Health care providers seeking to collect from nonpaying patients must ensure that neither they nor their debt collectors disclose confidential patient information without first obtaining patient authorization. This is the lesson of a recent California Supreme Court case, Brown v. Mortensen (June 18, 2011).

In 2000, a dentist billed his patient, Brown, $600 for a dental crown. However, Brown never received the crown or entered into an agreement to pay for one. He refused to pay the bill. The dentist then referred the debt to a collection agency owned by defendant Mortensen. As proof of Brown’s debt, the dentist sent Mortensen copies of Brown’s dental chart. The dentist also sent Mortensen the charts of Brown’s minor children. Mortensen, in turn, disclosed these records to the nation’s three major credit reporting agencies. Mortensen also gave the agencies the Browns’ names, dates of birth, addresses, telephone numbers, and Social Security numbers. Despite Brown’s protests to both the dentist and Mortensen, the disclosures continued. When Brown told the credit agencies that Mortensen’s disclosures were inaccurate and incomplete, the agencies asked Mortensen for additional medical information. Mortensen ended up disclosing to the agencies Brown’s entire dental history dating back ten years. The dentist both ratified these disclosures and made further disclosures of confidential information to one of the agencies.

Brown and his wife sued the dentist and Mortensen, alleging violations of various statutes, including California’s Confidentiality of Medical Information Act (Civ. Code § 56 et seq.; the “CMIA”). By the time the case reached the Supreme Court, only the CMIA claims remained.

The CMIA prohibits the unauthorized dissemination of individually identifiable medical information; to legally disclose a patient’s private health information, a provider must obtain the patient’s written authorization.

The CMIA’s protections and remedies overlap with those of two federal laws, HIPAA and the Fair Credit Reporting Act (“FCRA”), which also seek to protect private information. Such an overlap of state and federal law raises the question of possible preemption: under the Constitution’s supremacy clause, federal law is paramount and Congress has the power to preempt state law. Preemption may be explicit, as when a statute plainly states that it displaces all similar state laws. Preemption may also be implied, as when a federal law lacks an express preemption clause but nonetheless clearly conflicts with state law.

Certain areas of law, including the issue of informational privacy, are traditionally regulated by the states. When a federal law attempts to regulate such an area and does not contain an explicit preemption clause, courts interpreting the federal law begin from a presumption against preemption. That is, they assume Congress did not mean to displace state law and meant instead that the federal and state laws should coexist.

In Brown v. Mortensen, Mortensen argued that the Browns’ claims under California’s CMIA were preempted by the two federal laws, HIPAA and the FCRA. The Court of Appeals sided with Mortensen. However, the Supreme Court disagreed. Citing the presumption against preemption, the Court read the FCRA to preempt only state informational privacy laws dealing with dispute resolution and information accuracy. The Browns’ CMIA claims did not address these issues. Rather, the Browns were claiming that the information given to the agencies was private and disclosed without their authorization. Therefore, the Court found that the claims were not preempted by the FCRA.

As for whether the Browns’ CMIA claims were preempted by HIPAA, the Court noted that Congress specifically intended that HIPAA leave more stringent state privacy laws undisturbed. Rather than establishing an outer limit for privacy protections, HIPAA sets a floor. Thus, the Browns’ claims under the CMIA were not preempted by HIPAA.

The Supreme Court’s ruling enables the Browns to move forward with their CMIA claims. For providers and billers, it serves as an important reminder to safeguard patient privacy even in the event of a payment dispute. If disclosure of patient medical records is necessary to resolve such a dispute, both providers and billers should obtain patient authorization for the disclosure to avoid running afoul of federal and state laws.