions performed by an independent entity such as Legal Ad-an entity Charged by law to uncover violations of patient rights by the facilities rather than to assist a facility with the management of its operations â do not fall within the meaning of âhealth care operationsâ as that term is .defined by HIPAA See 45 C.F.R. § 164.501 . Further distinguishing between the activities that constitute âhealth care operationsâ and those that do not, the DHHR explains that a hospital can access patient records within the meaning of the subject exemption to resolve internal grievances. In contrast, the initiation of a grievance, by Legal Ad is an activity external to the facility and thus beyond the scope of the exemption.. In the same.vein, a facility may access patient records for its own internal audits, but external audits such as those performed by Legal Ad fall outside the scope of the facilityâs operations and thus the applicability of the exemption. Accordingly, we -find that the trial court erred in reasoning that the âhealth care operationsâ exemption under HIPAA. is available to Legal Ad. 4. â âRequired by Lawâ In generalized fashion, the trial court relied upon the HIPAA exemption that permits disclosure without written consent where âsuch use or disclosure is required by law.â 45 C.F.R. § 164.512 (a). For more specific support,' the trial court cited the provision of HIPAA that permits a covered entity to disclose protected health information to' a government authority when the covered entity reasonably believes âą that the information pertains to a victim of abuse or neglect. 31 See id. at § 164.512(c). Seeking further authority for its ruling, the trial court concluded that âthe disclosure may be made in response to an express authorization by *290 court order.â See 45 C.F.R. § 164.512 (e)(l)(i). As the DHHR clarifies, the exemption laced to a legal directive both contemplates and requires âa mandate contained in law that compels a covered entity to make a use or disclosure of 'protected health information ... that is enforceable in a court of law.â 65 Fed. Reg. 82462 -01, 82497. Application of this exemption is specifically constrained by the requirement that âthe use or disclosure complies with and is limited to the relevant requirements of such law.â 45 C.F.R. § 164.512 (a). The DHHR contends that this exemption does not apply because there is no state law that requires the hospitals to disclose patient records in the unfettered fashion decreed by the trial court. We agree. While state regulations authorize patient advocates to gain access to patient records in the process of investigating grievances without express consent, there is no state-enacted law or regulation that expansively directs facilities such as Bateman and Sharpe to disclose all patient records to Legal Aid without' consent. See 64 C.S.R. § 59-11.5.1.d. The abuse and neglect provision is similarly inapplicable as it concerns disclosure to a governmental authority rather than to a private entity such as Legal Aid. In its reach to come within the parameters of the ârequired by lawâ exemption, the trial court suggests that HIPAAâs requirements may be avoided with the entry of a court order, Not only is this deduction erroneous but it ignores the additional requirement that a court-directed disclosure applies only to âexpressly authorizedâ disclosures made âin the course of any judicial or administrative proceeding.â 45 C.F.R. § 164.512 (e)(l)(i).' A ruling that seeks to broadly sanction disclosure not expressly linked to a specific judicial or administrative matter falls outside the framework of the HIPAA exemption which permits disclosure pursuant to judicial authorization. See id. Moreover, as HIPAA makes clear, the provision for directives issued in the course of specific judicial and administrative proceedings âdo[es] not supersede other provisions of this section that otherwise permit or restrict use or disclosure of protected health information. 45 C.F.R. § 164.512 (e)(2).. We have little difficulty concluding that the HIPAA exemption premised on a judicial ruling has no application to the prospective disclosures contemplated by the August 27th decree as such disclosures would be made outside the framework of an ongoing proceeding. Accordingly, we find that the. trial court erred in its reliance on the HIPAA exemptions pertaining to legal mandates or â rulings. See 45 C.F.R. §§ 164.512 (a), 512(e)(l)(i). C. State Law Having determined that federal law does not provide the necessary authority for disclosure of patientsâ records to Legal Aid without consent, we proceed to determine if our state law provides an independent basis to support the lower courtâs ruling. As the DHHR acknowledges, HIPAA?s preemption clause provides that the' federal act âshall supersede any contrary provision of State law,â unless state law is more stringent or-if one of several other exceptions applies: 42 U.S.C. § 1320d-7 (2012); 45 C.F.R. §§'160.202,-203 (2014) (listing exceptions'to preemption). If no exception applies, âState laws are contrary to HIPAA if: (1) it would be impossible for the health care provider to comply simultaneously with HIPAA and the state directive; or (2) the state provision stands as an obstacle to the accomplishment of the full objectives of HIPAA.â Wade v. Vabnick-Wener, 922 F.Supp.2d 679, 686 (W.D.Tenn.2010). From the record of this case, it is clear that this state undertakes to examine our codified law on an annual basis to analyze whether our state laws are more stringent than HIPAAâs for preemption purposes. 32 Because the HIPAA. Privacy Rule is viewed as a floor of privacy protections for individuals, state laws may provide greater of more stringent protections. In those instances where state law is determinĂ©d to be more stringent because it imposes enhanced or more detailed protections, the state law is not preempted by HIPAA. From the record submitted in this case, the protections set forth in Title 64, Series 59 have been deter *291 mined to be more stringent than those required by federal law. 33 Accordingly, our state regulations set forth in Title 64, Series 59 are not preempted by HIPAA. âą See 45 C.F.R. §§ 160.202 , -203. Within our state regulations that were adopted to provide âskillful, safe and humaneâ care to incarcerated patients' with mental health issues, the confidentiality of patient records is addressed at length. W.Va.Code § 27-5-9. The regulations specify in detail what information is deemed confidential and when a patientâs records may be disclosed. See 64 C.S.R. § 59-11.1. While a patient may authorize the release of his or her records to any person or entity, those records may also be obtained by the âproviders of health, social, or welfare services involved in caring for or rehabilitating the client." 64 C.S.R. § 59-11.5.1.d. Under this same provision, it is provided that â[n]o written consent is necessary for employees of the department, comprehensive behavioral health centers serving the client or advocates under contract with the department.â Id. (emphasis supplied). In an obvious attempt to thwart legislative intent, the DHHR denies that it has a contract with Legal Aid. The DHHR maintains that the Grant Agreement pursuant to which it employs Legal Aid on an annual basis to provide advocacy services for the patients at Sharpe and Bateman does nothing but address the exchange of money. Our review of the record demonstrates quite the opposite. In the initial sixteen pages of the Grant Agreement, standard contractual matters such as scope, term, cancellation, remedies, and assignment are addressed. Through a separate but expressly incorporated, ten-page document, the services and activities required of Legal Aid are delineated. A review of the Grant Exhibit, along with the multiple attached exhibits, wholly disproves the DHHRâs position that the document fails to address the legal obligations of the parties. As a result, we hold that a written agreement between the DHHR and the provider of patient advocacy services that specifies the legal obligations of the parties, including the manner of payment and the duties associated with the provision of patient advocacy services, constitutes a contract within the meaning of 64 C.S.R. § 59-11.5.1.d. for purposes of permitting patient advocates to access records without the written. consent of individuals hospitalized with mental health issues in state facilities. This conclusion is specifically premised on the fact that the DHHR is required by the 1990 Order to employ external patient advocates for purposes of complying with the mandate contained in West Virginia Code § 27-5-9.- Returning to the trial courtâs ruling, we affirm the lower courtâs ruling that the DHHRâs revocation of patient advocate access to patients, staff, and patient records absent express written consent violates state law. The long term practice of providing unlimited record access to the patient advocates, .agreed to by the parties and sanctioned by the court through the 2009 Agreed Order, has become part of the rule of this, case. See generally Keller v. Norfolk & W. Ry. Co., 113 W.Va. 286 , 167 S.E. 448 (1932). Thus, for the DHHR to act in violation of that established practice was contrary to the rule of law which governs this case. Furthermore, the policy adopted by the DHHR is not required by HIPAA as this stateâs laws set forth in 64 C.S.R. § 59-1 to -20 are more stringent than those set forth in HIPAA. 34 As a result, we are convinced that the confidentiality protections, including the annual training that the patient advocates undergo along with hospital staff, all combine as designed to protect the interests of the patients at Sharpe and Bateman. We further affirm the trial courtâs ruling that the patient advocates shall have access to patient records without limitation except when patients expressly request limitations on the disclosure of their individual, identifiable health information. There is a clear need for non-grievance related review of pa *292 Rent records to identify systemic issues of noncompliance with the regulations that address issues of patient care. Furtherrhore, the inclusion of language in the Grant Agreement that requires the preparation and submission of a report to both the circuit court judge and the court monitor, as well as the parties, documents the duty imposed on Legal Aid to review patient records independent of specific grievances. A common thread that exists ÂĄin both West Virginia § 27-5-9' and HIPAA is the improvement of the quality of health care. 35 That objective was undeniably blocked when the DHHR instituted wholly unwarranted roadblocks in the path of the patient advocates. Without unrestricted access to patient records, access that the Legislature expressly approved, the patient advocates were effectively blocked from discovering violations of the patientsâ civil rights. HIPAA was never intended to' serve as a hindrance to patient services or civil rights; it was designed to prevent the inappropriate use or. dissemination of protected health information. 36 In the case before us, the DHHR has failed to demonstrate that Legal Aid has disseminated any protected health information in violation of federal or state law. IV. Conclusion Based on the foregoing, the August 27, 2014, order, of the Circuit Court of Kanawha County is affirmed with regard to its multiple directives concerning the restoration of access without limitation by patient advocates to patients at Sharpe and Bateman. 37 Affirmed. . Mildred Mitchell Bateman ("Batemanâ) and William R. Sharpe, Jr. ("Sharpeâ). . See Syl. Pt. 3, Barnett v. Wolfolk, 149 W.Va. 246 , 140 S.E.2d 466 (1965) ("This Court may, on appeal, affirm the judgment of the lower court when it appears that such judgment is correct on any legal ground disclosed by the record, regardless of the ground, reason or theory assigned by the lower court as the basis for its judgment.â). . See W.Va.Code § 27-5-9 (2013) (providing, inter alia, that "[Âżjach patient of a mental health facility ... shall receive care and treatment that is suited to his or her needs and administered in a skillful, safe and humane manner with full respect for his or her dignity and personal integrityâ). . This plan, a 330-page document, was reached by agreement among the parties. See Matin II, 189 W.Va. at 104 n. 2, 428 S.E.2d at 525 n. 2. . Pursuant to that order, the DHHR was directed to âcontract with an entity outside State government for the provision of advocacy.â . These rules were adopted under authority of West Virginia Code § 27 â 5â9(g). . "There shall be persons designated as client (or patient or resident) advocates who are independent of the facility management in every behavioral health facility.â 64 C.S.R. § 59-20.1. . Court monitoring was resumed in 2009 based on reports of both the conditions and treatment of patients at Sharpe and Bateman. . Those sections are 64 C.S.R. §§ 59-12, -13, - 14, -15.1.7, -15.1.12,--15.2, -15.3, and -16.4.2. . ThiĂĄ language appears in each of the annual grant documents in â the record of this case. Those documents set forth the duties of Legal Aid in relation to the patient advocacy services and provide the necessary funding for such services. . The decision to alter access was made by the DHHRâs Privacy Officer, Lindsey McIntosh. Before making this change in tack, Ms. McIntosh acknowledged she did not investigate the role or needs- of the advocates; she did not visit Bate- , man or Sharpe; shp did not speak- to Legal Aid; and she did not review any of the orders pertaining to this case. . According to the DHHRâs representation in its response to the Motion for Emergency Relief,- - each authorization was good for 180 days. . Minor changes were made to the previous ruling. The only substantive amendments were to remove the reference to the patient advocates as having been created by both federal and state law (they were created solely under state law) and to recognize that grievances may be initiated independently by a patient advocate separate from a patientâs allegation of abuse or assertion of a civil rights violation. . By order entered on August 29, 2014, the . circuit court refused to grant the DHHRâs request to have the August 27, 2014, order deemed a final order. The rationale for its ruling is clear; the trial court was trying to prevent the DHHR from belatedly seeking relief from its previously unappealed 1990 Order. Because the courtâs ruling was not impelled by the need to address additional issues arising from reduced access (i.e. a .lack of finality) and because there are no further issues to be resolved concerning 1 access, we deem the August 27, 2014, ruling to be final for purposes of allowing this Court to ' address the issues before us through the subject appeal. . Cf. Syl. Pt. 5, Riffe v. Armstrong, 197 W.Va. 626 , 477 S.E.2d 535 (1996). . Legal Aid asserts that the DHHR did not raise the issue of constitutional error at the August 1, 2014, hearing. In response, the DHHR states that the evidentiary proceeding was not the forum in which to assert legal error. The record demonstrates that the DHHR advanced the issue of constitutional error in its response to Legal Aid's Motion for Emergency Relief. Citing Griswold v. Connecticut, 381 U.S. 479 , 85 S.Ct. 1678 , 14 L.Ed.2d 510 (1965), the DHHR asserted that unlimited access to patient records absent patient consent is a violation of the right to privacy judicially deemed to arise under the First Amendment. . It is difficult for this Court to avoid the conclusion that, while seeking to prevent access to the patient advocates under the guise of privacy concerns, the DHHR's true objective is to make the discovery of systemic problems more difficult for the advocates to identify. . Legal'Aid asserts that the new policy implemented by the DHHR- prevents Legal Aid from complying with the time constraints pertaining to the investigation of abusĂ© and neglect complaints under state law.- See 64 C.S.R. § 59--20.2.9 (requiring submission of written report by patient advocate â[wjithin the next eight (8) regular working hoursâ of receipt-of abuse-or neglect grievance). . These periodic reviews, required by the 2009 Agreed Order, have been performed by the patient advocates. Additionally,- as noted by the *286 trial court in both its August 18 and 27, 2014, rulings; the "Respondents [DHHR] agreed to the Formal Recommendations [of the Court Monitor], which set forth that systemic advocacy will be pursued by LAWV [Legal Aid], without objection, thereby allowing them to take on the force of Court Order." . During the evidentiary hearing held in this matter on August 1, 2014, the DHHRâs privacy officer, Lindsey McIntosh, - was questioned as to how the patient advocates-were going to do the â systemic audits "without access to records or patients or have conversations with staff without individual releases specifying specific grievances." She answered tire query by stating, "I don't know how you're going to conduct audits if you have to do that.â . Finding it to be baseless, the trial court ordered the DHHR to dismiss its complaint. A .review of the complaint demonstrates that even the DHHR was dubious about the violation given its statement in the complaint that the "level of harmââ was unclear. . In contrast, there have been patient-initiated complaints since the DHHR imposed the new, limited access provisions. According to Legal Aid, the patients were frustrated by their inability to gain immediate access to the advocates, who were no longer permitted to freely roam the facilities where patients could easily seek them out when needed. . As Legal Aid observes, there is no greater risk posed by the patient advocates than by any of the Hospital employees who have access to patient records. . Disclosure is "the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information." 45 C.F.R. § 160.103 (2014). . The trial court ruled that Legal Aid is a âbusiness associateâ as set forth in its contract with the DHHR and also due to its receipt of protected health information for quality assurance, patient safety, and other health care operations. As discussed infra, the DHHR'S description of Legal Aid as a "business associateâ is neither controlling nor accurate. The review of protected health information as part of the provision of advocacy services at Sharpe and Bateman does not impel the conclusion that Legal Aid is a "business associate.â . The fact that the institutions may benefit from the provision of these auditing services does not *288 alter the wholly independent and individual-oriented nature of the advocacy actions at issue. . The Grant Agreement makes' clear that "'Business Associate shall have the meaning given to such term in 45 CFR § 160.103 .", , . The DHHR stated that boilerplate business associate addendums were regularly attached to all grant agreements, even when unnecessary, in an effort to comply with HIPAAV"stern mandate to have an agreement in place with any business associate.â . A-"health oversight agencyâ is defined as an agency or authority of the United States, a State, ...â'of a person or entity acting under a grant of authority from or contract with such public, agency, . -.. that is authorized by law to oversee the health care system ... or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. 45 C.F.R. § 164.501 (2014). .Sge Standards for Privacy of Inclividually Identifiable Health Information, 65 Fed. Reg. 82462 -01,82492., . The trial court looked additionally to the subsection permitting disclosure in the instance of incapacity when awaiting consent would materially and adversely impact an immediate enforcement activity. See 45 C.F.R. § 164.512 (c)(l)(iii)(B). . This annual analysis is required by HIPAA. . Analyses completed in 2013 and 2014 entitled West Virginia Health Care Privacy Laws and HIPPA Preemption Analysis for the DHHR conclude that our state regulations set forth in 64 C.S.R. § 59 are not preempted by HIPPA as our provisions are more stringent. The 2015 analysis reached the same conclusion. . See supra note 33. . See 65 Fed, Reg. 82462-01,82463. . See supra note 35. .Consistent with the trial courtâs directives, that access is subject to the right of patients to place limitations on the disclosure of their health information. . Actually, "HIPAA mandated the passage of comprehensive privacy legislation by Congress within three years, otherwise the Department of Health and Human Services was required to step in and create privacy regulations.â Guthrie, "Time Is Running Out," 12 Annals Health L. at 144.
[Dissent by Davis]
DAVIS, Justice, dissenting; In this proceeding, Legal Aid sought to force DHHR to continue to allow Legal Aid to have complete access to patient records, without patient consent, at the Bateman and Sharpe psychiatric facilities. Before this Court, DHHR argued that it was violating federal law, specifically HIPAA, when it previously authorized Legal Aid' to have complete access to patient "records without the consent of the patients. The circuit court and majority opinion disagreed with DHHR. The circuit court found that Legal Aid did not need patient consent to have unfettered access to patient records, because Legal Aid came under the following exceptions recognized by HIPAA: business associate, health oversight agency, health care operations, and legal requirement. The majority opinion correctly found that not one of the exceptions relied upon, by the trial court applied to Legal Aid. Rather than stopping there and reversing the circuit courtâs order, the majority opinion affirmed the circuit court on a different ground. With absolutely no legal analysis, the majority opinion determined that Legal Aid could have unfettered access to patient information because of the âmore stringentâ State law exception found under HIPAA As I will demonstrate below, if the majority opinion had performed but a scintilla of the legal analysis that is required to determine whether a State law is more stringent than HIPAA, it would have reversed the circuit courtâs order. Consequently, for the reasons set out below, I dissent. The Majority Decision Authorizes Legal Aid to Violate Federal Law Because of the arrogant and complete disregard of federal law by the majority opinion, I must start my dissent with a review of some basic legal principles. To begin, it has been noted that â[t]he preemption doctrine has its origin in the Supremacy Clause of the United States Constitution!;.]â Hartley Marine Corp. v. Mierke, 196 W.Va. 669, 673 , 474 S.E.2d 599, 603 (1996). See also Harrison v. Skyline Corp., 224 W.Va. 505, 510 , 686 S.E.2d 735, 740 (2009) (â[T]he preemption doctrine has. its roots in the supremacy clause of the United States Constitution and is based on the premise that federal law can supplant inconsistent state law.â). The Supremacy Clause of the federal constitution provides that the laws of the United States âshall be the supreme law of the Land; ... *293 anything in the Constitution or laws of any state to the Contrary notwithstanding.â U.S. Const. Art. VI, Cl. 2.We have recognized that â[t]he Supremacy Clause of the United States Constitution, Article VI, Clause 2, invalidates state laws that interfere with or are contrary to federal law.â Syl. pt. 1, Cutright v. Metropolitan Life Ins. Co., 201 W.Va. 50 , 491 S.E.2d 308 (1997). Pursuant to the Supremacy Clause, federal preemption of state law occurs if; (1) Congress expressly preempts state law; (2) Congress has completely supplanted state law in that field; (3) adhering to both state and federal law is not possible; or (4) state law impedes the achievement of the objectives of Congress; See Crosby v. Nat'l Foreign Trade Council, 530 U.S. 363, 372 , 120 S.Ct. 2288, 2293-94 , 147 L.Ed.2d 352 (2000). âAlthough Congressional intent is commonly the starting point for federal preemption analysis, the existence of an express preemption provision in a statute nullifies the need for further analysis.â Wade v. Vabnick-Wener, 922 F.Supp.2d 679, 686 (internal citations omitted). See also Syl. pt. 4, Morgan v. Ford Motor Co., 224 W.Va. 62 , 680 S.E.2d 77 (2009) (âWhĂ©n it is argued that a state law is preempted by a federal law, the focus of analysis is upon congressional intent. Preemption is compelled whether Congressâ command is explicitly stated in the statuteâs language or implicitly contained in its structure and purpose.â). HIPAA sets out an express preemption provision; therefore, no further analysis is necessary to discern Congressional intent. See Cipollone v. Liggett Grp., Inc., 505 U.S. 504, 517 , 112 S.Ct. 2608, 2618 , 120 L.Ed.2d 407 (1992) (âWhen Congress has considered .the issue of pre-emption and has included in the enacted legislation a provision explicitly addressing that issue, and when that provision provides a reliable indicium of congressional intent with respect to state authority, there is no need to infer congressional intent to pre-empt state laws from the substantive provisions of the legislation.... Therefore, we need only identify the domain expressly pre-empted by each of those sections.â (internal quotations and citations omitted)). Congress enacted HIPAA in 1996, in part, to protect the privacy of individually identifiable health information. See Jennifer Guthrie, âTime Is Running Out-The Burdens and Challenges of HIPAA Compliance: Aâ Look at Preemption Analysis, the âMinimum Necessaryâ Standard, and the Notice of PrivĂĄey Practices,â 12 Annals Health L. 143 , 146 (2003) (âThe main premise of HI-PAA is to protect individually identifiable health- information. This means that certain information will not be revealed without a patientâs express authorization, in an effort to'contain important information tĂł as few people a's possible.â). For purposes' of 'HI-PAA, 'protected hĂ©alth information âis any health information, oral or recorded, that is individually identifiable ĂĄnd transmitted or-maintained by a covered entity in any form or medium.â Holman v. Rasak, 486 Mich. 429, 435-36 , 785 N.W.2d 98, 102 (2010). The Secretary of Health and Human Services was directed by Congress to promulgate regulations setting privacy standards for health information. See Northwestern Memâl Hosp. v. Ashcroft, 362 F.3d 923, 924 (7th Cir.2004) (âSection 264 of HIPAA, 42 U.S.C. § 1320d ..., -directs the Secretary of Health and Human Services to promulgate regulations to protect the privacy of medical records!.]â). 1 In 2000, the Secretary responded by issuing the Standards for Privacy of Individually Identifiable Health Information, known as the âPrivacy Ruleâ and codified at 45 C.F.R. 160, 164. See Smith v. Am. Home Prods. Corp. Wyeth-Ayerst Pharm., 372 N.J.Super. 105 , 111 n. 2, 855 A.2d 608 , 612 n. 2 (2003) (âOn December 28, 2000, pursuant to a mandate under the âadr ministrative simplificationâ provisions of HI-PAA, the Department of Health and Human Services issued new standards for privacy of individually identifiable health information (IIHI) called âThe Final Privacy Ruleâ as published in the Federal Register.â). 2 Com *294 pliance with the Privacy.Rule was-not required until 2003. 3 See United States v. Sutherland, 143 F.Supp.2d 609, 612 (W.D.Va.2001) (âAlthough the Standards were effective April 14, 2001, compliance is not required until April 14, 2003.â). Specific to the case at hand, the Secretary promulgated a federal regulation on HIPAAâs preemptive effect. See Morgan v. Ford Motor Co., 224 W.Va. 62, 70 , 680 S.E.2d 77, 86 (2009) (â[T]he U.S. Supreme Court has recognized that an agency regulation with the force of law can explicitly or implicitly preempt conflicting state regulations.â). This regulation states that â[a] standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.â 45 C.F.R. § 160.203 . 4 See Natâl Abortion Fedân v. Ashcroft, No. 03 Civ. 8695 (RCC), 2004 WL 555701 , at *3 (S.D.N.Y., March 19, 2004) (âRecognizing that HIPAAâs privacy provisions' might differ from state regulations, Congress directed that all state laws contrary to the regulations promulgated by HHS be preempted, unless the state laws fall within the exception created by HI-PAA[.]â). It has been recognized that the' regulations ârestrict and define the ability of health plans, health care clearinghouses, and most health care providers to divulge patient medical records.â United States v. Sutherland, 143 F.Supp.2d 609, 612 (W.D.Va.2001). â[T]he intent of HIPAA is to ensure the integrity and confidentiality of patientsâ [medical] information and to protect against unauthorized uses or disclosures of the infor-mationf.]â In re Antonia E., 16 Misc.3d 637 , 838 N.Y.S.2d 872 , 874-75 (2007) (internal quotations and citations omitted). Under HIPAA, the general rule is that a covered entity may not use or disclose protected health information without a written authorization from the' individual. See 45 CFR 164.508. However, as recognized by the majority opinion, HIPAA enumerates several specific situations in which a covered entity may use or disclose protected health information without the written authorization of the individual. See Pal v. New York Univ., No. 06Civ.5892(BSJ)(FM), 2007 WL 1522618 , at *3 (S.D.N.Y. May 22, 2007) (âHIPAA permits the disclosure of âprotected health informar tionâ without a patientâs consent in a variety of circumstances.â). The majority opinion found that only one of HIPAAâs exceptions to the general privacy of health information applied to the facts of this case. 5 That exception involves a State law that is âmore stringentâ . than HIPAA. See 45 C.F.R. § 160.203 (b) (âThe provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E *295 of part 164 of this subchapter.â). That is, âcourts have recognized that HIPAA does not preempt âmore stringentâ privacy protections guaranteed under state law.â Pac. Radiation Oncology, LLC v. Queenâs Med. Ctr., 47 F.Supp.3d 1069, 1081 (D.Haw.2014). Accord Citizens for Health v. Leavitt, 428 F.3d 167, 174 (3d Cir.2005). The majority opinion reached the conclusion that our State law was more stringent than HIPAA without performing any legal analysis of this complex issue. The majority opinion, in a rather awkward way, merely pointed out that DHHR had annually âeon-clud[ed] that our state laws' set forth in 64 CSR § 59 are not preempted by HIPAA as our provisions are more stringent.â The majority opinion then went on to provide:' From the record submitted; in this' case, the protections set forth in Title 64, Series 59 have been determined to be more stringent than those required by federal law. Accordingly, our state regulations set forth in Title 64, Series 59 are not preempted by HIPAA. This was the sum total of how and why the majority opinion determined that our State law was more stringent than HIPAA. This total lack of analysis makes no sense.' It is illogical to rely on a general finding by DHHR that its regulations are more stringent than HIPAA, when DHHR already had realized its disclosureâs to Legal Aid violated HIPAA, and DHHR tried to correct the violation by asserting that no authority exists for Legal Aid to indiscriminately access patient information. More fundamĂ©ntally, the yard stick used by the majority opinion , to determine whether a State law is more stringent than HIPAA is absurd! â Under the majority opinionâs mind-boggling yardstick, all that any state must do to get around HIPAA is unilaterally proclaim that its laws are more stringent than HIPAA. Surely Congress did not mean for HIPAA and the Supremacy Clause to be defeated in such a self-serving manner. Indeed, as I will dem-onstete below, this absolutely was not what Congress intended. â[A] standard is more stringent if it provides greater privacy protection for the individual who is the subject of the individually identifiable health information than the standard set forth in the rules and regulations.â Bayne v. Provost, 359 F.Supp.2d 234, 237-38 (N.D.N.Y.2005) (internal quotations and citations omitted). See also Wade v. Vabnick-Wener, 922 F.Supp.2d 679, 686 (âTo meet the âmore stringentâ .requirement, a state law must âprovide greater protection for the individual who is the subject of the individually identifiable health informationâ than the standard set forth by HIPAA and its regulations.â). More importantly, it has been recognized that, under federal law, ââ[m]ore stringent,â as defined in 45 C.F.R. § 160.202 , means, that the state law meets any one of six criteria.â Law v. Zuckerman, 307 F.Supp.2d 705, 709 (D.Md.2004). See also Webb v. Smart Document Sols., LLC, 499 F.3d 1078, 1087 (9th Cir.2007) (ââMore stringentâ laws are defined.â). The six criteria under HIPAA that define âmore stringent,â have been summarized by the Fourth Circuit as follows: â [1] the state law prohibits or restricts a use or a disclosure of information where. HI-PAA would. allow it; [2] the state law provides an individual with greater-rights of access .or amendment to his medical information than provided under HIPAA; [3] the state law provides an individual vvith a greater amount of information about a use, a disclosure,, rights and remedies; [4] [state law -provides requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of .the circumstances surrounding the express legal permission of an individual to disclose information]; [5] the state law provides for the retention or reporting of more detailed information or for a longer duration; or [6] the state law provides greater privacy protection for the individual who is the subject of the individually identifiable health information. South Carolina Med. Assân v. Thompson, 327 F.3d 346, 355 (4th Cir.2003). Accord In re Antonia E., 838 N.Y.S.2d 872 , 876 (2007). Simply put, in order for a court to determine that a State law is more stringent than HIPAA, it must find that the'State law satisfies one of the six definitions of âmore stringentâ contained under 45 C.F.R. § 160.202 . *296 The majority opinion in this ease literally failed to even cite, let alone discuss, the mandatory six criteria set out under 45 C.F.R. § 160.202 . Ignoring the law, or pretending the law does not exist,- should not be a license to manipulate and corrupt the law. ' My research revealed that other courts called upon to decide whether a State law was more stringent than HIPAA have complied with federal law and applied the six criteria under 45 C.F.R. § 160.202 . For example, a case which examined all six criteria under 45 C.F.R. § 160.202 is State v. La Cava, No. CR060128258S, 2007 WL 1599888 (Conn.Super.Ct. May 17, 2007). In La Cava , the court was asked to decide whether a Connecticut statute, whieh authorized disclosure of patient information in a judicial proceeding and in certain other circumstances, was more stringent than HIPAA. The Connecticut statute allowed: (1) any patient who has been treated in a private hospital, public hospital society or corporation receiving state aid to, upon the demand, examine and/or copy her hospital record, including the history, bedside notes, charts, pictures and plates kept in connection with her treatment and authorize her physician or attorney to do the same; (2) a hospital, society or corporation that is served with a subpoena issued by competent authority directing the production of a hospital record to deliver such record or a copy thereof to the clerk of such court where it willâ remain sealed except upon the order of a judge of the court concerned; (S) any and all parts of the hospital record or copy that is not otherwise inadmissible to be admitted in evidence without the necessity of having a witness from the hospital identity the ârecords as ones kept in the usual course of business by the- hospital: La Cava, 2007 WL 1599888 , at *3. The decision in La Cava summarily applied the six criteria under 45 C.F.R; § 160.202 and determined that the Connecticut statute was not more stringent than HIPAA: In comparison to - [HIPAAâs require.ments for disclosures for judicial and ad.ministrative proceedings], [the state statute] does not: (1) prohibit or restrict a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under the federal rule; (2) permit greater rights of access or amendment to the individual who is the subject of the -individually identifiable health information; (3) provide -a greater amount of information to the individual who is the subject of â the individually identifiable health information about a use, a disclosure, rights, and remedies; (4) provide requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the need for express legal permission from the individual who is the subject of the individually identifiable health information with respect. to the form, substance, or the need for express legal permission; (5) provide for the retention or reporting of more detailed information or for a longer duration with respect to recordkeeping or requirements relating to accounting of disclosures; and (6) provide greater privacy protection for the individual who is the subject of the individually identifiable health information with respect to any other matter. Accordingly, the state statute is not more stringent than the federal regulation. Because [the state statute] is a contrary state law that is not, more stringent than the Privacy Rule, it is preempted in accordance with 45 C.F.R. § 160.203 (2007). La Cava , 2007 WL. 1599888, at *3. In U.S. ex rel. Stewart v. Louisiana Clinic, No. CivA. 99-1767, 2002 WL 31819130 (E.D.La. Dec. 12, 2002), the defendants attempted to prevent disclosure, of patient information in a judibial proceeding by invoking the protections of a Louisiana statute. The â disclosure was allowed under HIPAA, but was not, allowed under Louisiana law. The--opinion in Stewart framed the issue as follows: . . Defendants argue that HIPAA does not preempt Louisiana law concerning disclosure of nonparty patient records without patient consent_ Defendants focus solely on the âmore stringentâ,â -element of this -regulatory test and- on paragraph (4) of the .definition of *297 âmore stringent.â âMore stringentâ means a State law that meets one or more of the following criteria: ,â (4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable. Defendants argue that the Louisiana health care provider/patient privilege law is more stringent than the- federal regulations.- They contend that-the Louisiana statute increases the privacy protections afforded to individual patients by-requiring either patient consent for the disclosure or, in the absence of consent, that a âcourt shall, issue an order for the production and disclosure of a patientâs records ... only: after a contradictory hearing with the patient ... and after a finding by the court that the release of the lâequested information is proper.â Stewart, 2002 WL 31819130 , at *4-5. The court in Stewart found that, based upon the defendantsâ reliance solely on- the fourth criterion of 45 C.F.R. § 160.202 , Louisiana law was not more stringent than HIPAA: Defendantsâ argument fails because this provision of Louisiana law does not address âthe form, substance, or the need for express legal permission from an- individual,â as required by 45 O.F.R. § 160.202 for the exception to apply. Rather, the Louisiana statute provides-a way of negating the need for such permission. In other words, although the individual patient, may attend the contradictory hearing, the Louisiana provision states that the court shall issue an order for disclosure (despite the patientâs'lack of consent), if the court finds that release of the information is proper. Because the Louisiana statute does not fit within the exception from preemption cited by defendants, it is preempted by the HI-PAA regulations. Therefore, Louisiana law does not apply in this pure federal question case. Stewart, 2002 WL 31819130 , at *5. A case which illustrates a' State statute that was actually found to be more stringent than HIPAA is Wade v. Vabnick-Wener, 922 F.Supp.2d 679 . In Wade , the court was called upon to decide whether Tennesseeâs privacy law, oii ex parte communication with' a plaintiffs treating physician was more stringent than HIPPA The opinion relied upon âą the sixth' criterion of 45 C.F.R. § 160.202 .- That is, âa state law must âprovide greater protection for the individual who is the subject of the individually identifiable health informationâ than the standard set forth by HIPAA and its regulations.â Wade, 922 F.Supp.2d at 686 . The opinion determined that, based .upon the sixth criterion, Tennesseeâs law was more stringent than HIPAA: < . . It is therefore clear that Tennessee law is more stringent than HIPAAâs privacy rules concerning ex parte communications with health care providers. Absent a plaintiffs express consent, Tennessee law prohibits informal communications with the plaintiffs treating physician to obtain health information. On the contrary, HI-PAA only bars such communications prior to the entry of a qualified protective order. After the requisite protective order is entered, whether by â consent or over the plaintiffs objection, defendant is free to utilize informal discovery, including specifi.cally ex parte interviews, under HIPAA. Accordingly, because the laws of Tennessee are more stringent than HIPAA concerning defense counsels ability to make use of informal discovery methods, HIPAA does not preempt Tennesseeâs ban ori ex parte communications with a plaintiffs non-party treating physician. Wade, 922 F.Supp.2d at 691-92 . See Natâl Abortion Fedân v. Ashcroft, No. 04 C 55, 2004 WL 292079 , at *4 (N.D.Ill. Feb. 6, 2004) (âBecause -we find that Illinois law is more stringent than HIPAAâs disclosure requirements and that it would be impossible for Northwestern to comply with both Judge Caseyâs HIPAA-pursuant Order and various provisions of Illinois law, Illinoisâs nonparty *298 patient privacy laws ai'e not preempted by HIPAA and its subsequent regulations.â); Pal v. New York Univ., 2007 WL 1522618 , at *3 (âBecause New York law requires patient consent before disclosure and HIPAA provides for certain exceptions to that rule, New York law is more stringent.â); Tyson v. Warden, No. CV064001202, 2007 WL 4171583 , at *2 (Conn.Super.Ct. Nov. 6, 2007) (âIt is clear to this court that § 52-146k and 52-146o prohibit disclosure where the HIPAA regulation relied upon by the petitioner would allow it. Sections 52-146k and 52-146o provide greater protection of the victimâs private health information and are therefore not preempted by HIPAA.â); In re Antonia E., 838 N.Y.S.2d 872 , 876 (2007) (âUpon consideration of the physician-patient privilege and the broad provisions for court ordered disclosure under HIPAA, this Court finds that HIPAA provisions do not supersede New York law.â). The above cases clearly demonstrate that a court cannot determine that a State statute is more stringent' than HIPAA by relying solely on a state agencyâs statement that a particular state law is more stringent than HIPAA If that was true, as the majority opinion concludes, then there would have been no reason to define âmore stringentâ under 46 C.P.R. § 160.202. The term âmore stringentâ is defined for a purpose. That purpose, to me, is quite clear. The definition is designed to harrow the circumstances in which a state law may be categorized as more stringent than HIPAA. â[W]e are not free to rewrite HIPAAâs mandates; we are required to follow them.â Holman v. Rasak, 486 Mich. 429, 458 , 785 N.W.2d 98, 114 (2010) (Hathaway, J., dissenting). The majority opinion in this case has made a mockery of the unambiguous and mandatory language contained in 45 C.P.R. § 160.202. I can surmise only that the majority opinion ignored the law as dictated under 45 C.P.R. § 160.202 because it wanted to reach a result that simply could not be reached by following the law. A cursory review of what the relevant state law allowed in this case clearly shows that it was not more stringent than HIPAA. What should be clearly understood is that, for purposes of the âmore stringentâ requirement of HIPAA, âany state law providing greater privacy protection for the individual who is the. subject of the individually identifiable health information is a more stringent state law.â Natalie P. Weiss, âTo Release or Not to Release: An Analysis of the HIPAA Subpoena Exception,â 15 Mich. St. U.J. Med. & L. 253, 260 (2011) (emphasis added). This point needs, to be emphatically understoodâ the âmore, stringentâ requirement under HI-PAA. can never, be. satisfied by a State law that provides lesser privacy protection.. In this case, the majority opinion has indicated that the applicable state law is. found in 64 C.S.R. § 59-11,5.1.d, which provides: No written consent is necessary for employees of the department, comprehensive behavioral centers serving the client or advocates under contract with the department. In sum, this state regulation allows Legal Ad, as an âadvocate,â to have complete access to patient information without the consent of the patient. On its face, it is clear that this law does not provide greater privacy protection. Instead, it exposes all patient information to a private legal entity in the absence- of patient consent for either representation by the agency or the disclosure of their medical records to the agency. Itâ has correctly been observed that â[i]f state law can force disclosure without a court order, or the patientâs consent, it is not âmore stringentâ than the HIPAA regulations.â Law v. Zuckerman, 307 F.Supp.2d 705, 711 (D.Md.2004). Through a summary application of HIPAAâs she criteria, it -is clear that the state regulation at issue in this matter does not: (1) prohibit or restrict a use or a disclosure of information where HIPAA would allow it; (2) provide an individual with greater rights of access or amendment to his medical information than provided under HI-PAA; (3) provide an individual with a greater amount of information about a use, a disclosure, rights and remedies; (4) provide requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal *299 permission of an individual to disclose information; (5) provide for the retention or reporting of more detailed information or for a longer duration; or (6) provide greater privacy protection for the individual who is the subject of the individually identifiable health information. Insofar as the state regulation does not satisfy any of the above six factors contained in 45 C.F.R. § 160.202 , the state law is not more stringent than HIPAA. The majority knew this, and that is why its opinion completely ignored 45 C.F.R. § 160.202 . See In re Funderburke, No. 687-0026, 1988 WL 1607927 , at *4 (S.D.Ga. Jan. 18, 1988) (â[T]he record shows that the [majority] did nothing except to assume the position of an ostrich with its head in the sand and ignore [the law] which [was] readily available to itâ). Finally, I wish to point out that the majority opinion conceivably has opened the floodgates for civil litigation, because of the unlawful access it has given Legal Aid to patient hospital information. This Court recently held that â[c]ommon-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by the Health Insurance Portability and Accountability Act of 1996.â Syl. pt. 3, R.K. v. St. Maryâs Med. Ctr., Inc., 229 W.Va. 712 , 735 S.E.2d 715 (2012). If the majority opinion is not appealed to the United States Supreme Court, I have no doubt that civil law suits will follow in the wake of the misguided majority opinion. For the reasons so stated, I dissent. . It is important that I point out the significance of the year in whi.ch HIPAA was created, 1996, *294 and the date the Privacy Rule was created, 2000, because this will help explain the initial broad authority DHHR gave to Legal Aid. When the litigation originally began in this case, 1981, HI-PAA did not exist â no expansive patient privacy rights existed. It was in 1990, pre-HIPAA, that DHHR first contracted to have Legal Aid monitor patient health care services at Bateman and Sharpe. It was only after the creation of HIPAA that DHHR realized that, in order for Legal Aid to continue to have access to patient records without patient' consent, Legal Aid had to come under an exception to HIPAA. It appears that, initially, DHHR believed that Legal Aid came under the "business associateâ exception created by the Privacy Rule. The majority opinion acknowledged this fact in footnote 28. However, in 2014, an astute Privacy Officer at DHHR realized that it was permitting Legal Aid to violate HIPAA, because Legal Aid did not come under the "business associateâ exception to the privacy requirements. It was only after this determination, which even the majority opinion conceded was correct, that DHHR began requiring Legal Aid comply with HIPAA by obtaining patient consent before it could review patient records. There was nothing sinister in this, as was suggested by the majority opinion. DHHR simply was trying to comply with federal lawâ something the majority believes is not necessary in spite of the Supremacy Clause. . For ease in understanding, I will refer to HI-PAA and the Privacy Rule collectively as HIPAA. . The regulations define State law as "a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.â 45 C.F.R. § 160.202 , See Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1028 (S.D.Cal.2004). . I previously noted that the majority opinion correctly found that the exceptions for business associate, health, oversight agency, health care operations, and required by law did not apply. Case Information
- Court
- W. Va.
- Decision Date
- October 15, 2015
- Status
- Precedential