What is the Privacy Rule?

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) governs the use and disclosure of individuals’ health information (referred to as “protected health information” or “PHI”) by “covered entities.”

Reference: 45 C.F.R. 164.104(a)(1)-(3)(2012).

HIPAA Provides Guidance

The HIPAA Privacy Rule provides guidance on:
• What information needs to be protected (PHI)
• Who must protect PHI (covered entities, business associates)
• Responsibilities in protecting PHI

Terms & Concepts Used in the HIPAA Privacy Rule

Use and Disclosure of PHI

Covered entities may only use or disclose PHI as permitted or required by the Privacy Rule.

Use is the sharing, employment, application, utilization, examination, or analysis of …information within the entity…

Disclosure is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity.

References: 45 CFR §§ 160.103, 164.502

Covered Entities

A covered entity is:
• A health plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form in connection with a covered transaction, one for which the Secretary has adopted standards.

Requirements for Uses and Disclosures of PHI

A covered entity must not use or disclose PHI, except as specifically permitted or required by the HIPAA Privacy Rule.

Reference: 45 CFR § 164.502(a)

The HIPAA Privacy Rule requires disclosure to the individual when the individual exercises the right to access PHI in designated record sets or the right to an accounting of disclosures.

Reference: 45 CFR § 164.502(a)(2)

Required disclosures to the individual: The individual may be the patient, or in the case of an unemancipated minor, the “personal representative” of the individual.
Thus parents, guardians or other people acting in loco parentis can exercise the right of the individual to obtain medical information.

Reference: 45 C.F.R. 164.502(g)(3).

Recap

The HIPAA Privacy Rule:
• “Federal Floor” of Privacy Protections
• First set of comprehensive federal health privacy protections
• Restricts uses and disclosures of PHI
• Provides rights for individuals who are the subject of PHI

Preemption of State Law

What is Preemption?

The judicial principle asserting the supremacy of federal over state law. Two kinds:
• Field Preemption
• Conflict Preemption

Definition of State Law

Definition of State Law from 45 CFR § 160.202

State law for HIPAA preemption purposes means provisions in:
• State constitution
• State statutes
• State regulations
• State rules
• State common law
• Any other state action having the force and effect of law

Definition of “Contrary”

Contrary, as it relates to the preemption of state law by HIPAA requirements, means:
• It would be impossible for a covered entity to comply with both the state and federal requirements (the impossibility test)
OR
• The provision of state law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA (the obstacle test)

Reference: 45 CFR § 160.202

Preemption of State Law – General Rule

Under 45 CFR § 160.203, a HIPAA Rule provision that is contrary to a provision of state law preempts the state law, unless one of the specified exceptions applies.

Preemption of State Law – Child Abuse and Public Health

Important to dependency proceedings is the exemption contained within § 160.203(c), which provides:

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
…HIPAA expressly carved out state laws on child abuse and neglect from preemption or any other interference…. State laws continue to apply with respect to child abuse, and the final rule does not in any way interfere with a covered entity’s ability to comply with these laws.

Reference: Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,527 (Dec. 28, 2000).

Conflict Minimization and the HIPAA Privacy Rule

The HIPAA Privacy Rule is designed to minimize conflicts between its requirements and state law. Generally, state laws are not contrary. The HIPAA Privacy Rule provides a federal floor, and state laws that provide greater protection for PHI and more expansive privacy rights will not be affected.

45 CFR § 164.512 provides permission to covered entities to make the uses and disclosures listed in the statute. Other uses/disclosures that do not require an authorization:
• Required by law
• Public health activities
• About victims of abuse, neglect, or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes

To date, OCR has not been presented with any state law that is contrary to a HIPAA provision. In each case, it has been possible to comply with both. If a state law were contrary, it would be preempted by HIPAA unless an exception applied.

Recap

State laws that are contrary to the regulations are preempted by the federal requirements unless a specific exception applies.

The Privacy Rule provides a federal floor of privacy protections for individuals’ PHI.

State laws that provide greater protections for PHI and greater privacy rights for individuals are generally not contrary to the federal requirements and will not be preempted.
Where HIPAA permits disclosures that are required or permitted under state law, there is no conflict and so no preemption.

Practice Pointers

1. Disclosure to the GAL is required by HIPAA

The State of Florida stands in loco parentis with an abused, abandoned or neglected child. Accordingly, the State is a personal representative of the child for HIPAA purposes and should be treated as an individual for purposes of determining whether the disclosure is authorized under § 164.502(g)(3). As the court-appointed representative of the State, i.e., the child’s personal representative, the GALP’s access to the information is permitted by § 164.502(g).

2. Child abuse and neglect laws are exempt from HIPAA’s provisions.

There are exemptions and exclusions from HIPAA. The child abuse exemption provision of the statute should be read broadly to allow record sharing of information concerning children:

“Although not generally thought of as public health related functions, investigative and intervention responses to child maltreatment clearly are public health matters, even if government social services or law enforcement agencies play the lead roles.”

References: Howard Davidson, The Impact of HIPAA on Child Abuse and Neglect Cases (2003); 45 CFR § 160.203

3. Disclosure is excluded from HIPAA under § 164.512(a)’s public benefits exception, because it is required by § 39.822:

(3) Upon presentation by a guardian ad litem of a court order appointing the guardian ad litem:

(b) A person or organization, other than an agency under paragraph (a), shall allow the guardian ad litem to inspect and copy any records related to the best interests of the child who is the subject of the appointment, including, but not limited to, confidential records.
For the purposes of this subsection, the term “records related to the best interests of the child” includes, but is not limited to, medical, mental health, substance abuse, child care, education, law enforcement, court, social services, and financial records.

No notice for the order… why do they keep talking about drugs and alcohol?

CAUTION:
• Do not get caught in the § 164.512(e) trap
• Do not confuse HIPAA with 42 USC § 290dd-2