Public Entities and HIPAA: When Public Information Laws and HIPAA collideJeffery Drummond
June 5, 2008 — 1,094 views
Most public or governmental entities are subject to “sunshine” laws that require them to operate in a fashion that is open to public view. Because those entities are beholden to the taxpayers as their “shareholders,” they generally must keep their deliberative processes and records open to any member of the general public who wants to observe or review them. Most jurisdictions have open meetings, open records, and public information or freedom of information acts, and public entities must meet the requirements of those laws.
This openness requirement presents a unique problem for public hospitals and the like, whose business normally consists of dealing with medical information and other records that are usually thought of as confidential. Particularly, it can be problematic when state open records laws seem to conflict with the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.
This collision of openness and privacy is particularly accentuated by a circular feature of HIPAA. The general rule of HIPAA is that “protected health information” or “PHI” may not be used or disclosed by covered entities unless specifically allowed by HIPAA. HIPAA-allowed uses and disclosures include medical treatment, payment, and healthcare operations, but there are a handful of other allowed uses and disclosures, including disclosures that are required by law. However, HIPAA also states that any state laws that are less protective of privacy are superseded by HIPAA. Of course, any state law that requires a disclosure other than for treatment, payment, or healthcare operations would probably be considered less protective of privacy than HIPAA, so it should be superseded. But, HIPAA specifically allows disclosures required by state law.
The Ohio Supreme Court addressed the issue earlier this year, and last Friday, June 16, a Texas court of appeals in Austin ruled, in Abbott v. Texas Dept. of Mental Health and Mental Retardation, that HIPAA did not prevent a state regulatory agency from disclosing information pursuant to a request that met the requirements of the Texas Public Information Act (“PIA”). The information in question involved statistics of abuse and assault at facilities run by the Texas Department of Mental Health and Mental Retardation. A newspaper reporter sought, under the PIA, statistics regarding incidents of sexual abuse and assault at TDMHMR facilities, investigations conducted and the results of the investigations, and the names of the facilities and dates that the alleged events occurred. TDMHMR released some statistics on all abuse allegations, but did not identify facilities, claiming that the information would be PHI.
The appeals court noted that it was skeptical of whether the information was actually PHI, but since neither party raised the characterization of the information, the court proceeded to reach an opinion of whether the information should be disclosed, assuming it was PHI. The court determined that the information could still be disclosed under the PIA because that is a disclosure “required by law” and thus is permissible under HIPAA. The court rejected the arguments of TDMHMR that HIPAA made the requested information “confidential” and therefore not disclosable under the PIA, or that the PIA was superseded by HIPAA as a state law less protective of privacy.
Early press reports of the decision note it as a case of state law overriding HIPAA, but that’s a mischaracterization. In this case, because of the “required by law” provisions of HIPAA, both HIPAA and the PIA could be accommodated. It should also be noted that the PIA and the Texas Open Records Act have exceptions for information that is confidential under case law, statute, or the constitution, as well as other exceptions for other personal or private information. The attorney general determined that the information sought, even if it was PHI, was not the type of information that would meet an exception to disclosure under the PIA.
Public hospitals must comply with the requirements of HIPAA, as well as the requirements of the PIA. The PIA has a “default” setting that encourages disclosure, but recognizes that some information should not be publicly available. If a public hospital is requested to disclose information that may contain PHI under a PIA or open records request, it must determine if an exception to disclosure under PIA exists. In most cases involving medical records, there will be relief under the “confidentiality” exception. But if there’s no exception under PIA or the Open Records Act, the public hospital must disclose the information. Note, however, that if a hospital determines that there is an exception, the hospital does not get to unilaterally invoke the exception; rather, the hospital must submit the issue to the Attorney General’s office for a ruling.
On a final note, recently passed legislation requires each director and most officers of public entities, including public hospitals, to receive Open Meetings Act and Open Records Act training. Therefore, public hospitals should be more prepared than ever to address potential conflicts between their “public” nature and their HIPAA obligations.
Jackson Walker L.L.P.