HIPAA Regulatory Alert

HIPAA allows disclosure to state oversight group

An Ohio federal court has ruled that HIPAA's confidentiality requirements don't excuse the state's Medicaid agency from disclosing patient information sought in a class-action suit to enforce Medicaid's Early Periodic Screening, Diagnosis, and Treatment (EPSDT) requirements.

The proposed class-action suit was brought by the Ohio Legal Rights Service (OLRS) as the federally designated protection and advocacy agency charged with protecting the rights of persons with mental illness, mental retardation, developmental disabilities, and other disabilities. The named plaintiffs were children under age 21 whose disabilities made specific early childhood intervention services medically necessary.

Plaintiffs sought certification of a statewide class of all Medicaid-eligible children up to age 21 who were denied access to necessary services that should have been provided through Ohio's EPSDT program. The Medicaid agency objected, and the court ordered the parties to go through the discovery process relative to class certification.

The legal services group subpoenaed county agencies involved in administering Medicaid and EPSDT programs for information on Medicaid recipients who might qualify as members of the proposed class. The counties and Medicaid program administrators argued that Medicaid law, HIPAA, and Ohio law prevented them from disclosing such private health information.

Observers say the Social Security Act limits disclosure of protected information about Medicaid beneficiaries to purposes directly connected with administering the state Medicaid plan. The court found that a section of the law provided that establishing eligibility, determining the amount of medical assistance, and providing services to recipients are directly connected with plan administration and thus could be disclosed to OLRS in a suit concerning enforcement of Medicaid requirements. The court said OLRS was a particularly appropriate recipient of the information given its government-created role in protecting patient rights.

Likewise, the court noted that HIPAA permits disclosure to a health oversight agency for oversight activities authorized by law. It said OLRS qualifies as a health oversight agency engaged in authorized oversight activities. The court directed the parties to negotiate the terms of an appropriate protective order to prevent unauthorized disclosure.

The Medicaid agency also argued state law contains more stringent protections of private health information than federal law and barred disclosure. But the court said the state law of privilege could not be applied in litigation in federal court to enforce rights under federal law.