No. 18–251
_________________________________________________________________
IN THE
Supreme Court of the United States
________________________
BARKER & TODD, INC.,
Petitioner,
v.
ANTHONY HOPE,
Respondent,
_______________________
On Petition for Writ of Certiorari to the
United States Court of Appeals for the Thirteenth Circuit
_______________________
BRIEF FOR RESPONDENT
_______________________
Date: September 20, 2018 Team # 2727
Counsel for Respondent
Oral Argument Requested
QUESTIONS PRESENTED
1. Article III of the Constitution requires standing to invoke federal
jurisdiction. Standing requires injury-in-fact, causation, and redressability.
The harm alleged must be concrete and particularized and actual or
imminent to qualify as an injury-in-fact. This Court has held that a
substantial risk of future harm can constitute injury-in-fact. B&T argues that
the District Court lacks subject matter jurisdiction under Rule
12(b)(1), because the future risk of identity theft does not satisfy injury-in-
fact. Was the appellate court correct in holding that Hope satisfied injury-in-
fact due to the substantial future risk of identity theft?
2. In the absence of pertinent state precedent, multiple Circuits require federal
courts to exercise a reasonable judicial discretion. Missouriana has
recognized that individuals have a general right of privacy in their medical
records, but the state has not yet imposed that right against pharmaceutical
companies. This Court has recognized the ability for courts to use federal
statutes to guide the standard of care for state law negligence claims. Did the
appellate court properly rule when it held that Hope stated a plausible state
law negligence claim by looking to HIPAA to establish the standard of care?
TABLE OF CONTENTS
QUESTIONS PRESENTED
TABLE OF AUTHORITIES
OPINIONS BELOW
CONSTITUTIONAL AND STATUTORY PROVISIONS
STATEMENT OF THE CASE
SUMMARY OF THE ARGUMENT
ARGUMENT
I. The District Court has subject matter jurisdiction to hear Hope’s claim
because the risk of future financial harm is sufficiently concrete and
particularized and imminent to establish injury-in-fact as required to
have standing
A. Hope’s claim for risk of future financial harm is sufficiently concrete
and particularized because an invasion of one’s privacy traditionally
leads to relief and there was an identifiable data breach of Hope’s
personal information
B. The risk of Hope’s future financial harm is actual or imminent because
Hope’s personal information has already been taken, found on the dark
web for sale, and downloaded hundreds of times
II. Hope stated a claim upon which relief may be granted to the putative
class because B&T’s actions violated the duties and standards established
under HIPAA
A. Hope is able to bring a claim of negligence per se because B&T violated
the duties created by HIPAA’s statute and regulations
B. Hope is able to bring a claim of general negligence because HIPAA’s
well-established regulations effectively delineate the standard of care
for how personal information should be stored and secured
CONCLUSION
APPENDIX
TABLE OF AUTHORITIES
SUPREME COURT CASES
Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013)
Grable & Sons Metal Products, Inc. v. Darue Eng'g & Mfg., 545 U.S. 308 (2005)
Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992)
Merrell Dow Pharm. Inc. v. Thompson, 478 U.S. 804 (1986)
Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)
Sprint Comm’ns Co. v. APCC Servs., Inc., 544 U.S. 269 (2008)
Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014)
APPELLATE COURT CASES
Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017)
Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)
Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9th Cir. 1998)
Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384 (6th Cir. 2016)
Hetherton v. Sears, Roebuck & Co., 593 F.2d 526 (3d Cir. 1979)
In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017)
In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016)
In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017)
Ins. Co. of N. Am. v. English, 395 F.2d 854 (5th Cir. 1968)
Katz v. Donna Karan Co., 872 F.3d 114 (2d Cir. 2017)
Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012)
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)
Lowe v. General Motors Corp., 624 F.2d 1373 (5th Cir. 1980)
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 668 (7th Cir. 2015)
Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014)
Whalen v. Michaels Stores, Inc., 689 F. App'x 89 (2d Cir. 2017)
DISTRICT COURT CASES
Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333 (W.D.N.Y. 2018)
Grove Fresh Distributors, Inc. v. Flavor Fresh Foods, Inc., 720 F. Supp. 714 (N.D. Ill. 1989)
Harmon v. Maury Cnty., No. 1:05 CV 0026, 2005 WL 2133697 (M.D. Tenn. Aug. 31, 2005)
In re Adobe Sys. Privacy Litig., 66 F.Supp. 3d 1197 (N.D. Cal. 2014)
In re Cmty. Health Sys., No. 15-CV-222-KOB, 2017 U.S. Dist. LEXIS 21178 (N.D. Ala. 2017)
I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo. June 14, 2011)
K.V. & S.V. v. Women’s Healthcare Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734 (W.D. Mo. June 6, 2007)
Sackin v. Transperfect Glob., Inc., 278 F.Supp.3d 739 (S.D.N.Y. Oct. 4, 2017)
STATE COURT CASES
Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006)
Allen v. Delchamps, Inc., 624 So. 2d 1065 (Ala. 1993)
Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32 (Conn. 2014)
Conboy v. State, 292 Conn. 642 (Conn. 2009)
Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812 (Del. Super. Ct. 2009)
Grey's Ex'r v. Mobile Trade Co., 55 Ala. 387 (Ala. 1876)
Hanson v. Jones Medical Ctr., 199 Mis. 2d 321 (2002)
Harden v. Danek Med., Inc., 985 S.W.2d 449 (Tenn. 1998)
Martin v. Schroeder, 105 P.3d 577 (Ariz. Ct. App. 2005)
R.K. v. St. Mary's Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012)
Scheele v. Rains, 874 N.W.2d 867 (Neb. 2016)
Sheldon v. Kettering Health Network, 40 N.E.3d 661 (Ohio 2015)
Sorenson v. Barbute, 143 P.3d 295 (Utah Ct. App. 2006)
Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014)
West v. Mache of Cochran, 370 S.E.2d 169 (Ga. Ct. App. 1988)
Young v. Carran, 289 S.W.3d 586 (Ky. Ct. App. 2008)
STATE STATUTES
302 M.C.S. § 3/22-104 (2014)
CONSTITUTION
U.S. Const., Art. III, § 2, cl. 1
RULES
Fed. R. Civ. P. 12(b)(1)
Fed. R. Civ. P. 12(b)(6)
REGULATIONS
45 C.F.R. §§ 164.302-.318 (2015)
SECONDARY SOURCES
Lisa Andrews, Plaintiff, v. Family Dollar Stores of Oklahoma, Inc., And Barbara Robinson, Defendants., Labor & Empl. L. P 186938
OPINIONS BELOW
The United States District Court for the District of Missouriana granted
B&T’s 12(b)(1) motion to dismiss for lack of standing. C.R. 14. Hope alleged that he
and the plaintiff class sufficiently established that they suffered an injury-in-fact
because of the increased risk of fraud and identity theft as well as the steps that
must be taken on the plaintiffs’ part to guard themselves from that future harm
that stems from the data breach that made their electronic personal health
information (“ePHI”) available for sale on the dark web. C.R. 6. However, the
district court pointed to Clapper, where this Court ruled that “threatened injury
must be certainly impending to constitute injury-in-fact.” C.R. 6. The district court
rejected Hope’s allegations due to the lack of allegations of “actual misuse of the
data,” and because the court believed that in order for actual misuse to occur,
“many actions must first take place.” C.R. 7. Consequently, the court found that
Hope lacked standing to file this suit because the plaintiff class failed to show
injury-in-fact, which is required for standing under Article III of the United States
Constitution. C.R. 5.
The district court also granted B&T’s 12(b)(6) motion to dismiss for failure to
state a claim. Hope asserted two legal theories for finding B&T liable for the
injuries resulting from the data leak: negligence per se and general negligence. C.R.
8. Hope alleged that B&T was negligent per se because B&T violated the duties
owed under HIPAA’s statute and regulations. Further, Hope contended that B&T
can be found liable under negligence law generally because HIPAA establishes a
standard of care, which B&T failed to meet. C.R. 8. The district court ruled that it
did not believe Missouriana would find negligence per se or a common law
negligence claim under these circumstances, and thus Hope failed to state a claim
upon which relief may be granted. C.R. 13.
The United States Court of Appeals for the Thirteenth Circuit reversed the
district court’s order dismissing the complaint. C.R. 24. The appellate court found
that the district court erred not only in ruling that the putative class had not shown
injury-in-fact to have standing, but also in holding that Hope’s complaint did not
allege a claim upon which relief may be granted. C.R. 16.
The appellate court ruled that the putative class suffered an intangible harm
that the appellate court recognizes as sufficiently concrete and particularized to
establish injury-in-fact for standing. Id. Pointing to this Court’s decision in Spokeo,
the appellate court reiterated this Court’s previous holding that intangible injuries
can satisfy standing and found that the risk of future identity theft or fraud arising
from an identifiable data breach may satisfy injury-in-fact. C.R. 19. Thus, the
appellate court held that Hope had established injury-in-fact, because Hope’s ePHI,
along with his Social Security number and date of birth, had been found on the dark
web being downloaded hundreds of times. C.R. 20, 21.
The appellate court also found that the district court erred in ruling that the
plaintiff class failed to state a claim. C.R. 24. The appellate court found that the
appellant properly asserted a state law negligence claim upon which relief could be
granted by claiming that B&T failed to maintain confidentiality of the plaintiff
class’s ePHI, leading to the unauthorized access of that information. Id. The
appellate court also ruled that it is proper for courts to look to the standards of care
established under HIPAA when determining the duty to protect ePHI. Id. Thus, the
appellate court found that the plaintiff class did properly state a claim,
and reversed and remanded to the court below to decide whether B&T complied
with HIPAA. Id.
CONSTITUTIONAL AND STATUTORY PROVISIONS
U.S. Const., Art. III, § 2, Cl. 1
Fed. R. Civ. P. 12(b)(1)
Fed. R. Civ. P. 12(b)(6)
45 C.F.R. § 164.306(a)(1)
45 C.F.R. § 164.312(a)(1)
STATEMENT OF THE CASE
Anthony Hope (Hope) filed a common law negligence complaint against
Barker & Todd, Inc. (B&T) on February 15, 2016, in the United States District
Court for Missouriana, alleging B&T violated standards set forth in the Health
Insurance Portability and Accountability Act (HIPAA) by failing to safeguard
Hope’s ePHI. C.R. 4. On March 1, 2016, B&T filed a 12(b)(1) Motion to Dismiss,
asserting that Hope had failed to establish injury-in-fact for purposes of Article II
standing. Additionally, B&T filed a 12(b)(6) Motion to Dismiss, asserting that Hope
may not use HIPAA violations as a basis for either negligence per se or general
negligence claims under Missouriana law. Id.
The district court granted B&T’s motions and found that Hope failed to
establish injury-in-fact for purposes of Article III standing, failed to state a
negligence per se claim as a matter of law, and failed to state a common law negligence
claim upon which relief can be granted. C.R. 13. Hope appealed the district court’s
order dismissing his complaint to the United States Court for the Thirteenth
Circuit. C.R. 15-16.
The appellate court reversed the district court’s dismissal of the
complaint. C.R. 16. The court additionally remanded the case for proceedings in line
with its opinion. Id. B&T petitioned this Court for certiorari. C.R. 25. This case calls
upon the Court to resolve the following two issues: (1) whether patients, whose
ePHIs have been stolen, can establish injury-in-fact to confer standing under Article
III against the party that failed to safeguard their ePHIs; and (2) whether state law
negligence claims may be based on violations of HIPAA.
SUMMARY OF THE ARGUMENT
The appellate court was correct in denying B&T’s motion to dismiss because
Hope has standing to sue and has sufficiently pleaded a claim upon which relief can
be granted. Rule 12(b)(1) requires a court to have subject matter jurisdiction, and for
a court to have subject matter jurisdiction, a plaintiff must have standing to sue.
Standing consists of three elements: (1) injury-in-fact, (2) a causal connection
between the injury and the conduct complained of, and (3) a favorable decision
would make it likely that the injury would be redressed. Rule 12(b)(6) requires a
plaintiff to allege facts with sufficient specificity to state a claim for relief that is
permissible on its face. Because Hope has established an injury-in-fact and has
sufficiently pleaded a claim for relief, this Court should affirm the appellate
court's holding.
I. Hope’s Injury-in-fact
The appellate court was correct in holding that Hope has an injury-in-fact as
required by standing. To establish injury-in-fact, the plaintiff must show an
invasion of a legally protected interest which is (a) concrete and particularized
and (b) actual or imminent rather than conjectural or hypothetical. An intangible
harm that has a close relationship to a harm that has traditionally been regarded as
providing a basis for a lawsuit in English or American courts or an intangible harm
identified by Congress meets the requirements of concreteness. An injury is
sufficiently particularized when it is individualized and when the plaintiff alleges a
violation of his own rights. A future injury is imminent if it is certainly impending
or there is a substantial risk that harm will occur. However, an injury that relies on
a highly attenuated or highly speculative chain of events to occur does not ripen
into imminence.
In this case, Hope has sufficiently alleged an injury-in-fact because he has
identified a taking of his personal information that was found for sale on the dark
web and has been downloaded hundreds of times. This is not a case in which no
taking of information has been identified and a chain of events that are highly
attenuated and highly speculative need to occur. Rather, Hope’s information has
already been taken deliberately by hackers and found on the Internet, thereby
satisfying imminence. Further, the traditional right to privacy and Congress’s
affirmative act in protecting personal information through HIPAA satisfy the
concreteness requirement. Lastly, the future risk of identity theft alleged is
personal to Hope as his information was taken and he is alleging a violation of his
own rights. Thus, Hope has sufficiently alleged an injury-in-fact as required by
standing.
II. B&T’s Violation of Duties Owed to Hope
The appellate court was also correct in holding that Hope has sufficiently
pled a claim upon which relief can be granted. Although HIPAA does not provide a
private right of action, numerous federal courts have held that negligence per se
claims may in fact be based on violations of HIPAA. Further, several federal courts
and state courts have allowed negligence per se claims where there was a violation
of a federal statute. Most tellingly, this Court has accepted the use of different
statutes that also lack a private right of action as the basis for state law negligence
per se claims. Thus, as the appellate court held, without a clear indication
suggesting otherwise, it cannot be held that HIPAA cannot form
a Missouriana state law claim simply because the issue has yet to be addressed.
Even if this Court finds unpersuasive the theory that a negligence per se
claim may be based on violations of HIPAA, Hope is still able to bring a claim of
general negligence based on the duties outlined in HIPAA. Missouriana has
recognized that individuals have a general right of privacy in their medical records,
and the fact that Missouriana case law has not addressed the right of privacy in the
context of a pharmaceutical company does not foreclose the use of such a
claim. Rather, this Court has the duty to arrive at the decision which reason
dictates, with the faith that the state courts will arrive at the same decision. Here,
reason dictates that allowing HIPAA to govern the standard of care would increase
efficiency and provide guidance on the requirements of protection of ePHI.
Further, numerous state courts have allowed HIPAA to guide the standard of
care in other state law negligence cases. Specifically, a state supreme court has held
that HIPAA may be used as a guidepost for determining the applicable standard of
care for a pharmaceutical company. Additionally, federal courts have also allowed
state law negligence claims that looked to a federal statute to determine the
standard of care. Thus, because there are ample examples of numerous courts of
varying jurisdictions approving the use of a federal statute, like HIPAA, to base a
state law negligence claim, this Court should affirm the appellate court’s decision
that Hope has a general negligence claim against B&T based on the standards in
HIPAA.
ARGUMENT
I. The District Court has subject matter jurisdiction to hear Hope’s claim
because the risk of future financial harm is sufficiently concrete and
particularized and imminent to establish injury-in-fact.
The Federal Rules of Civil Procedure permit a defendant to move to dismiss a
claim for relief based on lack of subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1).
Courts presume, absent a clear indication to the contrary, that a dismissal for lack
of subject matter jurisdiction under Rule 12(b)(1) is a final, appealable order and a
district court’s decision of whether a plaintiff has standing is reviewed de
novo. Attias v. CareFirst, Inc., 865 F.3d 620, 624-25 (D.C. Cir. 2017); Remijas v.
Neiman Marcus Group, LLC, 794 F.3d 668, 691 (7th Cir. 2015). A federal court has
subject matter jurisdiction only over actual “[c]ases” and “[c]ontroversies.” U.S.
Const., Art. III, § 2, cl. 1; Lujan v. Defenders of Wildlife, 504 U.S. 555, 559 (1992).
For the case or controversy requirement to be satisfied, the plaintiff must meet the
requirements for standing. Sprint Comm’ns Co. v. APCC Servs., Inc., 544 U.S. 269,
273 (2008). Standing consists of three elements: (1) injury-in-fact, (2) a causal
connection between the injury and the conduct complained of, and (3) a favorable
decision would make it likely that the injury would be redressed. Lujan, 504 U.S. at
560-61. B&T has raised no issues about either causation or redressability. C.R. 21
n. 9. Therefore, the issue before the Court is limited to the question of injury-in-
fact.
An injury-in-fact is an “invasion of a legally protected interest which is (a)
concrete and particularized” and “(b) actual or imminent” rather than “conjectural
or hypothetical.” Lujan, 504 U.S. at 560. At the pleading stage, general allegations
of injury resulting from the defendant’s conduct can satisfy a plaintiff’s burden to
establish standing, because the court presumes that the general allegations
“embrace those specific facts that are necessary to support the claim.” Id. at 561
(quoting Lujan v. Nat’l Wildlife Federation, 497 U.S. 871, 889 (1990)). A bright-line
rule for injury-in-fact does not exist. Rather, injury-in-fact analysis is a highly case
and fact specific inquiry. Katz v. Donna Karan Co., 872 F.3d 114, 121 (2d Cir.
2017).
A. Hope’s claim for risk of future financial harm is sufficiently concrete and
particularized because an invasion of one’s privacy traditionally leads to
relief, and there was an identifiable data breach of Hope’s personal
information.
For an injury to be concrete, the injury must be “de facto.” Spokeo, Inc. v.
Robins, 136 S. Ct. 1540, 1548 (2016). Thus, the injury must actually exist and be
“real” and not “abstract.” Id. However, an injury does not have to be tangible to be
concrete. Id. at 1549. Rather, this Court has held on numerous occasions that
intangible injuries can be concrete. Id.
To determine whether an intangible harm constitutes injury-in-fact,
the court is instructed to look to the history and the judgement of
Congress. Id. Therefore, an intangible harm that has a close relationship to a harm
that has traditionally been regarded as providing a basis for a lawsuit in English or
American courts or an intangible harm identified by Congress meets the minimum
requirements of Article III. Id. Although Article III still requires a concrete injury in
the context of a statutory violation, this Court has held that, in some circumstances,
a plaintiff need not allege additional harm beyond what Congress has identified to
satisfy injury-in-fact. Id. Nor does it follow that the risk of real harm cannot satisfy
the requirement of concreteness. Id. (reasoning that the law has “long permitted
recovery by certain tort victims even if their harms may be difficult to prove or
measure”).
A clear example of risk of real harm deemed to satisfy concreteness would be
the unauthorized disclosure of information. According to the Third Circuit, the
unauthorized disclosure of information has “long been seen as injurious.” In re
Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625, 638 (3d Cir. 2017). The
Third Circuit is not alone in this view. As noted in the Restatement Second, the
common law alone will, on occasion, protect a person’s right to prevent the
disclosure of private information and with privacy torts, improper dissemination of
information itself can constitute a cognizable injury. Id. (citing Restatement
(Second) of Torts § 652A (2016)). Further, Congress has long provided plaintiffs
with “the right to seek redress for unauthorized disclosures of information that, in
Congress’s judgement, ought to remain private.” In re Nickelodeon Consumer
Privacy Litig., 827 F.3d 262, 274 (3d Cir. 2016). Additionally, although HIPAA itself
does not provide for a private right of action, it has been recognized that the
“constitutionally protected privacy interest in avoiding disclosure of personal
matters clearly encompasses medical information and its confidentiality.” Bloodsaw
v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998).
In the case at bar, the future risk of identity theft has a close relationship to
a traditionally protected right in English or American Courts – the right of
privacy. See In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d at 638.
Furthermore, the disclosure of ePHI and other personal information protected in
HIPAA’s privacy and security rules directly relates to the “constitutionally
protected privacy interest in avoiding disclosure of
personal matters.” See Bloodsaw, 135 F.3d at 1269. Therefore, there is an intangible
harm protected by HIPAA that has a close relationship to a traditionally regarded
harm, here privacy interest, in English or American Courts thus satisfying
concreteness. See In re Horizon, 846 F.3d at 640.
For an injury to be particularized, it must affect the plaintiff “in a personal
and individual way.” Spokeo, Inc., 136 S. Ct. at 1548. Thus, a plaintiff must (1) be
“among the injured,” in the sense that they allege the defendants violated their
statutory rights, and (2) the statutory right at issue must protect against an
“individual, rather than collective, harm.” Robins v. Spokeo, Inc., 742 F.3d 409, 413
(9th Cir. 2014) rev’d on other grounds. In Robins, the Ninth Circuit held that
because the plaintiff alleged the defendant violated his statutory rights and because
the plaintiff’s personal interests in the handling of his credit information are
individualized rather than collective, the plaintiff had satisfied the injury-in-fact
requirement. Id. at 413-14. On appeal, this Court stated that the Ninth Circuit’s
analysis was concerned only with particularization, not concreteness and did not
overrule the Ninth Circuit’s articulation of the requirements of
particularization. Spokeo, S. Ct. 1540 at 1548. Therefore, an injury is sufficiently
particularized when (1) it is individualized, and (2) the plaintiff alleges a
violation of his own rights. Id. at 1556.
An example of this standard being met by the disclosure of private
information is In re Horizon, where the Third Circuit held there was “no doubt” that
the plaintiffs complained of a particularized injury, which was the unauthorized
disclosure of their private information. In re Horizon, 846 F.3d at 633 n. 10. In the
case at bar, Hope has alleged the same violation of his rights based on the
disclosure of his own private information. C.R. 4. Based off legal precedent and this
Court’s own standard in Spokeo, Hope has satisfied particularization because he
claimed (1) a violation of his own rights and (2) the violation (i.e. the handling of his
credit information) is individualized rather than collective. See Spokeo, S. Ct. 1540
at 1556; In re Horizon, 846 F.3d at 633 n. 10; C.R. 4. Therefore, Hope meets
the Spokeo particularization standard.
B. The risk of Hope’s future financial harm is actual or imminent because
Hope’s information has already been taken, found for sale on the dark
web, and downloaded hundreds of times.
For an injury to be imminent, it must be certainly impending or there must be a
substantial risk that harm will occur. Susan B. Anthony List v. Driehaus, 134 S. Ct.
2334, 2341 (2014). In terms of data theft, this Court does not require that a plaintiff
must wait to actually suffer identity theft or credit card fraud in order to have
standing, because such a requirement would run counter to the well-established
principle that harm need not have already occurred or be literally certain in order to
constitute an injury-in-fact. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n. 5
(2013) (noting that this Court has found standing based on a “substantial risk”). As
this Court articulated, imminence is a “somewhat elastic concept” that should not
be stretched beyond its purpose to “ensure that the alleged injury is not too
speculative for Article III purposes.” Id. at 409. Put another way, a substantial risk
cannot be found where it is based on “the attenuated chain of inferences necessary
to find harm.” Id. at 414 n. 5.
Presently, the circuit courts are divided as to how far imminence stretches. In
terms of unauthorized disclosures of personal data, a circuit split exists on whether
actual misuse of that personal data is required to have standing to assert data
breach claims. In re Cmty. Health Sys., No. 15-CV-222-KOB, 2017 U.S. Dist. LEXIS
21178, at *17 (N.D. Ala. 2017). While there is disagreement as to the elasticity of
the concept, this Court should follow the reasoning of the D.C., Sixth, Seventh,
Ninth, and arguably the Second Courts of Appeals which have all ruled that an
increased risk of future identity theft is sufficient to confer standing.
Numerous courts have found that a “substantial risk that harm will occur” is
shown where there is an increased risk of future harm due to hackers deliberately
targeting a database and stealing private information. In re Adobe Sys. Privacy
Litig., 66 F. Supp.3d 1197, *1215 (N.D. Cal. 2014) (holding that hackers who
deliberately targeted and breached a server resulted in a risk to the plaintiff that
was “immediate and very real” and satisfied standing); Galaria v. Nationwide Mut.
Ins. Co., 663 F. App'x 384, 389 (6th Cir. 2016) (holding where a data breach targets
personal information, a reasonable inference can be drawn that the hackers will use
the victim’s data for fraudulent purposes alleged in the complaint and the fact that
the defendants offered to pay for credit monitoring and identity theft monitoring
was telling thus showing a substantial risk of harm); Remijas, 794 F.3d at 694
(ruling that the plaintiffs had shown a substantial risk of harm because,
“presumably, the purpose of the hack is, sooner or later, to make fraudulent charges
or assume those consumers’ identities”); CareFirst, Inc., 865 F.3d at 624-25 (holding
that the cyberattack on defendant’s server, which exposed information such as
Social Security and credit card numbers, presented by virtue of the hack a risk
much more substantial than the risk in Clapper); Krottner v.
Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (ruling that the plaintiffs
had alleged the threat of a real and immediate harm due to the future risk of
identity theft, after the theft of a laptop containing their unencrypted personal
data).
In CareFirst, the plaintiffs alleged that a cyberattack on defendant’s servers
gave access to identity thieves the “PII, PHI, ePHI, and other personal and sensitive
information of [p]laintiffs.” CareFirst, Inc., 865 F.3d 620 at 627-28. The D.C.
Circuit noted that, drawing on experience and common sense, a substantial risk of
identity theft is apparent where the information hacked includes
“[S]ocial [S]ecurity and credit card numbers.” Id. at 628. Further, the court stated
that it is “much less speculative—at the very least, it is plausible—to infer” that an
unauthorized party with access to personally identifying data has both the “intent
and the ability to use that data for ill.” Id. Thus, that court held that no long
sequence of uncertain contingencies needed to occur before the plaintiffs will suffer
any harm. Id. at 629. Rather, a substantial risk of harm already existed by “virtue
of the hack and the nature of the data that the plaintiffs allege was
taken.” Id. (holding that the risk presented was much more substantial than the
risk presented in Clapper which relied on a highly speculative fear of action).
Additionally, in In re Adobe, the Northern District Court of California held,
unlike the claim of future harm in Clapper that rested on a chain of events that was
both highly attenuated and highly speculative because the actor concerned had not
targeted the plaintiffs, the risk that plaintiffs’ personal data will be misused by
hackers who breached Adobe’s network was “immediate and very real.” In re
Adobe, 66 F.Supp.3d 1197 at *1214. In that case, plaintiffs alleged the hackers
“deliberately targeted” Adobe’s servers and collected “names, usernames,
passwords, email addresses, phone numbers, mailing addresses, and credit card
numbers and expiration dates.” Id. Plaintiffs’ personal information was among the
information taken during the breach. Id. The district court held that there was no
need to speculate “as to whether the hackers intend[ed] to misuse the personal
information stolen” as some of the stolen data had already surfaced on the
internet. Id. at *1215. The court noted this was in stark contrast to Clapper where
plaintiffs’ argument rested on the fact that the Government would have to decide to
target the plaintiffs’ communications and then choose to invoke its authority under
the statute in question as well as take numerous other steps for there to be
imminence of harm. Id. at *1214; Clapper, 568 U.S. at 410. Thus, plaintiffs’
allegations of future identity theft were ruled to be a concrete and imminent threat
that satisfied Article III. In re Adobe, 66 F.Supp.3d 1197 at *1216.
Similarly, in the Sixth Court of Appeals, a substantial risk of harm was found
in a case where hackers broke into Nationwide’s database and stole personal data
including dates of birth, marital statuses, genders, occupations, employers, Social
Security numbers, and driver’s license numbers. Galaria, 663 F. App'x 384, 386. The
plaintiffs argued that the theft of their personal data placed them at a “continuing,
increased risk of fraud and identity theft beyond the speculative allegations of
‘possible future injury’ or ‘objectively reasonable likelihood’ of injury.” Id. at 388.
The court agreed and noted that there was no need for speculation where plaintiffs
“allege that their data has already been stolen and is now in the hands of ill-
intentioned criminals.” Id. Further, the court emphasized that a reasonable
inference can be drawn that the hackers will use the victims’ data
for fraudulent purposes where a data breach targets personal
information. Id. Additionally, the court reiterated that it would be unreasonable to
expect plaintiffs to wait for actual misuse before taking steps to ensure security
where plaintiffs already know that they have lost control of their data. Id. This is
true despite the fact that Nationwide offered to provide some services for a limited
time to help monitor the victim’s credit, check their bank statements, and modify
their financial accounts, because plaintiffs alleged that the risk is continuing and
that they had incurred costs—namely, credit freezes—not provided by
Nationwide. Id. at 388-89.
The circuit courts that have found no substantial risk in cases alleging future
harm do so for reasons distinguishable from the case at bar. Namely, those circuits
found there is not a substantial risk of harm sufficient to satisfy injury-in-fact
where there is no identifiable taking or where it is not shown that the data breach
was for the purpose of fraud. In re SuperValu, Inc., 870 F.3d 763, 770 (8th Cir.
2017) (ruling that the plaintiffs did not demonstrate a substantial risk of future
identity theft because the allegedly stolen card information did not include any
personal identifying information, such as Social Security numbers, birth dates, or
driver’s license numbers); Whalen v. Michaels Stores, Inc., 689 F. App'x 89, 90-91
(2d Cir. 2017) (finding insufficient standing where plaintiff did not “allege how she
can plausibly face a threat of future fraud,"—one of her proffered theories of
injury—"because her stolen credit card was promptly canceled after the breach and
no other personally identifying information—such as her birth date
or Social Security number—is alleged to have been stolen”); Beck v. McDonald, 848
F.3d 262, 276 (4th Cir. 2017) (noting no evidence was uncovered that the personal
information contained on a stolen laptop had been accessed or misused or that
the thief stole the laptop with the intent to steal private information); Reilly v.
Ceridian Corp., 664 F.3d 38, 42-43 (3d Cir. 2011) (holding information taken from a
payroll system firewall by an unknown hacker was not enough to satisfy standing
requirements as it was “not known whether the hacker read, copied, or understood”
the system’s information and no evidence suggested past or future misuse of
employee data or that the intrusion was intentional or malicious); Katz v. Pershing,
LLC, 672 F.3d 64, 80 (1st Cir. 2012) (finding no injury-in-fact where the plaintiff did
not allege that her nonpublic personal information had been accessed by any
unauthorized person).
Recently, a Second Circuit case ruled that the above-mentioned Whalen does
not foreclose standing based on an increased risk of identity theft but rather
strongly implies that “the Second Circuit would follow those circuits that have held
that a risk of future identity theft is sufficient to plead an injury-in-fact.” Fero v.
Excellus Health Plan, Inc., 304 F.Supp.3d 333, 340 (W.D.N.Y. 2018). The Fero court
explained that although Whalen was “a payment card case in which the plaintiff did
not have standing based on an increased risk of identity theft,” Whalen’s “favorable
citations to Galaria, Remijas, and Lewert suggest that the Second Circuit would
follow the approach to the standing issue adopted by the Sixth and Seventh
Circuits, which have both found standing based on an increased risk of identity
theft.” Id. at 339.
Further, Fero pointed to another recent Second Circuit case that held, in a
data breach case, an imminent risk of future identity theft satisfies the injury-in-
fact requirement. Id. at 339-40 (citing Sackin v. Transperfect Glob., Inc., 278
F.Supp.3d 739 (S.D.N.Y. 2017)). In Sackin, the court ruled that the allegations that
the “Defendant provided Plaintiffs’ names, addresses, date of births, Social Security
numbers and bank account information directly to cyber-criminals creates a risk of
identity theft sufficiently acute so as to fall comfortably into the category of
certainly impending.” Sackin, 278 F.Supp.3d at 746. The Sackin court also
cited Whalen as evidence that the Second Circuit would join the sister circuits in
holding that an increased risk of identity theft is sufficiently imminent to establish
standing. Id.
In the case at bar, Hope has alleged a substantial risk of harm because
Hope’s personal information was taken by hackers, found on the dark web,
and has been downloaded hundreds of times. See CareFirst, Inc., 865 F.3d 620 at
627-28; In re Adobe Sys. Privacy Litig., 66 F.Supp. 3d 1197 at *1215; C.R. 3. This is
in stark contrast to the case where there is no evidence that the stolen information
has been accessed. See Katz, 672 F.3d at 79. Additionally, the private information
taken by the hackers was not just credit card information, but rather included
Hope’s Social Security number. See Whalen 689 F. App'x 89 at 90; C.R. 3. Although
B&T offered and Hope accepted a year of free credit monitoring, similar to the
plaintiffs in Galaria, Hope will have to pay for continued credit monitoring and had
to put a credit freeze in place without help from B&T. Galaria, 663 F. App'x at 388-
89 (finding substantial harm because plaintiffs alleged that the risk is continuing
and that they had incurred costs—namely, credit freezes—not provided by
Nationwide); C.R. 3, 4. Additionally, it is telling that B&T has offered credit
monitoring for a year, showing they do not think the “risk is so ephemeral that it
can be safely disregarded.” Remijas, 794 F.3d at 694; C.R.3. Therefore, Hope has
established a substantial risk of harm sufficient to satisfy imminence.
The District Court has subject matter jurisdiction to hear Hope’s claim
because the risk of future financial harm is sufficiently concrete and particularized
and imminent to establish injury-in-fact. Hope has identified a personal privacy
right traditionally recognized in American and English law thus showing the harm
is concrete and particularized. Further, five circuits across the country have ruled
that a future risk of identity theft is a substantial harm as it is more than plausible
to infer that a substantial harm arises from a data breach, because, sooner or later,
the hackers will exploit that information. As the Sixth Court articulated, “Why else
would hackers break into a database and steal private information?” Remijas, 794
F.3d at 693. Thus, this Court should uphold the appellate court’s finding that Hope
has alleged an injury-in-fact as required to confer standing.
II. Hope stated a claim upon which relief may be granted to the putative
class because B&T’s actions violated the duties and standards established
under HIPAA.
Hope stated a claim upon which relief may be granted because B&T’s actions
violated the standards established under HIPAA. Under Rule 12(b)(6), a plaintiff is
obligated to allege facts with sufficient specificity to state a claim for relief that is
permissible on its face and a lower court’s determination of a 12(b)(6) motion should
be reviewed de novo. Fed. R. Civ. P. 12(b)(6); Conboy v. State, 292 Conn. 642, 650
(Conn. 2009). In this case, Hope alleged state law negligence claims while using
HIPAA as a guidepost for the standard of care. Despite case law indicating the
contrary, the district court dismissed Hope’s claims for failure to state a claim.
Identifying this error, the appellate court reversed. Because Hope properly stated a
claim for common law negligence and negligence per se, this Court should affirm
the decision of the appellate court to reverse the dismissal.
A. Hope is able to bring a claim of negligence per se because B&T violated a
federal statute that put forth a duty upon B&T.
Missouriana’s negligence per se statute states: “An actor is negligent if,
without excuse, the actor violates a statute that is designed to protect against the
type of accident the actor’s conduct causes, and if the accident victim is within the
class of persons the statute is designed to protect.” C.R. 9-10. Missouriana modeled
this statute directly after the Restatement (Third) of Torts, which explains that
federal statutes and regulations can in fact give rise to a finding of negligence per
se. C.R. 22; See generally Restatement (Third) of Torts: Phys. & Emot. Harm §
14 cmt. A (Am. Law Inst. 2010) (stating the section regarding negligence per se
“most frequently applies to statutes adopted by state legislatures, but equally
applies to . . . federal statutes as well as regulations promulgated by federal
agencies”); Grable & Sons Metal Products, Inc. v. Darue Eng'g & Mfg., 545 U.S. 308,
318–19 (2005) (agreeing with the Restatement (Third) of Torts § 14 that “the breach
of a federal statute may support a negligence per se claim as a matter of state law”).
Thus, we ask this Court to affirm the appellate court’s ruling on this point and
allow a negligence per se claim based on the violation of HIPAA’s privacy and
security regulations.
This Court has encountered state law negligence per se claims based on
violations of numerous other federal statutes that do not provide for private causes
of actions. Merrell Dow Pharm. Inc. v. Thompson, 478 U.S. 804, 823 (1986)
(addressing the question of jurisdiction in a state law negligence per se claim based
on a violation of the Federal Food, Drug, and Cosmetic Act (FDCA)). Additionally,
other federal courts have also allowed for negligence per se claims in cases where
there was a violation of a federal statute. Lowe v. General Motors Corp., 624 F.2d
1373, 1380 (5th Cir. 1980) (holding that a violation of the National Traffic and
Motor Vehicle Safety Act is evidence of negligence per se); Hetherton v. Sears,
Roebuck & Co., 593 F.2d 526, 529-30 (3d Cir. 1979) (finding negligence per se from a
violation of the Gun Control Act).
State courts have also addressed the issue of utilizing violations of federal
statutes to find state law negligence per se claims and confirmed that this method is
indeed acceptable. Martin v. Schroeder, 105 P.3d 577, 582-83 (Ariz. Ct. App. 2005)
(holding that a firearm sale in violation of the Gun Control Act amounted to
negligence per se); West v. Mache of Cochran, 370 S.E.2d 169, 173 (Ga. Ct. App.
1988) (finding a violation of the Gun Control Act to be negligence per se); Grey's
Ex'r v. Mobile Trade Co., 55 Ala. 387, 402-03 (Ala. 1876) (finding negligence per se
stemming from a violation of a federal law that regulates cotton shipments); Allen
v. Delchamps, Inc., 624 So. 2d 1065, 1067-68 (Ala. 1993) (denying the motion for
summary judgment on the negligence per se claim simply because the FDCA does
not provide a private right of action for damages: “However, the plaintiffs in this
case are not suing directly under the F.D.C.A or its accompanying regulations.
Rather, they are relying on the regulations to establish a duty or standard of
care”); Harden v. Danek Med., Inc., 985 S.W. 2d 449, 452 (Tenn. 1998) (stating that
violations of FDCA statute which did not provide for a private right of action could
be the basis of negligence per se action; summary judgment granted on other
grounds).
Other federal courts have also held that negligence per se claims may in fact
be based on violations of HIPAA. See, e.g., K.V. & S.V. v. Women’s Healthcare
Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6,
2007) (holding that plaintiff’s negligence per se claim that relied on HIPAA did
state a cause of action); I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL
2433585, at *2 (E.D. Mo. June 14, 2011) (“[T]he Court finds that Count III may
stand as a state claim for negligence per se despite its exclusive reliance upon
HIPAA.”); Harmon v. Maury Cnty., No. 1:05 CV 0026, 2005 WL 2133697, at *3, *4
(M.D. Tenn. Aug. 31, 2005) (granting a motion to remand to state court for a state
law negligence per se claim based on HIPAA).
State courts have also held that negligence per se claims based on violations
of HIPAA are permissible. See Acosta v. Byrum, 638 S.E.2d 246, 251 (N.C. Ct. App.
2006) (holding that plaintiff’s negligence per se claim that relied on HIPAA
was sufficient); Sorensen v. Barbuto, 143 P.3d 295, 300-01, n.2. (Utah Ct. App.
2006), aff’d, 177 P.3d 614 (Utah 2008); See also Walgreen Co. v. Hinchy, 21 N.E.3d
99, 109-110 (Ind. Ct. App. 2014).
In the case at bar, Hope is bringing a claim of Missouriana state law
negligence per se because B&T’s “actions violated the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), Pub L. No. 104-191, 110 Stat. 1936
(codified as amended in scattered sections of 42 U.S.C.), and its implementing
regulations, 45 C.F.R. §§ 164.302-.318 (2015), because B&T failed to properly secure
his ePHI.” C.R. 4. The district court in the case at bar relies on a case from the Ohio
Court of Appeals that states that HIPAA cannot be the basis for a negligence per se
claim because of the statute’s lack of private right of action. C.R. 12. However, this
Court has accepted the use of different federal statutes that also lack a private right
of action as the basis for state law negligence per se claims. Merrell Dow. In Merrell
Dow, the Court examined the jurisdiction for a negligence per se claim based on the
mislabeling of the drug Bendectin, which was considered “misbranding” and in
violation of the FDCA. Id. at 822. The Court held this despite FDCA not providing a
private right of action. Id. The same approach by this Court should be taken for
HIPAA. The fact that HIPAA does not provide for a private right of action does
not mean that a state law negligence per se claim based on a violation of HIPAA is
barred, because such claims have been accepted by countless courts of law higher than those
cited in the trial court’s opinion.
The district court also claims that aside from the lack of private right of
action, Hope cannot bring his negligence per se claim based on a violation of
HIPAA’s regulations concerning the encryption of ePHI because HIPAA does not
require the records to be encrypted unless the covered entity decides that
implementation of an encryption system is “reasonable and appropriate.” C.R. 13.
However, if an entity decides that the encryption implementation is not reasonable
and appropriate, this decision must be documented and explained, in addition to the
implementation of an equivalent alternative measure that is reasonable and
appropriate. APPENDIX II -- ADMINISTRATIVE NOTICES AND GUIDANCE,
2005 WL 4172330. Because B&T implemented the encryption system in lieu of
documenting why that method was neither reasonable nor appropriate given their
circumstances, it can be presumed that B&T evaluated their circumstances and
determined that encryption was reasonable and appropriate and thus are required
under HIPAA to maintain their encryption system. Thus, Hope may bring a claim of
negligence per se based on the violation of the security provisions of HIPAA.
Based on the information provided and the large body of legal precedent,
Hope should be allowed to pursue his state law negligence per se claim based on the
violations of the privacy and security regulations laid forth in HIPAA. Accordingly,
we ask this Court to affirm the lower court’s ruling on this point.
B. Hope is able to bring a claim of general negligence because HIPAA’s well-
established regulations effectively delineate the standard of care for how
personal information should be stored and secured.
In the event that this Court does not find the above argument persuasive,
Hope is still able to sue for general negligence. Missouriana state law imposes a
duty to safeguard personally identifiable health records because Missouriana has
recognized that individuals have a general right of privacy in their medical records.
C.R. 23; Hanson v. Jones Medical Ctr., 199 Mis. 2d 321, 333 (2002) (holding medical
center liable for public disclosure of private facts when it disclosed results of wife’s
pregnancy test to her estranged husband without her consent). The appellate court
points to case law that explains that since Missouriana case law does not have a
case that is on point regarding Missouriana’s right of privacy and how it would
apply to a pharmaceutical company, this court has the duty to “arrive at the
decision which reason dictates, with the faith that the state courts will arrive at the
same decision.” C.R. 23; See, e.g., Ins. Co. of N. Am. v. English, 395 F.2d 854
(5th Cir. 1968). Thus, we ask this Court to establish that it is appropriate to look
towards HIPAA as a guidepost for general negligence claims for determining the
standard of care for pharmaceutical companies regarding the protection of the right
of privacy in medical records.
A number of state courts have already allowed HIPAA to be used as a guide
for the standard of care in state law negligence claims. For example, the State of
Delaware has held specifically that HIPAA may be used as a guidepost for
determining the applicable standard of care for a pharmaceutical
company. Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812 (Del. Super. Ct.
2009). Other state courts have also allowed HIPAA to guide the standard of care in
other state law negligence cases. Byrne v. Avery Ctr. for Obstetrics & Gynecology,
P.C., 102 A.3d 32, 42 (Conn. 2014) (concluding that HIPAA regulations may well
inform the applicable standard of care in certain circumstances); Acosta, 638 S.E.2d
at 251 (“Here, defendant has been placed on notice that plaintiff will use... HIPAA
to establish the standard of care. Therefore, plaintiff has sufficiently pled the
standard of care in her complaint.”); Young v. Carran, 289 S.W.3d 586, 589 (Ky. Ct.
App. 2008) (observing that state case law permits use of federal statutes to inform
the standard of care in common-law negligence claims); Sorensen, 143 P.3d at 300-
01 n.2 (holding that Sorensen had stated a cause of action for negligence, implying
that the Privacy Rule found in HIPAA can be used to show the standard of
care); R.K. v. St. Mary's Med. Ctr., Inc., 735 S.E.2d 715, 724 (W. Va. 2012) (“state
common-law claims for the wrongful disclosure of medical or personal information .
. . compliment HIPAA by enhancing the penalties for its violation and thereby
encouraging HIPAA compliance”); ¶ 186,938 Lisa Andrews, Plaintiff, v. Family
Dollar Stores of Oklahoma, Inc., And Barbara Robinson, Defendants., Labor
& Empl. L. P 186938 (allowing plaintiff to bring state tort claims using HIPAA to
show the outrageousness of the conduct of defendants). State courts have also
allowed other federal laws to guide the standard of care in state law negligence
cases. Scheele v. Rains, 874 N.W. 2d 867, 872-73 (Neb. 2016) (“This court has
concluded on various occasions that the violation of a regulation or statute is not
negligence per se, but may be evidence of negligence to be considered with all the
other evidence in the case”).
Federal courts have also allowed state law negligence claims that looked to a
federal statute to determine the standard of care applicable. Grove Fresh
Distributors, Inc. v. Flavor Fresh Foods, Inc., 720 F. Supp. 714, 716 (N.D. Ill. 1989)
(allowing claim to proceed where FDCA regulation was basis for standard of
care). Grove Fresh explains that in fact, “[n]othing prohibits Grove Fresh from using
the FDCA or its accompanying regulations in that fashion.” Grove Fresh
Distributors, Inc., 720 F. Supp. at 716.
There are cases to the contrary as well, holding that courts
could not look to HIPAA to inform the standard of care in negligence
cases. Sheldon v. Kettering Health Network, 40 N.E.3d 661, 672 (Ohio
2015). Sheldon is distinguishable from the case at bar because in that case, the
plaintiffs were claiming that HIPAA creates a standard of care that requires the
regular running of “epic clarity reports” to ensure there had not been instances of
improper access to the medical information. Id. at ¶ 16. In the case at bar, Hope is
claiming that HIPAA creates a standard of care for pharmaceutical companies to
adequately encrypt medical information if the company finds that course of action is
reasonable and appropriate. C.R. 11. Because HIPAA’s security standards do guide
companies to take this course of action as alleged by Hope, it is proper to look to
HIPAA in the case at bar to determine the standard of care, despite the fact that it
was inappropriate in Sheldon.
This Court has the duty to arrive at the decision that reason dictates to
ensure that states apply the law uniformly. Missouriana law states that there is a
right to privacy regarding medical records. Reason concludes that this duty would
extend to pharmaceutical companies. Following the reasoning of cases such
as Fanean, and acknowledging the distinction to cases such as Sheldon, this Court
should reach the conclusion that Hope’s claim of general negligence based on a
violation of the duty put forth in HIPAA regulations states a valid claim.
Because it is an accepted practice to apply state law negligence per se claims
to federal statutes despite the lack of a private right of action, Hope properly states
a claim for negligence per se. Additionally, since it is reasonable to use HIPAA as a
guide and extend Missouriana’s state law duty to protect medical records to
pharmaceutical companies, Hope also properly states a claim for general negligence.
Accordingly, the court should affirm the lower court’s ruling to reverse the dismissal
of Hope’s claims.
CONCLUSION
For the foregoing reasons, Mr. Anthony Hope respectfully requests this Court
affirm the judgment of the Court of Appeals of the Thirteenth Circuit.
Respectfully Submitted,
Team 2727
Counsel for Respondent
Date: September 20, 2018
APPENDIX A
US Const. Art. III, § 2, Cl.1
The judicial Power shall extend to all Cases, in Law and Equity, arising
under this Constitution, the Laws of the United States, and Treaties made, or
which shall be made, under their Authority;--to all Cases affecting
Ambassadors, other public Ministers and Consuls;--to all Cases of admiralty
and maritime Jurisdiction;--to Controversies to which the United States shall
be a Party;--to Controversies between two or more States;--between a State
and Citizens of another State;--between Citizens of different States,--between
Citizens of the same State claiming Lands under Grants of different States,
and between a State, or the Citizens thereof, and foreign States, Citizens or
Subjects.
APPENDIX B
Fed. Rules Civ. P. R. 12(b)(1)
(b) How to Present Defenses. Every defense to a claim for relief in any
pleading must be asserted in the responsive pleading if one is required. But
a party may assert the following defenses by motion:
(1) lack of subject-matter jurisdiction; . . .
APPENDIX C
Fed. R. Civ. P. R. Rule 12(b)(6)
(b) How to Present Defenses. Every defense to a claim for relief in any
pleading must be asserted in the responsive pleading if one is required. But a
party may assert the following defenses by motion:
(6) failure to state a claim upon which relief can be granted; and . . .
APPENDIX D
HIPAA Security Standards - 45 C.F.R. § 164.306(a)(1)
(a) General requirements. Covered entities and business
associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all
electronic protected health information the covered entity or
business associate creates, receives, maintains, or transmits.
APPENDIX E
HIPAA Technical Safeguards - 45 C.F.R. § 164.312(a)(1)
(a) A covered entity or business associate must, in accordance with
§164.306:
(1) Standard: Access control. Implement technical policies and
procedures for electronic information systems that
maintain electronic protected health information to allow access only
to those persons or software programs that have been granted access
rights as specified in § 164.308(a)(4).