MEMORANDUM
|
TO: |
County Patients' Rights Advocates |
|
FROM: |
Daniel
Brzovic |
|
RE: |
HIPAA
privacy regulations do not preempt PRA access and monitoring authority |
|
DATE: |
|
PAI has been asked whether the new HIPAA privacy
regulations, which took effect
This is an update and revision of our previous memo on the
subject.
HIPAA stands for Health Insurance Portability and Accountability
Act of 1996. This is a federal statute
that is best known for placing restrictions on the ability of employer-provided
health insurance plans to deny coverage for preexisting medical conditions. HIPAA also contains standards for electronic
transmission of health information, and for protecting the privacy of health
information.
Even though HIPAA has been around since 1996, the privacy
provisions were not implemented until 2003 because the issues are so
controversial and complex. For example,
the Department of Health and Human Services received 52,000 comments to the
initial proposed privacy regulations.
The privacy regulations do three things: They place restrictions on the disclosure and
use of individual health information; they allow individuals access to their
health information; and they allow individuals to ask for amendment of
inaccurate or incomplete health information about them.
The federal Department of Health and Human Services
administers the HIPAA privacy provisions, and insures compliance with the HIPAA
privacy requirements. The HIPAA privacy
statute was enacted as part of Part C of Subtitle F of Public Law 104-191,
sections 261-264. Most of the privacy
statute is codified as sections 1171-1179 of the Social Security Act, 42 U.S.C.
§ 1320d-1320d-8. The implementing
regulations, effective
The purpose of the HIPAA “administrative simplification”
provisions (which include the privacy protection requirements) is to improve
the “efficiency and effectiveness of the health care system, by encouraging the
development of a health information system through the establishment of
standards and requirements for the electronic transmission of certain health
information.” Section 261 of the Health
Insurance Portability and Accountability Act of 1996, Public Law 104-191. (The “administrative simplification”
provisions are designed to produce a single set of national billing codes.)
The purpose of the HIPAA privacy regulations is to protect
individual health information from unauthorized disclosure, and to improve the
accuracy of individual health information by allowing individuals to access
their health information and to request amendment of that information if it is
inaccurate or incomplete. Minimum
national privacy standards are necessary as more and more health information is
transmitted electronically. That is the
reason for the federal standards.
The HIPAA privacy regulations require individual written
authorization for release of protected health information unless disclosure
without authorization is allowed under the regulations. There are many
instances when disclosure without individual written authorization is allowed
under the regulations. This includes
disclosure required by law, such as disclosure under the Welfare and
Institutions Code to PRA’s.
The point here is that the regulations are designed to
prevent unauthorized disclosure of protected health information. Disclosure is authorized if an individual
consents to disclosure in writing, or if disclosure is otherwise required by
law. This is similar to the privacy
system under
The HIPAA privacy regulations apply to health care
providers, health plans, and health care clearinghouses (e.g. an entity that
translates provider billing codes into standard HIPAA billing codes, and vice
versa). 45 C.F.R. §§ 160.102(a), 160.103
(definition of “Covered entity”).
The HIPAA privacy regulations apply to “protected health information” which is defined to mean: “…individually identifiable health information [transmitted or maintained in any form or medium, electronic, or otherwise, except]:
(2)(i) Education
records covered by the Family Educational Rights and Privacy Act, as amended,
20 U.S.C. 1232g
(ii) Records described in 20 U.S.C.
1232g(a)(4)(B)(iv) [certain postsecondary school student medical treatment
records]; and
(iii) Employment records held by a covered
entity in its role as employer”
45 C.F.R. § 164.501 (definition of “Protected health
information”).
“Health information” is defined to mean: “…any
information, whether oral or recorded in any form or medium that:
(1) Is created or received by a health care
provider, health plan, public health authority, employer, life insurer, school
or university, or health care clearinghouse; and
(2) Relates to the past, present or future
physical or mental health or condition of an individual; the provision of
health care to an individual; or the past, present, or future payment for the
provision of health care to an individual.”
45 C.F.R. § 160.103 (definition of “Health information”).
No, unless the recipient is a covered entity as described
above (i.e. a health plan, a health care provider, or a health care
clearinghouse).
Yes and no. Any
federal law preempts state law if the laws cover the same subject matter,
unless the federal law has exceptions to preemption. The HIPAA privacy statute has a specific
section dealing with preemption. The
statute provides that the HIPAA privacy statute shall “supersede” any
“contrary” provision of state law.
Social Security Act section 1178(a)(1), 42 U.S.C. § 1320d-7(a)(1). The statute then lists several exceptions to
preemption. Social Security Act section
1178(a)(2), 42 U.S.C. § 1320d-7(a)(2).
The HIPAA privacy statute also provides that the HIPAA privacy
regulations “shall not supercede a contrary provision
of state law, if the provision of State law imposes requirements, standards, or
implementation specifications that are more stringent than the requirements,
standards, or implementation specifications imposed under the regulation.” Public Law 104-191, § 264(c)(2), Social
Security Act section 1178(a)(2)(B), 42 U.S.C. § 1320d-7(a)(2)(B).
There is a three-step process for determining if a state law is preempted by HIPAA:
Is the law contrary to HIPAA?
Is the law more stringent than HIPAA?
Is there a provision of the HIPAA statute or regulations
that otherwise excludes the law from HIPAA preemption?
The HIPAA regulations define “contrary” as follows:
Contrary, when used to compare a
provision of State law to a standard, requirement, or implementation
specification adopted under this subchapter, means:
(1) A covered entity would find it impossible
to comply with both the State and federal requirements; or
(2) The provision of State law stands as an
obstacle to the accomplishment and execution of the full purposes and
objectives of part C of title XI of the Act [the HIPAA privacy statute] or
section 264 of Pub. L. 104-191 [another provision of the HIPAA privacy
statute], as applicable. [Italics in original].
45 C.F.R. § 160.202 (definition of “Contrary”).
A state law is more stringent than HIPAA if it meets the
following conditions:
If a state law provides greater privacy protections to
individuals than HIPAA does;
If a state law provides individuals with greater rights
of access to, or rights to amend, their health information than HIPAA does.
45 C.F.R. § 160.202 (definition of “more stringent”) and §
160.203(b).
In addition, the HIPAA privacy regulations provide that
state laws are not preempted if they relate to reporting of disease or injury,
child abuse, birth, or death; the conduct of public health surveillance,
investigation or intervention; health plan management audits, financial audits,
program monitoring and evaluation; or the licensure or certification of
facilities or individuals; or (with the approval of
PRA access and monitoring probably do not fall under any of the above exceptions to preemption. However, this does not mean that PRA access and monitoring are restricted under the regulations. As discussed in the following sections, the HIPAA regulations themselves allow access and monitoring without individual authorization if disclosure and use of health information is required by law. Disclosure of health information to PRA’s, without individual authorization, is required under state law. This means that the PRA access and monitoring provisions of the Welfare and Institutions Code are not preempted by HIPAA.
Only to the extent required under the Welfare and
Institutions Code. This is because the
HIPAA privacy regulations do not require written authorization for disclosure
of health information if disclosure of the information is “required by
law”. 45 C.F.R. § 164.512.
The Welfare and Institutions Code contains the following PRA access provisions, all of which are mandatory and therefore not preempted by HIPAA:
1.
Access
to clients: Section
5530(a) provides that PRA’s “shall have access to all
clients and other recipients of mental health
services in any mental health facility, program, or service at all times as are
necessary to investigate or resolve specific complaints….” In addition, Section 5255 provides that an
attorney or advocate must meet with a patient as soon as practicable after
certification for 14-day intensive treatment.
2.
Access
to diagnostic or treatment staff: Section 5530(b) provides that PRA’s “shall have the right to interview all persons
providing the client with diagnostic or treatment services.”
3.
Access
to records: Section
5328(m) provides that PRA’s shall have access to
records when they have been given “knowing voluntary authorization by a client
or guardian ad litem.” Section 5542 provides that PRA’s “shall have the right” to inspect and/or copy any non-confidential
records relating to an investigation on behalf of a PRA client, or which
indicates compliance or lack of compliance with laws and regulations governing
patients’ rights. Section 5326.1
provides that the county mental health director or designee (which can include
the PRA) shall have access to information pertaining to denial of rights
contained in the person's treatment record including consent forms, required
documentation for convulsive treatment, documentation regarding the use of
restraints and seclusion, physician's orders, nursing notes, and involuntary
detention and conservatorship papers.[1] Sections 5520(b) and
5545 provide that PRA’s are authorized to obtain
access to otherwise confidential records of non-clients for purposes of
monitoring to ensure compliance with patient’s rights laws and regulations.
All of these sections impose mandatory duties on the part of facilities, programs and services to allow access and monitoring including disclosure of information. Therefore, the disclosure is “required by law.”
The HIPAA privacy regulations set out the following
standard for disclosure of health information required by law:
“A covered entity may use or disclose protected health
information without the written authorization of the individual … in the
situations covered by this section, subject to the applicable requirements of
this section.
(a)
Standard: uses and disclosures
required by law.
(1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
(2) A covered entity must meet the
requirements described in paragraph (c) [relating to disclosures about victims
of abuse, neglect, or domestic violence], (e) [relating to disclosures for
judicial and administrative proceedings], or (f) [relating to disclosures for
law enforcement purposes] of this section for uses or disclosures required by
law. [Italics in original].
45 C.F.R. § 164.512(a).
The regulation broadly requires disclosure of information
required by law under subsection (a), but imposes additional requirements (such
as notice to the individual) for disclosure in connection with the specific
types of activities listed in subsections (c), (e) and (f). None of those specific sections apply to PRA
access or monitoring. Subsection (c),
relating to disclosures about victims of abuse, neglect, or domestic violence,
refers to reports made by the covered entity to agencies authorized to receive
reports of abuse such as adult protective services or the police. This would include mandatory and
non-mandatory reporting under the elder and dependent adult abuse reporting
statute. It does not include disclosures
to the PRA’s because disclosure is at the request of
the PRA, rather than under a reporting statute.
Subsection (e) relating to disclosures for judicial and administrative
proceedings does not apply because PRA access and monitoring is not part of a
court or administrative hearing proceeding.
Subsection (f) relating to disclosures for law enforcement purposes does
not apply to PRA access or monitoring because that section refers to police
procedures, warrants and law enforcement subpoenas. Therefore, the only restriction on disclosure
to PRA’s is the requirement that the disclosure
“complies with and is limited to the relevant requirements of such law,” i.e.
the access and monitoring authority in the Welfare and Institutions Code.
The definition of “required by law” provides further
detail:
“Required by law
means a mandate contained in law that compels an entity to make a use or
disclosure of protected health information and that is enforceable in a court
of law. Required by law includes, but is not limited to, court
orders and court-ordered warrants; subpoenas or summons issued by a court,
grand jury, a governmental or tribal inspector general, or an administrative
body authorized to require the production of information; a civil or an
authorized investigative demand; Medicare conditions of participation with
respect to health care providers participating in the program; and statutes or
regulations that require the production of information, including statutes or
regulations that require such information if payment is sought under a
government program providing public benefits.” [Italics in original, underlining
added]
45 C.F.R. § 164.501 (definition of “Required by law”).
PRA access and monitoring authority is enforceable in a
court of law, Welfare and Institutions Code sections 5530(a), 5550(b), and
5550(e), and therefore clearly falls within the above definition of “required
by law.”
Furthermore, 45 C.F.R. § 164.502(a)(1)(vi) makes it clear
that under the HIPAA privacy regulations a covered entity is permitted to
disclose protected health information in compliance with 45 C.F.R. § 164.512,
discussed above. (Of course, the entity
is required, not permitted, to make the disclosures under the Welfare and
Institutions Code.) The covered entity
does not have authority under the HIPAA privacy regulations to attempt to limit
disclosure. 45 C.F.R. § 164.502(b)(2)(v). The entity must comply with the requirements
of the law that requires the disclosure.
45 C.F.R. § 164.512(a)(1).
It should be noted that the HIPAA privacy regulations in many cases leave in place other laws, including state laws, that are consistent with the purpose of the HIPAA regulations. (See, e.g. 45 C.F.R. § 164.502(g)(4) which provides: “If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.” [Emphasis added]) This is consistent with the purpose of the HIPAA privacy regulations to allow other laws to remain in force so long as the laws provide statutory requirements for the use and disclosure of health information.
No. Release of
records to the PRA is authorized by W&IC section 5328(m).
Release is also authorized by W&IC section 5541. That section provides that records can be released with the authorization of the client or the client’s guardian ad litem. None of these provisions are restricted to adults. Therefore, they include minors.
W&IC section 5523(a) states that clients are presumed competent to authorize release of records to the PRA notwithstanding the existence of a guardianship, conservatorship, or other provision of law. Other provisions of law would include any provision of law restricting minors from executing an authorization for release of records.
Under W&IC section 5523(a) the presumption of
competence exists unless the superior court specifically finds the client to be
incompetent for that purpose, and appoints a guardian ad litem. Therefore, if the client has not been found
incompetent by the court, the client is presumed to be competent. If the client has been found to be incompetent,
the court must appoint a guardian ad litem who must
authorize release of the records. This
includes minors as well as adults since there is nothing in this provision
limiting it to adults.
Yes, as the designee of the county mental health director.
As discussed above, Welfare and Institutions Code section 5326.1 provides that the county mental health director or designee (which can include the PRA) shall have access to information pertaining to denial of rights contained in the person's treatment record including consent forms, required documentation for convulsive treatment, documentation regarding the use of restraints and seclusion, physician's orders, nursing notes, and involuntary detention and conservatorship papers. Necessarily, PRA’s must have access to the names of patients in a facility in order to access this additional information pertaining to denial of rights. Section 5326.1 is broad enough to cover disclosure of patient names.
The
The
the patient's name (now prohibited under HIPAA),
the general condition of the patient (also allowed under HIPAA), and
other information such as the address, age, sex, and medical condition of the patient (now prohibited under HIPAA in the absence of written authorization).
HIPAA regulations allow a facility to maintain a directory
of individuals in the facility, which includes: “(A) The individual’s name; (B)
The individual’s location in the covered health care provider’s facility; (C)
The individual’s condition described in general terms that does not communicate
specific medical information about the individual.” 45 C.F.R. § 164.510(a). HIPAA regulations require that before
information can be added to the directory or released, the patient is “informed
in advance of the use or disclosure and has the opportunity to agree to or
prohibit or restrict the use or disclosure.”
45 C.F.R. §§ 164.510, 164.510(a).
This is the “opt out” provision.
It does not require consent to disclose; it allows disclosure if the
patient has not requested that the information be withheld after being given an
opportunity to object to disclosure. 45
C.F.R. § 164.510 (a)(2), California Civil Code section 56.16. In short, if a hospital wants to maintain a
patient directory, it can do so, consistent with HIPAA and
In addition, under the HIPAA regulations, this information
can be disclosed (for individuals asked for by name) if the individual lacks
capacity to “opt out,” or in an emergency.
Disclosure must be “[c]onsistent with a prior
expressed preference of the individual, if any, that is known to the covered
health care provider.” 45 C.F.R. §§
164.510 (a)(3)(i)(A).
Also, the provider “may, in the exercise of professional judgment,
determine whether the disclosure is in the best interests of the individual
and, if so, disclose only the protected health information that is directly relevant
to the person’s involvement with the individual’s health care.” 45 C.F.R. §§ 164.510 (b)(3). Disclosure of directory information to a PRA
under these sections would always be appropriate unless the provider knows that
the patient has expressed a preference on a prior occasion that the information
not be disclosed to the PRA.
Yes. 45 C.F.R. §
164.512(d)(1) permits use and disclosure of protected health information to a
“health oversight agency” for “oversight activities authorized by law.” This includes “civil … investigations;
inspections; … or other activities necessary for appropriate oversight of: (i) The health care system; … or (iv) Entities subject to
civil rights laws for which health information is necessary for determining
compliance.”
45 C.F.R. § 164.501 defines “health oversight agency” to
mean “… an agency or authority of … a State, … a political subdivision of a
State … or a person or entity acting under a grant of authority from or
contract with such public agency … that is authorized by law to oversee the
health care system (whether public or private) … or to enforce civil rights
laws for which health information is relevant.”
This would include PRA’s acting in accordance
with the Welfare and Institutions Code access and monitoring provisions.
Health oversight activities do not include activities where the individual is the subject of the investigation or activity. 45 C.F.R. § 164.512(d)(2). In other words, the care or services provided to the individual must be the subject of the investigation or activity, e.g. health records could not be disclosed under this section as part of a criminal investigation of the individual.
The Department of Health and Human Services Office for Civil Rights has a useful website. The website has a copy of the final regulations as well as HIPAA fact sheets. It can be found at: http://www.hhs.gov/ocr/hipaa.
The California Office of HIPAA Implementation (Cal OHI)
also has a useful website. It can be
found at: http://www.ohi.ca.gov/state/calohi/ohiHome.jsp. Cal OHI is doing a section by section
analysis to determine which sections of
The California Hospital Association Consent Manual also has up-to-date information on HIPAA.
The Georgetown University Health Privacy Project also has a useful website: http://healthprivacy.com/.
[1]
[2] It does
not include county mental health departments, and probably does not include the