Citizens for Health v. Secretary HHS

428 F.3d 167, 2005 U.S. App. LEXIS 23516

• Court: Court of Appeals for the Third Circuit
• Decided: October 31, 2005
• Docket: 04-2550
• Status: Published

Opinion

RENDELL, Circuit Judge.

Appellant Citizens for Health, along with nine other national and state associations ' and nine individuals (collectively “Citizens”), brought this action against the Secretary of the United States Department of Health and Human Services (“HHS” or “Agency”) challenging a rule promulgated by the Agency pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub.L. 104-191, 110 Stat. 1936. Citizens allege that the “Privacy Rule”-officially titled “Standards for Privacy of Individually Identifiable Health Information”-is invalid because it unlawfully authorizes health plans, health care clearinghouses, and certain health care providers to use and disclose personal health information for so-called “routine uses” without patient consent. The relevant part of the specific offending provision of the Privacy Rule reads:

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) [relating to psychotherapy notes] and (3) [relating to marketing], a covered entity may use or disclose protected health information for treatment, payment, or health care operations ... provided that such use or disclosure is consistent with other applicable requirements of this subpart.

(b) Standard: Consent for uses and disclosures permitted. (1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.

(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible' under this subpart.

45 C.F.R. § 164.506 (emphasis added). Citizens challenge subsection (a) as authorizing disclosures that, they contend, violate individual privacy rights.

The District Court granted summary judgment to the Secretary on all of Citizens’ claims based on its conclusions that the promulgation of the . Privacy Rule did not violate the Administrative Procedure Act, that the Secretary did not exceed the scope of authority granted to him by HI-PAA, and that, insofar as the Privacy Rule is permissive and does not compel any uses or disclosures of personal health information by providers, it does not affirmatively interfere with any right protected by the First or Fifth Amendments. Because we reason to the same conclusions reached by the District Court, albeit under a slightly different analysis, we will affirm.

I. Background

The objectionable provision is only one aspect of a complex set of regulations that is the last in a series of attempts by HHS to strike a balance between two competing objectives of HIPAA-improving the efficiency and effectiveness of the national health care system and preserving individual privacy in personal health information.

A. HIPAA

HIPAA was passed by Congress in August 1996 to address a number of issues regarding the national health care and health insurance system. The statutory provisions relevant to the issues in this case are found in Subtitle F of Title II. 1 Aimed at “administrative simplification,” HIPAA Sections 261 through 264 provide for “the establishment of standards and requirements for the electronic transmission of certain health information.” § 261, 110 Stat. at 2021. More specifically, these provisions direct the Secretary to adopt uniform national standards for the secure electronic exchange of health information. § 262,110 Stat. at 2021-26.

Section 264 prescribes the process by which standards regarding the privacy of individually identifiable health information were to be adopted. § 264(a), 110 Stat. at 2033. This process contemplated that, within a year of HIPAA’s enactment, the Secretary would submit detailed recommendations on such privacy standards, including individual rights concerning individually identifiable health information, procedures for exercising such rights, and the “uses and disclosures of such information that should be authorized or required,” to Congress. § 264(a)-(b), 110 Stat. at 2033. If Congress did not enact further legislation within three years of HIPAA’s enactment, the Secretary was directed to promulgate final regulations implementing the standards within 42 months of HIPAA’s enactment. § 264(c)(1), 110 Stat. at 2033. The Act specified that any regulation promulgated pursuant to the authority of Section 264 would provide a federal baseline for privacy protection, but that such regulations would “not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” § 264(c)(2), 110 Stat. at 2033-34. 2

B. The Privacy Rule

Because Congress did not enact privacy legislation by its self-imposed three-year deadline, the Secretary promulgated the privacy standards contemplated in Section 264 through an administrative rulemaking process. During this process, the Rule went through four iterations: the Proposed Original Rule, the Original Rule, the Proposed Amended Rule, and the Amended Rule. 3 The Original Rule required, covered entities to seek individual consent before using or disclosing protected health information for routine uses. Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,810 (Dec. 28, 2000) (codified at former 45 C.F.R. pts. 160, 164 (2002)). Before the Original Rule could take effect, however, the Secretary was inundated with unsolicited criticism, principally from health care insurers and providers, warning that the Original Rule’s mandatory consent provisions would significantly impact the ability of the health care industry to operate efficiently. 4 Standards for Privacy of Individually Identifiable Health Information, 67 Fed.Reg. 14,776, 14,777 (Mar. 27, 2002). He responded by reopening the rulemak-ing process. Id. at 14,776. The final result was the Amended Rule-the currently effective, codified version of the Privacy Rule, see generally 45 C.F.R. pts. 160 & 164, which is the subject of Citizens’ challenge here. 5

The Amended Rule retains most of the Original Rule’s privacy protections. It prohibits “covered entities” 6 -defined as health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the regulations-from using or disclosing an individual’s “protected health information”defined as individually identifiable héalth information maintained in or transmitted in any form or media including electronic media-except as otherwise provided by the Rule. See 45 C.F.R. §§ 160.103 (defining “covered entities” and “protected health information”), 164.502(a) (“A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.”). Covered entities must seek authorization from individuals before using or disclosing information unless a specific exception applies. Id. § 164.508(a)(1) (“Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section.”). Uses' and disclosures that the Amended Rule allows must be limited to the “minimum necessary” to accomplish the intended purpose. Id. § 164.502(b).

The iknended Rule departs from the Original Rule in one crucial respect. Where the Original Rule required covered entities to seek individual consent to use or disclose health information in all but the narrowest of circumstances, 7 the Amended Rule allows such uses and disclosures without patient consent for “treatment, payment, and health care operations”-so-called “routine uses.” Id. §§ 164.506 (providing routine use exception). “Health care operations,” the broadest category under the routine use exception, refers to a range of management functions of covered entities, including quality assessment, practitioner evaluation, student training programs, insurance rating, auditing services, and business planning and development. Id. § 164.501. The Rule allows individuals the right to request restrictions on uses and disclosures of protected health information and to enter into agreements with covered entities regarding such restrictions, but does not require covered entities to abide by such requests or to agree to any restriction. Id. § 164.522(a). The Rule also permits, but does not require, covered entities to design and implement a consent process for routine uses and disclosures. Id. § 164.506; see also Standards for Privacy of Individually Identifiable Health Information, 67 Fed.Reg. 53,182, 53,211 (Aug. 14, 2002).

Importantly, the Rule contains detailed preemption provisions, which are consistent with HIPAA Sections 1178(a)(2)(B) and 264(c)(2). These provisions establish that the Rule is intended as a “federal floor” for privacy protection, allowing state law to control where a “provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [the Privacy Rule].” 45 C.F.R. § 160.203 (emphasis added). 8

II.Procedural History

Citizens filed this action on April 10, 2003. In its Amended Complaint, Citizens alleged that the Secretary violated the APA and Sections 261 through 264 of HI-PAA in promulgating the Amended Rule, and that, to the extent that the Amended Rule rescinded or eliminated the need for consent for the use and disclosure of individually identifiable health information for “routine uses,” the Amended Rule violated privacy rights protected by the Fifth Amendment and free speech rights protected by the First Amendment of the United States Constitution. Citizens for Health v. Thompson, 2004 WL 765356 (E.D.Pa. Apr. 2, 2004), 2004 U.S. Dist. LEXIS 5745, at *22. Both parties moved for summary judgment, and, after a hearing on December 10, 2003, the District Court granted summary judgment in favor of the Secretary. Id. at *2.

On Citizens’ APA claims, the Court concluded that the Secretary had adequately informed the public regarding the proposed rulemaking, examined the relevant data, responded to public comments, and provided a reasoned analysis that rationally connected the facts with the decision to rescind the consent requirement in the Amended Rule. Id. at *33-43. Regarding Citizens’ claims alleging violations of HI-PAA, the Court concluded that the changes in the Amended Rule were reasonably related to the legislative purpose of Subtitle F of the Act, and, because the Amended Rule was promulgated before the Original Rule took effect, the Amended Rule did not eliminate any “rights” created under the Original Rule. Id. at *43-46. Finally, regarding Citizens’ constitutional claims, the Court concluded that because (1) neither the First Amendment nor the Fifth Amendment places an affirmative obligation on the State to protect individuals’ rights from harm by third parties and (2) the Amended Rule is wholly permissive as to whether covered entities seek consent from an individual before using or disclosing personal health information for routine uses, the Amended Rule did not violate individual rights under either Amendment. Id. at *46-50.

III.Jurisdiction and Standard of Review

The District Court had jurisdiction under 28 U.S.C. § 1331, and we have jurisdiction to review the final decision of the District Court under 28 U.S.C. § 1291. We exercise plenary review over the District Court’s grant of summary judgment, applying the same test as the District Court. Goodman v. Mead Johnson & Co., 534 F.2d 566, 573 (3d Cir.1976). To affirm the grant of summary judgment, we must be convinced that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law when the facts are viewed in the light most favorable to the nonmoving party. Fed.R.Civ.P. 56(c).

IV.Discussion

On appeal, Citizens reassert the claims they made before the District Court, that the Secretary, by promulgating the Privacy Rule, (1) unlawfully infringed Citizens’ fundamental rights to privacy in personal health information under due process principles of the Fifth Amendment of the United States Constitution; (2) unlawfully infringed Citizens’ rights to communicate privately with their medical practitioners under the First Amendment of the Constitution; (3) contravened Congress’s intent in enacting HIPAA by eliminating Citizens’ reasonable expectations of medical privacy; and (4) violated the APA by arbitrarily and capriciously reversing a settled course of behavior and adopting a policy that he had previously rejected.

Before addressing Citizens’ claims on the merits, we note that we raised the issue of justiciability at oral argument, and asked the parties for separate briefing on this issue. Our concern was that, in their complaint, the party plaintiffs do not recount specific instances of violations of their privacy rights traceable to the regulation, but, instead, complain of the regulation’s general effect. After reviewing the parties’ responses to our questions, however, we are satisfied that these specific instances do, in fact, exist, notwithstanding the general allegations in the complaint. 9 We therefore proceed to address each of Citizens’ claims in turn.

A. Fifth Amendment Substantive Due Process Claim

In discussing Citizens’ Fifth Amendment claim, the District Court noted that sub stantive due process bars the government from depriving individuals of life, liberty, or property without due process of law, but it does not “ ‘impose an affirmative obligation on the State to ensure that those interests do not come to harm through other means.’ ” Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *46-47 (quoting DeShaney v. Winnebago County Soc. Servs. Dep’t, 489 U.S. 189, 195, 109 S.Ct. 998, 103 L.Ed.2d 249 (1989)). Applying this principle to the case at hand, the Court reasoned that, even assuming that individuals have a constitutional right to medical privacy, the Amended Rule is “wholly permissive with respect to whether a covered entity should seek consent from a patient before using his or her information for routine purposes. The Amended Rule neither requires nor prohibits that practice.” Id. at *47-48. In short, “[because the Amended Rule is not compulsory in nature, it does not affirmatively interfere with any right.” Id. We agree with the District Court that Citizens’ constitutional claims should ultimately be resolved based on the nature of the state’s involvement in light of the Amended Rule’s permissive character. However, we think that the District Court’s analysis does not go far enough, and that its reliance on DeShaney does not fully explain why Citizens cannot succeed here.

We begin our analysis with the premise that the right to medical privacy asserted by Citizens is legally cognizable under the Due Process Clause of the Fifth Amendment, although, as Citizens themselves concede, its “boundaries ... have not been exhaustively delineated.” (Appellants’ Br. at 12.) 10 Whatever those boundaries may be, it is undisputed that a violation of a citizen’s right to medical privacy rises to the level of a constitutional claim only when that violation can properly be ascribed to the government. The Constitution protects against state interference with fundamental rights. It only applies to restrict private behavior in limited circumstances. Because such circumstances are not present in this case, and because the “violations” of the right to medical privacy that Citizens have asserted, if they amount to violations of that right at all, occurred at the hands of private entities, the protections of the Due Process Clause of the Fifth Amendment are not implicated in this case. We will accordingly affirm the District Court’s finding that the Secretary did not violate Citizens’ constitutional rights when he promulgated the Amended Rule.

“The Constitution structures the National Government, confines its actions, and, in regard to certain individual liberties and other specified matters, confines the actions of the States. With a few exceptions, ... constitutional guarantees of individual liberty and equal protection do not apply to the actions of private entities.” Edmonson, 500 U.S. at 619, 111 S.Ct. 2077. Indeed, it is well established that the substantive component of due process, embodied in both the Fifth and Fourteenth Amendments, 11 “ ‘provides heightened protection against government interference with certain fundamental rights and liberty interests.’ ” Troxel v. Granville, 530 U.S. 57, 65, 120 S.Ct. 2054, 147 L.Ed.2d 49 (2000) (quoting Washington v. Glucksberg, 521 U.S. 702, 720, 117 S.Ct. 2258, 138 L.Ed.2d 772 (1997)) (emphasis added); see also Reno v. Flores, 507 U.S. 292, 301, 113 S.Ct. 1439, 123 L.Ed.2d 1 (1993). As explained in DeShaney, the Due Process Clauses of the Fifth and Fourteenth Amendments were intended to prevent federal and state governments “ ‘from abusing [their] power, or employing it as an instrument of oppression.’ ” 489 U.S. at 196, 109 S.Ct. 998 (quoting Davidson v. Cannon, 474 U.S. 344, 348, 106 S.Ct. 668, 88 L.Ed.2d 677 (1986)). Their “purpose was to protect the people from the State, not to ensure that the State protected them from each other.” Id.

At first glance, the posture of this case seems different from that of most state action cases. The issue of state action usually arises where plaintiffs assert that their rights have been violated by private parties who, they claim, are acting on behalf of the state. E.g., Jackson v. Metro. Edison Co., 419 U.S. 345, 95 S.Ct. 449, 42 L.Ed.2d 477 (1974) (customer suing private utility company for violation of procedural due process on the theory that the utility was a “state actor” by virtue of a state-granted monopoly and extensive state regulation). In this case, by contrast, the action that Citizens challenge-the promulgation of the Amended Rule by the Secretary-is clearly government conduct. As noted above, however, the injury that Citizens allege is that their “personal health information” is being “used and disclosed, without their permission and against their will” by third parties. (Appellants’ Br. at 2.) To support their claims, Citizens point to privacy notices that they received from private health care providers and pharmacies. See Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *27-28. Citizens did not challenge any’use or disclosure by the Secretary himself, or urge that the third parties were somehow acting on the Secretary’s behalf, before the District Court. 12 The relevant question, then, is whether the Secretary, as a state actor, was sufficiently involved in producing the harm Citizens assert to satisfy the Constitution’s state action requirement.

As noted above, the District Court touched on the state action issue when it applied DeShaney’s holding that due process does not impose an affirmative obligation on the State to protect individuals’ interests in life, liberty, or property from harm inflicted by private actors. See 489 U.S. at 195, 109 S.Ct. 998. But the District Court’s analysis in this respect was incomplete. Although the fundamental principle that due process protections apply only to prevent injury attributable to conduct of the State underlies the discussion in DeShaney, the Supreme Court’s analysis in that case did not focus on “state action” as such. There, the Court was presented with a claim against a local government for its failure to prevent a father from physically abusing his son to the point of permanent injury where the local social services agency knew of the abuse but failed to remove the child from the father’s custody. Id. at 191, 109 S.Ct. 998. Plaintiffs argued that the State was “categorically obligated” to protect the child from abuse and that, given this obligation, the State’s failure to act was a proper basis for a due process challenge. Id. at 195, 109 S.Ct. 998. The Court’s analysis thus sought to determine whether due process imposed a “duty” or “obligation” on the State to protect individuals from private harm, not “whether the State was sufficiently involved [in the privately caused harm] to treat that decisive conduct as state action.” Tarkanian, 488 U.S. at 192, 109 S.Ct. 454.

In this case, DeShaney helps resolve a preliminary question: Was the Secretary obliged to prohibit any and all disclosures without consent in order to protect privacy rights across the board? We think the District Court appropriately relied on De-Shaney to answer that question in the negative. But DeShaney does not reach the specific question before us: Is the nonconsensual use or disclosure of individual health information by private parties, as permitted by the Amended Rule, legally attributable to the Secretary? We conclude that it is not.

To answer this question, we must determine “whether there is a sufficiently close nexus between the State and the challenged action of the regulated entity [-the private party-] so that the action of the latter may fairly be treated as that of the State itself.” Jackson, 419 U.S. at 351, 95 S.Ct. 449. Where, as here, plaintiff argues that the State has “authorized” or “empowered” a private entity to act in a way that directly brings about the alleged injury, our inquiry focuses on “whether the State provided a mantle of authority that enhanced the power of the harm-causing individual actor.” Tarkanian, 488 U.S. at 192, 109 S.Ct. 454. Unfortunately, there is no “infallible test” to employ in this analysis. Reitman v. Mulkey, 387 U.S. 369, 378, 87 S.Ct. 1627, 18 L.Ed.2d 830 (1967). Rather, it is “ ‘[o]nly by sifting facts and weighing circumstances’ on a case-by-case basis [that] a ‘nonobvious involvement’ of the State in private conduct [can] be at tributed its true significance.’ ” Id. (quoting Burton v. Wilmington Parking Auth., 365 U.S. 715, 722, 81 S.Ct. 856, 6 L.Ed.2d 45 (1961)).

The Supreme Court provided guidance as to what satisfies the Constitution’s state action requirement in Adickes v. S.H. Kress & Co., 398 U.S. 144, 90 S.Ct. 1598, 26 L.Ed.2d 142 (1970). In that case, the Court explained that actions challenged on constitutional grounds fall somewhere along a continuum, with direct action by the State on one side and action by a “private party not acting against a backdrop of state compulsion' or involvement” on the other. Id. at 168, 90 S.Ct. 1598. Whereas the former meets the state action requirement for constitutional claims, the latter does not (although it could form the basis for a claim on statutory or common law grounds, .depending on the alleged violation). The Court further elaborated that, along this continuum, the enactment of a state law “requiring” violation of individual rights, and “enforcement” of such a law establish the requisite state action. Id. at 170, 90 S.Ct. 1598. “[A] State is responsible for the discriminatory act of a private party when the State, by its law, has compelled the act” or when the State has “commanded” a particular result. Id. (emphasis added) (citing Peterson v. City of Greenville, 373 U.S. 244, 248, 83 S.Ct. 1119, 10 L.Ed.2d 323 (1963); Robinson v. Florida, 378 U.S. 153, 84 S.Ct. 1693, 12 L.Ed.2d 771 (1964); Lombard v. Louisiana, 373 U.S. 267, 83 S.Ct. 1122, 10 L.Ed.2d 338 (1963); Shuttlesworth v. Birmingham, 37 3 U.S. 262, 83 S.Ct. 1130, 10 L.Ed.2d 335 (1963)).

The first inquiry, then, is whether the Amended Rule can fairly be read to “require,” “compel,” or “command” routine use disclosures without consent. We conclude that it cannot. The fact that subsection (b) of the Rule expressly permits covered entities to obtain consent belies such an interpretation. See 45 C.F.R. § 164.506(b)(1) (“A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.”) (emphasis added). Thus, the Amended Rule does not directly “provide a mantle of authority that enhance[s] the power of’ health care providers and other entities, Tarkanian, 488 U.S. at 192, 109 S.Ct. 454.

Citizens argue that the Amended Rule’s grant of “regulatory permission” to make the challenged uses and disclosures, see, e.g., 67 Fed.Reg. at 53,209, 53,211, 53,212 (discussing Amended Rule), indirectly provides the requisite “mantle of authority”. To demonstrate a link between the Amended Rule and private parties’ use and disclosure of Citizens’ health information without their consent, Citizens point to two sources: (1) changes in the privacy policies of covered entities, and (2) evidence that some entities have begun ignoring applicable state privacy laws. On the first point, Citizens have identified at least one covered entity that has adopted a blanket, policy of refusing all requests for restrictions on uses and disclosures of health information since the promulgation of the Amended Rule. 13 They further assert that some covered entities have simply ignored applicable, more restrictive, state laws in making such uses and disclosures. 14

Our reading of the case law discussed below, however, leads us to the conclusion that the fact that a private party changed its behavior in response to a law does not give the law the coercive quality upon which the state action inquiry depends unless the law itself suddenly authorized something that was previously prohibited. Citizens’ argument assumes (1) that covered entities were previously prohibited from making nonconsensual uses or disclosures for routine uses and (2) that the Amended Rule’s “authorization” somehow permits uses or disclosures that were . previously “unauthorized”. But there is no authority for either proposition. Citizens have not shown that federal law prohibited nonconsensual uses or disclosures of health information before the Rule was promulgated. 15 And the preemption provisions of HIPAA and the Amended Rule expressly provide that any state statutes that prohibited such uses and disclosures before the Amended Rule was promulgated remain in effect. 16 Because there is no indication that the nonconsen-sual uses and disclosures permitted by the Amended Rule were prohibited before the Rule went into effect, we have difficulty understanding how the Amended Rule “authorizes” covered entities to take action that they could not have otherwise taken. In the words of the Tarkanian test, Citizens have not shown how, by promulgating the Amended Rule, the Secretary “enhanced the power” of the covered entities to use or disclose health information without patients’ consent; covered entities had this power already.

By way of analogy, assume that Congress were to pass legislation permitting private cinema operators, at their discretion, to search all moviegoers for any reason, without any showing of probable cause or reasonable suspicion. Although the Fourth Amendment would preclude the federal government from conducting such a search, private cinema operators are not bound by the Fourth Amendment, and absent any other law prohibiting it, private cinema operators were already “permitted” to conduct such a search before the new legislation took effect. To the extent that this new legislation changes the legal landscape at all, then, it only codifies a power that cinema operators had already. The codification does not transform the private exercise of the codified power into “state action.” Similarly, although the codification itself is clearly government action, it seems insufficient to endow a moviegoer’s challenge to a search by a cinema operator with constitutional significance given that the codification has neither enhanced nor diminished the individual moviegoer’s rights.

None of the cases that Citizens or amici cite supports the view that a government authorization of conduct that was already legally permissible satisfies the constitutional state action requirement. It is true that these cases find state action based on the enactment of statutes that permit private parties to infringe the constitutional rights of others. 17 But the laws that the Supreme Court has struck down in these cases allowed private parties to take some action (usually discrimination based on race) where they would otherwise have been prohibited from doing so. In other words, the Court found that the state, by enacting these laws, had “empowered” private parties to act in ways that would have been prohibited but for the enactment of the law. As we explained above, that is not the case here.

The Supreme Court’s decision in Reit-man v. Mulkey, 387 U.S. 369, 87 S.Ct. 1627, 18 L.Ed.2d 830 (1967), illustrates this point. That case involved a constitutional challenge to an amendment to the California Constitution that allowed private per sons absolute discretion to refuse to sell, lease, or rent property to another. The amendment effectively nullified California statutes that prohibited racial discrimination in private housing transactions. Id. at 374, 87 S.Ct. 1627. The California Supreme Court reasoned that, because the State had taken affirmative action designed to make private discrimination -legally possible-changing the situation from one in which private discrimination was restricted by statute to one in which it toas encouraged-the State was at least a partner in the challenged discrimination. Id. at 375, 87 S.Ct. 1627. The Court noted that the State could maintain a neutral position regarding private discrimination and was not bound by the Federal Constitution to forbid it. But once the State acted in a way that encouraged private discrimination, even if it stopped short of mandating such action, it crossed the constitutional line. Id.

The United States Supreme Court affirmed the judgment of the California Supreme Court. The Court rejected petitioners’ argument that the state court’s reasoning was flawed because it meant that the mere repeal of a statute that prohibited private racial discrimination could be said to “authorize” or “encourage” discrimination simply because it permitted that which was formerly proscribed, pointing out that the 'challenged state action in case was not “the mere repeal” of prior anti-discrimination laws. Id. at 376, 87 S.Ct. 1627. Rather, the offensive action was the state’s authorization and “constitu-tionalization” (under the state constitution) of the previously forbidden private right to discriminate. Id. Consequently, the amendment had a much broader impact than the mere repeal of existing statutes:

Private discriminations in housing were now not only free from [the previously enacted anti-discrimination statutes] but they also enjoyed a fair different status than was true before the passage of those statutes. The right to discriminate, including the right to discriminate on racial grounds, was now embodied in the State’s basic charter, immune from legislative, executive, or judicial regulation at any level of the state government. Those practicing racial discrimi-nations need no longer rely solely on their personal choice. They could now invoke express [state] constitutional authority, free from censure or interference of any kind from official sources.

Id. at 380-81, 87 S.Ct. 1627 (emphasis added). 18 In other words, the amendment wás constitutionally offensive not only because it now permitted conduct that was previously prohibited, but also because it affirmatively protected such conduct under the state constitution.

The Reitman Court elaborated on this principle by referring to its ruling in Nixon v. Condon, 286 U.S. 73, 52 S.Ct. 484, 76 L.Ed. 984 (1932). It noted that, in Nixon,

the Court was faced with a statute empowering the executive committee of a political party to prescribe the qualifications of its members for voting or for other participation, but containing no di rections with respect to the exercise of that power. This was authority which the committee otherwise might not have had and which was used by the committee to bar Negroes from voting in primary elections. Reposing this power in the executive committee was said to insinuate the State into the self-regulatory, decision-making scheme of the voluntary association; the exercise of the power was viewed as an expression of state authority contrary to the Fourteenth Amendment.

Reitman, 387 U.S. at 379, 87 S.Ct. 1627 (discussing Nixon) (emphasis added). As in Reitman, then, the Nixon Court found that the enactment of the statute satisfied the state action requirement because the challenged law provided the committee with a power that it “otherwise might not have had.” Id. Because the Amended Rule does not endow covered entities with any power that they did not have otherwise, the action of the Secretary that Citizens challenge does not fit the Reitman / Nixon mold.

The Amended Rule has not enhanced covered entities’ power, under federal or state law, to use or disclose confidential health information without patients’ consent. The Rule does not “compel” or “command” or “require” that private entities use information without patients’ consent. See Adickes, 398 U.S. at 170, 90 S.Ct. 1598. Nor has the Rule changed the situation from one in which nonconsensual routine uses and disclosures were prohibited to one in which they are now encouraged, see Reitman, 387 U.S. 369, 87 S.Ct. 1627, 18 L.Ed.2d 830, or conferred authority on health care providers that they might not have had otherwise. See Nixon, 286 U.S. 73, 52 S.Ct. 484, 76 L.Ed. 984. Accordingly, we conclude that the Secretary’s promulgation of the Amended Rule does not satisfy the Constitution’s state action requirement.

The fact that covered entities are construing the “may use” language as constituting a new federal seal of approval, and may be ignoring state laws regarding protections to be afforded to such information, is regrettable and disquieting. That routine requests for privacy are apparently being ignored by covered entities is even more unfortunate. But our task here is to determine the constitutionality of the Amended Rule, not the propriety of covered entities’ actions under state or common law. Because, for all of the reasons stated above, the covered entities’ actions that' Citizens challenge do not implicate the federal government, we reject Citizens’ Fifth Amendment claim.

B. First Amendment Claim

Citizens’ First Amendment claim is that the Amended Rule infringes individuals’ right to confidential communications with health care practitioners, i.e., a right to refrain from public speech regarding private personal health information. Citizens argue that the effect of the Amended Rule is to chill speech between individuals and their health, care practitioners because the possibility of nonconsensual disclosures makes individuals less likely to participate fully in diagnosis and treatment and more likely to be evasive and withhold important information. Further, because the Rule applies to “health information ... whether oral or recorded in any form or medium ...45 C.F.R. § 160.103, Citizens argue that the Rule is a content-based regulation reviewable under strict scrutiny.

We believe that a First Amendment claim is an ill-suited challenge to the Amended Rule. Cf. South Carolina Med. Ass’n v. Thompson, 327 F.3d 346, 355 n. 4 (4th Cir.2003) (“We summarily dispense with appellants’ argument that the Privacy Rule will chill patients’ rights of free speech, as we find this claim to be without merit.”). The cases on which Citizens rely are not authoritative on the precise issue before us. See Bartnicki v. Vopper, 532 U.S. 514, 533, 121 S.Ct. 1753, 149 L.Ed.2d 787 (2001) (suggesting that “the fear of public disclosure of private conversations might well have a chilling effect on private speech,” but ultimately holding that any such interest was outweighed in that case by the media’s countervailing First Amendment interest in publishing truthful information of public concern); Jaffee v. Redmond, 518 U.S. 1, 11-12, 116 S.Ct. 1923, 135 L.Ed.2d 337 (1996) (citing the “public interest” in confidential communications between a psychotherapist and her patient as justification for recognizing a psychotherapist-patient privilege in federal courts). And, more to the point, Citizens’ First Amendment claim fails on the same grounds as their Fifth Amendment claim: the potential “chilling” of patients’ rights to free speech derives not from any action of the government, but from the independent decisions of private parties with respect to the use and disclosure of individual health information. For all of the reasons enumerated above, the decisions of the private parties to use or disclose private health information in rebanee on the Amended Rule, which may or may not “chill” expression between health care providers and their patients, does not implicate the government in a way that gives rise to a constitutional claim. We will therefore affirm the District Court’s grant of summary judgment to the Secretary on Citizens’ First Amendment claim.

C. Claims Alleging Violations of HI-PAA

In claims based on HIPAA’s statutory language, Citizens argue (1) that the Secretary exceeded the regulatory authority delegated by HIPAA because the Act only authorizes the Secretary to promulgate regulations that enhance privacy and (2) that the Amended Rule impermissibly retroactively rescinded individual rights created by the Original Rule and disturbed Citizens’ “settled expectations” in the privacy of their health information. We find the District Court’s analysis of these statutory claims to be cogent. Citizens argue that the Secretary has eliminated their reasonable expectations of medical privacy retroactively and prospectively and that such action is inconsistent with Congress’s intent in enacting HIPAA. However, Citizens’ argument that the controlling policy underlying HIPAA is medical privacy and that the Amended Rule wholly sacrifices this interest to covered entities’ interests in efficiency and flexibility ignores the Act’s stated goals of “simplify[ing] the administration of health insurance,” HIPAA pmbl., 110 Stat. at 1936, and “improvfing] the efficiency and effectiveness of the health care system,” HIPAA § 261 (stating purpose of Subtitle F). As the District Court aptly explained, HIPAA requires the Secretary to “balance privacy protection and the efficiency of the health care system-not simply to enhance privacy.” Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *43. We thus conclude that Citizens’ first HIPAA claim lacks merit.

We also agree with the District Court’s finding that the Amended Rule does not retroactively eliminate rights that Citizens enjoyed under the Original Rule or under various laws or standards of practice that existed before the Amended Rule went into effect. Because the Original Rule was amended before its compliance date, “[c]overed entities were never under a legal obligation to comply with the Original Rule’s consent requirement.” Id. at *45-46. Citizens, therefore, never enjoyed any rights under the Original Rule at all. Nor does the Amended Rule retroactively eliminate Citizens’ reasonable expectations based on state law, standards of medical ethics and established standards of practice because the Amended Rule does not disturb any preexisting, “more stringent” state law privacy rights. ' See id. at *45-46. See also Standards for Privacy of Individually Identifiable Health Information, 67 Fed.Reg. 53,182, 58,212 (Aug. 14, 2002) (“State laws that are more stringent [than the Privacy Rule] remain in place. In order not to interfere with such laws and ethical standards, this Rule permits covered entities to obtain consent. Nor is the Privacy Rule intended to serve as a ‘best practices’ standard. • Thus, professional standards that are more protective of privacy retain their vitality.” (emphasis added)). Accordingly, we reject Citizens’ second HIP-PA claim as well, and will affirm the grant of summary judgment to the Secretary on these claims.

D. APA Claims

Lastly, Citizens challenge the rulemaking process under the APA, contending that (1) the Secretary’s rulemak-ing was arbitrary and capricious, in violation of 5 U.S.C. § 706(2)(A), and (2) the Secretary failed to provide adequate notice of the rescission of the consent requirement of the Original Rule, a violation of 5 U.S.C. § 553(b)(3). Citizens argue that the Secretary acted arbitrarily and capriciously by failing to adequately explain the rescission of the consent requirement, ignoring earlier findings, and failing to respond to public comments.

We dispose of Citizens’ argument that the Secretary did not provide adequate notice to the public of his intention to rescind the consent requirement first. On this point, the District Court correctly pointed out that the APA requires a notice to provide either “the terms or substance of the proposed rule” or “a description of the subjects and issues involved.” Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *42^43 (quoting 5 U.S.C. §■ 553(b)(3)). In this case, the Notice for Proposed Rulemaking did both. See Standards for Privacy of Individually Identifiable Health Information, 64 Fed.Reg. 14,776, 14,810-14,815 (Mar. 27, 2002) (setting forth the language of the Proposed Amended Rule); id. at 14,778-14,783 (describing the subjects and issues involved in the proposed modification). We will therefore affirm the District Court’s grant of summary judgment to the Secretary on this claim.

We also reject Citizens’ claim that the Secretary acted arbitrarily and capriciously in promulgating the Amended Rule. Citizens argue that the Secretary acted arbitrarily and capriciously in promulgating the Amended Rule by improperly reversing a “settled course of behavior” established in the Original Rule and adopting a policy that he had previously rejected. When an agency rejects a “settled course of behavior,” however, it need only supply a “reasoned analysis” for the change to overcome any presumption that the settled rule best carries out the policies committed to the agency by Congress. Motor Vehicle Mfrs. Ass’n v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 41-42, 103 S.Ct. 2856, 77 L.Ed.2d 443 (1983) (quoting Atchison, T. & S.F.R. Co. v. Wichita Bd. of Trade, 412 U.S. 800, 807-08, 93 S.Ct. 2367, 37 L.Ed.2d 350 (1973)). Such an analysis requires the agency to “examine the relevant data and articulate a satisfactory explanation for its action including a ‘rational connection between the facts found and the choice made.’ ” Id. at 43, 103 S.Ct. 2856 (quoting Burlington Truck Lines, Inc. v. United States, 371 U.S. 156, 168, 83 S.Ct. 239, 9 L.Ed.2d 207 (1962)).

Here, the Secretary examined the relevant data, see Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *39-41, and gave adequate consideration to the large volume of public comments that HHS received during the rulemaking process. Id. at *41-42. The Secretary considered other alternatives and explained why they were unworkable. Id. at *35-38. The Secretary also considered Congress’s dual goals in devising the privacy standards, ie., protecting the confidentiality of personal health information and improving the efficiency and effectiveness of the national health care system. Id. at *41-42.

In sum, the Secretary’s decision to respond to the unintended negative effects and administrative burdens of the Original Rule by rescinding the consent requirement for routine uses and implementing more stringent notice requirements was explained in a detailed analysis that rationally connected the decision to the facts. “Normally, an agency rule would be arbitrary and capricious if the agency has relied on factors which Congress has not intended it to consider, entirely failed to consider an important aspect of the problem, offered an explanation for its decision that runs counter to the evidence before the agency, or is so implausible that it could not be ascribed to a difference in view or the product of agency expertise.” Id. at *43. The Secretary has not failed in any of these respects, and, hence, we agree with the District Court’s analysis and conclusion that the Secretary’s decision was reasonable given the findings and that the Secretary did not act arbitrarily and capriciously in violation of the APA. Accordingly, we will affirm the grant of summary judgment to the Secretary on these claims.

V. Conclusion

For the reasons set forth above, we will AFFIRM the judgment of the District Court.

1 . HIPAA Title II, Subtitle F comprises sections 261 through 264. Section 261, codified at 42 U.S.C. § 1320d note, states the purpose of the Subtitle. Section 262 amends Title XI of the Social Security Act, 42 U.S.C. § 1301 et seq., to add Part C, "Administrative Simplification,” with sections 1171-1179, codified at 42 U.S.C. §§ 1320d to 1320d-8. Section 263 amends the Public Health Service Act at 42 U.S.C. § 242k(k). Section 264, discussed infra, is codified at 42 U.S.C. § 1320d-2 note. See South Carolina Med. Ass'n v. Thompson, 327 F.3d 346, 348 n. 1 (4th Cir.2003) (explaining effect of HIPAA administrative simplification provisions).

2 . Section 264(c)(2) is cross-referenced in HI-PAA § 1178, which provides that HIPAA generally preempts provisions of state law except, inter alia, where a provision of state law, "subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.” § 1178(a)(2)(B), 110 Stat. at 2030.

3 . The District Court explored the regulatory history of the Privacy Rule in detail. See Citizens for Health v. Thompson, 2004 WL 765356 (E.D.Pa. Apr. 2, 2004), 2004 U.S. Dist. LEXIS 5745, at *6-21. Because our decision here turns mostly on the effect of the Rule as amended, we have chosen not to repeat that discussion here.

4 . According to the Secretary, some of the “more significant examples and concerns" that commenters raised in connection with the Original Rule were that the prior consent requirement for routine disclosures would bar pharmacists from filling prescriptions and searching for potential drug interactions before patients arrived at the pharmacy, it would interfere with the practice of emergency medicine in cases where it would be difficult or impossible to obtain patient consent before treatment, and it would delay the scheduling of and preparation for hospital procedures until the patient provided the required consent. Standards for Privacy of Individually Identifiable Health Information, 67 Fed.Reg. 53,182, 53,209 (Aug. 14, 2002).

5 . The Amended Rule took effect on April 14, 2003, the same date that had been set for compliance with the Original Rule. 45 C.F.R. § 164.534.

6 . The statutory language, as well as the Rule, limits the applicability of the provisions of the Rule to "covered entities”. See HIPAA § 262(a) (amending § 1172(a) of the Social Security Act) (codified at 42 U.S.C. § 1320d-1).

7 . Health care providers who had indirect treatment relationships with an individual and those who created or received health information in the course of treating inmate patients were exempt from the Original Rule's consent requirement. 65 Fed.Reg. 82,462, 82,810. In addition, the Original Rule allowed providers to proceed without consent in situations where they had a legal obligation to provide treatment and attempts to obtain consent had failed, e.g., in emergency situations, or where a provider's attempts to obtain explicit consent were thwarted by a substantial communication barrier, but the provider could properly infer such consent from the circumstances. Id.

45 C.F.R. § 160.202.

8 . The regulations define the following terms with the following meanings:

“More stringent" means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under [the Privacy Rule], a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchap-ter; or

(ii) To the individual who is the subject of the individually identifiable health information.

(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

"Relates to the privacy of individually identifiable health information" means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way. "State law" means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

9 . To satisfy Article Ill's justiciability requirement, "plaintiffs must demonstrate that they have suffered an injury-in-fact, that the injury is causally connected and traceable to an action of the defendant, and that it is redressable.” The Pitt News v. Fisher, 215 F.3d 354, 359 (3d Cir.2000) (citing Doe v. Nat’l Bd. of Med. Exam'rs, 199 F.3d 146, 152-53 (3d Cir.1999)). To support his or her standing at the summary judgment stage, "plaintiff ... must 'set forth' by affidavit or other evidence 'specific facts’ ... which for purposes of the summary judgment motion will be taken to be true.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (quoting Fed.R.Civ.P. 56(e)). A plaintiff satisfies the injuiy-in-fact prong of the justiciability requirement where he or she alleges an injuxy that affects him or her "in a personal and individual way." Id. at 561 n. 1, 112 S.Ct. 2130. We agree with the District Court that Citizens have met this burden through affidavits, letters, and other documentary evidence demonstrating that at least one individual plaintiff's health information has been, or will imminently be, disclosed without her consent by private health care providers and drugstore chains, and that she and her family will avoid seeking medical care to prevent further disclosures of medical information without their consent. See Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *27-30. An injury is redressable for justiciability purposes where plaintiff can show that "it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 181, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). According to Citizens' affidavits, at least one individual plaintiff had successfully restricted the use of her health information before the Privacy Rule took effect on April 14, 1003. Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *27. Accepting these facts as true, as we must at this stage in the litigation, it follows that invalidating the Privacy Rule is likely to redress her alleged injury by restoring the status quo ante.

With respect to the "traceability” prong of the justiciability requirement, we conclude that Citizens' alleged injury is traceable to the promulgation of the Privacy Rule for two reasons. First, notices that plaintiffs received from covered entities such as Kaiser Perma-nente, Eckerd Drugs and Genovese Drugs, and Blue Cross/Blue Shield of Delaware explain the entities' intent to use and disclose plaintiffs' health information without consent (i.e., the sources of the alleged injury at the heart of this case) using language lifted directly from the Privacy Rule itself. Second, plaintiff's statement in her affidavit that her ability to restrict the use and disclosure of her health information changed after April 14, 2003, the Privacy Rule's effective date, Citizens for Health, 2004 U.S. Dist. LEXIS 5745, at *28-30, implies that the Rule is a "cause in fact” of her alleged injury.

We emphasize that, as justiciability is a “threshold” matter, The Pitt News, 215 F.3d at 360, our analysis for these purposes is distinct from our analysis of the merits of plaintiffs' claims. As a result, our determination that Citizens' alleged injuries are "fairly traceable” to the Secretary’s promulgation of the Privacy Rule and that rescission of the Rule is likely to redress plaintiffs’ alleged injuries in no way amounts to a determination that the decisions of private entities to disclose or use plaintiffs’ health care information without their consent are legally attributable to the federal government in such a way as to constitute state action. See id. at 361 n. 4. In fact, we reach the opposite conclusion below.

10 . We express no opinion here on the scope of the federal constitutional right to medical privacy, or on whether the injury asserted by Citizens, if it were directly attributable to a state actor, would amount to a constitutional violation. Citizens assert in their brief that “the right ... to not have [ones’] personal and identifiable health information made public or disclosed to numerous government employees in routine situations is a fundamental right implicit in the concept of ordered liberty and deeply rooted in the Nation's history.” (Appellants’ Br. at 20.) But the question of the scope of the constitutional right to privacy in one's medical information is largely unresolved. See, e.g., Whalen v. Roe, 429 U.S. 589, 602, 97 S.Ct. 869, 51 L.Ed.2d 64 (1977) (recognizing that, despite constitutionally protected interest in avoiding disclosure of personal matters, “disclosures of private medical information to doctors, to hospital personnel, to insurance companies, and to public health agencies are often an essential part of modern medical practice even when the disclosure may reflect unfavorably on the character of the patient”); United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 (3d Cir.1980) ("[T]he right of an individual to control access to his or her medical history is not absolute.”). And, although Citizens contend that "governmental intrusions” on the right to privacy are subject to “heightened scrutiny,” the standard of review we would apply would depend on the specific nature of the asserted violation. See Fraternal Order of Police v. City of Philadelphia, 812 F.2d 105, 110 (3d Cir.1987) ("Most circuits appear to apply an 'intermediate standard of review' for the majority of confidentiality violations, ... with a compelling interest analysis reserved for 'severe intrusions’ on confidentiality.” (citations omitted)). Because we conclude that Citizens' claims are more appropriately resolved through application of the state action doctrine, we do not decide these difficult questions now.

11 . In a due process claim brought under the Fifth Amendment, the "State” in the state action analysis is the federal government. See Malloy v. Hogan, 378 U.S. 1, 26, 84 S.Ct. 1489, 12 L.Ed.2d 653 (1964) (" 'Due process of law is secured against invasion by the federal Government by the Fifth Amendment, and is safeguarded against state action in identical words by the Fourteenth.’ ”) (quoting Betts v. Brady, 316 U.S. 455, 462, 62 S.Ct. 1252, 86 L.Ed. 1595 (1942)); see also Public Utilities Comm'n v. Pollak, 343 U.S. 451, 461-62, 72 S.Ct. 813, 96 L.Ed. 1068 (1952).

12 . To be sure, Citizens and amici curiae have referred to other actions on the part of the federal government besides the promulgation of the Amended Rule that they believe violate the Fifth Amendment in their arguments before this court. For instance, they argue in ' their briefs that, as the supervisor of a number of federal programs that qualify as "health plans” under HIPAA-including Medicare, Medicaid, and the Indian Health Services Programs-under the Amended Rule, HHS could make disclosures of protected health information as a covered entity. (Ami-ci Supp. Br. at 6.) However, Citizens here challenge the Secretary's promulgation of the Privacy Rule, not specific disclosures by HHS or any of the federal agency "health plans” that it supervises. Whether a challenge to such specific disclosures would satisfy the Constitution's state action requirement thus remains outside the scope of this appeal.

13 . (See Appellants’ Br. at 26 (quoting Kaiser Permanente's Notice of Privacy Practices ("You may request that we limit our uses and disclosures of your [personal health information] for treatment, payment, and health care operations purposes. However, by law, we do not have to agree to your request. Because we strongly believe that this information is needed to appropriately manage the care of our members/patients, it is our policy to not agree to requests for restrictions.”)).)

14 . Citizens noted in their Reply Brief:

As Plaintiffs noted at oral argument before the District Court, covered entities in Pennsylvania and Delaware are using and disclosing Plaintiffs' health information without consent under the authority granted by the Amended Rule despite a Delaware law that prohibits such disclosures without "informed consent of the individual” and a Pennsylvania law that deems it “unprofessional conduct” and a licensure violation for a licensed health professional to "depart from or fail[] to conform to an ethical or quality standard of the profession.”

(Appellants’ Reply Br. at 6 n.7 (citations omitted).) We note that, to the extent that these contentions are accurate, Citizens are free to pursue these covered entities directly under state law. That private entities are violating Citizens’ state statutory rights does not in any way imply that the Secretary has violated Citizens' constitutional rights.

15 . Citizens rely on Federal Rule of Evidence 501 and the recognition of common law evi-dentiary privileges establishing special treatment for such information to establish that the uses and disclosures "authorized” by the Rule were prohibited before its promulgation. (Appellants' Reply Br. at 15.) But the Rule of Evidence and the common law of privilege are just evidentiary rules. They are not Acts of Congress or regulations that prohibit disclosure outside of court proceedings or otherwise provide Citizens with some affirmative "right” against disclosure of their information by private parties without their consent.

16 . Citizens contend that a number of otherwise "more stringent” state laws provide exceptions for disclosures that are "authorized" or "permitted” by federal law. (See Appellants’ Reply Br. at 13-14 & n.9.) Whether or not that is the case, the fact remains that the Secretary has repeatedly emphasized that the Privacy Rule defers to states that impose stringent consent requirements. See, e.g., Standards for Privacy of Individually Identifiable Health Information, 67 Fed.Reg. 53,182, 53,212 (Aug. 14, 2002) ("The Privacy Rule provides a federal floor of privacy protection. State laws that are more stringent remain in force.”); Notice of Proposed Rulemaking, Standards for Privacy of Individually Identifiable Health Information, 64 Fed.Reg. 59,918, 59,997 (Nov. 3, 1999) (“We recognize that many State laws require patients to authorize or consent to disclosures of their health information for treatment and/or payment purposes. We consider individual authorization generally to be more protective of privacy interests than the lack of such authorization, so such State requirements would generally stand....”). We take the Secretary’s assurances that the Privacy Rule leaves pre-existing state law privacy rights in place at face value, particularly in light of the express non-preemption provisions for "more stringent” state laws in HIPAA and the Privacy Rule. As such, we do not read the Rule to "authorize” or "permit” disclosures that state laws would otherwise prohibit. Cf. Fidelity Fed. Sav. & Loan Ass’n v. de la Cuesta, 458 U.S. 141, 154, 102 S.Ct. 3014, 73 L.Ed.2d 664 (1982) ("When the administrator promulgates regulations intended to pre-empt state law, the court's inquiry is ... limited: 'If [h]is choice represents a reasonable accommodation of conflicting policies that were committed to the agency’s care by the statute, we should not disturb it unless it appears from the statute or its legislative history that the accommodation is not one that Congress would have sanctioned.'” (quoting United States v. Shimer, 367 U.S. 374, 383, 81 S.Ct. 1554, 6 L.Ed.2d 908 (1961))).

17 . (Amicus Br. of Texas Civil Rights Project at 11-14 (citing Reitman v. Mulkey, 387 U.S. 369, 87 S.Ct. 1627, 18 L.Ed.2d 830 (1967) (California Constitution could not provide that all persons have the absolute discretion to refuse to sell, lease, or rent property to another); Gilmore v. City of Montgomery, 417 U.S. 556, 94 S.Ct. 2416, 41 L.Ed.2d 304 (1974) (city could not allow private groups to use and control city facilities where those private groups could deny access to the facility on the basis of race); Nixon v. Condon, 286 U.S. 73, 52 S.Ct. 484, 76 L.Ed. 984 (1932) (state statute could not permit political parties to deny party membership on the basis of race); McCabe v. Atchison, Topeka, & Santa Fe Railway Co., 235 U.S. 151, 35 S.Ct. 69, 59 L.Ed. 169 (1914) (state statute could not permit railway to provide accommodations for Caucasian patrons, but not African American patrons)).)

18 . The Court reiterated this reasoning at the conclusion of the majority opinion:

Here we are dealing with a provision which does not just repeal an existing law forbidding private racial discriminations. [The amendment] was intended to authorize, and does authorize, racial discrimination in the housing market. The right to discriminate is now one of the basic policies of the State. The California Supreme Court believes that the [amendment] will significantly encourage and involve the State in private dis-criminations. We have been presented with no persuasive considerations indicating that these judgments should be overturned.

Reitman, 387 U.S. at 380-81, 87 S.Ct. 1627.