One of the thorniest issues providers face in implementing the Health Insurance Portability and Accountability Act's (HIPAA) privacy laws is the issue of preemption. In short, HIPAA's privacy standards will preempt any contrary state laws unless those state laws are more stringent.
If that sounds simple, it's not. One law firm that analyzed preemption for the nation’s largest insurers had to field a full-time staff of 14 attorneys for several months to study the issue fully.
Two individual states’ experiences illustrate the complexity. Clark Stanton, a partner with Davis Wright Tremaine in San Francisco, worked with the California Health Care Association to develop a California Privacy Manual that included preemption analysis. One of the first things Stanton hoped to find was a partner from the state.
"We thought that working with the state might be valuable in producing the analysis," he says. "The problem we ran into right at the start is that there was no one at the state to work with." Now, there is an Office of HIPAA implementation, he adds, but the primary mission of that office is to advise California state agencies. "We really don't have a dance partner with the state," he says.
According to Stanton, California has an existing state privacy scheme that includes a fairly comprehensive confidentiality of medical information act, as well as a separate statutory scheme that deals with mental health information. "You have two primary schemes to take into consideration," he says.
As an example of how HIPAA and California state laws interact, Stanton points to subpoenas and other discovery requests. "In this instance, we found that California law was more stringent than HIPAA," he says.
The HIPAA requirement is that a requesting party must make a reasonable effort to notify the person whose protected health information is the subject of the subpoena or discovery request. Meanwhile, the California law had an existing requirement that authorities must actually serve the individual whose records are being requested, advising them that a subpoena has been issued and notifying them about the process for challenging that discovery attempt.
"That is a fairly clear-cut example of a state provision being more stringent and providing greater protection," says Stanton. However, there are various provisions in HIPAA permitting disclosures to law enforcement, not all of which are set forth in California law, he adds.
In that situation, Stanton says you have to ask whether the California law actually is intended not to allow for those disclosures. "As with HIPAA, it is set up in a way that if it is not permitted, you have to assume that it is prohibited," he says.
This became an issue in terms of marketing and fundraising because California law does not have an equivalent provision for the release of information for marketing and fundraising in the same way that HIPAA does.
According to Stanton, the provision of California law allowing the HIPAA provisions to take effect notwithstanding the silence of California law turned out to be controversial but, in his view, a correct interpretation of HIPAA.
Jean Quarier, associate counsel at the New York Department of Health, notes that there is saying that if you can make HIPAA preemption rules apply rationally in New York state, you can make them apply rationally anywhere.
To illustrate her point, Quarier points to two New York state laws. One law guarantees New Yorkers the right to access their records when they seek care for medical, dental, social work, pharmacies, chiropractors, and other health care providers. With some exceptions, personal notes and observations of the provider are not included under this right of access.
New York state law does permit denials of information in certain circumstances, she adds. One of those exceptions is when the information could cause substantial and identifiable harm to the patient or others, which outweighs the patient's right of access.
The second exception is if access to this information would have a detrimental effect on the care of a minor. The review policy is that the state appoints a committee of several providers to review the denial, and if the committee upholds the denial, the patient must seek a court order.
In relation to HIPAA, Quarier says it became clear that, in some ways, HIPAA provides more access. For one thing, it covers a larger data set. Unlike the New York state law, HIPAA also includes notes and observations except for psychotherapy notes.
"It would seem, at first blush, that HIPAA would provide more access," Quarier says. "However, there may be some cases where some psychotherapy notes contain objective information, which could not be classified as a provider's personal notes and observations."
In those specific circumstances, HIPAA actually might not provide broader access, says Quarier. "You can see how this is getting to be a very fact-specific analysis," she asserts.