Those familiar with the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule are aware that health care providers must take steps to avoid the improper disclosure of their patients’ Protected Health Information (PHI). For two decades, medical providers in Ohio seeking to comply with patient privacy laws have dealt with tension between federal regulation of PHI under HIPAA and state common law. Ohio’s common law sets stricter standards and allows for a private right of action by patients for unauthorized disclosure of their PHI – which HIPAA does not provide for – under the doctrine of Biddle v. Warren General Hospital.[1] On December 15, 2020, a decision issued by the Supreme Court of Ohio, consisting of four separate opinions, brought some clarity to the situation, but practical guidance on how to avoid a privacy-based lawsuit remains murky at best.

In Menorah Park Center for Senior Living v. Rolston,[2] a skilled nursing facility sought to collect a medical debt from a former patient by filing a complaint in small claims court. To comply with Ohio Civil Rule 10(D)(1), which requires a plaintiff to attach a copy of the bill to any complaint seeking to collect a debt, the facility, Menorah Park, attached a copy of the patient’s medical bill to its complaint. The bill contained the medical provider’s name and address, the patient’s name and address, the dates on which services were provided, billing and procedure codes, a description of the general category of services provided (e.g., “PT-MANUAL THERAPY”), and the amounts charged, paid, and due. The bill was not redacted in any way.

The defendant, Irene Rolston, responded to Menorah Park’s complaint by filing a counterclaim under the Biddle doctrine, alleging that the facility violated her privacy rights by committing an unauthorized, unprivileged disclosure of her nonpublic medical information that was located on the bill. More significantly, she sought to have the court certify her complaint as a class action, alleging that the facility had subjected hundreds of similarly situated patients to its practice of attaching unredacted medical bills to debt-collection proceedings. Rolston sought nearly $4 million in damages.[3] The trial court granted the facility’s Rule 12(B)(6) motion to dismiss the counterclaim, but the Eighth District Court of Appeals reversed, ruling that a question of fact existed as to whether the facility used the minimum amount of Rolston’s information necessary to achieve its purpose.

In its appeal to the Ohio Supreme Court, Menorah Park argued that HIPAA conflicts with, and thus preempts, Biddle because HIPAA explicitly disallows a private right of action for the improper disclosure of PHI. In supplemental briefing, Menorah Park further urged the Court to overturn Biddle, arguing that the HIPAA Privacy Rule, which was released shortly after Biddle was decided, provides a comprehensive framework for protecting patient data that renders Biddle unnecessary. Two justices (Fischer and DeWine) agreed that Biddle was no longer necessary and should be overturned; however, the other five justices held that Biddle is compatible with HIPAA because, by providing patients with a private right of action, “Biddle enhances the protection of confidentiality of medical information” and therefore complements, rather than conflicts, with HIPAA. Thus, the Biddle doctrine remains alive in Ohio common law.

That said, the Court’s majority on this issue noted that Biddle and its progeny recognize that situations exist where an unauthorized disclosure of confidential medical information is nevertheless permissible. The Court then looked to the HIPAA Privacy Rule for guidance as to whether the exception applied here, all the while emphasizing that doing so does not amount to creating a private right of action under HIPAA.

Among its many regulations, HIPAA makes a limited exception for disclosure of PHI for purposes of “treatment, payment, or health care operations” with the caveat that “[w]hen using or disclosing protected health information … a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”[4] Guided in part by this element of HIPAA, all five of the justices who agreed to leave Biddle in place also agreed that the use or disclosure of PHI for purposes of obtaining payment for medical services constitutes a qualified privilege that precludes any liability under Biddle. These five justices further stated that this qualified privilege applies when an invoice for medical services is attached to a complaint in a collections lawsuit, as long as the information disclosed on that invoice is limited to the “minimum necessary” to obtain payment.

Despite their agreement on the qualified privilege generally, the justices could not agree on whether Menorah Park satisfied the minimum necessary standard. Justices Kennedy and French concluded the facility met the standard, stating that the invoice disclosing “the medical provider’s name and address, the patient’s name and address, the dates on which services were provided, billing or procedure codes, a description of the general category of services provided, and the amounts charged, paid, and due” was the minimum necessary. Justice Donnelly concluded the opposite, writing that references to “therapy” exceeded the minimum necessary to file a sufficient complaint; for him, “an utterly generic phrase such as ‘services rendered’ and the date the services were rendered” would have sufficed. Chief Justice O’Connor and Justice Stewart reached an even different conclusion and would have remanded the case to the trial court for it to determine whether Menorah Park’s disclosures on the invoice satisfied the minimum necessary standard under the newly announced qualified privilege. In doing so, they noted that Menorah Park did not redact the medical bill in any way, and thus they were “at a loss for what ‘reasonable efforts’” the facility made to limit disclosure of Rolston’s PHI.

Notwithstanding the fractured nature of the Court’s ruling, Menorah Park ultimately won the day. With Justices Fischer and DeWine advocating for an end to Biddle and Justices Kennedy and French finding that the facility met the minimum necessary standard, Menorah Park cobbled together the four votes necessary to affirm the trial court’s dismissal.

For the broader health care community, however, precise clarity remains elusive. While Rolston makes clear that Biddle claims survive and coexist with HIPAA, ambiguity remains as to what PHI may be publicly disclosed when a health care provider seeks to collect a medical debt. True, the HIPAA Privacy Rule serves as a useful guide as to what constitutes “reasonable efforts” to disclose the “minimum necessary” PHI. Equally true, a health care provider would likely fail the minimum necessary standard if it publicly filed documents disclosing diagnoses or prognoses, notes from doctors or therapists, information about specific body parts or specific medical conditions, detailed medical records, or personally identifiable information other than a patient’s name and home address.

But until there is further clarity on the minimum necessary standard, either from the Ohio Supreme Court or from federal regulators, health care providers should proceed cautiously. Any decisions as to what information is minimally necessary should be made with the guidance of counsel and should weigh heavily a patient’s privacy interests. Also, parties to debt-collection litigation should look to the local rules of court before filing public documents that include either PHI or personally identifiable information. Many local rules contain specific instructions on redacting personal information, and any disputes over whether sufficient account information was attached to a complaint can be addressed via in camera inspection. In the wake of Rolston, discretion is the better part of valor.

This Client Alert has been prepared by Tucker Ellis LLP for the use of our clients. Although prepared by professionals, it should not be used as a substitute for legal counseling in specific situations. Readers should not act upon the information contained herein without professional guidance.