September/October 2003

HIPAA: The Privacy Rules Under The Health Insurance Portability And Accountability Act


By Georgia Akers and Jean Ann Kelly

Anyone going to a doctor, hospital or clinic, or anyone requesting information from such entities, has encountered the new Privacy Rule found in the Standards for Privacy of Individually Identifiable Health Information in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 The deadline for compliance with the rule was April 14, 2003. The rule has created a new industry of consultants who are advising medical institutions and doctors. This paper is designed to give an overview of the law as it relates to the Privacy Rule that clients and attorneys are encountering when requesting information from a doctor, hospital or clinic.

Introduction
HIPAA amended the Internal Revenue Code to “improve portability and continuity of health insurance coverage.”2 The Privacy Rule was later added, going into effect on April 14, 2001, with the deadline for compliance of April 14, 2003.3 Small health plans have until April 14, 2004 to comply.4
The Privacy Rule nationalized standards to protect patients’ medical records and other personal health information (PHI). According to the Office for Civil Rights of the Department of Health & Human Services (DHHS), the Privacy Rule:
“[G]ives patients more control over their health information, sets boundaries on use and release of health records, establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information, [and] holds violators accountable.”5
HIPAA provides the first comprehensive federal protection of privacy of an individual’s health information. Failure to comply with the regulation can result in civil penalties ranging from $100 to $250,000 and, in extreme cases, criminal penalties and imprisonment.
The Rule explicitly mandates the individual’s rights regarding his or her PHI. The individual may request restrictions on certain uses and disclosures of the PHI.6 Prior to HIPAA, individuals did not have the right to inspect the originals of their own medical records. The individual has the right to receive confidential communications of his or her PHI from covered entities.7 The Rule gives the individual the right to inspect, copy, and amend the PHI.8 The individual may demand an accounting of disclosures of his or her PHI.9 Upon request, the individual may obtain a paper copy of any electronic notice of the covered entity’s privacy policies that individuals receive.10
As the Rule gives rights to individuals, it also imposes duties upon covered entities, a category that includes health care providers (HCPs), health plans, and health care clearinghouses. The definition of “health plan” under the Rule includes individual and group health plans.11 All health care providers, regardless of size, that electronically transmit PHI for certain transactions are covered by the Rule.12 Clearinghouses process information received from another entity, and only certain provisions of the Privacy Rule apply to their uses and disclosures of PHI.13
Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media (electronic, paper or oral) is protected by the Privacy Rule.14 Individually identifiable health information is that which identifies (or reasonably could be used to identify) the individual and that which relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care.15 This includes demographic data and information that includes common identifiers such as name, social security number, medical record number, specific dates such as birth, admission, discharge, or death; or any information that may be used to identify a patient. This may include information about past, present, or future physical or mental conditions and the provided health care.16 The Privacy Rule does not limit the use or disclosure of de-identified health information.17
The Rule establishes certain administrative requirements for covered entities to meet. A covered entity must designate a privacy officer in charge of developing and implementing the entity’s privacy policies and procedures.18 These policies must be written or in electronic form, and must be reasonably fashioned (in light of the size and type of activities of the covered entity) to bring the entity into compliance with the Rule.19 A covered entity must also designate a contact person for receiving privacy complaints and to provide further information on the entity’s privacy policies.20 A covered entity must provide training for its employees on Privacy Rule compliance, and must implement reasonable safeguards to protect PHI.21 The Privacy Rule prohibits uses and disclosures of an individual’s PHI except as the Rule allows or as the individual authorizes in writing.22

Required Disclosures
The Rule requires disclosure in certain situations, including upon the request of the individual for access to or an accounting of his PHI.23 It also requires disclosure to the DHHS when it is investigating compliance with the Rule or other enforcement actions.24

Permissive Uses and Disclosures
The Rule allows certain permissive disclosures of an individual’s PHI without that individual’s authorization, such as to the individual (unless disclosure is required, per above). Permissive disclosure is also allowed under the Rule for the covered entity’s own treatment, payment, and health care operations.25
Treatment, as defined by the statute, can include a broad range of activities – at its most basic it is the “provision, coordination or management of health care and related services by one or more HCPs.”26 This definition includes the coordination and management of health care by an HCP with a third party, consultation between HCPs in reference to a patient’s care, or the referral of a patient from one HCP to another.27 A primary care provider may, without having to obtain written authorization, send a copy of a patient’s medical record to a specialist who will treat the individual.28 A hospital may send health care instructions about a patient to the nursing home where that patient is being transferred.29 HCPs and pharmacies may leave messages for patients at their homes (on answering machines or with family members) and they may mail reminders of check-ups or refills to the patients’ homes because the communication relates to the treatment of the individual.30
Payment includes all the various activities that health plans and HCPs undertake to determine coverage issues and seek reimbursement for services provided.31 This includes risk adjusting, billing, claims management, collection activities, and reviewing of medical decisions for medical necessity/appropriateness of care determinations.32 An HCP may send a patient’s health plan coverage information to a laboratory that needs the information to bill for services it provided on the provider’s request.33 Similarly, a hospital may give a patient’s payment information to an EMS service for payment for transportation.34
The Rule permits a covered entity to disclose (without authorization) PHI to another covered entity for the health care operations of the recipient entity, provided that both entities have had a relationship with the patient (and the information is germane to those relationships), and that the disclosure is for a “quality-related health care operations activity.”35 The term “health care operations” under the statute can include conducting quality assessment and improvement activities; reviewing the competence/qualifications of health care professionals; underwriting, premium rating, and other activities relating to health insurance contracts and benefits; arranging for medical reviews, legal services, and auditing functions; business planning and development; and business management and administrative activities (including customer service).36 Uses and disclosures between covered entities are also allowed for the detection of health care fraud and abuse, or for compliance with the Rule, as these activities are considered to be health care operations.37 The Rule permits covered-entity members of organized health care arrangements (OHCA) to disclose PHI about a patient to another covered-entity member of the OHCA for the joint health care operations of the OHCA.38
Permissive use or disclosure is also allowed in situations in which the individual has had the opportunity to informally agree to that disclosure.39 A covered entity may use or disclose PHI if it has orally informed the individual in advance of the use or disclosure and the individual has had an opportunity to orally agree, deny, or restrict the use or disclosure.40 This applies to hospitals’ patient directories, which may include the patient’s name, location, general condition and religious affiliation.41 The directory information may then be disclosed to members of the clergy, or those (other than the clergy) who ask for the patient by name.42 In emergency situations, or when the patient is incapacitated and no one else is present to consent, the covered entity may, in the exercise of its professional judgment, use and disclose the patient’s information for its directory.43 At the conclusion of the emergency or incapacity, the HCP must inform the patient of his right to agree or object to the use.44 A covered entity may also disclose PHI directly relevant to the patient’s current treatment to a family member or close friend, subject to getting the patient’s informal approval first.45 This provision allows a friend or family member to pick up a prescription for the patient at a pharmacy – the fact that that person arrives and asks for the prescription suggests consent (the patient does not have to provide the pharmacy with a list of those who may pick up prescriptions).46 A covered entity may also use or disclose PHI to notify or to assist in notifying a family member, personal representative or friend of the individual’s location, general condition or death.47
Uses and disclosures that are incidental to a permitted use or disclosure by a covered entity are permitted, provided that the entity has implemented reasonable safeguards to prevent such disclosures, and the information transmitted was held to the minimum necessary standard.48
The last type of permissive use or disclosure of PHI involves public benefit and public health activities. A limited data set (PHI with certain identifiers redacted) may be used and disclosed for research and public health purposes.49 The Privacy Rule allows certain uses and disclosures of PHI without the individual’s authorization or opportunity to agree or object for 12 national priority purposes.50 These uses and disclosures include those required by law,51 for public health activities,52 when abuse, neglect, or domestic violence is involved,53 for health oversight activities,54 for judicial and administrative proceedings,55 for law enforcement purposes,56 to funeral directors,57 to facilitate the donation of organs and tissue,58 for research,59 to prevent a serious threat to health or safety,60 when required by essential government functions,61 and for workers’ compensation matters.62

A Closer Look at Disclosures in Judicial and Administrative Proceedings
A covered entity may disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, provided that the entity discloses only the information authorized by such order. The order (or a stipulation by the parties) should prohibit the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested, and should require that the protected health information and any copies made be returned to the entity or destroyed at the end of the litigation or proceeding.63
The covered entity may disclose protected health information in response to a subpoena or discovery request that is not accompanied by an order if the entity receives satisfactory proof that notice has been given to the individual and the time for the individual to object has elapsed, or if any objection has been resolved. The entity may itself make reasonable efforts to provide notice to the individual or to seek a qualified protective order.64

Uses and Disclosures with Consent
A consent is a general document limited in applicability to one HCP, and treatment may be conditioned on the giving of this consent.65 Authorizations are more customized documents giving permission to use specified PHI for specified purposes that are usually not treatment, payment or health care operations (TPO).66 The Privacy Rule establishes that a covered entity may voluntarily obtain an individual’s consent before using or disclosing PHI for TPO.67 The operative language in the statute is “may,” not “must,” which makes obtaining consent permissive, not mandatory. A previous draft of the Rule had required mandatory consent, but revisions have since made obtaining consent discretionary. A covered entity that chooses to implement a consent procedure has complete discretion under the Rule to structure that procedure.68 When the consent was mandatory, one consent per covered entity was sufficient for all future treatment by that entity, until the individual revoked that consent.69 Since consent is no longer mandatory, the Privacy Rule does not discuss the duration of a consent – the assumption could be made that the entity would have discretion to tailor the length of time its consent is applicable. Consents are not substitutes for authorizations that the Rule requires.70 Getting a consent does not relieve the covered entity of its requirement to obtain written acknowledgement of the notice of its privacy policies.71

Authorized Uses and Disclosures
The Privacy Rule mandates that a covered entity must obtain an individual’s written authorization for any use or disclosure of PHI that is not an otherwise required or permitted use or disclosure.72 A covered entity does not need to obtain an authorization to use or disclose PHI for its own TPO purposes.73
An authorization must be written in plain language and it must contain specific terms regarding the information to be disclosed, the entities disclosing and receiving the information, and the right to revoke.74 The Office for Civil Rights (OCR) gives examples of when an authorization would be required: disclosures to a life insurer for coverage matters, disclosures to an employer of the results of a pre-employment drug test, and disclosures to a pharmaceutical company for its own marketing purposes.75
An HCP must obtain an authorization (and not a consent) to use or disclose PHI in psychotherapy notes for TPO by someone other than the writer of the notes, except as specified in § 164.508(a)(2). A covered entity may use or disclose, without the individual’s authorization, its self-created psychotherapy notes for treating the individual, for its own training, for its legal defense, for a DHHS compliance investigation, to avert a serious threat to public health, or to a medical examiner.76
A covered entity must obtain an authorization for the use or disclosure of PHI for marketing.77 The Rule defines marketing as communicating about a product or service to encourage recipients of the communication to purchase or use the product or service.78 For such communications to lawfully occur, the entity must first receive an authorization from the individual. Such communications include a hospital’s communicating (when outside the context of treatment advice) to former patients about a cardiac facility (that is not part of the hospital) that can provide a low-cost EKG.79 Another example would be a health insurer promoting its home insurance policies.80 The Rule also defines marketing as an arrangement between a covered entity and a third party whereby the covered entity discloses PHI to the third party for remuneration, and the third party uses that PHI for marketing.81
The second definition of marketing has no exceptions to the authorization requirement, but the first definition has several. One exception allows a covered entity to make communications about its own products or services, since communications that describe a product or service provided by a health plan (including communications about the entities participating in a health plan network, or enhancements to a health plan and health-related products and services) that add value to that health plan are not marketing.82 It is not marketing when a hospital mails out to its patient list announcements of the arrivals of new doctors or equipment.83 Nor is it marketing when a health plan sends its insured that are reaching retirement age information on its Medicare supplement plan.84
The communication is not marketing if it is for the purpose of treatment (e.g., a pharmacy mailing out refill reminders, a doctor’s office mailing out reminders for follow-up visits).85 Communications made for care coordination or case management for the individual, or to direct or recommend alternative treatments, therapies, HCPs, or settings of care to the individual are not marketing.86 A covered entity may use PHI to confer with nursing homes, rehabilitation centers, and similar facilities to decide upon the best continuing treatment for the patient.87 For these three exceptions to the marketing definition to operate, the activity must otherwise be permitted by the Rule and meet the Rule’s various other requirements.
If an activity is deemed to be marketing, there are further exceptions that might make getting an authorization not necessary.88 No prior authorization is required for a face-to-face communication by a covered entity to an individual (e.g., an insurance agent sells a health insurance policy to an individual in person and then, in the same meeting, markets a life insurance policy).89 A promotional gift of nominal value provided by the covered entity does not require a prior authorization (e.g., a hospital provides its maternity patients with a package of diapers upon check out).90

Right to Request Privacy Protection
The Privacy Rule gives individuals the right to request restrictions on a covered entity’s use and disclosure of their PHI for TPO purposes.91 The covered entity does not have to agree with the individual’s request but is bound by those restrictions to which it agrees.92 Patients may also request that communications with the covered entity be confidential, and to receive the communications at alternative locations (e.g., calling at the office, rather than at home) or through alternative means.93 A health care provider must honor an individual’s “reasonable request” for confidential communications, but a health plan need only accommodate such requests if the individual clearly states that a failure to do so would endanger her.94 DHHS considers a request that appointment reminders be sent in a closed envelope (and not on a post card) to be a reasonable request that should be observed.95

The “Minimum Necessary” Standard
The Privacy Rule charges covered entities with the responsibility to, within reason, limit the use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose.96 This standard does not apply to: disclosures to/requests by an HCP for treatment purposes, uses/disclosures to the patient of her own PHI, disclosures made under an authorization, and uses/disclosures required to comply with HIPAA transactions or other law.97
For internal use of PHI, covered entities must classify employees and define the access to PHI that each class is allowed.98 For example, hospitals may allow nurses and doctors complete access to the entire medical record, but its policies and procedures must expressly state that, and must include a justification.99 For routine disclosures of PHI, the covered entity must establish policies and procedures to restrict such disclosures to the minimum necessary standard.100 The covered entity may develop standard protocols for these routine disclosures – individual review of each disclosure is not necessary.101 For non-routine disclosures, the covered entity must develop criteria for determining only the minimum amount of PHI necessary to accomplish the purpose.102 Under reasonable circumstances, a covered entity may rely on the judgment of the party requesting the disclosure in determining the minimum information necessary, if the requesting party is a public official, a professional business associate, or a researcher.103
There has been much concern regarding how compliance with the Privacy Rule’s minimum necessary standard would affect the daily operations of hospitals and doctors’ offices. Covered entities may allow medical trainees and nursing students complete access to entire medical records.104 The minimum necessary standard does not prohibit keeping patients’ charts at their bedsides or on exam room doors, so long as the minimum necessary and reasonable safeguards requirements are met.105 Reasonable safeguards would include limiting access to the areas where the exam rooms are, and placing the chart in a way that obscures the PHI.106 Sign-in sheets and calling out patient names in waiting rooms are allowed, as long as the information disclosed complies with the minimum necessary standard and the entity has used reasonable safeguards.107
Patient names may be posted next to their hospital room door, provided that the disclosure is incidental to a permitted disclosure (such as to identify the patient for treatment).108

Incidental Uses and Disclosures
Covered entities must make reasonable efforts to prevent uses and disclosures of PHI not permitted by the Privacy Rule.109 Incidental uses or disclosures are those that are secondary to those permitted by the Rule, and that cannot reasonably be prevented. Covered entities must establish reasonable safeguards to guarantee privacy, and DHHS will ascertain whether the safeguards are reasonable, taking into account all circumstances, including the potential effects on patient care and the administrative/financial burden imposed by the safeguards.110 The covered entities are not required to eliminate all risk of prohibited disclosures – they must merely provide reasonable safeguards to avoid such disclosures.111
Health care providers should make sure to speak quietly when discussing the patient’s condition with family members in waiting rooms, and avoid using patients’ names in public hallways and elevators.112 Health care staff may coordinate services at the hospital nursing stations and similar places, and HCPs may also discuss a patient’s condition over the phone with that patient, his family or another HCP.113 HCPs may discuss lab test results with the patient or another provider in a joint treatment area, and the patient’s condition may be discussed in training rounds in an academic setting (e.g., medical and nursing school rounds).114 In such permitted situations, the discussions must take place with lowered voices, talking apart from third parties, and generally taking precautions to prevent disclosures. The Privacy Rule does not require retrofitting of offices and hospitals with soundproof walls or more private rooms.115

Notice
The Privacy Rule requires that a covered entity develop and distribute to patients notice of its privacy practices and the patients’ privacy rights.116 An adequate notice includes the uses and disclosures that a covered entity may make of the individual’s PHI and the individual’s rights regarding the PHI. Health care clearinghouses, correctional institutions and group health plans that provide benefits only through contracts with health insurance issuers/HMOs are not required to develop a notice.117
The notice must state in plain language what uses and disclosures of PHI the covered entity may make, the individual’s rights with respect to PHI, and how the individual may exercise these rights.118 It must also include how the individual may complain about privacy rights infractions and whom she should contact for further information about the entity’s privacy policy.119 The covered entity’s legal duties with respect to the information should be clearly outlined in the notice.120 An effective date should also be included.121 When the entity changes its privacy practices, it must promptly revise its privacy notice.122 Notice must be provided to any person who asks for it, and a covered entity must prominently post notice on a Web site that provides information about its customer service or benefits.123 There is no generic notice. The notice must be drafted for the specific entity.
Direct treatment providers must abide by additional notice provisions. Notice must be given to the patient when she first presents for service after the compliance date (except in emergency situations), and the patient’s written acknowledgement of the notice should be obtained (or at least a good faith effort to obtain written acknowledgment must be made).124 If acknowledgement could not be obtained, the reasons for its absence must be documented in the patient’s record.125 When the first service occurs via the Internet, the provider must send electronic notice at the same time, and must make a good faith effort to get an acknowledgement of receipt of that notice.126 As soon as practicable after providing emergency treatment, privacy notice should be given to the patient.127 The latest notice should always be posted visibly in the provider’s office or facility.128
In the pharmacy setting, the notice requirement may be satisfied by the individual’s signing or initialing a log book, as long as the individual was clearly informed of what she was acknowledging, and the signature does not have an additional purpose as a waiver for another matter (e.g., waiver of consultation with the pharmacist).129

Parents and Minors
The rights that individuals have under the Privacy Rule are shared by their personal representatives.130 Parents usually have the authority to make health care decisions about their minor children, and as such are considered personal representatives under the Privacy Rule.131 This is also true for legal guardians or those acting in loco parentis of a minor.132 As such, parents are entitled to access to and disclosure of their child’s medical records, with the exceptions enumerated below.133 The Privacy Rule does not trump state law that specifically addresses disclosures of PHI about a minor to a parent.134
The Privacy Rule acknowledges certain exceptions to the general rule of treating parents as personal representatives of their minor children. When state law allows minors to obtain a particular health care service without the consent of a parent (e.g., some states allow adolescents the right to consent to mental health treatment or HIV testing on their own behalf), the parent is not the personal representative under the Privacy Rule.135 When a court authorizes someone other than a parent to make treatment decisions for a minor, the parent is not the personal representative for that treatment.136 When the parent agrees to a confidential relationship between the minor and her physician, the parent does not have access to the PHI related to that treatment.137
When the covered entity reasonably believes in its professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative may endanger the child, the physician may choose not to treat the parent as such.138 But in instances in which state law requires the disclosure of information to the parent of a minor, the covered entity may make such disclosure and not violate the Privacy Rule.139 If the child receives emergency medical care, the parents may generally have access to the records of that treatment, even though they did not give consent. If the child provided consent before undergoing treatment, and no other consent was required, then the parents could not have access to those records as personal representative.140

Personal Representatives
Personal representatives are to be treated as the individual under the Privacy Rule with respect to uses and disclosure of PHI and the individual’s rights per the Rule.141 Qualification for personal representative status under the Privacy Rule is dependent upon state law qualifications.142 Generally speaking, for a patient who is an adult or an emancipated minor, a personal representative for HIPAA purposes is a holder of a health care power of attorney, a court appointed legal guardian, or the holder of a general power of attorney.143 Harris County Protective Services has outlined that proof of the authority to act as a personal representative includes a valid (under Texas law) power of attorney for health-care purposes, a court order appointment as guardian or conservator, or being the parent of a minor child.144
For a power of attorney to give authority to act as a personal representative under the Privacy Rule, it must include power over decisions relating to health care – a power of attorney over property matters will not grant any rights as personal representative to protected health information.145 Where the authority to act for the individual is limited to a specific health care decision, the person will be treated as a personal representative only with respect to PHI relevant to that specific treatment.146 If a patient were to sign a medical power of attorney allowing her mother to act on her behalf in case of complications during a specific surgery, that would not entitle the mother to be treated as a holder of a general medical power of attorney. The daughter-patient’s medical records not directly relating to the current surgery should not be disclosed to the mother (e.g., HIV status, psychological records). Comparing 45 C.F.R. § 164.502(g) with 45 C.F.R. § 164.508(i) leads to some confusion. For example, 45 C.F.R. § 164.508(i) is a section defining valid authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization (45 C.F.R. § 164.508(b)(3)). This prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the individual.147 Attorneys may want to revise the durable power of attorney for health care, and/or prepare a separate document, to include the specific language required by 45 C.F.R. § 164.508(i): a description of the information to be used or disclosed; the name of the person authorized to make the requested use or disclosure; the name of the person to whom the entity may make the disclosure (this is elective and can simply state “at the request of the individual”); an expiration date or expiration event that relates to the individual or the purpose (the principal can state “none”); and the signature of the individual and the date, or, if signed by a personal representative, a description of such representative’s authority.148
The authorization must contain the following mandatory elements: the individual’s right to revoke the authorization; that the entity cannot condition treatment, payment, enrollment or eligibility on whether the individual signs the authorization; the consequences of refusal to sign; and the potential that information disclosed is no longer protected.
The covered entity does have discretion on whether to disclose health information. The covered entity may elect not to treat a person as the personal representative if the entity has a reasonable belief that: there has been domestic violence, abuse or neglect by such person; that it would endanger the individual; or in the exercise of professional judgment it would not be in the best interest of the individual to treat the person as the individual’s personal representative.149
An executor, administrator or other personal representative of an estate must be treated as the deceased person with respect to PHI relevant to the personal representation.150 A person’s PHI is subject to the Privacy Rule even after the person’s death, and a covered entity must comply with the Rule’s requirements in handling the decedent’s PHI.151
The covered entity must exercise professional judgment and discretion in releasing PHI to personal representatives. If the covered entity suspects abuse or neglect at the hands of the personal representative, it should not disclose any PHI to that person.152 The covered entity may, in its professional judgment, decide that the best interest of the patient will not be served by treating that person as the patient’s personal representative.153 This clause gives covered entities some discretion to deny a personal representative access to the PHI of his or her ward. The construction of the statute suggests, however, that the Rule intends this discretion to be exercised only when there is actual endangerment of the patient at issue.

Business Associates
Most covered entities contract out some of the functions of their business, so the Privacy Rule places conditions upon the disclosure of PHI to such business associates.154 The covered entity must obtain by contract a satisfactory assurance that the associate will use the PHI only for the purposes for which it was contracted, and that it will safeguard the information from misuse.155 The business associate must cooperate with the covered entity’s compliance with the Privacy Rule (most importantly in giving the patient access to his records and disclosure history).156 Business associates do not have to comply with the Privacy Rule to the extent that covered entities do – there is no requirement for them to appoint a privacy officer or to develop PHI disclosure policies.157 The covered entity is not liable for the disclosures of a business associate, nor is it required to monitor or oversee the privacy safeguards of its associate.158 The associate’s breach of a privacy term of the contract is not a violation of the Privacy Rule by the covered entity, as long as the contract requires the associate to notify the covered entity of violations.159 If there is a pattern of violations by the associate, the covered entity must try to cure the breach or sever its relationship with that associate.160 An attorney contracted by the covered entity could be considered a business associate. There should be a written “business associate” agreement executed between the parties.

State Law Preemption
State laws that are contrary to the Privacy Rule are preempted, and the federal requirements apply rather than the state ones. A law is contrary if a covered entity could not comply with both the state and federal requirements, or if the law impedes the execution of the full objectives of the Administrative Simplification provisions of HIPAA.161 There are several exceptions to this general preemption, the main one being that if the state law is more stringent than the Rule (and the law relates to the privacy of PHI), the state law will govern the transaction.162 There is another exception if the state law provides for the reporting of disease or injury, child abuse, birth, death, or for the conduct of public health investigation or surveillance.163 The Rule also excepts a state law that requires a health plan to report or provide access to information for management and financial audits.164
There are additional exceptions available upon determination of DHHS in response to a request from a state or other entity or person. If DHHS determines the state law is necessary to prevent fraud and abuse stemming from provision or payment for health care, it will not be preempted.165 The Rule allows DHHS to except a state law that ensures appropriate state regulation of insurance and health plans, and for state reporting on health care delivery or costs.166 There is also an exception for a contrary State law that serves a compelling state interest related to public health, safety or welfare.167 The last of these DHHS-determined exceptions is for a law whose principal purpose is the regulation of the manufacture, registration, distribution and dispensing of any controlled substance.168
The Texas Rules of Civil Procedure medical records provisions do not appear to be contrary to the Privacy Rule. Rule 194.2(j) provides that in a suit alleging physical or mental injury from the act that is the subject of the case, all medical records and bills that are reasonably related to the injuries asserted may be requested for disclosure. In the alternative, the party may respond with an authorization permitting the disclosure of the records.169 All medical records and bills obtained by the responding party by virtue of an authorization furnished by the requesting party may be requested as well.170 The Texas Rules of Evidence provide an exception to the physician-patient privilege when the patient’s condition is part of a party’s claim or defense.171 There is no requirement to get an authorization before this disclosure, however. There is a provision under Texas Rule of Evidence 509 that does provide for a consent for the release, but it is not an authorization per the Privacy Rule.172 There is a similar exception to the confidentiality of mental health information in civil cases per Texas Rule of Evidence 510(d)(5). Attorneys wishing to obtain client records will need to revise their authorization forms to comply with the specific language HIPAA requires. Sample authorizations can be found at www.ama-assn.org/ama/pub/category/6900.html
The Privacy Rule does not address specific discovery disclosure questions. It does allow permissive disclosure without an individual’s authorization where “required by law.”173 The term “required by law” in the Privacy Rule includes (but is not limited to) court orders, court-ordered warrants, subpoenas and summons (issued by a court, grand jury or other tribunal).174 The Privacy Rule specifically provides that a covered entity may reasonably rely that a request made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority, and thus can make the disclosure without getting the individual’s authorization.175 The only other mention of the use of PHI in legal proceedings allows for psychotherapy notes to be used or disclosed by a covered entity without authorization when that entity is trying to defend itself in a legal action brought by the individual who is the subject of those notes.176 Effective September 1, 2003, Chapter 74 of Texas Practice and Remedies Code replaces article 4590(i). Chapter 74 is intended to make CPRC HIPAA compliant.
A covered entity that wants to ensure compliance should not disclose any records without the individual’s authorization or a subpoena; correspondingly, a party requesting records should either obtain them from the patient directly or obtain a written authorization that complies with the HIPAA requirements. In drafting these authorizations, attorneys should refer to the Privacy Rule and make sure the authorization meets its requirements and is not merely a consent form, which could be insufficient.

Endnotes
1. 45 C.F.R. Parts 160-164 (2002).
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 164.453(b).
4. 45 C.F.R. § 164.534(b)(2).
5. Office for Civil Rights, Standards for Privacy of Individually Identifiable Health Information 1, at http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm (last visited May 21, 2003) [hereinafter OCR Privacy Standards].
6. 45 C.F.R. § 164.522(a).
7. 45 C.F.R. § 164.522(b).
8. 45 C.F.R. §§ 164.524, 164.526.
9. 45 C.F.R. § 164.528.
10. 45 C.F.R. § 164.520(c)(3).
11. 45 C.F.R. §§ 160.102, 160.103.
12. 45 C.F.R. §§ 160.102, 160.103.
13. 45 C.F.R. § 160.103.
14. 45 C.F.R. § 160.103.
15. 45 C.F.R. § 160.103.
16. Office for Civil Rights, Summary of the HIPAA Privacy Rule 4, at http://www.hhs.gov/ocr/privacysummary.rtf (May 2003) [hereinafter Privacy Rule Summary].
17. 45 C.F.R. §§ 164.502(d), 164.514(a), (b).
18. 45 C.F.R. § 164.530(a)(1)(i).
19. 45 C.F.R. § 164.530(i), (j).
20. 45 C.F.R. § 164.530(a)(1)(i), (ii).
21. 45 C.F.R. § 164.530(b), (c).
22. 45 C.F.R. § 164.502(a).
23. 45 C.F.R. § 164.502(a)(2).
24. 45 C.F.R. § 164.502(a)(2).
25. 45 C.F.R. §§ 164.502(a)(1)(ii), 164.506.
26. 45 C.F.R. § 164.501.
27. 45 C.F.R. § 164.501.
28. 45 C.F.R. §§ 164.501, 164.506(c).
29. OCR Guidance at 21; 45 C.F.R. §§ 164.501, 164.506(c).
30. 45 C.F.R. § 164.510(b)(3); Department of Health and Human Services, Questions and Answers #198, at http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php [hereinafter DHHS Questions and Answers] (Caveat: locating these questions will be tricky, because as more questions are posed, their order on the website will change. The number provided is the “topic” number for each entry.).
31. 45 C.F.R. § 164.501.
32. 45 C.F.R. § 164.501.
33. OCR Guidance at 21; 45 C.F.R. §§ 164.501, 164.506(c).
34. Id.
35. 45 C.F.R. § 164.501; OCR Guidance at 22.
36. 45 C.F.R. § 164.501.
37. 45 C.F.R. § 164.501.
38. 45 C.F.R. § 164.501; OCR Guidance at 22.
39. 45 C.F.R. §§ 164.502(a)(1)(iv), 164.510.
40. 45 C.F.R. § 164.510.
41. 45 C.F.R. § 164.510(1)(i).
42. 45 C.F.R. § 164.510(1)(ii).
43. 45 C.F.R. § 164.510(a)(i)(3).
44. 45 C.F.R. § 164.510(a)(ii).
45. 45 C.F.R. § 164.510(b)(1)(i).
46. Privacy Rule Summary at 6.
47. 45 C.F.R. § 164.510(b)(1)(ii).
48. 45 C.F.R. § 164.502(a).
49. 45 C.F.R. § 164.514(e).
50. 45 C.F.R. § 164.512.
51. 45 C.F.R. § 164.512(a).
52. 45 C.F.R. § 164.512(b).
53. 45 C.F.R. § 164.512(a), (c).
54. 45 C.F.R. § 164.512(d).
55. 45 C.F.R. § 164.512(e).
56. 45 C.F.R. § 164.512(f).
57. 45 C.F.R. § 164.512(g).
58. 45 C.F.R. § 164.512(h).
59. 45 C.F.R. §§ 164.501, 164.512(i), 164.514(e).
60. 45 C.F.R. § 164.501(j).
61. 45 C.F.R. § 164.512(k).
62. 45 C.F.R. § 164.512(l).
63. 45 C.F.R. § 164.512(e).
64. 45 C.F.R. § 164.512(e).
65. OCR Privacy Standards at 8.
66. Id.; 45 C.F.R. § 164.508.
67. Office for Civil Rights, Guidance Explaining Significant Aspects of the Privacy Rule 19, at http://www.hhs.gov./ocr/hipaa.html (April 3, 2003) [hereinafter OCR Guidance]; 45 C.F.R. § 164.506(b).
68. Id. at 23.
69. OCR Privacy Standards at 7.
70. OCR Guidance at 23.
71. DHHS Questions and Answers, #329.
72. 45 C.F.R. § 164.508.
73. 45 C.F.R. § 164.506(c).
74. Privacy Rule Summary at 9.
75. Id.
76. 45 C.F.R. § 164.508(a)(2).
77. 45 C.F.R. § 164.508(a)(3).
78. 45 C.F.R. § 164.501.
79. OCR Guidance at 24.
80. Id.
81. 45 C.F.R. § 164.501.
82. 45 C.F.R. § 164.501.
83. OCR Guidance at 25.
84. Id.
85. Id. at 26; 45 C.F.R. § 164.501.
86. 45 C.F.R. § 164.501.
87. OCR Guidance at 26.
88. 45 C.F.R. § 164.508(a)(3).
89. 45 C.F.R. § 164.508(a)(3)(i)(A); OCR Guidance at 27.
90. 45 C.F.R. § 164.508(a)(3)(i)(B); OCR Guidance at 27.
91. OCR Guidance at 23.
92. Id.; 45 C.F.R. § 164.522(a).
93. Id.
94. Id.; 45 C.F.R. § 164.522(b).
95. DHHS Questions and Answers, #198.
96. 45 C.F.R. §§ 164.502(b), 164.514(d).
97. 45 C.F.R. § 164.502(b)(2).
98. 45 C.F.R. § 164.514(d)(2)(i).
99. OCR Guidance at 8.
100. Id.; 45 C.F.R. § 164.514(d)(3)(i).
101. Id.; 45 C.F.R. § 164.514(d)(3)(i).
102. 45 C.F.R. § 164.514(d)(3)(ii).
103. 45 C.F.R. § 164.514(d)(3)(iii).
104. OCR Privacy Standards at 8.
105. 45 C.F.R. § 164.501(a)(1)(iii); DHHS Questions and Answers, #201.
106. Id.
107. DHHS Questions and Answers, #199.
108. DHHS Questions and Answers, #202.
109. OCR Guidance at 4; 45 C.F.R. § 164.502(a).
110. Id. at 4; 45 C.F.R. § 164.530(c).
111. OCR Guidance at 4.
112. OCR Guidance at 5.
113. DHHS Questions and Answers, #196; 45 C.F.R. §§ 164.502(b), 164.514(d).
114. Id.
115. DHHS Questions and Answers, #197.
116. OCR Guidance at 38; 45 C.F.R. § 164.520.
117. Id.
118. 45 C.F.R. § 164.520(b)(1).
119. 45 C.F.R. § 164.520(b)(1)(vi), (vii).
120. 45 C.F.R. § 164.520(b)(1)(v).
121. 45 C.F.R. § 164.520(b)(1)(viii).
122. 45 C.F.R. § 164.520(b)(3), (c)(1)(i)(C), (c)(2)(iv).
123. 45 C.F.R. § 164.520(c)(3).
124. 45 C.F.R. § 164.520(c)(2).
125. 45 C.F.R. § 164.520(c)(2)(ii).
126. 45 C.F.R. § 164.520(c)(3)(iii).
127. 45 C.F.R. § 164.520(c)(2)(i)(B).
128. 45 C.F.R. § 164.520(c)(2)(iii)(B).
129. DHHS Questions and Answers, #346.
130. 45 C.F.R. § 164.502(g)(1).
131. 45 C.F.R. § 164.502(g)(3)(i).
132. 45 C.F.R. § 164.502(g)(3)(i).
133. 45 C.F.R. §§ 164.502(g)(3)(ii), 164.524.
134. OCR Privacy Standards at 20, citing 45 C.F.R. § 160.202.
135. 45 C.F.R. § 164.502(g)(3)(i)(B).
136. Id.; 45 C.F.R. § 164.502(g)(3)(ii)(4).
137. 45 C.F.R. § 164.502(g)(3)(i)(C).
138. 45 C.F.R. § 164.502(g)(5).
139. OCR Privacy Standards at 20.
140. Id.
141. 45 C.F.R. § 164.502(g).
142. OCR Guidance at 11; 45 C.F.R. § 164.502(g).
143. Id.; 45 C.F.R. § 164.502(g).
144. Harris County Protective Services for Children and Adults, Notice of Privacy Rights – Health Care Records 7 (2002).
145. OCR Guidance at 11.
146. Id.
147. Federal Register, 12/28/2000, page 82516.
148. 45 C.F.R. § 165.508(b)(6)(c)(1).
149. 45 C.F.R. § 165.502(i)(A+B).
150. 45 C.F.R. § 164.502(g)(4).
151. 45 C.F.R. § 164.502(f).
152. 45 C.F.R. § 164.502(g)(5).
153. 45 C.F.R. § 164.502(g)(5)(ii).
154. 45 C.F.R. § 160.103.
155. 45 C.F.R. § 164.502(e).
156. 45 C.F.R. § 164.504(e).
157. OCR Privacy Standards at 19.
158. Id.
159. Id.
160. OCR Guidance at 16; 45 C.F.R. § 164.504(e)(1)(ii), (2).
161. 45 C.F.R. § 160.202; Health Insurance Portability and Accountability Act, § 264.
162. 45 C.F.R. § 160.203(b).
163. 45 C.F.R. § 160.203(c).
164. 45 C.F.R. § 160.203(d).
165. 45 C.F.R. § 160.203(a)(1)(i).
166. 45 C.F.R. § 160.203(a)(1)(ii), (iii).
167. 45 C.F.R. § 160.203(a)(i)(iv).
168. 45 C.F.R. § 160.203(a)(2).
169. Tex. R. Civ. P. 194.2(j).
170. Tex. R. Civ. P. 194.2(k).
171. Tex. R. Evid. 509(e)(4).
172. Tex. R. Evid. 509(e)(2), (f).
173. 45 C.F.R. § 164.512(a).
174. 45 C.F.R. § 164.501.
175. 45 C.F.R. § 164.514(h)(2)(iii).
176. 45 C.F.R. § 164.508(2)(i)(C).


Georgia Akers is the court coordinator/ staff attorney for Harris County Probate Court No. Three, the Hon. Rory R. Olsen, presiding. Akers is Board Certified in Estate Planning and Probate. She earned her J. D. from South Texas College of Law in 1991. She is a well known speaker and author on probate/guardianship issues at CLE Seminars.

Jean Ann Kelly assisted in the research for this paper. She is a third year law student at the University of Texas who expects to earn her J. D. in May 2004. Kelly is a cum laude graduate of Rice University; she was a summer clerk for Probate Court No. Three.
