Chapter §11.3 Access to Public Records Under the HIPAA Privacy Rule

Jurisdiction: Washington

§11.3 ACCESS TO PUBLIC RECORDS UNDER THE HIPAA PRIVACY RULE

Caveat: This chapter is not intended to be a full treatment of the HIPAA Privacy Rule or other HIPAA rules. The purpose of this section is only to interpret how the Privacy Rule interfaces with the Washington Public Records Act and other statutes affecting the disclosure of state and local agency records. Readers are urged to review the text of the rule and more current available information for more detail. The U.S. Department of Health and Human Services Office for Civil Rights, designated as the lead agency to implement and enforce the rule, assists in explaining and implementing HIPAA provisions. See U.S. Dep't of Health and Human Servs., Health Information Privacy, https://www.hhs.gov/hipaa/index.html (last visited Jan. 29, 2020).

(1) Background and history

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) addresses, among other topics, the privacy of medical information of individuals. Pub. L. No. 104-191, 110 Stat. 1936 (Aug. 21, 1996) (codified at 42 U.S.C. § 1320d). Of the not-so-aptly titled "HIPAA Administrative Simplification Rules," 45 C.F.R. pts. 160-164, the part chiefly impacting public records law in Washington is what is commonly known as the HIPAA Privacy Rule, 45 C.F.R. pts. 160, 164 subpts. A, E. HIPAA rules also contain security, enforcement, breach, and other standards, all located at 45 C.F.R. pts. 160, 162, and 164. The American Recovery and Reinvestment Act of 2009 adopted changes to HIPAA provisions, called the "Health Information Technology for Economic and Clinical Health (HITECH) Act." Pub. L. No. 111-5, tit. XIII, 123 Stat. 115 (Feb. 17, 2009). These changes were incorporated into the HIPAA rules through promulgation of the "Omnibus Rule." 78 Fed. Reg. 5566 (Jan. 25, 2013) (final rule).

(2) Effect of the HIPAA Privacy Rule on the PRA

Federal regulations that prohibit disclosure operate as PRA exemptions under the "other statute" provision of RCW 42.56.070(1). Ameriquest Mortg. Co. v. State Attorney Gen., 170 Wn.2d 418, 439, 241 P.3d 1245 (2010); Freedom Found. v. State Dep't of Transp., 168 Wn.App. 278, 287-88, 276 P.3d 341 (2012). Accordingly, the HIPAA Privacy Rule is an "other statute" exemption under RCW 42.56.070(1). Ameriquest, 170 Wn.2d at 439; Freedom Found., 168 Wn.App. at 287-88. Federal HIPAA standards "shall supersede any contrary provision of State law," 42 U.S.C. § 1320d-7(a)(1), except when state privacy protections are more stringent, 42 U.S.C. § 1320d-7(a)(2)(B); 42 U.S.C. § 1320d-2 notes; 45 C.F.R. § 160.203(b). Under this preemption, the HIPAA Privacy Rule sets the minimum standards for confidentiality of health care records in Washington.

(3) Application to government agency records

HIPAA applies to "covered entities," which can be health plans such as the state Health Care Authority, which administers Medicaid and other health programs, as well as health care providers such as public hospitals and clinics. 45 C.F.R. § 160.102(a). The rules do not distinguish between public and private agencies acting in these capacities. Therefore, public agencies in Washington that are subject to the PRA may also need to operate under the constraints of HIPAA when disclosing (or denying) public records. Even if not covered by HIPAA by virtue of their own business operations, other public agencies and their partners may come within the scope of the rule if they are "business associates" or providing services "on behalf of" a covered entity, due to the HITECH Act and the Omnibus Rule. 45 C.F.R. § 160.103; 45 C.F.R. § 164.104(b), .302, .500(c). A business associate includes a subcontractor that "creates, receives, maintains, or transmits" protected health information on behalf of that business associate. 45 C.F.R. § 160.103. Examples of business associates include legal counsel, service providers, and entities hosting data, including protected health information.

The HIPAA Privacy Rule controls "protected health information" (PHI), defined as "individually identifiable health information." Id. "Individually identifiable health information" is health information that identifies a person, including demographic and genetic information, created or received by a covered entity relating to the person's physical or mental health or condition or to the payment or provision of health care to that person. Id. Electronic PHI (e-PHI) is that which is transmitted or maintained in electronic media. Id...
