Suggested Citation: "APPENDIX A FEDERAL PRIVACY LAWS OTHER THAN HIPAA." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.


APPENDIX A—FEDERAL PRIVACY LAWS OTHER THAN HIPAA

Although transit agencies did not identify any federal laws applicable to them other than the ADA and DOT laws and regulations, Appendix A discusses other federal privacy statutes, including those identified by HHS, that restrict the disclosure of an individual’s health information.608

1. Patient Protection and Affordable Care Act

In National Federation of Independent Business v. Sebelius609 the Supreme Court upheld the constitutionality of the Patient Protection and Affordable Care Act (ACA)610 in part on the basis that the individual mandate imposed by the ACA (see 26 U.S.C. § 5000A, Requirement to Maintain Minimum Essential Coverage, Appendix B to this digest) was within Congress’s power to tax under the Taxing Clause611 but held that the ACA’s expansion of Medicaid violated the Constitution by threatening states with the loss of their existing Medicaid funding if they declined to comply with the expansion.612

In brief, the ACA imposed “administrative simplification” provisions that build on HIPAA.613 The ACA includes requirements for operating rules for each of the HIPAA transactions; for the enumeration of a unique, standard Health Plan Identifier (HPID); for new standards for electronic funds transfer and electronic health care claims attachments; for health plans to certify compliance with the standards and operating rules; and for penalties for health plans that fail to comply or to certify their compliance with applicable standards and operating rules (quotation marks omitted).614 The ACA has privacy protections similar to the HIPAA privacy rule; requires security safeguards for data collection, analysis, and sharing; and protects against all inappropriate internal use by any entity that collects, stores, or receives the data, including use of such data in determinations of eligibility (or continued eligibility) in health plans, and from other inappropriate uses (to be defined by the Secretary) (internal quotation marks omitted).615

The ACA expands several aspects of HIPAA.616 The ACA requires the Secretary of HHS to promulgate rules for each of the HIPAA covered transactions that enable point-of-care eligibility determinations; minimizes the need for paper attachments to claims submissions; and requires that all data elements be entered in unambiguous terms.617 As stated, the ACA requires the creation of a unique, standard health plan identifier and a standard for electronic funds transfers.618 In general, the objective is to enable the exchange of electronic data in a way that minimizes reliance on multiple formats.619 The changes to HIPAA implemented by the ACA include increased security standards for the use and transfer of PHI by covered entities and business associates. The ACA does not apply to an individual or entity that could have PHI yet is not a covered entity or a business associate of one.

No transit agency responding to the survey stated that the ACA would have any effect on the agency’s handling of any health information on their patrons. However, as noted, the ACA does include some new requirements for business associates.

608 Also identified by HHS in its Final Rule published December 28, 2000 but not discussed herein are: the Public Health Service Act § 318(e)(5) and 42 C.F.R. § 51b.404 (program for prevention and control of sexually transmitted diseases funded under the Act); Public Health Service Act § 330 and 42 C.F.R. § 51c.110 (community health center program funded under the Act); Public Health Service Act, title X and 42 C.F.R. § 59.15 (grant program for family planning services under the Act); 30 U.S.C. § 437(a) and 42 C.F.R. § 55a.104 (grant program for black lung clinics funded); Public Service Act § 501 and 42 C.F.R. § 51a.6 (program of maternal and child health projects funded under the Act); and 42 C.F.R. § 37.80(a) (program of medical examinations of coal miners). 65 Fed. Reg. 82462, 82484 (see subpart entitled “Relationship to Other Federal Laws”).
609 132 S. Ct. 2566, 183 L. Ed. 2d 450 (2012).
610 Patient Protection and Affordable Care Act of 2010, Pub. L. No. 111-148, § 9008(f)(2), 124 Stat. 119, amended by Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, § 2503(a), 124 Stat. 1029, available at http://www.healthcare.gov/law/full/.
611 National Federation of Independent Business, 132 S. Ct. at 2593-2600, 183 L. Ed. 2d at 483-490 (holding, inter alia, that “[o]ur precedent demonstrates that Congress had the power to impose the exaction in § 5000A under the taxing power, and that § 5000A need not be read to do more than impose a tax. That is sufficient to sustain it. The ‘question of the constitutionality of action taken by Congress does not depend on recitals of the power which it undertakes to exercise.’”) (Id., 132 S. Ct. at 2598, 183 L. Ed. 2d at 487) (citation omitted)).
612 National Federation of Independent Business, 132 S. Ct. at 2600-2608, 183 L. Ed. 2d at 490-498.
613 United Health Care, “Administrative Simplification” (“The Administrative Simplification provision under Section 1104 of the Patient Protection and Affordable Care Act (the Act) intends to improve the standards for electronic transactions mandated by the Health Insurance Portability and Accountability Act (HIPAA)” and “[t]he intent of this provision is to reduce administrative costs by adopting a set of operating rules for each transaction and to create as much uniformity in implementing electronic standards as possible.”), available at http://www.uhc.com/united_for_reform_resource_center/health_reform_provisions/administrative_simplification.htm.
614 Centers for Medicare and Medicaid Services, available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/index.html?redirect=/Affordable-Care-Act/.
615 Joel Teitelbaum, Lara Cartwright-Smith & Sara Rosenbaum, Translating Rights into Access: Language Access and the Affordable Care Act, 38 AM. J. L. AND MED. 348, 368 (2012).
616 American Medical Association, hereinafter referred to as “AMA Web site,” available at http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page.
617 Section 1104 of the ACA. See AMA Web site, supra note 616.
618 AMA Web site, supra note 616.
619 Federal Register, https://www.federalregister.gov/articles/2011/07/08/2011-16834/administrative-simplification-adoption-of-operating-rules-for-eligibility-for-a-health-plan-and.

2. Department of Transportation Regulations

DOT regulations apply to records generated by certain occupational health tests and examinations.620 DOT advises that with respect to medical exams there are DOT “[r]egulatory requirements [that] take precedence over” HIPAA.621 Any person who is designated in DOT regulations as a “safety-sensitive employee” is subject to DOT drug and alcohol testing.622 Transportation employers have very detailed requirements for “transportation workplace drug and alcohol testing programs.”623 In general, service agents and employers may not release individual test results or medical information without an employee’s specific written consent.624 However, an employer may release such information without an employee’s consent pursuant to a legal action, grievance, or administrative proceeding that the employee brings as a result of a positive drug or alcohol test or a refusal to take a drug or alcohol test.625 An employer may release such records to a court in lieu of a civil or criminal proceeding when the court determines that the results of a test are relevant because of an “employee’s performance of safety-sensitive duties.”626 In any case, an employer must notify an employee in writing if the employer decides to disclose an employee’s information under 49 C.F.R. § 40.323.627

Employers or service agents are required to release information to an employee (or former employee) who is the subject of the information upon an employee’s request.628 Additionally, upon request employers and service agents must provide DOT agents access to facilities used for DOT drug and alcohol functions and all “drug and alcohol program records and reports (including copies of name-specific records or reports).”629 If the National Transportation Safety Board requests information as part of an accident investigation, an employer must furnish information about a drug or alcohol test the employer administered after the accident.630 If a “Federal, state or local safety agency with regulatory authority over [an employer] or the employee” requests drug and alcohol test records concerning an employee, the employer must provide them.631

DOT advises that if such testing information is “viewed as protected” under HIPAA, it is not necessary to obtain written authorization from an employee when DOT regulations require the use or disclosure of health information otherwise protected under 49 C.F.R. part 40.632 DOT has provided examples of when an employer or service agent in a DOT program may disclose information without an employee’s written authorization.633 For example, employers do not have to have written authorizations from employees for DOT tests.634

Although two transit agencies responding to the survey noted the applicability of DOT privacy provisions to their agencies, it appears that the agencies were referring to DOT and ADA requirements regarding paratransit service.635

620 49 C.F.R. § 40 (2013).
621 U.S. DEP’T OF TRANSPORTATION, FEDERAL MOTOR CARRIER SAFETY ADMINISTRATION, available at http://nrcme.fmcsa.dot.gov/mehandbook/me_privacy.aspx.
622 U.S. DEP’T OF TRANSPORTATION, OFFICE OF DRUG AND ALCOHOL POLICY AND COMPLIANCE, WHAT EMPLOYEES NEED TO KNOW ABOUT DOT DRUG AND ALCOHOL TESTING, at 1, available at http://web.multco.us/sites/default/files/employee-labor-relations/documents/dot_employee_handbook.pdf.
623 49 C.F.R. § 40 (2013).
624 49 C.F.R. § 40.321 (2013) (stating that “‘[b]lanket releases,’ in which an employee agrees to a release of a category of information (e.g., all test results) or to release information to a category of parties (e.g., other employers who are members of a C/TPA, companies to which the employee may apply for employment), are prohibited under this part”); see id. at § 40.27 (stating an employer may not require an employee to sign a “consent, release, waiver of liability, or indemnification agreement with respect to any part of the drug or alcohol testing process covered by this part (including, but not limited to, collections, laboratory testing, MRO and SAP services”).
625 49 C.F.R. § 40.323 (2013).
626 49 C.F.R. § 40.323(a)(2) (2013).
627 49 C.F.R. § 40.323(d) (2013).
628 49 C.F.R. § 40.331(a) (2013).
629 49 C.F.R. §§ 40.331(b)–(c) (2013).
630 49 C.F.R. § 40.331(d) (2013).
631 49 C.F.R. § 40.331(e) (2013).
632 U.S. DEP’T OF TRANSPORTATION, GENERAL ISSUE UPDATE, DOT RULE 49 C.F.R. PART 40 SECTION 40.27 Q&A, hereinafter referred to as “DOT General Issue Update,” available at http://www.dot.gov/odapc/part40QA/40_27.
633 Id.
634 Id.
635 Response of Pierce Transit (stating that “DOT/ADA Rules require a paratransit eligibility process which has required Pierce Transit to handle HIPAA-related information”); Response of Whatcom (noting that its agency is subject to DOT and ADA laws and regulations regarding the “providing [of] complementary paratransit service for disabled passengers”).

3. Public Health Service Act and Records of Substance Abuse

The confidentiality of patient records of substance abuse under § 543 of the Public Health Service Act636 and its implementing regulations637 interact with several of HIPAA’s privacy provisions.638 There are requirements that apply to patient records maintained by federally assisted specialized alcohol or drug abuse programs.639 The law’s provisions apply to a number of health care providers that must comply also with HIPAA requirements.640 Generally, however, no conflict will exist in the simultaneous application of both of these statutes.641

Records of substance abuse, patients’ identity, diagnosis, prognosis, or treatment, maintained in connection with programs assisted by the government must remain confidential unless a patient gives written consent.642 However, the records may be disclosed to medical personnel, even if the patient does not provide written consent, in a medical emergency or to qualified personnel for the purposes of conducting scientific research, management or financial audits, or program evaluations.643 In such cases, personnel may not identify an individual patient in any manner.644 Records of patients’ substance abuse must be disclosed pursuant to a court order regardless of a patient’s prior written consent; however, “[u]pon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure.”645 Unless authorized by a court order, the records may not be used to investigate a patient or initiate or substantiate a criminal case against him or her.646

The privacy rule applies to anyone who has ever been a patient of such a substance abuse facility.647 The privacy rule does not apply to an interchange of records within the uniformed services, within departments of the Veterans Administration (VA) providing health care, or between the uniformed services and the VA.648 The rule also does not apply to reports to state officials under state law applicable to incidents of child abuse or neglect.649

Part 2 of title 42 of the C.F.R. provides more guidance on the implementation of privacy rules applicable to patient records of alcohol and drug abuse.650 Part 2 establishes that the restriction on disclosure of records applies to any information, written or unwritten, that would identify a patient as a drug or alcohol user or that is information that was obtained in a federally-funded treatment program.651 Moreover, there is an exception to the prohibition of record-sharing that allows “communications between a program and a qualified service organization of information needed by the organization to provide services to the program.”652 Under this rule, although no state law may permit disclosure of records that is prohibited by the rule, if a state law prohibits a disclosure that is allowed by the federal statute, a disclosure is not permitted.653

636 42 U.S.C. § 290dd-2 (2013).
637 42 C.F.R. part 2 (2013).
638 65 Fed. Reg. at 82,481, 82,482 (2000).
639 Id. at 82,482–82,483.
640 Id. at 82,482.
641 Id.
642 42 U.S.C. §§ 290dd-2(a) and (b)(1) (2013).
643 42 U.S.C. §§ 290dd-2(b)(2)(A)–(B) (2013).
644 Id.
645 42 U.S.C. § 290dd-2(b)(2)(C) (2013).
646 42 U.S.C. § 290dd-2(c) (2013).
647 42 U.S.C. § 290dd-2(d) (2013).
648 42 U.S.C. § 290dd-2(e) (2013).
649 Id.
650 42 C.F.R. pt. 2 (2013).
651 42 C.F.R. §§ 2.12(a) and 2.12(e)(1) (2013).
652 42 C.F.R. § 2.12(c)(4) (2013).
653 42 C.F.R. § 2.20 (2013).

4. Employee Retirement Income Security Act of 1974

The Employee Retirement Income Security Act of 1974 (ERISA) was enacted “to regulate pension and welfare employee benefit plans established by private sector employers, unions, or both, to provide benefits to their workers and dependents.”654 Employee welfare benefit plans are plans that provide medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, or death through the purchase of insurance or otherwise.655

Although ERISA may not be regulated directly by state law, HIPAA does not disturb “state privacy protections that would otherwise apply and that are more stringent than the federal privacy protections.”656 Except for state laws that regulate insurance,657 § 514(a) of ERISA preempts all state laws that ‘‘relate to’’ any employee welfare benefit plan.658 However, an ERISA plan is not to be considered an insurer for the purpose of state insurance laws.659 Thus, ERISA plans are not subject to regulation by state law.660 On the other hand, § 514(d) of ERISA provides that ERISA does not ‘‘alter, amend, modify, invalidate, impair, or supersede any law of the United States.’’661

654 65 Fed. Reg. 82,483. See 29 U.S.C. § 1002(1) (2013).
655 Id.
656 Id. (citing HIPAA, § 264(c)(2)).
657 ERISA, § 514(b) and 29 U.S.C. § 1144(b)(2)(A) (2013).
658 29 U.S.C. § 1144(a) (2013).
659 ERISA, § 514(b)(2)(B) and 29 U.S.C. § 1144(b)(2)(B) (2013).
660 65 Fed. Reg. 82,483.
661 29 U.S.C. § 1144(d) (2013). See 65 Fed. Reg. 82,483.

5. Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student records maintained by federally funded educational agencies or institutions or persons acting on behalf of the agencies or institutions.662 The federal government will not provide funds to schools or educational agencies that deny parents the right to inspect or review the educational records of their minor children.663 Schools are prohibited from making available students’ educational records or personally identifiable information to others without a parent’s consent.664

Both HIPAA and FERPA may preempt state laws that provide less protection.665 HIPAA does not apply to educational records because those records are covered by FERPA.666 When applicable, FERPA provides parents with the right to review and inspect their children’s educational records;667 however, “[w]hen a student turns eighteen or attends any school beyond high school, the rights given to parents under FERPA transfer to that student, and [the student] becomes an ‘eligible student.’”668

HHS advises that it has excluded education records covered by FERPA669 from the definition of protected health information. Individually identifiable health information created by a nurse relating to students under the age of 18 in a primary or secondary school receiving federal funds and subject to FERPA is not protected health information. Instead, the information is an education record under FERPA that addresses how such information is to be protected.670

662 20 U.S.C. § 1232g (2013).
663 20 U.S.C. §§ 1232(g)(a)(1)(A)–(B) and (d) (2013).
664 20 U.S.C. § 1232(b) (2013) (allowing release of documents, however, to school and government officials under various circumstances).
665 Celina Munoz, Privacy at the Cost of Public Safety: Reevaluating Mental Health Laws in the Wake of the Virginia Tech Shootings, 18 S. CAL. INTERDIS. L.J. 161 (2008), hereinafter referred to as “Munoz.”
666 Id. at 175 (citing 45 C.F.R. § 160.103). The article notes that “[a]ny school receiving federal funding from the U.S. Department of Education is subject to the provisions in FERPA, meaning that all public elementary schools, secondary schools, and universities must comply.” Id. (citing U.S. DEP’T OF EDUCATION, FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA), available at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html).
667 Id. at 174 (citing U.S. Dep’t of Education, Family Educational Rights and Privacy Act (FERPA)).
668 Id. (citing 20 U.S.C. § 1232g).
669 Also excluded from the definition of protected health information are records designated as education records under Parts B, C, and D of the Individuals with Disabilities Education Act Amendments of 1997.
670 65 Fed. Reg. 82,483.

6. Privacy Act of 1974

The Privacy Act of 1974671 applies only to government or government-controlled corporations and not to private entities.672 The Act is applicable to privacy issues within federal agencies.673 Under the Act when disclosing records no federal agency or its contractors may disclose individually identifiable information without the written consent of the subject of the record.674 However, the agencies may publish records for “routine use” in the Federal Register.675 These rules also apply to “certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.”676 If privacy regulations and the Privacy Act provide different standards, a federal agency must abide by whichever one allows the least disclosure.677

The Act requires each government agency to make certain information available to the public. Agencies must publish guidance about their rules, methods, and operations in the Federal Register.678 Furthermore, they must make available opinions, orders, policies, and interpretations, staff manuals that affect the public, and records that are likely to be the subject of frequent requests for information.679 When an agency makes records available pursuant to the statute, it may delete identifying information to prevent unwarranted invasion of personal privacy.680 However in each case, the agency must explain fully in writing the reason for and scope of each deletion.681

Private entities “are not bound by the fair information practices, open-access rules, and data-ownership principles embodied in the Act.”682 On the other hand, the Act “requires notice to, and consent from, individuals when the government collects and shares information about them.”683 In general, unless governed by federal or state law, private companies may gather and share data without obtaining an individual’s consent.684

DOT explains that the Privacy Act of 1974 sets forth “how the federal government should treat individuals and their information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information (PII).”685 DOT also observes that § 208 of the E-Government Act of 2002 “establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections.”686

671 Privacy Act of 1974, §§ 2(a) and (b), Pub. L. No. 93-579, 88 Stat. 1896 (codified in part as amended at 5 U.S.C. § 552a (2013)).
672 John M. Eden, When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID, 4 DUKE L. AND TECH. REV. 20, P4 (2005) (citing 5 U.S.C. § 522(a) and (a)(1)), hereinafter referred to as “Eden.”
673 5 U.S.C. §§ 552a(b)-(d) (2013).
674 65 Fed. Reg. 82,482.
675 Id.
676 Id.
677 Id.
678 5 U.S.C. 522(a)(1) (2013).
679 5 U.S.C. 522(a)(2) (2013).
680 5 U.S.C. 522(a)(2)(E) (2013) (stating that “[t]o the extent required to prevent a clearly unwarranted invasion of personal privacy, an agency may delete identifying details when it makes available or publishes an opinion, statement of policy, interpretation, staff manual, instruction, or copies of records referred to in subparagraph (D)” and further stating that in each case the justification for the deletion shall be explained fully in writing, and the extent of such deletion shall be indicated on the portion of the record which is made available or published, unless including that indication would harm an interest protected by the exemption in subsection (b) under which the deletion is made).
681 5 U.S.C. § 522(a)(2)(E) (2013).
682 Eden, supra note 672, at P4.
683 James X. Dempsey & Lara M. Flint, Surveillance, Records & Computers: Commercial Data and National Security, 72 GEO. WASH. L. REV. 1459, 1474 (2004).
684 Eden, supra note 672, at P5 (article addresses the use of radio frequency identification technology or RFID used by some commercial retailers, not the collection and dissemination of health information). Id. at 1.
685 U.S. DEP’T OF TRANSPORTATION, PRIVACY IMPACT ASSESSMENT (UPDATE) NATIONAL REGISTRY OF CERTIFIED MEDICAL EXAMINERS (NATIONAL REGISTRY), Aug. 20, 2012, hereinafter referred to as “DOT Privacy Impact Assessment,” available at http://www.dot.gov/sites/dot.dev/files/docs/FMCSA_PIA_National_Registry_082012.pdf.
686 Id. at 1.

7. Medicare and Medicaid

Congress explicitly subjected Medicare and Medicaid to HIPAA’s privacy regulation.687 Medicare and Medicaid programs must comply both with HIPAA and the Privacy Act.688 There may be situations when the Privacy Act authorizes a disclosure but HIPAA regulations do not permit disclosure.689

687 65 Fed. Reg. 82,484.
688 5 U.S.C. § 552a (2013).
689 65 Fed. Reg. 82,482 (explaining that “if the privacy regulation permits a disclosure, but the disclosure is not permitted under the Privacy Act, the federal agency may not make the disclosure. If, however, the Privacy Act allows a federal agency the discretion to make a routine use disclosure, but the privacy regulation prohibits the disclosure, the federal agency will have to apply its discretion in a way that complies with the regulation”).

8. Genetic Information Nondiscrimination Act

In 2008, Congress enacted the Genetic Information Nondiscrimination Act (GINA).690 Although “characterized as civil rights legislation, GINA represents a major departure from every antidiscrimination statute preceding it” because it is prospective:691 “GINA prohibits health insurers and employers from making decisions based on genetic information” even though there was “scant evidence” of a “significant history of genetic-information discrimination.”692 It is now “unlawful for employers to discharge, refuse to hire, or make employment decisions relating to compensation or the terms and privileges of employment based on an employee’s genetic information.”693

Under 42 U.S.C. § 2000ff(b) it is generally an “unlawful employment practice for an employer to request, require, or purchase genetic information with respect to an employee or a family member of the employee….” However, there are several exceptions, such as when an “employer inadvertently requests or requires family medical history of the employee or family member of the employee” or when “health or genetic services are offered by the employer, including such services offered as part of a wellness program” and “the employee provides prior, knowing, voluntary, and written authorization….”694

690 42 U.S.C.A. § 2000ff-1 (2013).
691 Jessica L. Roberts, Preempting Discrimination: Lessons from the Genetic Information Nondiscrimination Act, 63 VAND. L. REV. 439, 440 (2010), hereinafter referred to as “Roberts.”
692 Id. at 441.
693 Sharona Hoffman, Employing E-Health: The Impact of Electronic Health Records on the Workplace, 19 KAN. J.L. & PUB. POL’Y 409, 417 (2010) (citing 42 U.S.C.A. § 2000ff-1 (2010)).
694 42 U.S.C. §§ 2000ff(b)(1) and (2). There are other exceptions included in subsection (b).

9. Other Federal Privacy Laws

According to one source,695 other privacy laws that may apply to the use or disclosure of personal health information include the Electronic Communications Privacy Act;696 Telecommunications Act;697 Cable Communications Act;698 Child Online Protection Act;699 Gramm-Leach-Bliley Act;700 Sarbanes-Oxley Act;701 and the Fair Credit Reporting Act.702

695 Ayres, supra note 42, at 990 (2013).
696 18 U.S.C. §§ 2511(1)(a)-(b) (2013).
697 47 U.S.C. §§ 222(a)-(c) (2013).
698 47 U.S.C. § 551 (2013).
699 15 U.S.C. §§ 6501(4) and (8) (2013).
700 15 U.S.C. §§ 6801(a)-(b) (2013).
701 15 U.S.C. § 7262 (2013).
702 15 U.S.C. § 1681 (2013).


TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
