Careful interpretation required: Health plans operating in multiple states have a challenge sorting out where the federal law trumps state statutes.
With the deadline for complying with the Health Insurance Portability and Accountability Act approaching, it's important to compare the federal statute to state laws. HIPAA did not set a uniform standard for protection of medical records and information that could identify a patient; rather, it set a floor for confidentiality requirements, and indicated that state laws that are more stringent than HIPAA would apply.
This stringency test will result in confusion as to whether providers, insurers, or others should follow state or federal law. This becomes even more difficult in the case of national companies that may be subject to a number of different state laws.
The result could be an administrative nightmare, not to mention potential for liability on the part of those who make disclosures that they later find violated state law — even if those disclosures were allowed under HIPAA.
The degree of variation can be markedly different from state to state. We have used, as examples, three large states — New York, California, and Illinois — and compared some of their medical privacy laws with HIPAA.
The Department of Health and Human Services provides a framework for understanding where HIPAA preempts state law. In essence, state law takes effect only if there is no HIPAA provision on a specific subject, if state law is more stringent, or if there is an exception under HIPAA.
According to HHS rules, if a provision of HIPAA is contrary to state law, federal law will preempt it. There are exceptions to this general rule. For instance, if state regulations governing the privacy of health information are more stringent than HIPAA standards, state law stands. The same is true if a state's law prevents fraud and abuse, ensures regulation of insurance, or serves a compelling public health need. Another exception has to do with reporting of disease, injury, or child abuse. A fourth exception relates to laws requiring health plans to report information for management and financial audit purposes.
State laws are "more stringent" when they prohibit or restrict disclosures that would otherwise have been allowed under HIPAA. "More stringent" includes authorization or consent procedures that are more detailed than those described by HIPAA, that cover a longer period of time, or that provide greater protection to the patient.
These principles serve as a basis for comparison when trying to determine which provisions of state law will be superseded by HIPAA.
There are a number of California laws dealing with medical privacy. The most detailed is the Confidentiality of Medical Information Act. In applying the basic rubrics of preemption to California law, the ensuing analysis would seem to follow.
Where HIPAA takes precedence. There is no California law similar to the HIPAA requirements related to business associates. Under HIPAA, organizations, such as claims processors, that handle information for covered entities (e.g., hospitals or insurers) must establish a "business associate" agreement and agree to follow HIPAA rules.
Regarding amount of disclosure, HIPAA requires that a physician group, health plan, or other covered entity not ask for — or release more than — the minimum personal health information needed for whatever purpose its release is sought. Moreover, HIPAA requires that patients be notified about how their personal health information is handled. California has no such requirements.
Finally, HIPAA requires patient consent for use of that information for treatment, payment, and operations. Again, California has no requirement for such disclosures.
So, with respect to these provisions, the analysis is simple — no California laws in these areas exist and HIPAA prevails.
In examining the provisions of HIPAA and California law that are equivalent, trying to determine whether state law is more stringent than federal law depends on the issue in question.
Consent for treatment. Under HIPAA, a provider must obtain patients' consent before using or disclosing their information for treatment purposes, except when the provider has an indirect treatment relationship with the patient — such as a lab or consulting physician — in which case, consent is unnecessary. The California equivalent says a provider may release a patient's information to other providers, without authorization, for purposes of diagnosis or treatment. Here, it would seem that HIPAA is more stringent than California law because it requires consent; state law does not.
Research. The HIPAA law permits use of a patient's health information for research if it is shared with an institutional review board. This is an exception to the patient-authorization requirement. HIPAA also requires a description of why the information is needed for research, as well as assurances that the information will not be reused. California law, by contrast, provides that medical and research information may be released for "bona fide research purposes" to public agencies, clinical investigators, health care research organizations, and not-for-profit educational institutions. Here again, federal law is more stringent and would prevail under any conflict.
Liability. The California Confidentiality of Medical Information Act says that patients may bring legal action for violations of the state law, and are entitled to compensatory and punitive damages. HIPAA, by contrast, has no private right of action. In this case, California law is more stringent and will not be preempted.
HIPAA does provide, however, for civil and criminal penalties if a person knowingly discloses, obtains, or uses a patient's medical information outside the law — resulting in a fine of $100 per violation, up to $25,000 in one year. Under California law, any violation of the Confidentiality Act is a misdemeanor, and negligent disclosure is subject to a $2,500 fine. While it would appear that federal statute would supersede state law, there are differences. For a case to be made under federal law, there must be specific intent. California requires only negligent disclosure to trigger a fine.
Federal criminal and civil penalties can be brought under HIPAA for knowingly disclosing, obtaining, or using identifiable health information under false pretenses, resulting in fines of up to $100,000 and/or five years in prison. Similarly, California law has a "knowing and willful" violation requirement that involves a $25,000 penalty.
Finally, HIPAA provides that anyone who violates the law for commercial or personal gain that results in malicious harm may be fined up to $250,000 and/or imprisoned for 10 years. The California law, by contrast, provides that where a violation occurs for financial gain, fines of up to $250,000 can be levied — plus, any proceeds resulting from the crime must be forfeited.
The two statutes are somewhat different with regard to false pretenses and commercial gain; the federal statute is more stringent about false pretenses, while state law seems to be tougher with respect to financial gain.
New York comparison
Access to medical records. The New York statutes on medical privacy grant patients the right of access to their medical records maintained by providers, hospitals, and HMOs. Health care providers must allow patients to see their information within 10 days of receipt of a written request. A patient seeking access to personal notes and observations, however, may be denied — provided that the practitioner has not disclosed the notes to others — because New York's definition of patient information does not cover personal notes and observations.
This New York access law appears similar to HIPAA, except that the federal law does not specify the denial of personal notes and observations. It can be concluded that the New York statute is more stringent than HIPAA and would be applicable in this instance.
State statutes also prevent release of records about substance abuse, certain information that one practitioner obtains from another, and information disclosed by others to the practitioner on the condition of confidentiality. Aside from the substance abuse provision, New York law again includes exemptions from disclosure that go beyond the federal law.
Denial of access. New York law also allows providers to deny patients access to their records if it reasonably can be expected that this will cause the provider or others substantial harm. The provider must specify the basis for the denial. The individual then has the right to appeal to a state-appointed, medical record-access review committee.
While the federal law grants patients the right to know why a request is denied, it does not specify the availability of a third-party review panel.
What can be disclosed. As with HIPAA, New York law contains restrictions on the disclosure of information that could identify a patient. When releasing patient information, the provider must get the patient's written authorization or — when a patient has not given written consent — the disclosure must be authorized by law. Such purposes often are routine — for instance, when disclosures are made to government agencies (such as Medicaid) that make payments to insurance companies. In this regard, New York law seems parallel to federal law in permitting disclosure of information that could identify a patient to government agencies for public health needs.
The disclosure, however, must be limited to "the information necessary in light of the reason for the disclosure." Whether this language is equivalent to the "minimum necessary information" limitation in the HIPAA law is uncertain.
Payers that share information. New York insurance law requires that insurers protect the confidentiality of medical records. Insurance companies that are members of what the state calls a medical-information exchange center, or other groups that share medical information with each other — such as an HMO and its pharmacy benefit manager — must obtain an insurance applicant's informed consent. The company must furnish a clear and conspicuous notice at the time a person completes an application for personal health insurance. Among other things, the member has the right to request access to the information in the insurers' files to correct any inaccuracies. There is similar language in the HIPAA statute.
HIV and genetic tests. New York law requires medical-information exchange centers to code information about HIV test results. While there are no specific provisions in HIPAA relating to HIV test results, there are new federal coding requirements that must be applied. It is unclear yet whether the coding requirements under New York law and HIPAA are consistent.
Insurers must also obtain a person's written consent before a genetic test is performed. There is no comparable requirement under federal law.
Access to one's own information. As with New York, Illinois provides patients access to their medical records. A person has a right to have factual errors corrected and any misrepresentation or misleading entries amended or deleted. It is not clear whether under Illinois law a provider, insurer, or other group covered by HIPAA can deny a patient access to information, as can be done under the federal law.
The Illinois patient-access law also permits a person to bring a civil suit. A physician who has received a written request from a patient must allow that patient's designated physician or attorney to examine and copy his medical records. Physicians who fail to comply with such requests within 60 days can be liable for the expenses and lawyers' fees a patient incurs to get a court order. While patients may seek equitable relief, they may not sue for damages.
Restrictions on disclosures. In Illinois, there are substantial restrictions on disclosure of information held by physicians and allied health providers, hospitals, health services corporations, and insurers.
Generally, information that could identify a patient may not be disclosed to anyone except the patient without her written authorization. Medical information, however, may be released without consent to authorities in cases involving suspected child abuse or neglect, or with respect to sexually transmitted diseases.
Because HIPAA's stance on allowable disclosures is broader than Illinois law, it would appear that this state law would be applicable. However, an argument can be made that Illinois law is contrary to HIPAA by permitting less information to be disclosed. This is one instance where the difficulties of interpreting the HIPAA preemption statute is likely to come to the fore.
Insurers, too, are prohibited from disclosing medical information without the member's written consent, but there are numerous exceptions — ranging from medical professionals seeking to verify coverage benefits, to agents conducting the insurer's business, to law-enforcement agencies prosecuting fraud. A person whose information is disclosed in violation of these provisions can bring a civil suit for actual damages sustained as a result. Again, we have what appears to be a broader and more stringent authority under the Illinois statute, which thus would apply.
As with other states, there are numerous Illinois statutes relating to specific conditions — including genetic testing, head and spinal injuries, HIV testing, mental health, and sexually transmitted diseases.
We cannot, within the scope of this article, review all of these instances, but would point out that this presents a daunting task for those who want to learn whether state or federal law applies in such specific instances of disclosure of information that could identify a patient.
Clarification to come
HIPAA compliance and state-law-preemption analysis is still a work in progress. HIPAA regulations are extremely extensive and have yet to be fully implemented and interpreted.
There are many areas of overlap between state and HIPAA laws, and it is still unclear in many cases which will apply. However, from our initial review of these statutes, we believe that in most cases the more stringent provisions are to be found within HIPAA, and therefore, many state statutes will give way.
If HIPAA applies to you or your organization, become familiar with relevant state laws and compare them to HIPAA. Not doing so could result in substantial penalties under state or federal law.