[Med-privacy] HIPAAlert: selected items

pmarshall pwm@comcast.net
Thu, 07 Oct 2004 12:22:47 -0700


=================================================================
H I P A A L E R T -- Vol. 5, No. 8 -- October 7, 2004



*** Court Upholds Seizure of Limbaugh's Medical Records,
     Disappoints ACLU ***

The American Civil Liberties Union (ACLU) of Florida yesterday said that
it is disappointed by a state appeals court ruling that state law
enforcement officers properly confiscated Rush Limbaugh's medical
records as part of a criminal investigation involving alleged
"doctor-shopping." "What's at stake here is the medical privacy of
millions of people in Florida and the need to protect people against
unnecessary government intrusion into their medical records," said ACLU
of Florida Legal Director Randall Marshall. In a 2-1 decision issued
yesterday, the Fourth District Court of Appeal ruled that: "...the
constitutional right of privacy in medical records is not implicated by
the State's seizure and review of medical records under a valid search
warrant without prior notice or hearing."

Read more:
http://www.hipaadvisory.com/news/index.cfm#1007aclu



*** GAO Looks at First-Year Experiences Under HIPAA Privacy ***

On Monday, the Government Accountability Office (GAO) released a report
on "First-Year Experiences under the Federal Privacy Rule." The GAO
issued the report to the Chairman of the Senate Committee on Health,
Education, Labor, and Pensions (HELP) to review (1) the experience of
providers and health plans in implementation; (2) the experience of
public health entities, researchers, and representatives of patients in
obtaining access to health information; and (3) the extent to which
patients appear to be aware of their rights. GAO recommends that the
Department of Health and Human Services (HHS) (1) require that patients
be informed of mandatory disclosures to public health authorities in
privacy notices and exempt such disclosures from the accounting
requirement, and (2) conduct a public information campaign to improve
patients' awareness of their rights. HHS noted that it continues to
monitor the public's experience with the accounting provision to assess
the need to modify the rule and described ongoing efforts to educate
consumers. GAO remains concerned about the burden of accounting for
disclosures to public health authorities and believes it is important
that HHS more effectively disseminate information about the Privacy Rule.

Read the report:
http://www.hipaadvisory.com/news/newsarchives/2004/gaofirstyearprivacy.pdf


*** House Passes Prescription Drug Monitoring Bill ***

Last week, the House Energy and Commerce Committee approved a bill (HR
3015) that would create federal funding for states to establish
electronic systems for tracking prescription drugs. The Prescription
Drug Monitoring Program (PDMP) would provide grants through the
Department of Health and Human Services (HHS) to states to establish and
operate prescription drug monitoring programs. The Government
Accountability Office (GAO) recently declared that the presence of a
PDMP helps states reduce illegal usage of prescription drugs. According
to Joy Pritts of Georgetown University's Health Policy Institute, in
order to receive funding, states would have to require pharmacists to
electronically report the names of patients who fill prescriptions for
certain controlled substances. States would be required to share their
identifiable information with other state monitoring systems, and with
state and federal law enforcement officials. For the most part, these
state systems will not be subject to the HIPAA Privacy Rule, says Pritts.

Read the text of HR 3015:
http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.3015:


*** Military Cites HIPAA in Limiting Details on Injured
     Troops ***

HIPAA is making it difficult for military families, veterans groups and
even members of Congress to get details about America's mounting war
casualties in Iraq, according to the Milwaukee Journal Sentinel.
Military officials are citing the law in refusing to identify soldiers
wounded in Iraq or disclose details about their injuries.

Read more:
http://www.hipaadvisory.com/news/index.cfm#1005mjs


*** Interaction of HIPAA with State and Other Federal Laws ***

By Steve Fox & Rebekah A.Z. Monson, Esqs., Pepper Hamilton LLP

QUESTION: Our hospital organization continues to be confused by the
whole issue of the HIPAA Privacy Rule versus our state privacy
regulations. Should both be addressed in our privacy program, and, if
so, what guidelines can you offer for appropriate integration of the two?

ANSWER: One of the more complex aspects of the HIPAA Administrative
Simplification requirements (HIPAA), particularly with respect to the
HIPAA Privacy Rule (the "Privacy Rule"), is the interaction of HIPAA and
the Privacy Rule with other federal and state laws addressing privacy of
information. The Privacy Rule itself specifically addresses its
interaction with state laws in the Preemption of State Law subpart of
the Privacy Rule (45 CFR § 160.201 et seq.), while the preamble to the
Privacy Rule, issued on December 28, 2000 (the "Preamble"), provides
guidance on the interaction of HIPAA with other federal laws.

In general, HIPAA preempts state law provisions that are "contrary" to a
provision or requirement of HIPAA. HIPAA includes two "tests" for
determining whether a provision of state law is contrary to that of
HIPAA: (1) if it is "impossible" to comply with both the state law and
HIPAA; or (2) the provision of state law "stands as an obstacle to the
accomplishment or execution of the federal law." Not surprisingly there
are four categories of exceptions to this general preemption rule:

* The Secretary of the US Department of Health and Human Services (HHS)
makes a determination that the contrary state provision is: (1)
"necessary" (a) to prevent fraud and abuse related to the provision or
payment for health care, (b) to ensure appropriate state regulation of
insurance and health plans, (c) for state reporting on healthcare
delivery or costs, or (d) for purposes serving a compelling need related
to public health, safety, or welfare; or (2) has as its principal
purpose the regulation of the manufacture, registration, distribution,
dispensing or other control of any controlled substances.

* The state law(s) relate to the privacy of individually identifiable
health information and is "more stringent" than the standard,
requirement or implementation provided under the Privacy Rule. HIPAA
includes six possible criteria for satisfying the "more stringent" test,
the specifics of which will not be detailed in this article.

* The state law(s) or procedure(s) are for the reporting of disease,
injury, child abuse, birth, death or for the conduct of public health.

* The state law(s) require reporting by health plans or require access
to information for audit, evaluation, licensure or certification.

In reviewing a Covered Entity's (the Privacy Rule applies to Covered
Entities, which are defined as health plans, clearinghouses, and
providers who transmit health information in electronic form in
connection with a HIPAA covered transaction) compliance with the Privacy
Rule, it is important to consider those state laws applicable to the
Covered Entity's activities. One of the goals of HIPAA was to establish
a uniform national standard for treatment of protected health
information (PHI). Other state and federal laws may provide additional
privacy rights and protections. According to HHS and the Office for
Civil Rights (OCR), in most cases, Covered Entities should be able to
achieve compliance with both HIPAA and the applicable state laws. Only
when a provision of state law is truly in conflict with a provision of
HIPAA, by meeting the "contrary" test described above, is a preemption
determination to be made.

In seeking to meld the Privacy Rule requirements with applicable state
and federal laws in order to comply with all applicable privacy laws and
regulations, it is important to remember that the Privacy Rule only
requires disclosure of PHI in two instances: (1) to the individual when
requested in accordance with the Privacy Rule standards or pursuant to a
Privacy Rule accounting of disclosures, and (2) when required by the
Secretary of HHS to investigate or determine the Covered Entity's
compliance with the Privacy Rule. The other uses and disclosures
addressed by the Privacy Rule are permitted uses and disclosures.
Consequently, if a state or other federal law requires or prohibits a
particular use and disclosure which the Privacy Rule would otherwise
permit, there is no conflict as the Privacy Rule does not require that
particular use or disclosure of PHI.

The preemption discussion above pertains to contrary provisions of state
laws. With respect to other federal laws, however, HHS wrote in the
Preamble that Covered Entities are to comply both with HIPAA and such
other federal laws applicable to that Covered Entity. This is possible
in most cases, wrote HHS, because while certain federal laws may
prohibit a particular disclosure or use of certain PHI, the Privacy Rule
only permits (and does not require) the same disclosure. Consequently, a
Covered Entity will not violate the Privacy Rule if it complies with the
more restrictive federal law and does not make the use or disclosure.
Additionally, the Privacy Rule permits uses and disclosures of PHI as
required by other laws (45 CFR § 164.512(a)), and a Covered Entity may
obtain an authorization for the individual to use or disclose PHI not
otherwise permitted under the Privacy Rule (assuming that the use or
disclosure is not prohibited by another law).

In recent months, various federal agencies have issued guidance on the
issue of interaction of the Privacy Rule and other federal laws. Two
particularly sensitive areas of health information are records and
information pertaining to alcohol and drug abuse and HIV/AIDS. This past
June the HHS Substance Abuse and Mental Health Services Administration
(SAMHSA) issued a report titled "The Confidentiality of Alcohol and Drug
Abuse Patient Records Regulation and the HIPAA Privacy Rule:
Implications for Alcohol and Substance Abuse Programs." And, last April
the HHS HIV/AIDS Bureau issued a resource guide titled "Protecting
Health Information Privacy and Complying with Federal Regulations: A
Resource Guide for HIV Services Providers and the Health Resources and
Services Administration's HIV/AIDS Bureau Staff." Both the SAMHSA and
the HIV/AIDS Bureau reports aim to assist their service providers in
their efforts to comply with federal laws and requirements regarding
treatment of alcohol and drug abuse records and the Ryan White CARE Act,
respectively. In particular, the SAMHSA report provides guidance for
Covered Entities who are in compliance with the Alcohol and Drug Abuse
patient records regulations (42 CFR Part 2) and the Privacy Rule.

Examining state and federal laws regarding privacy of information,
including the Privacy Rule, to ensure compliance with all applicable
laws is an essential but sometimes daunting task for Covered Entities.
OCR has included some Frequently Asked Questions on its website
addressing preemption of state laws [see http://answers.hhs.gov], and
federal agencies continue to develop guidance for their particular
audience. Additionally, some state bar associations and other
organizations have developed HIPAA preemption matrices and other
documents. The goal to keep in mind when conducting the examination is
not necessarily which law will apply but how to blend the various
statutory and regulatory requirements to ensure compliance with all of
the applicable laws - this is the challenge.

Read past HIPAA Legal articles:
http://www.hipaadvisory.com/action/legalqa/archives.htm

------------------------------

Steve Fox, Esq., is a partner at the Washington, DC, office of Pepper
Hamilton LLP. This article was co-authored by Rebekah A.Z. Monson, Esq.,
of Pepper Hamilton LLP. Disclaimer: This information is general in
nature and should not be relied upon as legal advice.


Copyright 2004, Phoenix Health Systems, Inc.