W. Va. Dept. of Health and Human Resources/Behavioral Health v. E.H. (2015)


  • No. 14-0965 - West Virginia Department of Health and Human Resources, Bureau for
    Behavioral Health and Health Facilities v. E.H., et al.
    FILED October 22, 2015
    RORY L. PERRY II, CLERK
    SUPREME COURT OF APPEALS OF WEST VIRGINIA
    Davis, Justice, dissenting:
    In this proceeding, Legal Aid sought to force DHHR to continue to allow Legal
    Aid to have complete access to patient records, without patient consent, at the Bateman and
    Sharpe psychiatric facilities. Before this Court, DHHR argued that it was violating federal
    law, specifically HIPAA, when it previously authorized Legal Aid to have complete access
    to patient records without the consent of the patients. The circuit court and majority opinion
    disagreed with DHHR. The circuit court found that Legal Aid did not need patient consent
    to have unfettered access to patient records, because Legal Aid came under the following
    exceptions recognized by HIPAA: business associate, health oversight agency, health care
    operations, and legal requirement. The majority opinion correctly found that not one of the
    exceptions relied upon by the trial court applied to Legal Aid. Rather than stopping there and
    reversing the circuit court’s order, the majority opinion affirmed the circuit court on a
    different ground. With absolutely no legal analysis, the majority opinion determined that
    Legal Aid could have unfettered access to patient information because of the “more
    stringent” State law exception found under HIPAA.
    As I will demonstrate below, if the majority opinion had performed but a
    scintilla of the legal analysis that is required to determine whether a State law is more
    stringent than HIPAA, it would have reversed the circuit court’s order. Consequently, for
    the reasons set out below, I dissent.
    The Majority Decision Authorizes Legal Aid to Violate Federal Law
    Because of the arrogant and complete disregard of federal law by the majority
    opinion, I must start my dissent with a review of some basic legal principles. To begin, it has
    been noted that “[t]he preemption doctrine has its origin in the Supremacy Clause of the
    United States Constitution[.]” Hartley Marine Corp. v. Mierke, 196 W. Va. 669, 673,
    474 S.E.2d 599, 603 (1996). See also Harrison v. Skyline Corp., 224 W. Va. 505, 510,
    686 S.E.2d 735, 740 (2009) (“[T]he preemption doctrine has its roots in the supremacy clause of
    the United States Constitution and is based on the premise that federal law can supplant
    inconsistent state law.”). The Supremacy Clause of the federal constitution provides that the
    laws of the United States “shall be the supreme law of the Land; . . . anything in the
    Constitution or laws of any state to the Contrary notwithstanding.” U.S. Const. Art. VI, Cl.
    2. We have recognized that “[t]he Supremacy Clause of the United States Constitution,
    Article VI, Clause 2, invalidates state laws that interfere with or are contrary to federal law.”
    Syl. pt. 1, Cutright v. Metropolitan Life Ins. Co., 201 W. Va. 50, 491 S.E.2d 308 (1997).
    Pursuant to the Supremacy Clause, federal preemption of state law occurs if: (1) Congress
    expressly preempts state law; (2) Congress has completely supplanted state law in that field;
    (3) adhering to both state and federal law is not possible; or (4) state law impedes the
    achievement of the objectives of Congress. See Crosby v. Nat’l Foreign Trade Council,
    530 U.S. 363, 372, 120 S. Ct. 2288, 2293-94, 147 L. Ed. 2d 352 (2000). “Although
    Congressional intent is commonly the starting point for federal preemption analysis, the
    existence of an express preemption provision in a statute nullifies the need for further
    analysis.” Wade v. Vabnick-Wener, 922 F. Supp. 2d 679, 686 (internal citations omitted).
    See also Syl. pt. 4, Morgan v. Ford Motor Co., 224 W. Va. 62, 680 S.E.2d 77 (2009) (“When
    it is argued that a state law is preempted by a federal law, the focus of analysis is upon
    congressional intent. Preemption is compelled whether Congress’ command is explicitly
    stated in the statute’s language or implicitly contained in its structure and purpose.”).
    HIPAA sets out an express preemption provision; therefore, no further analysis is necessary
    to discern Congressional intent. See Cipollone v. Liggett Grp., Inc., 505 U.S. 504, 517,
    112 S. Ct. 2608, 2618, 120 L. Ed. 2d 407 (1992) (“When Congress has considered the issue of
    pre-emption and has included in the enacted legislation a provision explicitly addressing that
    issue, and when that provision provides a reliable indicium of congressional intent with
    respect to state authority, there is no need to infer congressional intent to pre-empt state laws
    from the substantive provisions of the legislation. . . . Therefore, we need only identify the
    domain expressly pre-empted by each of those sections.” (internal quotations and citations
    omitted)).
    Congress enacted HIPAA in 1996, in part, to protect the privacy of individually
    identifiable health information. See Jennifer Guthrie, “Time Is Running Out–The Burdens
    and Challenges of HIPAA Compliance: A Look at Preemption Analysis, the ‘Minimum
    Necessary’ Standard, and the Notice of Privacy Practices,” 12 Annals Health L. 143, 146
    (2003) (“The main premise of HIPAA is to protect individually identifiable health
    information. This means that certain information will not be revealed without a patient’s
    express authorization, in an effort to contain important information to as few people as
    possible.”). For purposes of HIPAA, protected health information “is any health information,
    oral or recorded, that is individually identifiable and transmitted or maintained by a covered
    entity in any form or medium.” Holman v. Rasak, 486 Mich. 429, 435-36, 785 N.W.2d 98,
    102 (2010). The Secretary of Health and Human Services was directed by Congress to
    promulgate regulations setting privacy standards for health information. See Northwestern
    Mem’l Hosp. v. Ashcroft, 362 F.3d 923, 924 (7th Cir. 2004) (“Section 264 of HIPAA, 42
    U.S.C. § 1320d . . . , directs the Secretary of Health and Human Services to promulgate
    regulations to protect the privacy of medical records[.]”).1 In 2000, the Secretary
    responded by issuing the Standards for Privacy of Individually Identifiable Health
    Information, known as the “Privacy Rule” and codified at 45 C.F.R. 160, 164. See Smith v.
    Am. Home Prods. Corp. Wyeth-Ayerst Pharm., 372 N.J. Super. 105, 111 n.2, 855 A.2d 608,
    612 n.2 (2003) (“On December 28, 2000, pursuant to a mandate under the ‘administrative
    simplification’ provisions of HIPAA, the Department of Health and Human Services issued
    1 Actually, “HIPAA mandated the passage of comprehensive privacy legislation
    by Congress within three years, otherwise the Department of Health and Human Services
    was required to step in and create privacy regulations.” Guthrie, “Time Is Running Out,” 12
    Annals Health L. at 144.
    new standards for privacy of individually identifiable health information (IIHI) called ‘The
    Final Privacy Rule’ as published in the Federal Register.”).2 Compliance with the Privacy
    Rule was not required until 2003.3 See United States v. Sutherland, 143 F. Supp. 2d 609,
    612 (W.D. Va. 2001) (“Although the Standards were effective April 14, 2001, compliance
    is not required until April 14, 2003.”). Specific to the case at hand, the Secretary
    promulgated a federal regulation on HIPAA’s preemptive effect. See Morgan v. Ford Motor
    Co., 224 W. Va. 62, 70, 680 S.E.2d 77, 85 (2009) (“[T]he U.S. Supreme Court has
    recognized that an agency regulation with the force of law can explicitly or implicitly
    preempt conflicting state regulations.”). This regulation states that “[a] standard,
    2 It is important that I point out the significance of the year in which HIPAA
    was created, 1996, and the date the Privacy Rule was created, 2000, because this will help
    explain the initial broad authority DHHR gave to Legal Aid. When the litigation originally
    began in this case, 1981, HIPAA did not exist–no expansive patient privacy rights existed.
    It was in 1990, pre-HIPAA, that DHHR first contracted to have Legal Aid monitor patient
    health care services at Bateman and Sharpe. It was only after the creation of HIPAA that
    DHHR realized that, in order for Legal Aid to continue to have access to patient records
    without patient consent, Legal Aid had to come under an exception to HIPAA. It appears
    that, initially, DHHR believed that Legal Aid came under the “business associate” exception
    created by the Privacy Rule. The majority opinion acknowledged this fact in footnote 28.
    However, in 2014, an astute Privacy Officer at DHHR realized that it was permitting Legal
    Aid to violate HIPAA, because Legal Aid did not come under the “business associate”
    exception to the privacy requirements. It was only after this determination, which even the
    majority opinion conceded was correct, that DHHR began requiring Legal Aid comply with
    HIPAA by obtaining patient consent before it could review patient records. There was
    nothing sinister in this, as was suggested by the majority opinion. DHHR simply was trying
    to comply with federal law–something the majority believes is not necessary in spite of the
    Supremacy Clause.
    3 For ease in understanding, I will refer to HIPAA and the Privacy Rule
    collectively as HIPAA.
    requirement, or implementation specification adopted under this subchapter that is contrary
    to a provision of State law preempts the provision of State law.” 45 C.F.R. § 160.203.4 See
    Nat’l Abortion Fed’n v. Ashcroft, No. 03 Civ. 8695(RCC), 2004 WL 555701, at *3 (S.D.N.Y.
    March 19, 2004) (“Recognizing that HIPAA’s privacy provisions might differ from state
    regulations, Congress directed that all state laws contrary to the regulations promulgated by
    HHS be preempted, unless the state laws fall within the exception created by HIPAA[.]”).
    It has been recognized that the regulations “restrict and define the ability of health plans,
    health care clearinghouses, and most health care providers to divulge patient medical
    records.” United States v. Sutherland, 143 F. Supp. 2d 609, 612 (W.D. Va. 2001).
    “[T]he intent of HIPAA is to ensure the integrity and confidentiality of
    patients’ [medical] information and to protect against unauthorized uses or disclosures of the
    information[.]” In re Antonia E., 838 N.Y.S.2d 872, 874-75 (2007) (internal quotations and
    citations omitted). Under HIPAA, the general rule is that a covered entity may not use or
    disclose protected health information without a written authorization from the individual.
    See 45 CFR 164.508. However, as recognized by the majority opinion, HIPAA enumerates
    several specific situations in which a covered entity may use or disclose protected health
    information without the written authorization of the individual. See Pal v. New York Univ.,
    4 The regulations define State law as “a constitution, statute, regulation, rule,
    common law, or other State action having the force and effect of law.” 45 C.F.R. § 160.202.
    See Crenshaw v. MONY Life Ins. Co., 318 F. Supp.2d 1015, 1028 (S.D. Cal.2004).
    No. 06Civ.5892 (BSJ)(FM), 2007 WL 1522618, at *3 (S.D.N.Y. May 22, 2007) (“HIPAA
    permits the disclosure of ‘protected health information’ without a patient’s consent in a
    variety of circumstances.”). The majority opinion found that only one of HIPAA’s
    exceptions to the general privacy of health information applied to the facts of this case.5
    That exception involves a State law that is “more stringent” than HIPAA. See
    45 C.F.R. § 160.203(b) (“The provision of State law relates to the privacy of individually identifiable
    health information and is more stringent than a standard, requirement, or implementation
    specification adopted under subpart E of part 164 of this subchapter.”). That is, “courts have
    recognized that HIPAA does not preempt ‘more stringent’ privacy protections guaranteed
    under state law.” Pac. Radiation Oncology, LLC v. Queen’s Med. Ctr., 47 F. Supp. 3d 1069,
    1081 (D. Haw. 2014). Accord Citizens for Health v. Leavitt, 428 F.3d 167, 174 (3d Cir.
    2005).
    The majority opinion reached the conclusion that our State law was more
    stringent than HIPAA without performing any legal analysis of this complex issue. The
    majority opinion, in a rather awkward way, merely pointed out that DHHR had annually
    “conclud[ed] that our state laws set forth in 64 CSR § 59 are not preempted by HIPAA as our
    provisions are more stringent.” The majority opinion then went on to provide:
    5 I previously noted that the majority opinion correctly found that the exceptions
    for business associate, health oversight agency, health care operations, and required by law
    did not apply.
    From the record submitted in this case, the protections set forth in Title 64,
    Series 59 have been determined to be more stringent than those required by
    federal law. Accordingly, our state regulations set forth in Title 64, Series 59
    are not preempted by HIPAA.
    This was the sum total of how and why the majority opinion determined that our State law
    was more stringent than HIPAA. This total lack of analysis makes no sense. It is illogical
    to rely on a general finding by DHHR that its regulations are more stringent than HIPAA,
    when DHHR already had realized its disclosures to Legal Aid violated HIPAA, and DHHR
    tried to correct the violation by asserting that no authority exists for Legal Aid to
    indiscriminately access patient information. More fundamentally, the yardstick used by the
    majority opinion to determine whether a State law is more stringent than HIPAA is absurd!
    Under the majority opinion’s mind-boggling yardstick, all that any state must do to get
    around HIPAA is unilaterally proclaim that its laws are more stringent than HIPAA. Surely
    Congress did not mean for HIPAA and the Supremacy Clause to be defeated in such a self-
    serving manner. Indeed, as I will demonstrate below, this absolutely was not what Congress
    intended.
    “[A] standard is more stringent if it provides greater privacy protection for the
    individual who is the subject of the individually identifiable health information than the
    standard set forth in the rules and regulations.” Bayne v. Provost, 359 F. Supp. 2d 234,
    237-38 (N.D.N.Y. 2005) (internal quotations and citations omitted). See also Wade v.
    Vabnick-Wener, 922 F. Supp. 2d 679, 686 (“To meet the ‘more stringent’ requirement, a state
    law must ‘provide greater protection for the individual who is the subject of the individually
    identifiable health information’ than the standard set forth by HIPAA and its regulations.”).
    More importantly, it has been recognized that, under federal law, “‘[m]ore stringent,’ as
    defined in 45 C.F.R. § 160.202, means, that the state law meets any one of six criteria.” Law
    v. Zuckerman, 307 F. Supp. 2d 705, 709 (D. Md. 2004). See also Webb v. Smart Document
    Sols., LLC, 499 F.3d 1078, 1087 (9th Cir. 2007) (“‘More stringent’ laws are defined.”). The
    six criteria under HIPAA that define “more stringent,” have been summarized by the Fourth
    Circuit as follows:
    [1] the state law prohibits or restricts a use or a disclosure of information
    where HIPAA would allow it; [2] the state law provides an individual with
    greater rights of access or amendment to his medical information than
    provided under HIPAA; [3] the state law provides an individual with a greater
    amount of information about a use, a disclosure, rights and remedies; [4] [state
    law provides requirements that narrow the scope or duration, increase the
    privacy protections afforded, or reduce the coercive effect of the circumstances
    surrounding the express legal permission of an individual to disclose
    information]; [5] the state law provides for the retention or reporting of more
    detailed information or for a longer duration; or [6] the state law provides
    greater privacy protection for the individual who is the subject of the
    individually identifiable health information.
    South Carolina Med. Ass’n v. Thompson, 327 F.3d 346, 355 (4th Cir. 2003). Accord In re
    Antonia E., 838 N.Y.S.2d 872, 876 (2007).
    Simply put, in order for a court to determine that a State law is more stringent
    than HIPAA, it must find that the State law satisfies one of the six definitions of “more
    stringent” contained under 45 C.F.R. § 160.202. The majority opinion in this case literally
    failed to even cite, let alone discuss, the mandatory six criteria set out under 45 C.F.R.
    § 160.202. Ignoring the law, or pretending the law does not exist, should not be a license to
    manipulate and corrupt the law.
    My research revealed that other courts called upon to decide whether a State
    law was more stringent than HIPAA have complied with federal law and applied the six
    criteria under 45 C.F.R. § 160.202. For example, a case which examined all six criteria under
    45 C.F.R. § 160.202 is State v. La Cava, No. CR060128258S, 2007 WL 1599888
    (Conn. Super. Ct. May 17, 2007). In La Cava, the court was asked to decide whether a
    Connecticut statute, which authorized disclosure of patient information in a judicial
    proceeding and in certain other circumstances, was more stringent than HIPAA. The
    Connecticut statute allowed:
    (1) any patient who has been treated in a private hospital, public
    hospital society or corporation receiving state aid to, upon the
    demand, examine and/or copy her hospital record, including the
    history, bedside notes, charts, pictures and plates kept in
    connection with her treatment and authorize her physician or
    attorney to do the same; (2) a hospital, society or corporation
    that is served with a subpoena issued by competent authority
    directing the production of a hospital record to deliver such
    record or a copy thereof to the clerk of such court where it will
    remain sealed except upon the order of a judge of the court
    concerned; (3) any and all parts of the hospital record or copy
    that is not otherwise inadmissible to be admitted in evidence
    without the necessity of having a witness from the hospital
    identify the records as ones kept in the usual course of business
    by the hospital.
    La Cava, 2007 WL 1599888, at *3. The decision in La Cava summarily applied the six
    criteria under 45 C.F.R. § 160.202 and determined that the Connecticut statute was not more
    stringent than HIPAA:
    In comparison to [HIPAA’s requirements for disclosures
    for judicial and administrative proceedings], [the state statute]
    does not: (1) prohibit or restrict a use or disclosure in
    circumstances under which such use or disclosure otherwise
    would be permitted under the federal rule; (2) permit greater
    rights of access or amendment to the individual who is the
    subject of the individually identifiable health information; (3)
    provide a greater amount of information to the individual who
    is the subject of the individually identifiable health information
    about a use, a disclosure, rights, and remedies; (4) provide
    requirements that narrow the scope or duration, increase the
    privacy protections afforded, or reduce the coercive effect of the
    circumstances surrounding the need for express legal permission
    from the individual who is the subject of the individually
    identifiable health information with respect to the form,
    substance, or the need for express legal permission; (5) provide
    for the retention or reporting of more detailed information or for
    a longer duration with respect to recordkeeping or requirements
    relating to accounting of disclosures; and (6) provide greater
    privacy protection for the individual who is the subject of the
    individually identifiable health information with respect to any
    other matter. Accordingly, the state statute is not more stringent
    than the federal regulation.
    Because [the state statute] is a contrary state law that is
    not more stringent than the Privacy Rule, it is preempted in
    accordance with 45 C.F.R. § 160.203 (2007).
    La Cava, 2007 WL 1599888, at *3.
    In U.S. ex rel. Stewart v. Louisiana Clinic, No. CivA. 99-1767, 2002 WL 31819130
    (E.D. La. Dec. 12, 2002), the defendants attempted to prevent disclosure of patient
    information in a judicial proceeding by invoking the protections of a Louisiana statute. The
    disclosure was allowed under HIPAA, but was not allowed under Louisiana law. The
    opinion in Stewart framed the issue as follows:
    Defendants argue that HIPAA does not preempt
    Louisiana law concerning disclosure of nonparty patient records
    without patient consent. . . .
    Defendants focus solely on the “more stringent” element
    of this regulatory test and on paragraph (4) of the definition of
    “more stringent.” “More stringent” means a State law that meets
    one or more of the following criteria: . . .
    (4) With respect to the form, substance, or the need for express
    legal permission from an individual, who is the subject of the
    individually identifiable health information, for use or disclosure
    of individually identifiable health information, provides
    requirements that narrow the scope or duration, increase the
    privacy protections afforded (such as by expanding the criteria
    for), or reduce the coercive effect of the circumstances
    surrounding the express legal permission, as applicable.
    Defendants argue that the Louisiana health care
    provider/patient privilege law is more stringent than the federal
    regulations. They contend that the Louisiana statute increases
    the privacy protections afforded to individual patients by
    requiring either patient consent for the disclosure or, in the
    absence of consent, that a “court shall, issue an order for the
    production and disclosure of a patient’s records . . . only: after
    a contradictory hearing with the patient . . . and after a finding
    by the court that the release of the requested information is
    proper.”
    Stewart, 2002 WL 31819130, at *4-5. The court in Stewart found that, based upon the
    defendants’ reliance solely on the fourth criterion of 45 C.F.R. § 160.202, Louisiana law was
    not more stringent than HIPAA:
    Defendants’ argument fails because this provision of
    Louisiana law does not address “the form, substance, or the need
    for express legal permission from an individual,” as required by
    45 C.F.R. § 160.202 for the exception to apply. Rather, the
    Louisiana statute provides a way of negating the need for such
    permission. In other words, although the individual patient may
    attend the contradictory hearing, the Louisiana provision states
    that the court shall issue an order for disclosure (despite the
    patient’s lack of consent), if the court finds that release of the
    information is proper. Because the Louisiana statute does not fit
    within the exception from preemption cited by defendants, it is
    preempted by the HIPAA regulations. Therefore, Louisiana law
    does not apply in this pure federal question case.
    Stewart, 2002 WL 31819130, at *5.
    A case which illustrates a State statute that was actually found to be more
    stringent than HIPAA is Wade v. Vabnick-Wener, 922 F. Supp. 2d 679. In Wade, the court
    was called upon to decide whether Tennessee’s privacy law, on ex parte communication with
    a plaintiff’s treating physician was more stringent than HIPAA. The opinion relied upon the
    sixth criterion of 45 C.F.R. § 160.202. That is, “a state law must ‘provide greater protection
    for the individual who is the subject of the individually identifiable health information’ than
    the standard set forth by HIPAA and its regulations.” Wade, 922 F. Supp. 2d at 686. The
    opinion determined that, based upon the sixth criterion, Tennessee’s law was more stringent
    than HIPAA:
    It is therefore clear that Tennessee law is more stringent
    than HIPAA’s privacy rules concerning ex parte
    communications with health care providers. Absent a plaintiff's
    express consent, Tennessee law prohibits informal
    communications with the plaintiff’s treating physician to obtain
    health information. On the contrary, HIPAA only bars such
    communications prior to the entry of a qualified protective
    order. After the requisite protective order is entered, whether by
    consent or over the plaintiff’s objection, defendant is free to
    utilize informal discovery, including specifically ex parte
    interviews, under HIPAA.
    Accordingly, because the laws of Tennessee are more
    stringent than HIPAA concerning defense counsels ability to
    make use of informal discovery methods, HIPAA does not
    preempt Tennessee’s ban on ex parte communications with a
    plaintiff’s non-party treating physician.
    Wade, 922 F. Supp. 2d at 691-92. See Nat’l Abortion Fed’n v. Ashcroft, No. 04 C 55,
    2004 WL 292079, at *4 (N.D. Ill. Feb. 6, 2004) (“Because we find that Illinois law is more
    stringent than HIPAA’s disclosure requirements and that it would be impossible for
    Northwestern to comply with both Judge Casey’s HIPAA-pursuant Order and various
    provisions of Illinois law, Illinois’s nonparty patient privacy laws are not preempted by
    HIPAA and its subsequent regulations.”); Pal v. New York Univ., 2007 WL 1522618, at *3
    (“Because New York law requires patient consent before disclosure and HIPAA provides for
    certain exceptions to that rule, New York law is more stringent.”); Tyson v. Warden, No.
    CV064001202, 2007 WL 4171583, at *2 (Conn. Super. Ct. Nov. 5, 2007) (“It is clear to this
    court that § 52-146k and 52-146o prohibit disclosure where the HIPAA regulation relied
    upon by the petitioner would allow it. Sections 52-146k and 52-146o provide greater
    protection of the victim’s private health information and are therefore not preempted by
    HIPAA.”); In re Antonia E., 838 N.Y.S.2d 872, 876 (2007) (“Upon consideration of the
    physician-patient privilege and the broad provisions for court ordered disclosure under
    HIPAA, this Court finds that HIPAA provisions do not supersede New York law.”).
    The above cases clearly demonstrate that a court cannot determine that a State
    statute is more stringent than HIPAA by relying solely on a state agency’s statement that a
    particular state law is more stringent than HIPAA. If that was true, as the majority opinion
    concludes, then there would have been no reason to define “more stringent” under 45 C.F.R.
    § 160.202. The term “more stringent” is defined for a purpose. That purpose, to me, is quite
    clear. The definition is designed to narrow the circumstances in which a state law may be
    categorized as more stringent than HIPAA. “[W]e are not free to rewrite HIPAA’s mandates;
    we are required to follow them.” Holman v. Rasak, 486 Mich. 429, 458, 785 N.W.2d 98, 114
    (2010) (Hathaway, J., dissenting). The majority opinion in this case has made a mockery of
    the unambiguous and mandatory language contained in 45 C.F.R. § 160.202.
    I can surmise only that the majority opinion ignored the law as dictated under
    45 C.F.R. § 160.202 because it wanted to reach a result that simply could not be reached by
    following the law. A cursory review of what the relevant state law allowed in this case
    clearly shows that it was not more stringent than HIPAA.
    What should be clearly understood is that, for purposes of the “more stringent”
    requirement of HIPAA, “any state law providing greater privacy protection for the individual
    who is the subject of the individually identifiable health information is a more stringent state
    law.” Natalie F. Weiss, “To Release or Not to Release: An Analysis of the HIPAA Subpoena
    Exception,” 15 Mich. St. U. J. Med. & L. 253, 260 (2011) (emphasis added). This point
    needs to be emphatically understood–the “more stringent” requirement under HIPAA can
    never be satisfied by a State law that provides lesser privacy protection. In this case, the
    majority opinion has indicated that the applicable state law is found in 64 C.S.R.
    § 59-11-5.1.d, which provides:
    No written consent is necessary for employees of the
    department, comprehensive behavioral centers serving the client
    or advocates under contract with the department.
    In sum, this state regulation allows Legal Aid, as an “advocate,” to have complete access to
    patient information without the consent of the patient. On its face, it is clear that this law
    does not provide greater privacy protection. Instead, it exposes all patient information to a
    private legal entity in the absence of patient consent for either representation by the agency
    or the disclosure of their medical records to the agency.
    It has correctly been observed that “[i]f state law can force disclosure without
    a court order, or the patient’s consent, it is not ‘more stringent’ than the HIPAA regulations.”
    Law v. Zuckerman, 307 F. Supp. 2d 705, 711 (D. Md. 2004). Through a summary
    application of HIPAA’s six criteria, it is clear that the state regulation at issue in this matter
    does not: (1) prohibit or restrict a use or a disclosure of information where HIPAA would
    allow it; (2) provide an individual with greater rights of access or amendment to his medical
    information than provided under HIPAA; (3) provide an individual with a greater amount of
    information about a use, a disclosure, rights and remedies; (4) provide requirements that
    narrow the scope or duration, increase the privacy protections afforded, or reduce the
    coercive effect of the circumstances surrounding the express legal permission of an
    individual to disclose information; (5) provide for the retention or reporting of more detailed
    information or for a longer duration; or (6) provide greater privacy protection for the
    individual who is the subject of the individually identifiable health information. Insofar as
    the state regulation does not satisfy any of the above six factors contained in 45 C.F.R.
    § 160.202, the state law is not more stringent than HIPAA. The majority knew this, and that
    is why its opinion completely ignored 45 C.F.R. § 160.202. See In re Funderburke, No. 687-0026,
    1988 WL 1607927, at *4 (S.D. Ga. Jan. 18, 1988) (“[T]he record shows that the
    [majority] did nothing except to assume the position of an ostrich with its head in the sand
    and ignore [the law] which [was] readily available to it.”).
    Finally, I wish to point out that the majority opinion conceivably has opened
    the floodgates for civil litigation, because of the unlawful access it has given Legal Aid to
    patient hospital information. This Court recently held that “[c]ommon-law tort claims based
    upon the wrongful disclosure of medical or personal health information are not preempted
    by the Health Insurance Portability and Accountability Act of 1996.” Syl. pt. 3, R.K. v. St.
    Mary’s Med. Ctr., Inc., 229 W. Va. 712, 735 S.E.2d 715 (2012). If the majority opinion is
    not appealed to the United States Supreme Court, I have no doubt that civil lawsuits will
    follow in the wake of the misguided majority opinion.
    For the reasons so stated, I dissent.