[ Friday, August 27, 2004 ]
New FAQ on HIPAA applicability to State agencies: OCR has issued a new "frequently asked question" (actually, it's the answer that's important, natch) discussing the intersection of HIPAA and state "open records" requirements. This is a pretty interesting intersection, because it is overlaid by the preemption issue.
HIPAA says covered entities must keep PHI private. A governmental agency can be a covered entity, so it's obligated by HIPAA to keep PHI private. But most governmental agencies must be open and accountable to the public under "open records" or "sunshine" laws. What happens when HIPAA says keep quiet, but Open Records says make it public?
The general rule is that HIPAA says keep it quiet, but that general rule has exceptions. One exception is disclosures that are permitted or required by law. OCR focuses in on that exception, and settles the HIPAA/Open Records dispute based on whether the Open Records law is a "permitted" or "required" disclosure. If the Open Records law is a required disclosure, a governmental covered entity must disclose the information. If it's a permitted disclosure, the governmental covered entity can disclose, but has the option not to disclose. Most Open Records issues involve required disclosures, so that's the answer in most cases.
However, there is one interesting aspect of this intersection that OCR doesn't address, and that's preemption. HIPAA preempts state laws that are less protective of privacy. But HIPAA also allows a covered entity to disclose if the disclosure is "required by [state] law." Well, if the state law requires the disclosure but, if the state law weren't there, HIPAA would prevent the disclosure, isn't HIPAA more protective of privacy, and doesn't that mean HIPAA preempts the state law? Wouldn't that analysis make the "required by law" component of HIPAA allowable disclosures nonsensical? Hmmm.
Jeff [11:19 AM]