[ Tuesday, February 17, 2004 ]
Texas AG issues HIPAA analysis:
I heard this on the radio Friday and immediately thought, "That's probably not right." The Texas attorney general has issued an opinion that purportedly concludes that the Texas Public Information Act overrides HIPAA. This opinion centers on the intersection of two HIPAA principles: preemption and disclosures allowed/required by law. As you might know, HIPAA has a partial preemption which states that wherever there is a state statute that is less protective of PHI, that state statute is preempted by HIPAA, but wherever there is a more protective state statute, that state statute remains in place. HIPAA also contains an exception to its prime directive (thou shall not disclose PHI, except for an allowed disclosure) which states that a covered entity MAY disclose PHI "as required by law." What happens when a disclosure is required by state law, but the state law requiring the disclosure is less protective of the PHI than HIPAA? Is the disclosure allowed, or is the state law preempted?
I haven't yet had a chance to review the AG opinion (which is here), due to an ugly and moronic mediation I had to attend, but will update this shortly (I promise). Stay tuned!
I've reviewed the AG opinion, and I'm not impressed. The opinion, in fact, is actually correct. What I'm not impressed with are Mr. Abbott's public statements, which don't reflect the content of his opinion and aren't an accurate reflection of state law or HIPAA.
I have met Greg Abbott before; he and I used to attend the same church in Houston, and his personal story is very compelling (he's a wheelchair-bound paraplegic, the result of an injury he suffered when a tree fell on him while he was jogging). By all measures, he's a very smart and effective lawyer. He has spent time as a state judge, which is good experience for an attorney general. Lately, however, any press he has gotten smacks of publicity-seeking opportunism. He has toured the state holding press conferences highlighting his crime-fighting initiatives (including video, a la the TV show Cops, showing his "agents" busting down doors in their black windbreakers with gold "Attorney General" lettering on the back), despite the fact that a minuscule part of the AG's job involves police-style law enforcement. The previous Texas AG, current US Senator John Cornyn, used lights-flashing police cars in his television ads when he was running for AG, which also seemed out of place. Mr. Abbott's statements upon issuing the opinion (statements made to the board of directors of the Freedom of Information Foundation of Texas at the Associated Press office in Dallas) seem to be a continuation of this disheartening trend.
The opinion itself is in response to a request from state Senator Robert Duncan, chairman of the Senate Committee on Jurisprudence. The questions posed by Senator Duncan revolve around the obligations of a governmental body under HIPAA and what law enforcement officials and "first responders" can disclose to the press or the public, particularly when the information is requested in an open records or freedom-of-information context. The opinion notes that HIPAA is only applicable to plans, providers, and clearinghouses, which would include EMS-type first responders but would not include police. The opinion also properly notes that while HIPAA prevents the disclosure of protected health information ("PHI"), an exception exists where the disclosure is required by state law. Since the Public Information Act ("PIA") in Texas requires public agencies to disclose information, disclosures under the PIA would be allowed under HIPAA, since they are disclosures required by state law.
In this sense, there is no conflict between HIPAA and the PIA; HIPAA says that if the PIA requires disclosure, disclosure there will be. However, there are two problems, one that is touched upon in the opinion and one, the bigger one, that is basically ignored. The first is that the PIA itself contains exceptions designed to prevent the disclosure of personal information, especially if that information is protected by the state constitution, other state laws, or state common law. There are other state laws that prevent the disclosure of hospital or physician medical records, mental health records, EMS records, medical conditions and histories deemed confidential under the ADA, or "information that is intimate or embarrassing and in which the public has no legitimate interest." Much (if not all) PHI would fall into one of these categories.
Since the police are not covered entities, they are not subject to HIPAA privacy restrictions, and can and should respond to PIA requests. However, they must still recognize when the PIA restricts the disclosure of information (for example, if the information fits one of the above categories, or was received from a physician or hospital and is subject to state-law restrictions on further disclosure). In those cases, HIPAA doesn't even apply (since the disclosing party isn't a covered entity under HIPAA), but that does not mean the disclosing party should necessarily disclose everything.
This illustrates the second missed issue in the Attorney General's opinion: that the big problems come when someone invokes HIPAA to prevent disclosure of information where HIPAA just isn't applicable. In today's Dallas Morning News, in an editorial supporting the AG's position, the editors give an example of an arrestee dying in police custody, and the police refusing to divulge the circumstances of the death, citing HIPAA as a restriction. In that case, there is no HIPAA restriction on the disclosure of the information. The AG can't say, "HIPAA is not an exception to the rule of openness in the state of Texas" (well, actually, he did say that, but he shouldn't have). What he should say is that governmental entities can't refuse to disclose information pursuant to a proper PIA request based on HIPAA grounds unless there are really HIPAA grounds for the refusal.
That is the big problem the AG could've highlighted and discussed, but didn't. If you want to hide information that the public has a right to, you can't rely on HIPAA to do it with impunity. Don't disclose the name and address of a rape victim, but disclose non-identifying information such as time, place, etc. There are ways to make HIPAA and the PIA operate in tandem, and issuing a blanket refusal to answer on HIPAA grounds isn't generally appropriate.
Although the opinion isn't very well organized to highlight this, governmental entities in Texas confronted with information requests need to make several determinations: (i) is the request made of an entity that is a "covered entity" under HIPAA; (ii) is the request made under the PIA or is it some other type of request; and (iii) is the entity seeking to limit the disclosure or hold back some information? If the answer to (i) is yes, HIPAA applies. If the answer to (ii) is yes, PIA applies. If the answer to (iii) is yes, the entity must first seek a ruling from the AG's office as to whether they can withhold the information. Unfortunately, this is the primary answer to whether a governmental entity can disclose protected health information: if you think you don't want to disclose it, ask us for a ruling.
At least one concrete example of a proper disclosure of information is outlined in the opinion: if a police officer observes the medical condition of a prisoner, the police officer is not prohibited from disclosing that information to a party requesting it for PIA purposes. But if you receive the information from a hospital or physician, you probably shouldn't disclose it, but should ask the AG's office for a ruling.
Ultimately, the AG's opinion isn't wrong. In fact, it's pretty much right on point. Unfortunately, the AG's public declarations of what his opinion says aren't accurate. That is pretty disappointing. The PIA and HIPAA can and do work well together, and entities that try to shirk their PIA obligations by hiding behind HIPAA should be exposed for what they are doing and brought into compliance. Implying that HIPAA is inapplicable to public entities in Texas, however, is dangerous and wrong.
Jeff [11:02 AM]