[Med-privacy] public records

Peter Marshall pwm@comcast.net
Thu, 30 Mar 2006 10:33:43 -0800 

  		
State Public Record Access Law Trumps HIPAA Privacy Protections
By Kirk J. Nahra and John W. Kuzin
March 2006 | Privacy in Focus

The Ohio Supreme Court has ruled that the provision of the federal 
Health Insurance Portability and Accountability Act (HIPAA) that 
shields personal health information is trumped by Ohio's Public Records 
Act, which guarantees open access to government records. State ex rel. 
Cincinnati Enquirer v. Daniels, 2006-Ohio-1215 (Mar. 17, 2006).

The case arose from the Cincinnati Enquirer's request to view numerous 
lead-paint citations and lead-assessment reports on private residences 
issued by the city's health department since 1994. The health 
department had denied access to the information based on the HIPAA 
privacy rules, asserting that the records contained private health 
information on children with elevated lead levels who could be 
identified through the addresses of homes cited for lead hazards. An 
intermediate appellate court affirmed the denial of access. In a 
unanimous decision, the Ohio Supreme Court reversed, and ruled that the 
federal privacy law cannot be used to seal records that are public 
under state law and ordered the health department to release the 
requested information.

The court held that the requested records contained no details of any 
specific medical examination, assessment, diagnosis or treatment of any 
medical condition and did not provide any names, ages or any other 
individual identifying information. Thus, they did not contain 
"protected health information" within the meaning of the HIPAA privacy 
rule. The court went on to state that even if the records had contained 
such personal health information -- and assuming that the city health 
department was a "covered entity" subject to HIPAA -- the federal law 
does not supersede the disclosure requirements of the Ohio Public 
Records Act. The specific records requested by the newspaper were 
subject to disclosure under the "required by law" exception to the 
HIPAA privacy rule.