Module 7: HIPAA and State Law

Louis Altarescu
Length: 33:37 | Format: Video with PowerPoint
Related Content: Module 7 HIPAA and State Law.pdf


We should get started now. Let’s see where we are here. If I could get to Module 7. (long pause) Okay, so…um…I’m going to be talking about…umm…HIPAA and state law. As you know, HIPAA was passed by Congress in 1996, and at that time there were…um…actually a number of privacy bills that were circulating around Congress that didn’t get anywhere and there was a lot of controversy. Um, some of the controversy had to do with…um, rights of parents versus minors and issues regarding….um, abortion records that come into play when you’re dealing with issues of that nature and who makes the decision, so all these things were surfacing and one issue was the relationship between the federal government and state laws because, as you know, every state has dozens of privacy laws and some of them are very specific. I mean, most states have specific laws dealing with HIV/AIDS information, with genetic information. A lot of states have cancer registries, birth defect registries, um laws regarding providers and hospitals and insurers and their handling of information, state open records laws. Um, what Congress did, which is rather unusual, is specifically saying, in HIPAA, that HIPAA does not supersede a law that is contrary to HIPAA if the law is more protective of privacy. So, we’ll get specifically into that, but Congress specifically addressed the relationship between HIPAA and state law. And other than that question about laws being more stringent, there are other areas where the relationship between HIPAA and state law comes into play that may affect your practice. So, there’s a section in the Privacy Rule, 45 CFR Part 160, which is a general part that relates to both privacy and to security, so 160 is the general section in the administrative simplification rules and the preemption language is in there.
So, um, we’re going to be talking about what laws are contrary and how the structure of the Privacy Rule…does…go very far in terms of recognizing and accepting and allowing state laws to operate…um…as they do. Um, so there are…um…key concepts and definitions that come into play here. The…um, there are two different types of preemption, which you probably know. One is field preemption and that’s where Congress passes a law that says that this statute is, um, pre-empting all laws within that area, so ERISA is a good example of that. So, no state can enact a law related to employee benefit plans because Congress is saying that their law supersedes all those laws and that, um, they have captured the field, if you will, in that area. But they didn’t do that with HIPAA. HIPAA is a conflict preemption law, so, um…state laws are preserved and it only becomes an issue where that state law conflicts with HIPAA. The, uh, when we talk about state law, we’re talking about state constitutions, statutes, regulations, rules, common law, court decisions, anything that has the effect of law. So, um, state law and laws are referenced in a number of provisions in the Privacy Rule, such as the use of the term “required by law” and, um, other provisions that reference back to state law, and we use that term very broadly. One of the most important terms in dealing with this whole area, preemption, is the idea of contrary. So, by contrary, we mean that it would be impossible for a covered entity to comply both with HIPAA and that privacy law. So, if there’s a state law that says that a healthcare provider has to provide, or has to give an individual access to their medical records in 20 days, and HIPAA says, as you know, 30 days or extended to 60 days, that’s not contrary. Because, clearly, a covered entity could comply with both by giving someone access within 20 days.
HIPAA doesn’t preclude that and so, a state law and HIPAA that address the same matter and do it in different ways aren’t necessarily contrary. The other element of contrariness that’s in the statute is with a provision of state law that’s an obstacle to accomplishing the purposes of administrative simplification of all the HIPAA Rules. The obstacle test. And, we really haven’t even thought about a scenario where a state law is an obstacle to accomplishing the objectives of HIPAA, such that it would be contrary to HIPAA. But, so, hopefully what we end up doing is looking at it in terms of the impossibility test about whether a covered entity would be caught in a Catch-22 situation, that they’re either violating HIPAA or they’re violating the…the state law, and I’ll play that out with a number of examples as we move on. So, um, Section 70…11-78 of the Social Security Act, which is part of the HIPAA statute, um, addresses this and it’s also addressed in these HIPAA Privacy Rule provisions. So, where are, um…let’s see here…so even if we find where a state law and HIPAA are contrary to each other, the statute and the regulation still provide situations where the state law would prevail. So, for instance, if the state law provides greater privacy protections, as I mentioned, then that state law will prevail even if that’s contrary to HIPAA. And if the state law provides for reporting of disease, or injury, or child abuse, which is not uncommon. As you know, hospitals have to make certain reports to state agencies regarding births and deaths and injuries, and those, um, those provisions are state law, sometimes they’re required, sometimes they’re just permitted, um, and what this provides is that even where that conflicts with HIPAA, this type of state law would prevail, that a covered entity would be able to comply with the state law in this situation even if it’s contrary to HIPAA.
And um, the third situation has to do with health plan reporting that, um, sometimes health plans have to report to state accreditation agencies or state licensing agencies, and where that’s required by state law, even if it’s contrary to HIPAA, then it’s permitted. And the fourth area is where the Secretary makes a determination that an exception should be granted if certain criteria are met, um, such as the state law being necessary to prevent fraud. Um, we’ve gotten three requests, which I’ll get into a little later, but we’ve gotten requests from states saying, “Um, our state law meets one of these exceptions. So, even though it’s contrary to HIPAA, we think the Secretary should make a determination that a covered entity could share information with us, um…even if, um…um, even if it’s contrary to HIPAA.” So, these are the situations; I’ll get back to this, um, a little later on. So, um…let’s see…So, getting to this um…more stringent test. So, a state law is more stringent than HIPAA if it provides greater privacy protection or provides greater rights to individuals with respect to PHI. So, the example where a state law says that a covered entity has to share information with an individual, give an individual access to their information within 20 days, um, provides greater rights to individuals. Um, providing greater privacy protection, there may be a state law that says, um…information, PHI, could never be shared with law enforcement. OCR says, in the HIPAA Privacy Rule, that there are circumstances in which a covered entity can share information with law enforcement. If you have a state law that says under no circumstances can a covered entity share PHI with law enforcement, that provides greater privacy protections. However, if we think about it, those scenarios and others are contrary to HIPAA. So, in order for this exception to come into play, you have to find that the two laws are contrary.
So, as I pointed out, HIPAA would not be contrary to a state law that allows access, or requires access within 20 days, um, because you would not be violating HIPAA by doing it. If a state law says you cannot share PHI with the law enforcement agency, that’s not contrary to HIPAA because while HIPAA permits a disclosure to law enforcement, it does not require a disclosure to law enforcement. So, if a covered entity complies with the state law by not sharing PHI with law enforcement, they’re in compliance with the state law. They’re also in compliance with HIPAA because HIPAA, while it permits disclosures to law enforcement, does not require that disclosure, so it’d not be contrary to HIPAA. So, if it’s not contrary, then you never get into this issue of more stringent. Now, if there are any questions at this point about that…So, we have not been confronted with…no one has brought to us an actual state law, um, that is contrary to HIPAA, such that we have to analyze which law is more stringent. Uh, I could think of a…situation where that might occur, um, looking over all of the Privacy Rule, and the Privacy Rule says that an individual has a right to receive an accounting of the disclosures of their information. So, if an account…a disclosure is made to a law enforcement agency, generally, you have the right to get an accounting. You have a right to go to the covered entity to say, “Who did you share my information with over the last six years?” And if they shared it with law enforcement, they have to tell you. But, there’s an exception in the accounting provisions that says if a law enforcement agency or health oversight agency says that sharing that information with the individual would impede our investigations and it should be for the next one year, that OCR…um…has to recognize that and a covered entity is prohibited from sharing, providing that accounting to an individual. So, um, there is no…room for a compromise there.
A…while an individual has a right to accounting, if there’s a request for delay by law enforcement and health oversight, then the covered entity is prohibited from letting that individual know that their information was shared with law enforcement or health oversight agency in that situation. Um, I’m not sure how all this gets communicated in the process but um, you know when a…um…a law enforcement agency, when they receive information, could inform the covered entity saying, “By the way, um, we want to invoke the delay in, um, in providing an accounting.” Um, so that could be a scenario where, if you have a state law that says you need to provide an accounting, and there’s no delay, even if it’s law enforcement, even if it’s an accounting of a disclosure that a covered entity made to a health oversight agency, then that would be contrary to HIPAA because if a covered entity…um…shares that information with the covered entity, lets that individual know they had shared PHI with the law enforcement agency, they’d be complying with the state law because the state law requires an accounting without delay. But, they’d be in violation of HIPAA because HIPAA says that if law enforcement asks for a delay, you cannot provide an accounting to that individual. And, again, I’m talking about a hypothetical state law, but those two laws would be contrary and a covered entity would be caught between a rock and a hard place and they would have to…uh, what would seem to be violate HIPAA. But, because these laws are contrary, because it puts the covered entity in violation of HIPAA, then this exception comes into play and the more stringent law prevails. So OCR, if they investigated the case or if they were asked how to analyze the situation, would say that the covered entity need not comply with this accounting restriction because some more stringent law prevails.
And it’s not something where someone would have to request an exception determination from OCR; this would just operate as a matter of law. So, if any of you have come up with situations where laws are contrary and one is more stringent, I’d really be curious because I need to beef up this presentation, so, you know, I’d welcome that. But there’s very little conflict, and, in fact, much of the Privacy Rule is written to avoid conflict. So, um, for instance, the…um, Privacy Rule, as we know, provides a floor of privacy protections and you could always provide something more protective, like saying you have to provide access within 20 days. Or, we say that you can make disclosures for treatment, payment and healthcare operations without an individual signing an authorization. Well, many states have laws that say, “No, you have to sign an authorization if you are going to disclose information for treatment, payment or healthcare operations.” Or, if it relates to HIV or AIDS, if you’re going to make a disclosure for any purpose, you need to sign an authorization, and those state laws prevail because it’s not contrary to HIPAA that…um, you could provide these greater privacy protections and it’s not contrary to HIPAA. So, state laws are an add-on, so while you look at something, um, you need to look at both state law and federal law to see how they come into play. Um, also, HIPAA provides a number of permissive disclosures and the…looking at the first one is a disclosure that’s required by federal law. So, as we said, um, earlier when…um…Iliana went through the list of permissive disclosures, the first one, 5-12A, is required by law. So, if a state law requires a covered entity to make a disclosure, then that’s permitted under HIPAA, which means going back to…um…let’s see…this provision here.
Congress put in this exception that says a contrary state law prevails if, under 3, it requires reporting to a health plan or it requires a health plan to make reporting. Well, this would never come into play because if a state law requires a covered entity to make some reporting, it’s permitted by HIPAA, so it would never be contrary to HIPAA. So, even though this is in there and Congress put it in, because in writing the regulations, we said all required disclosures are permitted by HIPAA. Any state law which requires a disclosure would never be contrary to HIPAA and you would never need to have this exception come into play. So, um, HIPAA also provides, on the second bullet, that it’s permissive to make disclosures to public health authorities for certain purposes, and the wording is very broad and the attempt was to recognize that this type of disclosure is in the public interest, that a state legislature or state regulatory process had decided that such disclosure should be permitted to public health authorities and that, um, no patient authorization is needed to do this. And, the thinking was, well we should recognize those laws and, um, not impede those laws in any way. So, because HIPAA permits disclosures to public health authorities in a very broad way…let me see where I’m going here…the, um, the second bullet comes into play, so if a disclosure is permitted by state law for public health purposes, then, um…making that disclosure is not in violation of HIPAA and it’s not contrary to a state law that permits a disclosure. So, again, here a state law that permits disclosures to a public health authority would not be contrary. So, this exception that would permit state laws to be in effect even if they’re contrary to HIPAA does not come into play because there would not be a conflict with HIPAA because HIPAA permits these disclosures. So, um…see where I am here (long pause).
So, um…so, as I said, we have not been presented with any state law that is contrary to HIPAA and in each case, it’s been, we have found that you’re able to comply with both and, um, if state law was contrary, Congress provides that HIPAA pre-empts state law. So, if you find a law that’s a state law that’s contrary to HIPAA, HIPAA pre-empts unless an exception… So, we do have an activity now. Um, the…we have a, um, a case study and we’re going to compare, um…with 5-24B located on 37 of your index, so let’s see, um. Um, 5-24B. So, 5-24, you know, the access provisions (long pause) And, um…the case study is this hypothetical state law that says a covered entity must provide an individual with a copy of his or her medical record within 21 working days and no extensions are permitted. So, if you would um…um…I think 5-24B is something we’ve talked about. So, if you could take ten minutes and think about this question and um, then we’ll get back to this. Everybody here? Want to take it, first table here?
(from the audience): (inaudible)
Um, is this provision, a state law, contrary to the Privacy Rule?
(from the audience): “We don’t believe that it’s contrary to the Privacy Rule. We just believe it’s more stringent than the Privacy Rule.”
Um, but of course, we have to address more stringent, right?
(from the audience): “Exactly.”
Right. Right. Good.
(from the audience): “So, so we think that’s fine.”
And why is it not contrary to…the Privacy Rule?
(from the audience): “Because it’s not um, it’s it’s just um, it’s if someone, in order to be in compliance with the state law, they wouldn’t be in violation of HIPAA. It’s not as if the state law is requiring a 60 day period…”
Right.
(from the audience): “…for compliance or something to that effect. You can be in compliance with the state law as well as being in compliance with HIPAA.”
Right. Very good.
That’s the right answer and certainly this state law is, um, it’s not contrary because it’s not an obstacle to the accomplishment of the purposes of HIPAA to have this. Um, and um, as was pointed out in…in answering this, the um, if the state law, let’s say, said 60 days, um, a permitted disclosure within 60 days, that would also not be contrary because you could comply with the state law by just complying with privacy because the state’s law doesn’t say you have to take 60 days. So, even if a state law provides less privacy rights, if you can…if you’re not required to comply with that state law that provides less privacy rights, then you could comply with HIPAA and the two are not contrary. So, um. So, um, we talked about state laws that are contrary to HIPAA and if there is contrary, it’s pre-empted by HIPAA unless there’s an exception. Um, Privacy Rule has/is a federal law. If it is contrary and there are greater privacy protections, then um, while it’s generally not contrary, if it was, that state law would prevail. It would not be pre-empted by HIPAA. And where HIPAA permits disclosures that are required or permitted under state law, there’s no conflict, and of course, that would only be where HIPAA also permits such disclosure. So, um, I’m going to go quickly through this part because, as you recall, this is the procedure where anybody could request an exception determination. And this would only come into play where the two laws are contrary and where it meets certain tests. So, you know, where somebody argues even though these two laws are contrary, the state law should prevail because it’s necessary to prevent fraud, or to regulate insurance, or for state reporting or for some compelling health or safety need, or because it regulates controlled substances. Well, so, there is this process to make requests, which is in the regulation, and anybody could make the request.
Um, if the request is made on behalf of the state, it has to be submitted by the chief elected official or his or her designee. Um, and OCR handles these and as I indicated, um, we have only received three requests and these are from these three states, including Maryland, who’s here today. And, um, in all of these cases, we found that there’s no jurisdiction for OCR, on behalf of the Secretary, to make an exception determination because they’re not contrary. So, um…let’s see…this is not on the slide…see if this is here. Okay, I thought there was a description of this state’s laws. But in Oklahoma, the request didn’t come from the governor’s office or his designee; it came from the state medical association and a hospital association. And, what they said is that, in Oklahoma, if somebody files a medical malpractice claim, their records are automatically available to the parties in the case. And, there’s no requirement for a subpoena or notifying the patient that’s involved and, um…even though HIPAA requires that. So, they’re saying, well we want an exception determination because we want Oklahoma law to prevail. So, this is what the medical and hospital association asserted and what we said is, “Um, sorry, this does not apply because these laws are not contrary.” A covered entity could comply with Oklahoma law by meeting the HIPAA requirements by getting a subpoena, giving notice to the individual, giving the individual an opportunity to object, and that does not put the covered entity in violation of the state law. While it may not be what the state law intended and it may not be to your liking, the state law doesn’t say that um…that a covered entity…um, they provide this process for making information available to parties in a malpractice case, but it um…it doesn’t prevent a covered entity from having to meet other requirements of law.
So, a covered entity would not be in violation of Oklahoma law if it takes these added steps which are required by state law, excuse me, by HIPAA. In Indiana, the state department of health requested an exception determination. And um, there they had a state law that said if there’s a missing person, a covered entity can make a report to law enforcement and they could give the name of the individual, the address of the individual, the telephone number, the fax number. And, um…under HIPAA, we do have a provision if there’s a missing person, a covered entity can make a call to law enforcement and say, “Um, you know, someone left our hospital, they’re missing and we want to report this.” And, we do allow disclosure of PHI, but we don’t allow disclosure of telephone numbers or fax numbers. Um, who knows why we didn’t think of including that, but it’s not on the list and we said that you’re not required by law to share this information with law enforcement. It’s permitted by state law and thus, you could comply with both by complying with HIPAA and not reporting this information…this telephone number or fax number, in the case of a missing person. So, um, I’m not sure Indiana was happy with that result, but that’s where it came. In Maryland, they were happy with the result, because in Maryland, the governor made a request and they pointed out that Maryland law requires health insurance carriers to provide information to a state health plan if they deny coverage. The idea being that, if you’ve been denied coverage by a health plan, there may be a state plan that will be able to pick you up and serve you. So, anytime a person is denied coverage, that health plan has to notify the state. Now, because there’s a requirement to make that disclosure to the state, the covered entities are required to do that, then HIPAA permits that.
So, in that case, the state law works the way it was intended to work and HIPAA would not um…change that result in any way because it’s a required by law disclosure. So, there was no need for an exception determination because the two laws were not contrary. And in all three cases, laws were not contrary. So…um…I’m going to…um…go quickly through the rest because we’re over time and, um… the um…So, um, this pretty much sums it up about pre-emption and how the Privacy Rule’s structured, so that pre-emption should rarely, if ever, come up and how we’ve dealt with requests for exception determinations. So, are there any questions about HIPAA and state law? Okay, Iliana, it’s all yours.
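The contrary test the talk applies in each case (access deadline, law-enforcement ban, the accounting-delay hypothetical, and the Indiana, Maryland and Oklahoma requests) can be written down as a set-intersection check. The following is an added example, not OCR’s method or code from the presentation; the rule names, behaviour labels and the “more stringent” flag are constructed here, and stringency is left as an analyst judgment rather than computed.

```python
"""Preemption 'contrary' test modelled as a set-intersection check.

Added example (not OCR's method or code from the presentation).
A law is modelled by the set of covered-entity behaviours that comply
with it. Two laws are contrary only when no behaviour satisfies both;
only then does the question of which law prevails arise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    compliant: frozenset  # behaviours that keep a covered entity compliant


DISCLOSE, WITHHOLD = "disclose", "withhold"

def requires(name): return Rule(name, frozenset({DISCLOSE}))
def permits(name): return Rule(name, frozenset({DISCLOSE, WITHHOLD}))
def prohibits(name): return Rule(name, frozenset({WITHHOLD}))

def deadline(name, max_days):
    """Satisfied by responding on any day from 1 through max_days."""
    return Rule(name, frozenset(range(1, max_days + 1)))


def analyze(hipaa, state, state_more_stringent=False, statutory_exception=False):
    """Return (contrary, prevailing law, behaviours that comply).

    The two flags are analyst judgments (greater privacy protection or
    individual rights; or a statutory exception such as fraud prevention)
    and are consulted only when the laws are actually contrary.
    """
    both = hipaa.compliant & state.compliant
    if both:
        return False, "both", both
    if state_more_stringent or statutory_exception:
        return True, state.name, state.compliant
    return True, hipaa.name, hipaa.compliant


# Cases from the talk; rule names and behaviour labels are constructed here.
WITH_PROCESS = "disclose after subpoena and notice"
WITHOUT_PROCESS = "disclose automatically"

CASES = {
    # State's 21 working days vs HIPAA's 30 days, extendable to 60.
    "access": (deadline("HIPAA access: up to 60 days", 60),
               deadline("State: 21 working days", 21), True),
    # State bans law-enforcement disclosure; HIPAA only permits it.
    "law_enforcement": (permits("HIPAA: law-enforcement disclosure permitted"),
                        prohibits("State: law-enforcement disclosure banned"), True),
    # Hypothetical: accounting required without delay vs HIPAA's duty to
    # honour a law-enforcement request for delay. The only contrary case.
    "accounting_delay": (prohibits("HIPAA: no accounting during requested delay"),
                         requires("State: accounting without delay"), True),
    # Indiana: phone/fax in missing-person reports; not on HIPAA's list.
    "indiana": (prohibits("HIPAA: phone/fax not on missing-person list"),
                permits("Indiana: phone/fax may be reported"), False),
    # Maryland: carriers must report denials; HIPAA permits required-by-law.
    "maryland": (permits("HIPAA: required-by-law disclosure permitted"),
                 requires("Maryland: report denials to state plan"), False),
    # Oklahoma: records available to malpractice parties automatically;
    # HIPAA still permits the disclosure once its process is followed.
    "oklahoma": (Rule("HIPAA litigation", frozenset({WITH_PROCESS, WITHHOLD})),
                 Rule("Oklahoma malpractice", frozenset({WITH_PROCESS, WITHOUT_PROCESS})), False),
}


def run_cases():
    """Apply the test to every case and return the results keyed by case name."""
    return {k: analyze(h, s, state_more_stringent=m) for k, (h, s, m) in CASES.items()}


if __name__ == "__main__":
    for name, (contrary, prevails, ok) in run_cases().items():
        print(f"{name:17} contrary={contrary!s:5} prevails={prevails}")
```

Only the accounting-delay hypothetical comes out contrary, and it is resolved in favour of the state law because the flag marks it as more stringent; a contrary law without that flag falls back to HIPAA.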
  • Module 7: Introduction, Objectives and Overview
  • Lesson 1: HIPAA Preemption of State Law – Key Concepts and Definitions
  • Activity 1: Contrary Case Studies
  • Lesson 1: Recap
  • Lesson 2: Exceptions to HIPAA Preemption of Contrary State Law – Exception Determinations by the Secretary of HHS
  • Module and Lesson 2 Recap
