What if HIPAA conflicts with your state's law?

Disclosure isn't always prohibited

According to Jill M. Steinberg, a health care attorney with Baker Donelson in Memphis, TN, the Health Insurance Portability and Accountability Act (HIPAA) would prevent an ED physician from discussing a patient's HIV status with any other person, even if that person could be potentially exposed to an infectious disease.

Instead, the ED physician should do what he or she can to obtain permission from the patient to disclose the information and/or make a strong recommendation to the patient to disclose his or her HIV status. "The physician should also document in the patient's record that he was counseled to avoid unprotected intercourse, stop using drugs, and warn all of his sex partners of their potential exposure," she says.

It is unlikely that a successful lawsuit could be maintained against the emergency physician for failure to tell a patient's girlfriend of his HIV status even if she becomes infected, since HIPAA prevents the disclosure, says Steinberg. "Without permission or a health care power of attorney, there are very few, if any, scenarios, wherein an ED physician or nurse would be legally able to divulge patient information unless the patient is incompetent or comatose," says Steinberg.

There appears to be no private right of action for a HIPAA violation. Patients complaining of violations are required to file their grievance with the Office of Civil Rights. However, suits may be filed by patients alleging a breach of confidentiality based upon state law rights of privacy.

There may be situations in which state law and federal law are in conflict, such as states that require the physician to notify a sexual partner or local health organization of the patient's status as HIV-positive. "Failure to notify may put the physician in violation of state law. But notifying a nonpatient of the patient's status would be in violation of federal law," says Steinberg.

However, ED physicians likely will not violate HIPAA by complying with a state statute that permits or requires reporting known contacts of an HIV-positive individual to a public health agency. "Such reporting probably would fall under the HIPAA exception for public health activities, so those state laws would not be contrary to HIPAA," says Erin McAlpin Eiselein, a health care attorney with Davis Graham in Denver.

Eiselein adds that there is a "good argument" that an ED physician notifying a contact or a local health agency about a possible HIV infection would not violate HIPAA for the reason that there is an exception for disclosures to avert a serious threat to health or safety. Steinberg points to a Wisconsin case that found that an emergency medical technician invaded the privacy of an overdose patient when she told the patient's co-worker about the overdose.1 In a Michigan case involving a pharmacy employee who loudly blurted out a patient's HIV status in a crowded waiting room, the court of appeals upheld a jury verdict of $100,000 for slander, invasion of privacy, intentional infliction of emotional distress, and violation of a Michigan statute that protects the confidentiality of HIV results.2

Before HIPAA, physicians had been sued for failure to disclose to third parties in limited instances, notes Steinberg. A physician was successfully sued in a case involving the failure to warn family members of the possibility that they also had been exposed to Rocky Mountain spotted fever when a relative had died of the disease.3 "With HIPAA now in effect, these lawsuits probably not be successful if filed today," says Steinberg.


1. Sink L. Jurors decide patient privacy was invaded. Milwaukee Journal Sentinel, May 9, 2002.

2. Doe v. American Medical Pharmacies Inc. (unpublished), 2002 WL 857766 (Mich. App.).

3. Bradshaw v. Daniel, 854 S.W.2d 865 (Tenn. 1993).