HIPAA/LAW:
September 2004
"Interaction of HIPAA with State and Other Federal Laws"
By Steve Fox & Rebekah A.Z. Monson, Esqs., Pepper Hamilton LLP
QUESTION: Our hospital organization continues to be confused
by the whole issue of the HIPAA Privacy Rule versus our state privacy
regulations. Should both be addressed in our privacy program, and,
if so, what guidelines can you offer for appropriate integration
of the two?
ANSWER: One of the more complex aspects of the HIPAA Administrative
Simplification requirements (HIPAA), particularly with respect to
the HIPAA Privacy Rule (the "Privacy Rule"), is the interaction
of HIPAA and the Privacy Rule with other federal and state laws
addressing privacy of information. The Privacy Rule itself specifically
addresses its interaction with state laws in the Preemption of State
Law subpart of the Privacy Rule (45 CFR § 160.201 et seq.),
while the preamble to the Privacy Rule, issued on December 28, 2000
(the "Preamble"), provides guidance on the interaction
of HIPAA with other federal laws.
In general, HIPAA preempts state law provisions that are "contrary"
to a provision or requirement of HIPAA. HIPAA includes two "tests"
for determining whether a provision of state law is contrary to
that of HIPAA: (1) if it is "impossible" to comply with
both the state law and HIPAA; or (2) the provision of state law
"stands as an obstacle to the accomplishment or execution of
the federal law." Not surprisingly, there are four categories
of exceptions to this general preemption rule:
- The Secretary of the US Department of Health and Human Services
(HHS) makes a determination that the contrary state provision
is: (1) "necessary" (a) to prevent fraud and abuse related
to the provision or payment for health care, (b) to ensure appropriate
state regulation of insurance and health plans, (c) for state
reporting on healthcare delivery or costs, or (d) for purposes
serving a compelling need related to public health, safety, or
welfare; or (2) has as its principal purpose the regulation of
the manufacture, registration, distribution, dispensing or other
control of any controlled substances.
- The state law(s) relate to the privacy of individually identifiable
health information and are "more stringent" than the
standard, requirement or implementation provided under the Privacy
Rule. HIPAA includes six possible criteria for satisfying the
"more stringent" test, the specifics of which will not
be detailed in this article.
- The state law(s) or procedure(s) are for the reporting of disease,
injury, child abuse, birth, death or for the conduct of public
health.
- The state law(s) require reporting by health plans or require
access to information for audit, evaluation, licensure or certification.
The Privacy Rule applies to Covered Entities, which are defined as
health plans, clearinghouses, and providers who transmit health information
in electronic form in connection with a HIPAA covered transaction. In
reviewing a Covered Entity's compliance with the Privacy Rule, it is
important to consider those state laws applicable to the Covered Entity's
activities. One of the goals of HIPAA was
to establish a uniform national standard for treatment of protected
health information (PHI). Other state and federal laws may provide
additional privacy rights and protections. According to HHS and
the Office for Civil Rights (OCR), in most cases, Covered Entities
should be able to achieve compliance with both HIPAA and the applicable
state laws. Only when a provision of state law is truly in conflict
with a provision of HIPAA, by meeting the "contrary" test
described above, is a preemption determination to be made.
In seeking to meld the Privacy Rule requirements with applicable
state and federal laws in order to comply with all applicable privacy
laws and regulations, it is important to remember that the Privacy
Rule only requires disclosure of PHI in two instances: (1) to the
individual when requested in accordance with the Privacy Rule standards
or pursuant to a Privacy Rule accounting of disclosures, and (2)
when required by the Secretary of HHS to investigate or determine
the Covered Entity's compliance with the Privacy Rule. The other
uses and disclosures addressed by the Privacy Rule are permitted
uses and disclosures. Consequently, if a state or other federal
law requires or prohibits a particular use or disclosure that
the Privacy Rule would otherwise permit, there is no conflict, because
the Privacy Rule does not require that particular use or disclosure
of PHI.
The preemption discussion above pertains to contrary provisions
of state laws. With respect to other federal laws, however, HHS
wrote in the Preamble that Covered Entities are to comply with both
HIPAA and any other federal laws applicable to that Covered Entity.
This is possible in most cases, wrote HHS, because while certain
federal laws may prohibit a particular disclosure or use of certain
PHI, the Privacy Rule only permits (and does not require) the same
disclosure. Consequently, a Covered Entity will not violate the
Privacy Rule if it complies with the more restrictive federal law
and does not make the use or disclosure. Additionally, the Privacy
Rule permits uses and disclosures of PHI as required by other laws
(45 CFR § 164.512(a)), and a Covered Entity may obtain an authorization
from the individual to use or disclose PHI not otherwise permitted
under the Privacy Rule (assuming that the use or disclosure is not
prohibited by another law).
In recent months, various federal agencies have issued guidance
on the interaction of the Privacy Rule with other federal
laws. Two particularly sensitive areas of health information are
records and information pertaining to alcohol and drug abuse and
HIV/AIDS. This past June, the HHS Substance Abuse and Mental Health
Services Administration (SAMHSA) issued a report titled "The
Confidentiality of Alcohol and Drug Abuse Patient Records Regulation
and the HIPAA Privacy Rule: Implications for Alcohol and Substance
Abuse Programs." Last April, the HHS HIV/AIDS Bureau issued
a resource guide titled "Protecting Health Information Privacy
and Complying with Federal Regulations: A Resource Guide for HIV
Services Providers and the Health Resources and Services Administration's
HIV/AIDS Bureau Staff." Both the SAMHSA and the HIV/AIDS Bureau
reports aim to assist their service providers in their efforts to
comply with federal laws and requirements regarding treatment of
alcohol and drug abuse records and the Ryan White CARE Act, respectively.
In particular, the SAMHSA report provides guidance for Covered Entities
that must comply with both the Alcohol and Drug Abuse patient records
regulations (42 CFR Part 2) and the Privacy Rule.
Examining state and federal laws regarding privacy of information,
including the Privacy Rule, to ensure compliance with all applicable
laws is an essential but sometimes daunting task for Covered Entities.
OCR has posted Frequently Asked Questions on its website
addressing preemption of state laws (see http://answers.hhs.gov), and
federal agencies continue to develop guidance for their particular
audience. Additionally, some state bar associations and other organizations
have developed HIPAA preemption matrices and other documents. The
goal to keep in mind when conducting the examination is not necessarily
which law will apply but how to blend the various statutory and
regulatory requirements to ensure compliance with all of the applicable
laws; that is the challenge.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP, www.pepperlaw.com.
This article was co-authored by Rebekah A.Z. Monson, Esq., an associate
of Pepper Hamilton LLP. They may be reached at foxsj@pepperlaw.com.
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.