[Med-privacy] State Privacy Laws’ Increasing Role in Health Care
Privacy
pmarshall
pwm@comcast.net
Wed, 28 Jan 2004 10:29:46 -0800
State Privacy Laws’ Increasing Role in Health Care
Privacy In Focus, January 2004
From a health care privacy perspective, 2003 proved to be a study in duality, with health plans and health care providers initially anticipating that their health care privacy obligations would be met almost exclusively through compliance with the federal HIPAA Privacy Rule (i.e., the Standards for the Privacy of Individually Identifiable Health Information), but then quickly grasping the reality that state privacy laws will continue to be an important factor in their overall privacy compliance responsibilities. HIPAA provides only limited preemption. So when state legislatures continued to enact privacy laws in 2003, health plans and health care providers recognized that the HIPAA Privacy Rule will be only one component of their future privacy compliance obligations.
April 14 "Sigh" Misplaced
As we approached the April 14, 2003 compliance date for the HIPAA Privacy Rule, health plans and health care providers ("covered entities" under the Privacy Rule) focused their attention principally (and in some cases exclusively) on meeting their compliance obligations under the Privacy Rule. They began to see their multi-year HIPAA implementation efforts finally come to fruition. There was an audible, collective sigh on April 14th as a new era in health care privacy took effect without (the often predicted) catastrophic results. However, as time moved on, changes in health care privacy compliance obligations have continued, despite the muscle of the HIPAA Privacy Rule. Indeed, state legislatures continue to flex their own privacy muscle. Thus, for 2004 and beyond, the health care privacy landscape is expected to continue to ebb and flow based in large part on changes dictated by state privacy laws.
The HIPAA Privacy Rule generally does not preempt state privacy laws that provide individuals greater privacy protections. Specifically, the HIPAA Privacy Rule provides that the Privacy Rule does not preempt state laws that relate to the privacy of health information and are not contrary to and are more stringent than the Privacy Rule. In other words, the HIPAA Privacy Rule provides that an individual will receive the benefit of the law that provides greater privacy protections. Most information uses and disclosures allowed under the HIPAA Privacy Rule are permissive rather than mandatory (meaning, a health plan or provider is free to use or disclose the health information as permitted by the Rule, but it is not required to do so). Among those state laws that provide greater privacy protections are those that prohibit or restrict a use or disclosure of health information that is permitted under the Privacy Rule. Thus, where a state law prohibits a disclosure of certain health information, but the HIPAA Privacy Rule permits the disclosure, the more restrictive state law will control.
Because of this limited preemption rule, the HIPAA Privacy Rule need not always impose the exclusive privacy standard under which health plans and providers will be required to operate. Indeed, in many instances, current (or new) state laws and regulations will remain (or become) the governing privacy standard for many types of health information uses or disclosures. Health plans and providers need to keep an eye on the state privacy landscape to ensure that their operational policies on uses and disclosures of protected health information meet the requirements of the more stringent law.
A Changing Landscape
Keeping abreast of a changing state privacy landscape can be a daunting undertaking, given that (i) strengthening individual privacy rights remains an important state health-care issue, (ii) most state legislatures convene annually, so there might be year-to-year modifications, and (iii) health plans (and providers) are often subject to the laws of multiple states. Thus, for covered entities, determining the extent of their state privacy obligations (from both statutory and regulatory perspectives) will be a key ingredient to ensuring on-going compliance.
With this said, the focus and scope of state health care privacy laws contain some common denominators, and we believe state legislatures (and regulators) will continue to target these areas. Thus, as an initial step, health plans and providers might want to focus their attention on the following:

Many state laws seek to impose limitations on external disclosures of certain health information, but do not address internal uses of such information. Thus, the HIPAA Privacy Rule will often impose the sole standard for health plans and providers with respect to the permissible internal uses of protected health information.

Many state laws that impose additional (or different) privacy requirements exceeding those in the HIPAA Privacy Rule address "sensitive health conditions," meaning those health care diagnoses involving a high degree of personal sensitivity or social stigmatization (e.g., HIV and/or AIDS, drug and/or alcohol use, mental health and/or psychiatric treatment, and genetic testing). Such state laws often require covered entities to obtain some form of "legal permission" before they are permitted to disclose the health information for purposes other than those expressly identified in the state law. The types of permitted disclosure under these laws may be more limited than the HIPAA Privacy Rule’s categories of "treatment, payment or health care operations" and those for national priority purposes. The practical effect of these state provisions is that health plans and providers will need to obtain legal permission in situations in which the HIPAA Privacy Rule requires no consent or authorization.
"Legal Permission" Means?
Where state laws do require some form of legal permission and the HIPAA Privacy Rule does not, covered entities must determine what type of "legal permission" the state requires. Some state laws do not include any express requirements for the legal permission, while other state laws dictate requirements that may or may not be as stringent as those of the HIPAA Privacy Rule. Given these state-to-state variations, a growing challenge for health plans and providers will be whether the HIPAA Privacy Rule’s consent/authorization requirements apply when: (i) state law is silent on the components of legal permission, or (ii) state law prescribes requirements for legal permission, but the requirements are different from those of the Privacy Rule.
As we continue in the new year (and for the foreseeable future), the goal and the challenge for covered entities will be to ensure that their on-going health care privacy compliance efforts properly recognize, integrate and respond not only to future changes in the HIPAA Privacy Rule, but also to the vast array of existing—and growing—state privacy laws.

©2003 Wiley Rein & Fielding LLP