Understanding the boundaries of the HIPAA preemption analysis: who is regulated by the privacy rule and what information does HIPAA protect?

Author: Olinde, John F.
Position: Health Insurance Portability and Accountability Act of 1996
  1. Introduction

    THE Department of Health and Human Services (DHHS) published the final Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) on August 14, 2002. (1) The compliance date for covered entities subject to the Privacy Rule was April 14, 2003 (April 14, 2004 for certain small health plans). The Privacy Rule, found at 45 C.F.R. Part 160 and Part 164, provides comprehensive federal protection for the privacy of certain health information. The Privacy Rule has been described as providing a "federal floor" of safeguards to protect the confidentiality of medical information. (2) State laws which provide stronger privacy protection will continue to apply over and above the federal privacy protection. However, in litigated cases involving the application of state privacy laws, it is not apparent at this point which state laws will survive the HIPAA preemption analysis. These issues will likely be decided by judges on a case-by-case basis, which may lead to multiple, conflicting decisions within judicial districts. HIPAA also prescribes several methods by which a covered entity may release information in a judicial or administrative proceeding. This article will describe these various requirements for releasing this information.

  2. Who is Regulated by the Privacy Rule?

    Familiarity with the vocabulary of HIPAA aids in understanding how medical information may be released. The Privacy Rule regulates "covered entities." A covered entity (CE) is defined under the Code of Federal Regulations as:

    1. A health plan;

    2. A health care clearinghouse; and

    3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by [this] subchapter. (3)

    When litigants seek discoverable information, it is likely that they will at some point in the litigation seek medical information in the possession of a covered entity, usually a hospital subject to the Privacy Rule as a "health care provider."

  3. What Information is Protected?

    The Privacy Rule protects Individually Identifiable Health Information (IIHI) in the possession of covered entities. Individually identifiable health information is defined as "information that is a subset of health information, including demographic information collected from an individual ..." (4)

    Additionally, IIHI:

    1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

    2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

      i. That identifies the individual; or

      ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. (5)

      When IIHI is transmitted or maintained by a covered entity, it becomes Protected Health Information, or PHI:

      Protected health information means individually identifiable health information:

    1. Except as provided in paragraph (2) of this definition, that is:

      i. Transmitted by electronic media;

      ii. Maintained in electronic media; or

      iii. Transmitted or maintained in any other form or medium.

    2. Protected health information excludes individually identifiable health information in:

      i. Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

      ii. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv) (related to records of students held by postsecondary educational institutions or of students 18 years of age or older, used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student's request); and

      iii. Employment records held by a covered entity in its role as an employer. (6)

      The difference between IIHI and PHI is explained in the following Preamble to the Final Privacy Rule:

      We use the phrase 'protected health information' to distinguish between the individually identifiable health information that is used or disclosed by the entities that are subject to this rule and the entire universe of individually identifiable health information. 'Individually identifiable health information' as defined in the statute is not limited to health information used or disclosed by covered entities, so the qualifying phrase 'protected health information' is necessary to define that individually identifiable health information to which this rule applies. (7)

    Generally, any litigant seeking medical information regarding a party to the litigation, or medical information regarding a third party which the litigant believes will be useful in the litigation, will be seeking PHI from a CE. The litigant must therefore be familiar with the Privacy Rule's requirements for releasing protected health information.

  4. Disclosure of Protected Health Information

    The Privacy Rule states that a CE may not use or disclose PHI, except as required or permitted by the Privacy Rule.

    1. Required Disclosures

      HIPAA requires disclosure of PHI to an individual when the individual requests it, unless the information is exempt from access (as is the case with psychotherapy notes prepared in anticipation of or for use in a civil, criminal or administrative proceeding, or certain information covered by the Clinical Laboratory Improvements Amendments (CLIA) of 1988 (8)), or unless denial of access is permitted and the individual is given a right to have the denial reviewed by a licensed health care professional who is designated by the CE to act as a reviewing official and who did not participate in the original decision to deny access. (9) HIPAA also requires disclosure when necessary to provide an accounting of prior disclosures. Additionally, disclosure is required upon request of DHHS to investigate a complaint under the Privacy Rule, or to determine a covered entity's compliance with the Rule. (10)

    2. Permitted Disclosures

      There are a number of disclosures of PHI which are permitted under the Privacy Rule and which do not require an individual's authorization. For example, an individual's PHI may be used or disclosed by a covered entity for three purposes: (1) treatment of the individual; (2) payment for services; or (3) for the operational requirements of the CE.

      In the Final Rule, DHHS developed essentially a four-step approach for the release or disclosure of PHI. (11) First, a CE may use or disclose information for its own treatment, payment, or healthcare operations. Second, a CE may disclose PHI to another healthcare provider for treatment purposes. Third, a CE may disclose PHI to another CE for payment activities. Fourth, disclosure of PHI between CEs is permissible with certain limitations, such as for healthcare operations and the detection of fraud and abuse or for compliance issues. Other disclosures may require a written authorization.

      An individual may provide a written authorization to a CE requesting the release of his or her PHI that conforms with the Privacy Rule requirements. This process is the most expedient way in which a litigant could access his or her own PHI. If a party seeks the PHI of a non-party to the litigation, having that individual provide a valid HIPAA authorization would expedite the production of the medical information.

  5. HIPAA Authorization to Release PHI

    An individual may authorize the release of her own medical information if such release is not otherwise required or permitted by the Privacy Rule. Prior to the passage of HIPAA, written authorizations were routinely used in litigation to grant access to medical information. The Privacy Rule sets out the elements of a valid authorization for purposes of HIPAA:

    Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. (12) The requirements for a valid HIPAA authorization are:

    Implementation specifications: core elements and requirements.

    1. Core elements. A valid authorization under this section must contain at least the following elements:

      i. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

      ii. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

      iii. The name or other...
