HIPAA
HIPAA and State Law
On August 24, 2004, the Department of Health and Human Services posted, in Q&A form, a clarification on HIPAA and state open records laws.
The posting makes clear that any state or local agency that is not covered under HIPAA, such as a police department, is not subject to the act's information restrictions and must comply with state law.
In addition, it says that if the agency is a covered entity, and the state public records law requires disclosure, the information has to be disclosed.
Only if the agency is covered by HIPAA and the state law is permissive do the HIPAA privacy provisions prevail.
The August 24 posting:
Question: State public records laws, also known as open records or freedom of information laws, all provide for certain public access to government records. How does the HIPAA Privacy Rule relate to these state laws?
Answer: If a state agency is not a covered entity, as that term is defined at 45 CFR 160.103, it is not required to comply with the HIPAA Privacy Rule and, thus, any disclosure of information by the state agency pursuant to its state public records law would not be subject to the Privacy Rule.
If a state agency is a covered entity, however, the Privacy Rule applies to its disclosures of protected health information. The Privacy Rule permits a covered entity to use and disclose protected health information as required by other law, including state law. See 45 CFR 164.512(a). Thus, where a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law.
However, where a state public records law only permits, and does not mandate, the disclosure of protected health information, or where exceptions or other qualifications apply to exempt the protected health information from the state law's disclosure requirement, such disclosures are not required by law and thus, would not fall within § 164.512(a) of the Privacy Rule. For example, if a state public records law includes an exemption that affords a state agency discretion not to disclose medical or other information where such disclosure would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law, and therefore is not permissible under § 164.512(a). In such cases, a covered entity only would be able to make the disclosure if permitted by another provision of the Privacy Rule.
As an example of how the Privacy Rule would apply in the case where an exemption exists in a freedom of information law, see the December 2000 Privacy Rule preamble discussion regarding the relationship of the Privacy Rule with the federal Freedom of Information Act (64 FR 82482).
From an earlier posting: Who must comply with new privacy standards?
Answer: As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called covered entities) are bound by the new privacy standards even if they contract with others (called business associates) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See the fact sheet and frequently asked questions on this web site about the standards on Business Associates for a more detailed discussion of the covered entities' responsibilities when they engage others to perform essential functions or services for them.