HIPAA Training - Florida Guardian ad Litem

What is the Privacy Rule?

The Standards for Privacy of Individually Identifiable Health
Information (Privacy Rule) governs the use and disclosure of
individuals’ health information (referred to as “protected health
information” or “PHI”), by “covered entities.”
Reference: 45 C.F.R. 164.104(a)(1)-(3) (2012).
HIPAA Provides Guidance

The HIPAA Privacy Rule provides guidance on:
• What information needs to be protected (PHI)
• Who must protect PHI (covered entities, business
associates)
• Responsibilities in protecting PHI
Terms & Concepts Used in the
HIPAA Privacy Rule

Use and Disclosure of PHI
Covered entities may only use or disclose PHI as
permitted or required by the Privacy Rule.
Use is the sharing, employment, application, utilization,
examination, or analysis of …information within the
entity…
Disclosure is the release, transfer, provision of access to, or
divulging in any other manner of information outside the entity.
References: 45 CFR §§ 160.103, 164.502
Terms & Concepts Used in the
HIPAA Privacy Rule

Covered Entities
A covered entity is:
• A health plan
• A health care clearinghouse
• A health care provider who transmits
any health information in electronic form
in connection with a covered transaction—
one for which the Secretary has adopted
standards.
Requirements for Uses and
Disclosures of PHI

A covered entity must not use or disclose PHI, except as specifically
permitted or required by the HIPAA Privacy Rule.
References: 45 CFR § 164.502(a)
Requirements for Uses and
Disclosures of PHI

The HIPAA Privacy Rule requires disclosure to the individual
when the individual exercises the right to access PHI in
designated record sets or the right to an accounting of
disclosures.
Reference: 45 CFR § 164.502(a)(2)
Requirements for Uses and
Disclosures of PHI

Required disclosures to the individual:
The individual may be the patient, or in the case of an
unemancipated minor, the “personal representative” of the
individual. Thus parents, guardians or other people acting in loco
parentis can exercise the right of the individual to obtain medical
information.
Reference: 45 C.F.R. 164.502(g)(3).
Recap

The HIPAA Privacy Rule:
• “Federal Floor” of Privacy Protections
• First set of comprehensive federal health privacy protections
• Restricts uses and disclosures of PHI
• Provides rights for individuals who are the subject of PHI
Preemption of State Law

What is Preemption?
The judicial principle asserting the supremacy of federal over state law.
Two kinds:
• Field Preemption
• Conflict Preemption
Definition of State Law

Definition of State Law from 45 CFR § 160.202
State law for HIPAA preemption purposes means provisions in:
• State constitution
• State statutes
• State regulations
• State rules
• State common law
• Any other state action having the force and effect of law
Definition of Contrary

Definition of “Contrary”
Contrary, as it relates to the preemption of state law by HIPAA
requirements, means:
• It would be impossible for a covered entity to comply with both the state
and federal requirements (the impossibility test)
OR
• The provision of state law is an obstacle to accomplishing the full
purposes and objectives of the Administrative Simplification provisions of
HIPAA (the obstacle test)
Reference: 45 CFR § 160.202
Preemption of State Law – General
Rule

Under 45 CFR § 160.203, a HIPAA Rule provision that is contrary to a
provision of state law preempts the state law, unless one
of the specified exceptions applies.
Preemption of State Law – Child
Abuse and Public Health

Important to dependency proceedings is the exemption contained
within § 160.203(c), which provides:
(c) The provision of State law, including State procedures established
under such law, as applicable, provides for the reporting of disease or
injury, child abuse, birth, or death, or for the conduct of public health
surveillance, investigation, or intervention.
Preemption of State Law – Child
Abuse and Public Health

…HIPAA expressly carved out state laws on child abuse and neglect
from preemption or any other interference…. State laws continue to
apply with respect to child abuse, and the final rule does not in any
way interfere with a covered entity’s ability to comply with these
laws.
Reference: Standards for Privacy of Individually Identifiable Health
Information, 65 Fed. Reg. 82,462, 82,527 (Dec. 28, 2000).
Conflict Minimization and the
HIPAA Privacy Rule

The HIPAA Privacy Rule is designed to minimize conflicts between its
requirements and state law.
Generally, state laws are not contrary.
The HIPAA Privacy Rule provides a federal floor, and state laws that provide
greater protection for PHI and more expansive privacy rights will not be
affected.
Conflict Minimization and the
HIPAA Privacy Rule

45 CFR § 164.512 provides permission to covered entities to make the uses
and disclosures listed in the statute.
Other uses/disclosures that do not require an authorization:
• Required by law
• Public health activities
• About victims of abuse, neglect, or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
Conflict Minimization and the
HIPAA Privacy Rule

To date, OCR has not been presented with any state law that is contrary to
a HIPAA provision. In each case, it has been possible to comply with
both.
If a state law were contrary, it would be preempted by HIPAA unless an
exception applied.
Recap

State laws that are contrary to the regulations are preempted by the federal
requirements unless a specific exception applies.
The Privacy Rule provides a federal floor of privacy protections
for individuals’ PHI.
State laws that provide greater protections for PHI and greater privacy
rights for individuals are generally not contrary to the federal
requirements and will not be preempted.
Where HIPAA permits disclosures that are required or permitted under
state law, there is no conflict and so no preemption.
Practice Pointers

1. Disclosure to the GAL is required by HIPAA
The State of Florida stands in loco parentis with an abused, abandoned or
neglected child. Accordingly, the State is a personal representative of the
child for HIPAA purposes and should be treated as an individual for
purposes of determining whether the disclosure is authorized under
§164.502(g)(3). As the court-appointed representative of the State, i.e.,
the child’s personal representative, the GALP’s access to the information
is permitted by §164.502(g).
Practice Pointers

2. Child abuse and neglect laws are exempt from HIPAA’s provisions.
There are exemptions and exclusions from HIPAA. The child abuse
exemption provision of the statute should be read broadly to allow
record sharing of information concerning children:
“Although not generally thought of as public health related functions,
investigative and intervention responses to child maltreatment clearly are
public health matters, even if government social services or law
enforcement agencies play the lead roles.”
References: Howard Davidson, The Impact of HIPAA on Child Abuse and
Neglect Cases (2003); 45 CFR § 160.203
Practice Pointers

3. Disclosure is excluded from HIPAA under § 164.512(a)’s public benefits
exception, because it is required by § 39.822:
(3) Upon presentation by a guardian ad litem of a court order appointing
the guardian ad litem:
(b) A person or organization, other than an agency under paragraph (a),
shall allow the guardian ad litem to inspect and copy any records related to
the best interests of the child who is the subject of the appointment,
including, but not limited to, confidential records.
For the purposes of this subsection, the term “records related to the best
interests of the child” includes, but is not limited to, medical, mental health,
substance abuse, child care, education, law enforcement, court, social
services, and financial records.
No notice for the order… why do they keep talking about drugs and alcohol?
Practice Pointers

CAUTION:
• Do not get caught in the § 164.512(e) trap
• Do not confuse HIPAA with 42 USC §§ 290dd-2