Suggested Citation:"X. DISCLOSURE OF PROTECTED HEALTH INFORMATION WHEN REQUIRED BY LAW ." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.


vacy and security of the information.[253] The agreements that transit agencies provided in response to the survey provide that the agencies will comply with HIPAA; thus, the required by law provision in HIPAA and/or in the agreements could mean that laws other than HIPAA may apply.

X. DISCLOSURE OF PROTECTED HEALTH INFORMATION WHEN REQUIRED BY LAW

A. Subpoenas and Discovery Requests

The HIPAA regulations provide that when required by law, covered entities may disclose PHI without a written authorization of the individual who is the subject of the information and in some cases without an opportunity for the individual to agree or object.[254]

First, covered entities may disclose PHI in response to an order of a court or an administrative tribunal but only as required by the order.[255] That is, PHI is not to be disclosed beyond what is required by a judicial or an administrative order.[256]

Second, covered entities may disclose PHI in response to a subpoena including a grand jury subpoena,[257] discovery request, or other lawful process.[258] When served with a subpoena or a demand for discovery covered entities must comply with certain HIPAA requirements before disclosing PHI.[259] A covered entity must receive satisfactory assurance that “reasonable efforts” have been made by the requesting party to ensure that an individual who is the subject of the requested PHI has been notified of the request[260] or that “reasonable efforts” have been made by the requesting party to obtain a “qualified protective order.”[261] PHI requested during a lawful process also may be disclosed without a covered entity having received satisfactory assurance if the covered entity makes reasonable efforts to provide notice to the individual or seeks a qualified protective order.[262]

A business associate agreement must provide that a business associate will not use or disclose PHI other than as provided in its contract or as required by law,[263] such as in response to a subpoena, request for discovery, or a FOIA or similar request. Although HHS’s sample business associate agreement does not deal specifically with subpoenas and discovery requests, the sample agreement includes a provision that it is a business associate’s duty to disclose PHI as required by law.[264]

In regard to what is required by law in a particular state, state law that is more stringent than HIPAA may result in an exception to HIPAA. For instance, in Ohio the state’s physician-patient privilege permits disclosures only in certain limited circumstances “and responding to a grand jury subpoena is not one of them.”[265] Thus, “because Ohio’s physician-patient privilege statute provides more protection, it is not preempted by HIPAA.”[266]

Twelve agencies having health information on patrons reported that they had not been required or requested to provide health information on their patrons pursuant to a subpoena, a discovery request, or a court or administrative order. However, four agencies reported that they had.[267] GATRA has provided certain unspecified documents in response to a discovery request by a customer’s legal representative. MATA in Memphis has provided records of a paratransit patron’s scheduled rides in response to a court order arising out of a patron’s complaint regarding service. Pierce Transit has provided certain unspecified documents as requested or required. On the other hand, one transit agency that assumes that HIPAA applies to the agency reported that when requested on one occasion to provide records the agency did not release them because of “HIPAA constraints.”

B. FOIA Requests

The term required by law has been construed to include requests made under the federal or a state FOIA or public records disclosure law. In State ex rel. Cincinnati Enquirer v. Daniels[268] the court held that it was HHS’s intention to “preserve access to information considered important enough by state or federal authorities to require its disclosure by law;” that Congress did not intend to preempt the disclosure laws; and that the Privacy Rule’s “approach is simply intended to avoid any obstruction to the health plan or covered health care provider’s ability to comply with its existing legal obligations (citations omitted).”[269]

In Abbott v. Texas Dep’t of Mental Health & Mental Retardation[270] the court, quoting 45 C.F.R. § 164.103, ruled that the phrase required by law, which is a legal mandate that is enforceable in a court of law for the disclosure of PHI, includes “statutes or regulations that require the production of information.” The court held that HIPAA did not preempt the Texas Public Information Act, that the information requested was not confidential, and that the records could be released (some internal quotation marks omitted).

When FOIA or public records disclosure laws mandate disclosure by a covered entity, PHI must be disclosed as long as HIPAA’s “minimum necessary” standard is met and the disclosure does not exceed what is allowed by state laws that are more stringent than HIPAA.[271] When state law allows but does not require the disclosure of PHI, or when there are exceptions or other qualifications that exempt the disclosure of PHI, the requested disclosures are not required by law and, therefore, do not come within the meaning of the Privacy Rule.[272]

A FOIA or public records disclosure law may or may not be more restrictive than HIPAA with respect to the PHI requested. Under Exemption 6 of the federal FOIA, federal agencies may withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.”[273] The Arkansas FOIA does not allow government entities to disclose individuals’ mental health records, adoption or education records[274] or “medical information contained in a non-medical record relating to a medical condition, diagnosis, or treatment.”[275]

No transit agency having health information on patrons reported having been required to provide such information pursuant to a request under the federal or a state FOIA or public records disclosure law.[276]

[253] See Section XV.C. of this digest.
[254] 45 C.F.R. § 164.512(a) (2013). See also 45 C.F.R. § 164.508 and 164.510 referenced in the preceding section. See also, 45 C.F.R. § 164.103 (2013) (definition of required by law). HIPAA also requires the disclosure of PHI when payment is sought under a government program providing public benefits. Id.
[255] 45 C.F.R. § 164.512(e)(1)(i) (2013).
[256] 45 C.F.R. § 164.512(e)(1) (2013).
[257] 45 C.F.R. § 164.512(f)(1)(ii)(B) (2013).
[258] 45 C.F.R. § 164.512(e)(1)(ii) (2013).
[259] 45 C.F.R. § 164.512(e) (2013).
[260] 45 C.F.R. § 164.512(e)(1)(ii)(B) (2013). See § 164.512(e)(1)(iii) (2013) for additional requirements on what constitutes the receipt by a covered entity of satisfactory assurances from a party seeking protected health information.
[261] 45 C.F.R. § 164.512(e)(1)(ii) (2013). See § 164.512(e)(1)(iv) (2013) regarding the written statement and accompanying documentation needed by a covered entity as satisfactory assurances. See 45 C.F.R. § 164.512(e)(1)(v) (2013) regarding what is meant by a qualified protective order.
[262] 45 C.F.R. § 164.512(e)(vi) (2013) (internal citations omitted).
[263] 45 C.F.R. § 164.504(e)(2)(A) (2013).
[264] See U.S. DEP’T OF HEALTH AND HUMAN SERVICES, SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS, (Jan. 25, 2013), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
[265] Natalie F. Weiss, To Release or not to Release: An Analysis of the HIPAA Subpoena Exception, 15 MICH. ST. J. MED. & LAW 253, 271 (citing O.R.C. §§ 2317.02(B)(1)(a)-(e) (2011) and 2317.02(B)(2)(a) (2011)), hereinafter referred to as “Weiss.”
[266] Id. (citing O.R.C. § 2317.02(B)(1) (2011); 45 C.F.R. § 164.512(f)(1)(ii)(B) (2011)). The Weiss article contains a state-by-state discussion of subpoenas for health information.
[267] One transit agency did not respond to the question.
[268] 108 Ohio St. 3d 518, 844 N.E.2d 1181 (Ohio 2006).
[269] Id. at 1187.
[270] 212 S.W. 3d 648, 654-655 (Tex. App. 2006).
[271] U.S. DEP’T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION PRIVACY, MINIMUM NECESSARY REQUIREMENT, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html.
[272] U.S. DEP’T OF HEALTH AND HUMAN SERVICES (answering question regarding the application of HIPAA to FOIA laws) (citing 45 C.F.R. § 164.512(a)), available at http://www.hhs.gov/hipaafaq/permitted/require/506.html.
[273] 5 U.S.C. § 552(b)(6) (2013); see HHS Dec. 2000 Final Rule, supra note 186, 65 Fed. Reg. 82482.
[274] Ayres, supra note 42, at 1007 (citing ARK. CODE ANN. §§ 20-46-104 (Repl. 2001) and 25-19-105(b)(2) (Supp. 2011)).
[275] Id. at 2 (citing ARK. CODE ANN. § 14-14-110(b) (Repl. 1998); Ark. Op. Atty. Gen. No. 2009-021 (Feb. 25, 2009)). The author notes also that “state hospital records, including mental-health information, may only be used for specific research-related purposes and may not otherwise be disclosed.” Id. (citing ARK. CODE ANN. § 20-46-104(a)-(b)).
[276] One transit agency did not respond to the question.


TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
