National Academies Press: OpenBook

How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations (2014)

Chapter: XI. HIPAA PREEMPTION OF CONTRARY STATE LAWS THAT ARE LESS STRINGENT THAN HIPAA

Suggested Citation: "XI. HIPAA PREEMPTION OF CONTRARY STATE LAWS THAT ARE LESS STRINGENT THAN HIPAA." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.

XI. HIPAA PREEMPTION OF CONTRARY STATE LAWS THAT ARE LESS STRINGENT THAN HIPAA

HIPAA preempts state privacy laws that are contrary[277] to the HIPAA requirements and that are less stringent than the HIPAA rules in protecting an individual’s PHI.[278] However, a state law is contrary to HIPAA only when it would be impossible for a covered entity or business associate to comply with both the state law and the applicable HIPAA requirement.[279] Although there are cases holding that HIPAA preempts a provision of state law, the HIPAA preemption provision may not be as broad as it would first seem.

First, the Secretary of HHS may be requested to determine that there is an exception pursuant to which a particular state privacy law is not preempted.[280] There are various grounds on which the Secretary may determine that a provision of state law is “necessary.”[281] There is no preemption when the Secretary determines that a provision of state law is needed to prevent fraud and abuse relating to the provision of or payment for health care; constitutes appropriate state regulation of insurance and health plans; concerns state reporting on health care delivery or costs; or serves a compelling need regarding public health, safety, or welfare such as to warrant an intrusion into privacy.[282] There is also no preemption when the Secretary determines that the purpose of a state law concerns the “regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances” as the terms are defined under federal or state law.[283]

Second, there is no preemption when a contrary state law “relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation” under HIPAA.[284] To be more stringent than a HIPAA provision means that a state law must prohibit or restrict a use or disclosure when the use or disclosure would be permitted by HIPAA.[285] A more prohibitive or restrictive state law still may be preempted either when the Secretary requires disclosure to determine whether a covered entity or business associate is in compliance with HIPAA or when a disclosure is to be made to an individual who is the subject of individually identifiable health information.[286]

Third, a state law is more stringent and thus not preempted when a state law permits an individual “greater rights of access” to his or her individually identifiable health information; “provides greater privacy protection for the individual” who is the subject of the individually identifiable health information; or furnishes an individual with a “greater amount of information.”[287] Some state laws address the legal authority needed from an individual for the use or disclosure of individually identifiable health information. Thus, more stringent state laws are not preempted when they “narrow the scope or duration” of the legal permission or “reduce the coercive effect of the circumstances surrounding the express legal permission.”[288]

Fourth, there may not necessarily be a conflict when a state privacy law is contrary to HIPAA. A covered entity may be able to comply both with the contrary state law and with the HIPAA requirement at issue. For instance, there is no conflict when a HIPAA requirement permits a covered entity to disclose PHI and the contrary state law also permits disclosure. If the issue involves a permissible disclosure under HIPAA, a covered entity may comply with both laws.

Fifth, if a state law prohibits a use or disclosure of information without an authorization for which HIPAA requires an individual’s authorization, a covered entity or business associate may comply with both laws by obtaining an individual’s authorization as provided by the HIPAA regulations.[289] As observed by a New Jersey court “[a]n authorization is a document that is signed by an individual or personal representative of an individual to allow release of protected health information,” the minimal elements of which are set forth in 45 C.F.R. § 164.508(c)(1).[290]

One source has concluded that there may not be that many instances when state laws are preempted by HIPAA.[291] The reason is that HIPAA mandates disclosure only in two instances: (1) when the disclosure is sought by the Secretary of HHS to enforce the Privacy Rule, and (2) when the disclosure is to an individual at the individual’s request. Thus, the state law will have to either prohibit or restrict disclosure to the Secretary of HHS or prohibit or restrict disclosure to the individual at the individual’s request in order to be contrary to HIPAA. It is unlikely that there are many state laws that refuse access to HHS or refuse access to the individual of his or her own medical information, so that few state laws potentially qualify for preemption (emphasis added).[292]

Finally, as discussed in Section X, if a state law requires a use or disclosure of PHI, HIPAA will not prevent the use or disclosure of the information. Under 45 C.F.R. § 164.512(a) a “covered entity may use or disclose protected health information…to the extent that such use or disclosure is required by law.”[293] Although § 164.512 addresses the uses and disclosures for which a patient’s authorization or opportunity to agree or object is not required, a covered entity must comply with the procedures in subparts (c), (e), and (f) when complying with a law that requires a covered entity to make a disclosure of PHI.

A number of cases have held that HIPAA’s Privacy Rule does not preempt state law.[294] In Kalinoski v. Evans[295] a federal court decided that the District of Columbia’s limitations on the disclosure of the personal notes of mental health professionals are more stringent than HIPAA’s requirements and therefore are not preempted by HIPAA.[296] Although the HIPAA regulations allow the disclosure of PHI pursuant to a court order, the District of Columbia’s privacy law prohibited disclosure.[297] Nevertheless, the court held that the information could be disclosed as a matter of a federal evidentiary rule that circumscribed the more stringent District of Columbia privacy law.[298]

In National Abortion Federation v. Ashcroft[299] the court held that an Illinois privacy law was more stringent than HIPAA and therefore not preempted. The Illinois law forbade the disclosure of information without a patient’s consent, even in response to a subpoena and regardless of whether PHI had been deleted or redacted.[300] Under HIPAA the disclosure of the information would be permitted if sensitive information contained in the documents were deleted or redacted.[301] Because the state law was found to be more stringent and more protective of a patient’s privacy, the court held that HIPAA did not preempt the Illinois law.

In 2009, the Minnesota Court of Appeals upheld a statute that gives patients a private right of action for the improper disclosure of medical information.[302] The medical clinic argued that HIPAA preempted the state statute.[303] The court explained that a state statute is contrary to HIPAA if it makes it impossible for a health care provider to comply, or is an obstacle to a health care provider being able to comply, with both the

Footnotes

[277] 45 C.F.R. § 160.202 (2013) (definition of contrary).
[278] 45 C.F.R. § 160.203 (2013) (stating that “[a] standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law”). See also Weiss, supra note 265, at 258 (citation omitted).
[279] 45 C.F.R. § 202 (2013) (subsection (1) of the definition of contrary). The term “contrary” alternatively means that the state law is an “obstacle to the accomplishment of the objectives” of the federal laws designated in the subsection. Id. (subsection (2) of the definition of contrary).
[280] 45 C.F.R. § 160.204(a) (2013).
[281] 45 C.F.R. § 160.203(a) (2013).
[282] 45 C.F.R. §§ 160.203(a) and (a)(1)(i), (ii), (iii), and (iv) and 45 C.F.R. § 160.204 (2013).
[283] 45 C.F.R. § 160.203(a) (2013).
[284] 45 C.F.R. § 160.203(b) (2013).
[285] 45 C.F.R. § 160.202 (2013) (subsection (1) of the definition of more stringent).
[286] 45 C.F.R. §§ 160.202(1)(i) and (ii) (2013).
[287] 45 C.F.R. § 160.202 (2013) (subsections (3) and (6) of the definition of more stringent).
[288] 45 C.F.R. § 160.202 (2013) (subsection (4) of the definition of more stringent).
[289] See, e.g., 45 C.F.R. §§ 164.502(a)(1)(i) and (iv) and 164.502(2)(i) and (4) (ii) (2013). See also 45 C.F.R. §§ 164.508 and 164.510 (2013).
[290] Smith v. American Home Products Corp. Wyeth-Ayerst Pharmaceutical, 372 N. J. Super. 105, 114, N 6, 855 A.2d 608, 613 N 6 (2003).
[291] Beverly Cohen, Reconciling the HIPAA Privacy Rule with State Laws Regulating Ex Parte Interviews of Plaintiffs' Treating Physicians: A Guide to Performing HIPAA Preemption Analysis, 43 HOUS. L. REV. 1091, 1140-1141 (2006).
[292] Id.
[293] 45 C.F.R. §§ 164.512(a)(1) and (2) (2013); 65 Fed. Reg. 82481-82482.
[294] In Alvista Healthcare Center, Inc. v. Miller, 286 Ga. 122, 126, 686 S.E. 2d 96, 99 (2009) (holding that OCGA § 31-33-2 (a) (2) is more stringent than and thus not preempted by 45 C.F.R. § 164.502(g)(4) of the HIPAA regulations); State ex rel. Cincinnati Enquirer v. Daniels, 108 Ohio St. 3d 518, 524, 844 N.E. 2d 1181, 1186-1187 (2006) (no HIPAA preemption of certain lead-citations issued by the Cincinnati Health Department); Grove v. Northeast Ohio Nephrology Assoc., Inc., 164 Ohio App. 3d 829, 844 N.E.2d 400 (2005) (OHIO REV. CODE ANN. § 2317.02(B)(1) relating to the privacy of individually identifiable health information held not superseded by HIPAA); Bihm v. Bihm, 932 So.2d 732 (La. Ct. App. 3d Cir. 2006) (no HIPAA preemption of La. Code Evid. Ann. art. 510).
[295] 377 F. Supp. 2d 136 (D.D.C. 2005).
[296] Id. at 139 (citing D.C. CODE § 7-1201.03).
[297] Id. at 139.
[298] Id. at 140–141.
[299] 2004 U.S. Dist. LEXIS 1701 (N.D. Ill. 2004).
[300] Id. at 10, 18.
[301] Id. at 9–12.
[302] Yath v. Fairview Clinics, N.P., 767 N.W. 2d 34, 49-50 (Minn. Ct. App. 2009).
[303] Id. at 49.


TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
