State & Federal Privacy Laws
and Preemption Analyses
Summary on HIPAA and FERPA from the Department of Education: The Family Policy Compliance Office has not published any guidance on the applicability of the Family Educational Rights and Privacy Act (FERPA) to HIPAA. However, the Office worked closely with HHS on this issue during the rulemaking process. Because FERPA affords students adequate privacy protections, the Government agreed that records that are protected by FERPA should not be subject to HIPAA. The HIPAA Final Privacy Rule of December 28, 2000 explains that records that are subject to FERPA are not subject to HIPAA. Additionally, medical records that are excepted from FERPA's definition of "education records" under section 99.3 "education records" provision are also exempted from coverage by HIPAA. (See page 82483 of the December 28, 2000, Federal Register document on the HIPAA final rule.)
Health Privacy Project Details State Laws Protecting
Privacy
The Health Privacy Project
![[external link]](../images/extlink.gif "external link")
of Georgetown University has published a comprehensive study of
state health privacy statutes. The December 1999 report contains
a careful analysis of current trends in state law and a detailed
summary of patient access, privilege, restrictions on disclosures,
and condition-specific requirements for each state. The Project
is issuing updated state summaries throughout 2002. The updated
summaries reflect changes in state health privacy statutes that
have been made since its original report of nearly 300 pages, "The
State of Health Privacy: An Uneven Terrain (A Comprehensive Survey
of State Health Privacy Statutes)" (PDF) ,
was published. The summaries focus predominantly on the use and
disclosure of information gathered and shared in the context of
providing and paying for health care. Furthermore, the Project has
not analyzed how these state laws will interact with the HIPAA privacy
rule.
Key Findings:
One of the key findings of the report was wide variation in patient
access provisions: 33 states grant access to records held by hospitals
and healthcare facilities, 13 to records held by HMOs and 16 to
records held by insurance companies. Many states grant access to
medical records held by a "provider," but the definitions
of the term often exclude important entities such as pharmacies.
The report also found that state health statutes have not kept up
with changes in the healthcare environment and information technology.
"Our analysis is the first to delineate the ways states have
legislated medical records confidentiality," said Janlori Goldman,
Director of the Health Privacy Project. "It shows tremendous
unevenness, inconsistency, confusion, and lack of coherence across
states in their protection of basic privacy principles. "But
despite this disparity, the report suggests broad preemption of
state law may be unwise. The report observes that:
- states are first to respond to health privacy concerns and
have, in many cases, enacted strong protections;
- states are able to craft detailed laws that address the unique
needs of the patient population and particular healthcare entities;
and
- the extensive range of state law makes it impossible to predict
the effect of federal preemption.
View
the summary of a specific state. View
the report by section (PDF).
Preemption Analyses
State Legislation Tracking Center
eHealth Initiative's State Legislation Tracking Center service lists state-by-state information on bills that have been proposed, are pending or have passed that involve health IT or health information exchange. This service has been created for eHealth Initiative by the legal firm, Davis Wright Tremaine, LLP. It is updated bi-weekly to keep eHealth Initiative and its Connecting Communities members regularly apprised of legislative action as it happens.
Center on Medical Record Rights and Privacy
Georgetown University's Health Policy Institute is issuing a series of state guides that are designed to help healthcare consumers understand their rights to see, get a copy of, and amend their medical records under a combination of their state laws and the HIPAA Privacy Rule. The literacy level is aimed at the average healthcare consumer. Healthcare-related organizations are encouraged to link to the guides so that the materials are widely accessible to healthcare consumers. Work on this project is funded by a grant from the National Library of Medicine.
OCR's FAQs on preemption of state law and requests for preemption exception determinations.
HHS Process for Requesting State Preemption of HIPAA
The March 11, 2003 Federal Register contained a notice from the Department of Health and Human Services (HHS) outlining the process for requesting a state exemption of the HIPAA regulations. The notice also makes clear the boundaries of what HHS can exempt and the reasons that may be used to justify an exemption. Requests must be made to HHS in writing and in the format specified in the notice.
HIPAA State Preemption Analysis , updated as of October 2002, from the American Hospital Association (AHA).
State health information privacy and security laws may be researched at the Attorney Internet Services (AIS) Web site's State Resources page.
WEDI-SNIP's guidelines on common HIPAA issues include an entire section on "Preemption: Balancing Federal and State Regulation of Privacy for Confidential Health Care Information" (document file).
StateHIPAAStudy.com
The Confidentiality Coalition, a 130-member organization representing the health care industry and a part of the Healthcare Leadership Council, sponsors a state preemption analysis resource for HIPAA privacy rules. The tool allows users to subscribe just to the information pertinent to their organization, selecting from the 54 states and jurisdictions, and types of entities covered under the analysis.
Specific States:
|
