National Academies Press: OpenBook
Suggested Citation:"XVI. STATE LAWS APPLICABLE TO THE PRIVACY OF HEALTH INFORMATION ." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.


unable to climb steps and requires a boarding chair to enter a van; and whether a rider travels with oxygen tanks.[407] The transit agencies’ responses to the survey concerning their handling of patrons’ health information indicate that they are maintaining strict confidentiality of any patrons’ health information that they receive and maintain.

B. Other Federal Privacy Laws

Transit agencies did not identify any federal laws applicable to them other than the ADA and DOT laws and regulations.[408] HHS has identified a number of federal statutes and regulations that restrict the disclosure of patient information to those disclosures that are required by law. Appendix A of this digest discusses other federal privacy statutes, including those identified by HHS, that are important to the privacy of health information.[409] Some of the federal privacy laws are more extensive than HIPAA and “touch on privacy issues slightly differently.”[410] Federal privacy laws may restrict federal grantees or other entities that are providing services under programs that are affected from making many of the disclosures that the HIPAA regulations would permit under 45 C.F.R. §§ 164.510 or 164.512.[411] Moreover, there are federal privacy laws and regulations that “impose unique requirements affecting the incorporation of covered information into an EHR system.”[412]

C. Resolving Conflicts Between HIPAA and Other Federal Laws

HIPAA permits disclosures of PHI that are required by law pursuant to 45 C.F.R. § 164.512(a). Thus, there is no conflict with HIPAA when another federal law requires a covered entity or business associate to disclose specific information.[413] In such a case, an individual’s authorization under 45 C.F.R. § 164.508 is not needed before making the disclosure.[414]

There is also no conflict with HIPAA when the federal law permits but does not require disclosure, but HIPAA permits disclosure of the information. If there is no basis for a permissible disclosure, then a covered entity or business associate must obtain “an authorization from the individual who is the subject of the information or de-identify the information before disclosing it.”[415]

XVI. STATE LAWS APPLICABLE TO THE PRIVACY OF HEALTH INFORMATION

A. Introduction

Prior to HIPAA, the regulation of medical records was primarily a matter of state law.[416] Since the advent of HIPAA, state law is still important, because there are many businesses and institutions with health information on their patrons that are not subject to HIPAA, including:

    gyms, health websites not offered by covered entities, Internet search engines, life and casualty insurers, Medical Information Bureau, employers (but this one is complicated), worker’s compensation insurers, banks, credit bureaus, credit card companies, many health researchers, National Institutes of Health, cosmetic medicine services, transit companies, hunting and fishing license agencies, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, and some urgent care facilities.[417]

In some jurisdictions, state privacy law is as important as HIPAA.[418] Consequently, transit agencies with health information on their patrons will want to be aware of their states’ laws on the privacy and security of health information. There are “dozens” of state statutes that obligate corporations and individuals to secure health information (footnotes omitted).[419] Although there are myriad gaps in state legislation, some states have “robust common law and statutory protections applicable to the confidentiality of health information (footnote omitted).”[420] Conveniently, there are several sources available online with current citations and information on state laws applicable to the privacy and/or security of health information.[421]

As discussed below, the possible sources of protection under state law include a state’s constitution, statutes and regulations or administrative codes, and the common law.

B. State Constitutions and the Privacy of Health Information

In some states there may be an express or implied right of privacy in a state’s constitution;[422] however, “the vast majority of state constitutions protect only against state action.”[423] In contrast, the constitutions of California and Hawaii guarantee the right of privacy of their citizens, a right that by virtue of judicial decisions includes the protection of individual health information, from invasions of privacy by private parties or the state.[424] Privacy in some states is a statutory rather than a constitutional right.[425]

In Alaska, Article 1, Section 22 of the Alaska Constitution establishes a right to privacy that only applies to government actors, not private actors.[426] The right to privacy vis-à-vis employers is covered under Alaska state statutes. The Supreme Court of Alaska has recognized that an individual has a fundamental privacy interest in his or her medical records[427] and that there is a common law right to privacy that protects individuals from intrusions into privacy.[428] To establish a violation of a common law right to privacy a plaintiff must establish that there was an intentional intrusion by the defendant into “the solitude or seclusion of another or his private affairs or concerns” that a reasonable person would find to be highly offensive.[429] If the state or a state actor interferes with an individual’s fundamental right to privacy, the state or state actor “must demonstrate a compelling governmental interest and the absence of a less restrictive means to advance that interest.”[430]

In California an individual has a right to privacy under Article 1, Section 1 of the California Constitution.[431] To assert a constitutional claim for invasion of privacy an aggrieved person must establish that there is a specific, legally protected privacy interest at issue; that the individual had a reasonable expectation of privacy; and that the invasion of privacy was “sufficiently serious in [its] nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.”[432]

In Montana, Article 2, Section 10 of the Montana Constitution establishes a right to privacy,[433] a right that applies to “autonomy privacy” and “confidential informational privacy” and that includes medical records.[434] To assert a claim against the state or a state actor an individual must demonstrate that he or she has a subjective or actual expectation of privacy in his or her medical records and that society accepts that expectation as a reasonable one.[435]

Although none involved HIPAA, several cases were located for this digest in which plaintiffs brought a claim for invasion of privacy under a state constitutional provision. In Faison v. Parker,[436] although the issue involved disclosure of information in a presentence report, the court observed, first, that the United States Supreme Court has recognized a constitutionally protected privacy interest in two areas: an individual’s interest in avoiding disclosure of personal matters and an individual’s interest in being able to make certain important decisions independently (citations omitted).[437] Second, the court observed that the Third Circuit has held that medical records “may contain intimate facts of a personal nature [that] are well within the ambit of materials entitled to privacy protection. Information about one’s body and state of health is a matter which the individual is ordinarily entitled to retain within the ‘private enclave where he may lead a private life (citations omitted) (some quotation marks omitted).’”[438]

In Faison, the court stated that the analysis for a state constitutional claim is the same as it is for a federal constitutional claim.[439] In deciding whether a constitutional right of privacy has been violated the court must consider:

    (1) the type of record requested; (2) the information it does or might contain; (3) the potential for harm in any subsequent nonconsensual disclosure; (4) the injury from disclosure to the relationship in which the record was generated; (5) the adequacy of the safeguards to prevent unauthorized disclosure; (6) the degree of need for access; and (7) whether there is an express statutory mandate, articulated public policy, or other recognized public interest militating toward access.[440]

In Faison, the court held that a “governmental intrusion into medical records is permitted only after balancing the interests of the individual and society” and after “determining that the societal interest in disclosure outweighs the individual’s privacy interest” based on the facts of the case (citations omitted).[441] The court held, however, that the plaintiff’s constitutional right to privacy in the nondisclosure of her medical and mental health records was not violated by a disclosure of her medical information in a presentence report.

In Grant v. United States[442] the plaintiff alleged a violation of the California constitution because of the defendants Pickett’s and Mercury Casualty Company’s (Mercury) disclosure of the plaintiff’s health information to Mercury’s attorney. To state a constitutional claim a plaintiff must show “a legally protected privacy interest,” a “reasonable expectation of privacy” under the circumstances, and conduct by the defendant constituting “a serious invasion of privacy.”[443] The magistrate judge, whose recommendations were adopted by the court, agreed that the plaintiff had stated a claim for invasion of privacy under the California constitution. However, because the claim arose out of or was incident to the litigation the claim was barred by California’s absolute litigation privilege.[444]

In Rhoades v. Penn-Harris-Madison School Corp.[445] a high school administered a psychological assessment to the plaintiff and other high school students for which the court concluded that Rhoades’ parents had not consented and that Rhoades herself had not given a valid consent. As for state constitutional claims, the court held that because “the full body of state tort law” was available to Rhoades, it was not necessary for the court to find a claim for damages for an invasion of privacy under the Indiana constitution.[446] As for one of Rhoades’ privacy claims based on a state statute, the court held that the statute did not create a private right of action.[447]

C. State Statutory Protection of the Privacy of Health Information

In some situations, although state laws on health privacy vary considerably, a state statute may apply when HIPAA or another federal law does not.[448] However, as one expert observes,

    there is an increased demand for health care information from secondary users for purposes that are not really related to health care. Many of these holders of health information are not subject to ethical obligations to maintain its confidentiality. Even where an ethical duty exists, in some jurisdictions it is not enforceable by law.[449]

Some states such as California have enacted fairly comprehensive health privacy and security laws, but most state regulation has developed in a “fairly haphazard fashion.”[450] In Massachusetts, a person has a statutory right against unreasonable, substantial, or serious interference with a person’s privacy.[451] In Virginia, although patient records are the property of a provider, Virginia statutory law also recognizes a patient’s right of privacy in the context of his or her medical records.[452] Elsewhere in some states much of the health information is not protected because the statutes are condition-specific or entity-specific.[453]

Some states have statutes that apply to the privacy of health information created, received, or maintained by health care providers or practitioners. With some exceptions (e.g., mental health records), many state statutes reviewed for this digest grant an individual a right of access to his or her medical records held by health care providers.[454] Although statutes may restrict the disclosure of health information, it appears that most state statutes apply only to health care providers as the term is defined by the state statute.[455] In most state statutes reviewed for this digest, the term “health care provider” or “practitioner” is not broad enough to apply to transit agencies having health information on patrons.[456]

Although no cases were located for this digest involving claims against transit agencies for violating patrons’ privacy with respect to their health information, some cases were located in which a plaintiff sued for invasion of privacy based on a state statute. In Cordts v. Chicago Tribune Co.[457] the plaintiff alleged that an employee of Medeval Corporation, a company hired by the Chicago Tribune to evaluate disability claims, wrongfully disclosed to Cordts’ ex-wife that he was receiving treatment for depression.[458] The Chicago Tribune, his employer, had provided Cordts with a document assuring him that his health information would not be disclosed to unauthorized parties. The plaintiff sued for public disclosure of private facts and for a violation of the Mental Health and Developmental Disabilities Confidentiality Act.[459] The court held that Cordts’ claim under the Confidentiality Act that provided that mental health services “shall be confidential and shall not be disclosed except as provided in this Act”[460] was not dismissible in part because the defendants had not challenged the sufficiency of Cordts’ allegations.[461] However, based on the record the court ruled that Cordts’ allegations were sufficient to state a cause of action.[462]

In Steinberg v. CVS Caremark Corp.[463] the plaintiffs, claiming that CVS Caremark Corporation and CVS Pharmacy, Inc. misused their confidential prescription information, sued for alleged violations of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), as well as for invasion of privacy and unjust enrichment. On the UTPCPL claim the plaintiffs argued that the defendants made material misrepresentations in their Notice of Privacy Practices and Code of Conduct regarding how the plaintiffs’ information would be used. The court dismissed the UTPCPL claim because the health information had been de-identified and was no longer PHI[464] and because the plaintiffs failed to allege any “compensable value” of the information.[465]

In Doe v. Guthrie Clinic, Ltd.[466] a nurse at a medical clinic disclosed to the plaintiff’s girlfriend that Doe was being treated for a sexually transmitted disease. In addition to other claims, the plaintiff alleged violations of §§ 2803-c and 4410 of the New York Public Health Law and § 4504 of the New York Civil Practice Law and Rules. However, the court ruled that the defendants did not come within the statutory definition in § 2803-c of a “health-related service.” As for § 4410, the court stated that New York courts have held that the section does not authorize a private cause of action for a wrongful disclosure of health information.[467]

In Cooney v. Chicago Public Schools[468] the court affirmed the dismissal of an action arising from a firm’s disclosure of personal information on 1,700 former Chicago public school employees. The court held that the Chicago Board of Education, which retained the firm that made the disclosure, was not liable to the plaintiffs under the Illinois Personal Information Protection Act.[469] Under the Act, the Board of Education only had to provide timely notice of a security breach, which it did, to the affected parties.[470] The plaintiffs’ attempts to make a claim under other statutes also were to no avail (e.g., the Consumer Fraud Act) for two reasons. The laws did not apply to the entity allegedly responsible for the disclosure of health information, and the plaintiffs failed to allege “specific actual damages.”[471] Allegations of potential harm are not sufficient.[472]

In Grocela v. General Hosp. Corp.[473] the plaintiff, a doctor, alleged that the Research Ventures & Licensing Department (RVL Department) of Massachusetts General Hospital (MGH) that administered a research program on behalf of MGH improperly disclosed his personal information on a Web site. The RVL Department identified the doctor as the inventor of a 2005 invention and implied that the invention had been tested on the plaintiff doctor personally.[474] Among other grounds, the doctor’s invasion of privacy claim was based on a Massachusetts statute.[475] The court construed the statute to require a plaintiff to prove that a defendant “unreasonably, substantially and seriously interfered” with the plaintiff’s privacy by disclosing facts of a “highly personal or intimate nature” and that the defendant “had no legitimate reason for doing so.”[476]

The court recognized that publication is essential to a tort claim for invasion of privacy but, first, as did the court in Faison, the court applied a balancing test. Because the Massachusetts statute

    “proscribes only unreasonable interferences with a person’s privacy, legitimate countervailing business interests in certain situations may render the disclosure of personal information reasonable and not actionable under the statute.” … In making such a determination, a court “must balance the employer’s legitimate business interest in obtaining and publishing the information against the substantiality of the intrusion on the employee’s privacy resulting from the disclosure.”[477]

Second, the court applied a de minimis test.

    MGH has a substantial interest in furthering research and supporting inventions which have the potential to benefit both the hospital and its patients. This interest far outweighs any possible intrusion into Dr. Grocela’s privacy which, in any event, is de minimis.[478]

Although the balancing of competing interests usually involves a factual inquiry, the court held that a case is “suitable for dismissal” when the record shows that there was only a de minimis intrusion into an employee’s privacy (citation omitted).[479]

In sum, with a few exceptions, the plaintiffs in the foregoing cases had difficulty stating a claim for a violation of a state privacy statute, as well as difficulty showing that the information had any compensable value.

D. State Laws Limiting Further Disclosure of Health Information

As discussed in Sections IV, V, and IX of this digest, when a person or entity is a business associate of a covered entity or a subcontractor of a business associate of a covered entity, HIPAA applies when they create, receive, maintain, or transmit PHI on behalf of the covered entity. When HIPAA does not apply to a person or entity having PHI, the laws of some states may restrict a person or entity from any disclosure or redisclosure of an individual’s information to what are referred to herein as downstream recipients.

In Arizona, “[a] person who receives medical records…pursuant to this section shall not disclose those records without the written authorization of the patient or the patient’s health care decision maker, unless otherwise authorized by law.”[480] Furthermore, the Arizona statute provides in part that “[i]f a health care provider releases a patient’s medical records…to a contractor…the contractor shall not disclose any part or all of a patient’s medical records or payment records in its custody except as provided in this article (emphasis added).”[481] Unless redisclosure is permitted by another provision of the statute an individual must authorize a further disclosure of his or her health information.

The California Confidentiality of Medical Information Act (CCMIA) states that “[n]o provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c).”[482] California law also provides that “[a] recipient of medical information pursuant to an authorization…may not further disclose that medical information except in accordance with a new authorization” or as otherwise required or permitted by law (emphasis added).[483] Unlike HIPAA, the CCMIA provides that patients may bring a legal action for violations of the law and seek to recover compensatory and punitive damages. The CCMIA provisions permitting a judicial remedy are not preempted by HIPAA because HIPAA has no private right of action.[484]

Under Florida law, a records owner must

    maintain a record of all disclosures of information…to a third party, including the purpose of the disclosure request. … The third party to whom information is disclosed is prohibited from further disclosing any information in the medical record without the expressed written consent of the patient or the patient’s legal representative (emphasis added).[485]

The term “records custodian” “means any person or entity that…[o]btains medical records from a records owner, (emphasis added)”[486] meaning one who is required to “maintain records or documents as provided under the confidentiality and disclosure requirements” of the statute.[487]

In Massachusetts, every “holder” of “personal data” must identify an individual who is responsible for a personal data system and that person must insure that the statutory requirements are met to prevent access to or the dissemination of personal data.[488] Under the statute a holder of personal data is

    an agency that collects, uses, maintains or disseminates personal data or any person or entity which contracts or has an arrangement with an agency whereby it holds personal data as [a] part or as a result of performing a governmental or public function or purpose. A holder which is not an agency is a holder, and [is] subject to the provisions of this chapter, only with respect to personal data so held under [a] contract or [an] arrangement with an agency (emphasis added).[489]

It is not apparent that the above provision would apply necessarily to every transit agency. The statute defines the term “agency” to mean an agency “of the executive branch of the government, including but not limited to any constitutional or other office, executive office, department, division, bureau, board, commission or committee thereof; or any authority created by the general court to serve a public purpose, having either statewide or local jurisdiction.”[490]

In Texas, the state health privacy law “applies to a broader range of persons and entities that obtain or maintain health information” than HIPAA’s Privacy Rule and arguably applies to prevent any holder of health information from disclosing it to downstream recipients.[491] The Texas statute defines the term “covered entity” more broadly than does HIPAA. In Texas a covered entity is:

    Any person who…(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site…. (emphasis supplied).[492]

However, in Texas a covered entity also is

    Any person who…(B) comes into possession of protected health information; (C) obtains or stores protected health information under this chapter; or (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.[493]

Under the Texas statute if an entity is a covered entity it may not “electronically disclose,” except for example to another covered entity in connection with treatment, “an individual’s protected health information to any person without a separate authorization from the individual or the individual’s legally authorized representative for each disclosure.”[494] A Texas governmental publication observes that the Texas health privacy law applies to more types of entities than HIPAA and, indeed, “defines ‘covered entity’ as anyone who has any role at all in the production, gathering, storing, processing, or transmittal of PHI, as well as anyone who comes into possession of such information….”[495] The attorney general in Texas is authorized to institute an action for a violation and may seek civil penalties ranging from $5,000 to $250,000 against a covered entity, which as noted is a broadly defined term in the Texas statute.[496]

Other states in which a recipient of medical information may be prohibited from disclosing the information include New York[497] and

407 Id.
408 Sixteen of 17 transit agencies having health information on patrons reported that they were unaware of other federal privacy laws that were applicable to their agency.
409 App. A of this digest does not discuss several federal privacy laws that clearly are inapplicable to transit agencies having health information on patrons. See, e.g., Electronic Communications Privacy Act, 18 U.S.C. § 2511(1)(a)-(b) (disclosure of wire, oral, or electronic communications); Telecommunications Act, 47 U.S.C. § 222(a)-(c) (expressing a telecommunications carrier’s duty to protect the confidentiality of proprietary customer information); Cable Communications Act, 47 U.S.C. § 551 (prohibiting the disclosure of cable subscriber information without consent); and Child Online Protection Act, 15 U.S.C. §§ 6501(4) and (8) (defining disclosure and personal information).
410 WORLD PRIVACY FORUM, Patient’s Guide to HIPAA–Overview: What Federal Laws are Relevant to Health Privacy? (see subsection 3 entitled “What Federal Laws are Relevant to Health Privacy”) (identifying the five most important as being the Privacy Act of 1974, Confidentiality of Alcohol and Drug Abuse Patient Records Regulations, Family Educational Rights and Privacy Act, Americans with Disabilities Act, and the Genetic Information Nondiscrimination Act), hereinafter referred to as “World Privacy Forum,” available at http://worldprivacyforum.org/2013/09/hipaaguide3/.
411 65 Fed. Reg. 82484.
412 Acevedo & Rathburn, supra note 15, at *8.
413 65 Fed. Reg. 82485.
414 Id.
415 Id.
416 Terry & Francis, supra note 387, at 708–09 (footnote omitted).
417 World Privacy Forum, supra note 410, at ¶ 9 (see “Part 1: Learning about HIPAA” and subpart entitled “Other Record Holders”). See also Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 YALE J. HEALTH POL’Y L. & ETHICS 327, 328 (2002), hereinafter referred to as “Pritts.”
418 See Phillips, supra note 13.
419 Pasternack, supra note 8, at 830.
420 Terry & Francis, supra note 387, at 712.
421 See The State of Health Privacy, A Survey of State Health Privacy Statutes (2d ed.), hereinafter referred to as “Survey of State Health Privacy Statutes,” available at http://ihcrp.georgetown.edu/privacy/pdfs/statereport1.pdf, and National Conference of State Legislatures, State Security Breach Notification Laws, hereinafter referred to as “State Security Breach Notification Laws,” available at http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx. See also Elizabeth Hutton & Devin Barry, 2004 Privacy Year in Review: Developments in HIPAA, 1 ISJLP 347, 381 (2005).
422 Pritts, supra note 417, at 330 and n.17 (citing King v. State, 535 S.E.2d 492, 494-95 (Ga. 2000) (recognizing an implied right to privacy of personal medical records under Georgia’s constitution)).
423 Id.
424 Id. (citing CAL. CONST., art. I, § 1 and HAW. CONST. art. I, § 6). See also id. at 352 (citing Jeffrey H. v. Imai, 101 Cal. Rptr. 2d 916, 921 (Cal. Ct. App. 2000) (the court stating that disclosure of a medical condition concerned a “core value” protected by the California Constitution, article I, section 1, on informational privacy) and Hill v. National Collegiate Athletic Ass’n, 865 P. 2d 633, 658 (Cal. 1994)).
425 See, e.g., MASS. GEN. LAWS ch. 214, § 1B (2013) and VA. CODE ANN. § 32.1-127.1:03(A) (2013) (discussed in Section XVI.C in this digest).
426 ALASKA CONST. art. 1, § 22; see Luedtke v. Nabors Alaska Drilling, Inc., 768 P. 2d 1123, 1130 (Alaska 1999).
427 Gunnerud v. Alaska, 611 P. 2d 69, 70 (Alaska 1980).
428 Luedtke, 768 P. 2d at 1133.
429 Id. at 1137 (quoting Restatement (Second) of Torts § 652B).
430 Sampson v. Alaska, 31 P. 3d 88, 91 (Alaska 2001).
431 CAL. CONST. art 1, § 1.
432 Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal. 4th 1, 37, 865 P.2d 633, 654-55, 26 Cal. Rptr. 853, 857 (1994).
433 MONT. CONST. art 2, § 10.
434 Montana v. Nelson, 283 Mont. 231, 241, 941 P.2d 441, 448 (1997).
435 Id. at 447–48.
436 823 F. Supp. 1198 (E.D. Pa. 1993).
437 Id. at 1201.
438 Id.
439 Id. at 1205.
440 Id. at 1201.
441 Id.
442 2011 U.S. Dist. LEXIS 61833, at *1 (E.D. Cal. 2011).
443 Id. at 29.
444 Id. at 31.
445 574 F. Supp. 2d 888 (N.D. Ind. 2008).
446 Id. at 910.
447 Id. at 904–05 (citing IND. CODE § 20-10.1-4-15).
448 Survey of State Health Privacy Statutes, supra note 421, at ii.
449 Pritts, supra note 417, at 328-329.
450 Id. at 327.
451 MASS. GEN. LAWS ch. 214, § 1B (2013) (stating that “[a] person shall have a right against unreasonable, substantial or serious interference with his privacy” and that the superior court has “jurisdiction in equity to enforce such right and in connection therewith to award damages”).
452 VA. CODE ANN. § 32.1-127.1:03(A) (2013).
453 Pritts, supra note 417, at 335.
454 California Patient Access to Medical Records Act, CAL. HEALTH & SAFETY CODE § 123110(a) (2013); FLA. STAT. ANN. § 456.057(1) (2013); IND. CODE ANN. § 16-39-1-1(c) (2013); KY. REV. STAT. ANN. § 422.317(1) (2013); LA. REV. STAT. § 40:1299.96 (2013); ME. REV. STAT. ANN. tit. 22, § 1711-B(2); Maryland Confidentiality of Medical Records Act, MD. CODE ANN., Health–Gen. §§ 4-301, 4-309 (2013); 42 PA. CONS. STAT. ANN. § 6155(b) (2013); and VA. CODE ANN. § 32.1-127.1:03 (2013).
455 Pritts, supra note 417, at 336.
456 See Section XVI.D.
457 369 Ill. App. 3d 601, 860 N.E.2d 444 (2006).
458 Id. at 602, 860 N.E.2d at 446-447.
459 740 ILL. COMP. STAT. 110/1, et seq. (2004).
460 Cordts, 860 N.E.2d at 449, citing 740 ILL. COMP. STAT. 110/2, 3(a) (2004).
461 Id. at 612, 860 N.E.2d at 454.
462 Id.
463 899 F. Supp. 2d 331 (E.D. Pa. 2012).
464 Id. at 338.
465 Id. at 339; La Court v. Specific Media, Inc., 2011 U.S. DIST. LEXIS 50543, at *1 (C.D. Cal. 2011); In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005); and In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 525 & n.35 (S.D.N.Y. 2001).
466 2012 U.S. DIST. LEXIS 20507, at *1 (W.D. N.Y. 2012).
467 Id. at 25 (citing Burton v. Matteliano, 81 A.D. 3d 1272, 1275, 916 N.Y.S.2d 438 (2011)).
468 407 Ill. App. 3d 358, 361, 943 N.E.2d 23, 27 (2010).
469 Id. (citing 815 ILL. COMP. STAT. 530/1).
470 Id. at 362, 943 N.E.2d at 28 (citing 815 ILL. COMP. STAT. 530/10).
471 Id. at 365, 943 N.E.2d at 31.
472 Id. (citing Yu v. IBM, 314 Ill. App. 3d 892, 732 N.E. 2d 1173, 247 Ill. Dec. 841 (2000)).
473 30 Mass. L. Rep. 176, 2012 Mass. Super. LEXIS 206 (Mass. Super. Ct. 2012).
474 Id. at 14–16.
475 G.L. c. 214, § 1B. The statute provided in part that “[a] person shall have a right against unreasonable, substantial or serious interference with his privacy.” See Grocela, 2012 Mass. Super. LEXIS 206 at 16.
476 Grocela, 2012 Mass. Super. LEXIS 206 at 16 (quoting Martinez v. New England Med. Ctr. Hosps., Inc., 307 F. Supp. 2d 257, 267 (D. Mass. 2004) (applying Massachusetts law and citing Schlesinger v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 409 Mass. 514, 518, 567 N.E.2d 912 (1991) (internal citations omitted) (internal quotation marks omitted)).
477 Id. at 17 (quoting Bratt v. IBM Corp., 392 Mass. 508, 520, 521, 467 N.E.2d 126 (1984)).
478 Id. at 19–20. See also Doe v. Di Genova, 642 F. Supp. at 634 (also applying a balancing test to the plaintiff’s federal constitutional claim for violation of his right of privacy).
479 Grocela, 2012 Mass. Super. LEXIS 206 at 17–18.
480 ARIZ. REV. STAT. § 12-2294(E) (2013).
481 Id.
482 CAL. CIV. CODE § 56.10(a) (2013).
483 CAL. CIV. CODE § 56.13 (2013). See also CAL. CIV. CODE §§ 56.10(c) and 56.11 referenced in the section.
484 David Humiston & Stephen M. Crane, Managed Care (May 2002), Will Your State’s Privacy Law be Superseded by HIPAA?, hereinafter referred to as “Humiston & Crane,” available at http://www.managedcaremag.com/archives/0205/0205.hipaabystate.html.
485 FLA. STAT. ANN. § 456.057(12) (2013).
486 FLA. STAT. ANN. § 456.057(3)(b) (2013).
487 FLA. STAT. ANN. § 456.057(4) (2013).
488 Fair Information Practices, MASS. GEN. LAWS ch. 66A, § 2(a) (2013).
489 MASS. GEN. LAWS ch. 66A, § 1 (2013) (definitions).
490 Id.
491 Pritts, supra note 417, at 346.
492 TEXAS HEALTH & SAFETY CODE § 181.001(b) (2013).
Virginia. Under the Virginia Health Records Privacy Act an individual has a right of privacy in his or her health records.498 Although the records are the property of the health care entity, except as oth- erwise permitted by state law, a health care entity or other person working in a “health care setting” may not disclose an individual’s health records.499 With some exceptions relating to treatment or research, the Virginia statute states that “[n]o person to whom health records are disclosed shall redisclose or otherwise reveal the health records of an individual, beyond the purpose for which such disclosure was made, without first obtaining the individual’s specific authorization to such re- disclosure.”500 Nevertheless, the Virginia statute 493 Id. 494 Id. § 181.154(b) (2013). 495 See Especially for Texas Employers, available at http://www.twc.state.tx.us/news/efte/hipaa_basics.html. 496 TEXAS HEALTH & SAFETY CODE § 181.201(b). In one instance as provided in the statute a court may assess civil penalty not to exceed $1.5 million annually. TEXAS HEALTH & SAFETY CODE § 181.201(c). 497 See discussion in Section XVI.D. 498 CODE OF VIRGINIA § 32.1-127.1:03(A) (2013). 499 Id. 500 Id. The Virginia statute does not preclude redis- closure to “(i) any health care entity that receives health records from another health care entity from

48 includes at least 29 instances when health care entities may or shall disclose health records in- cluding when required “by other provisions of state law….”501 Unlike HIPAA, some state statutes allow an individual to bring a civil action against a person who intentionally and unlawfully discloses a per- son’s health information.502 As in Texas, some of the statutes are broad enough to apply to down- stream recipients of health information such as transit and other agencies. For example, in Maine the enforcement provision follows the section es- tablishing the state’s confidential policies that apply to health care practitioners and health care facilities.503 Maine’s law states in part that “[a]n individual who is aggrieved by conduct in viola- tion of this section may bring a civil action against a person who has intentionally unlawfully dis- closed health care information…(emphasis added).”504 The Maryland statute provides that “[a] health care provider or any other person is in violation of this subtitle if the health care pro- vider or any other person…[d]iscloses a medical record in violation of this subtitle (emphasis added).”505 Maryland law further provides that “[a] health care provider or any other person who knowingly violates any provision of this subtitle is liable for actual damages (emphasis added).”506 Thus, although under HIPAA there is no pro- tection of PHI after it is released by a covered en- tity or business associate to another person or en- tity not subject to HIPAA, some states have laws that are more restrictive than HIPAA. 
Some state laws direct that a further disclosure by a down- stream recipient of an individual’s health infor- making subsequent disclosures as permitted under this section and [HIPAA] or (ii) any health care entity from furnishing health records and aggregate or other data, from which individually identifying prescription infor- mation has been removed, encoded or encrypted, to qualified researchers” as identified in the statute. Id. 501 CODE OF VIRGINIA § 32.1-127.1:03(D) (2013). 502 ME. REV. STAT. ANN. tit. 22, § 1711-C(13) (2013); MD. CODE ANN., Health-Gen. § 4-309(f) (2013) (patient’s right to sue and recover actual damages from health care providers who knowingly violate the Maryland Confidentiality of Medical Records Act); MASS. GEN. LAWS ch. 214, § 1B (2013) (person has right to maintain civil suit in equity to enforce right of privacy and seek damages). 503 ME. REV. STAT. ANN. tit. 22, § 1711-C(7) (2013). 504 Id. § 1711-C(13) (2013). 505 MD. CODE ANN., Health-Gen. § 4-309(c)(2) (2013). 506 Id. § 4-309(f) (2013). mation requires the individual’s authorization or reauthorization. E. Security of Health Information Under State Privacy Laws According to the National Conference of State Legislatures (NCSL), 46 states, the District of Co- lumbia, Guam, Puerto Rico, and the Virgin Is- lands have enacted legislation requiring notifica- tion of security breaches involving personal information.507 State statutes on notification of security breaches “vary widely in the scope of information they cover and their notification requirements. Although some state laws require notification only to affected individuals, the requirements governing the content of such notifications are not materially different from what is required by the HIPAA Breach Notification Rule.”508 The state statutes and security rules appear to apply only to health care providers.509 However, some state statutes may be broad enough to apply to other recipients or custodians of health infor- mation. 
In Florida, a “records owner” includes, for example, any health care practitioner who gener- ates a medical record or a health care practitioner to whom records are transferred by a previous records owner or any health care practitioner’s employer.510 Furthermore, a records custodian is “any person or entity that…[o]btains medical re- cords from a records owner…. (emphasis added).”511 In New York, with respect to patient information disclosed by a health care provider to someone other than the subject of the information or to other permitted persons the information is subject to limitations on disclosure as provided in the statute and “should be kept confidential by the party receiving such information.”512 507 Survey of State Security Breach Notification Laws, supra note 421. 508 Acevedo & Rathburn, supra note 15, at *7 (citing, e.g., ARIZ. STAT. § 44-7501; CAL. HEALTH & SAFETY CODE § 1280.15; 815 ILL. COMP. STAT. 530/5.1; MD. CODE ANN. Com. Law §§ 14-3504–3508; and MASS. GEN. LAWS ch. 93H, §§ 1–6 (requiring that notification be given to cer- tain state officials)). 509 Pritts, supra note 417, at 338. 510 FLA. STAT. ANN. § 456.057(1) (2013). 511 Id. §§ 456.057(3)(b) (2013) and § 456.057(4) (2013). A records owner must maintain “a record of all disclosures of information…to a third party, including the purpose of the disclosure request. FLA. STAT. ANN. § 456.057(12) (2013). 512 N.Y. PUB. HEALTH LAW § 18(6) (2013).

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
