By John H. Fisher II
May 21, 2019
HIPAA, as a body of regulations protecting the confidentiality of patient health care information, has been branded very effectively. Most staff at your average health care facility know about HIPAA and that it protects the confidentiality of a patient’s health care information. They understand they cannot go home and discuss patients they treat and that they cannot disclose patient protected information to third parties unless there is an applicable HIPAA exception, or the patient has authorized the disclosure.
HIPAA branding is a very good thing. It reinforces awareness of the regulatory restrictions and helps protect patient confidentiality. But as an attorney who is constantly involved in health information issues, it sometimes seems as if any time there is a potential disclosure of patient information there is an automatic conclusion it is a “HIPAA issue.” Again, this is a good thing as a generic reflection of an awareness that a patient’s information is confidential. However, sometimes it ignores the fact that a confidentiality issue that is generically referred to as a “HIPAA issue” might actually implicate other laws more protective of patient rights than HIPAA.
Laws that can be more protective than HIPAA include state law confidentiality requirements, special protections that are often applicable to mental health treatment records, or special laws and regulations applicable to substance and alcohol treatment records. Generalizing these issues as “HIPAA issues” can create a risk that the subtleties of other applicable laws will be overlooked. In extreme cases, the failure to consider more protective laws can be reflected in facility policies that, if followed, could actually result in violation of law because they fail to identify which regulation applies.
Let me illustrate how this happens. I will use the state in which I practice law as an example, though many states require a similar analysis. Wisconsin has a state “HIPAA” statute codified in Wis. Stats. 146.32. As a general matter, and for purposes of illustrating the triage that is required, let’s assume that in many situations, the Wisconsin law is more restrictive or protective of confidentiality than HIPAA.
In addition to Wisconsin’s confidentiality restrictions that apply to patient health information, special requirements pertain to mental health treatment records under Wisconsin Statutes 51.30 and applicable administrative rules at DHS 92. The protections applicable to mental health treatment records are much more restrictive than HIPAA or state law covering general patient records. In fact, the Wisconsin restrictions covering mental health treatment were so restrictive that Wisconsin had to enact a special law to provide a work-around case to avoid some really outrageous restrictions. Before this law was enacted, Wisconsin law protecting mental health records was so restrictive that a provider could not even make a patient’s records available to another treating provider without obtaining a specific written consent from the patient.
In order to address the practical problems created by these restrictions, the Wisconsin legislature passed a new law in 2013 called the “HIPAA Harmonization Act.” The new law provided some relief from the often draconian restrictions created by Wisconsin law. At the same time, the HIPAA Harmonization Act requires providers to triage each requested disclosure to determine whether the more forgiving HIPAA requirements apply or whether the more restrictive state law, in particular the restrictions that apply to mental health treatment records, must be complied with.
Now, in Wisconsin, where a disclosure involves mental health treatment records, providers need to triage the disclosure through the HIPAA Harmonization Act to determine whether HIPAA or state law applies. Under the HIPAA Harmonization Act, HIPAA applies when the purpose of the disclosure is for “payment, treatment, or health care operations” purposes. Wisconsin added two more conditions where HIPAA applies in an amendment to the Harmonization Act. One permits HIPAA to apply in narrowly defined emergencies. The disclosure to another treating provider can now be provided if permitted under HIPAA standards. Normally HIPAA will require disclosure to a treating provider. If a disclosure is not for treatment, payment health care operation, or certain emergency circumstances, mental health record releases can only take place as permitted under the restrictive state statute. It is not that disclosure is never permitted under Wisconsin law. However, the exceptions permitting disclosure are much narrower and more restrictive than permitted under HIPAA.
Now, let me confuse things a bit more by touching on HIPAA preemption rules. When we apply HIPAA preemption rules, we come up with a huge puzzle. Generally, HIPAA preemption rules require application of the more restrictive (or protective) law. If HIPAA is more restrictive, that law applies. If the state law is more restrictive, the state law applies. However, we do not apply this rule under the Wisconsin Harmonization Act when HIPAA applies (i.e. in payment, treatment and health care operation situations). That is because the very purpose of the HIPAA Harmonization Act is to dictate circumstances where HIPAA, rather than the more restrictive state law, applies to a contemplated disclosure.
The same preemption analysis does not apply if the HIPAA Harmonization Act results in application of the more restrictive state law. In those cases, we look to the state law and not to HIPAA; unless HIPAA is more restrictive through application of HIPAA preemption rules. You cannot ignore HIPAA entirely where state law applies through application of the HIPAA Harmonization Act. In most cases state law is more restrictive, but there can be cases where state law would permit a disclosure, but HIPAA would not. In those cases, the more restrictive HIPAA provisions would apply.
The required Harmonization Act triage gets very complicated when applied to specific release scenarios. Unfortunately, I am not finished yet. We still have not addressed the granddaddy of all patient information protection laws, the Part 2 or SAMHSA regulations. Part 2 applies to information that can identify a patient as having an alcohol or substance abuse disorder. The restrictions of Part 2 apply to information created in an alcohol or substance treatment program. It restricts the program itself, but also applies to re-disclosure from a lawful holder who receives information from the Part 2 program. Where Part 2 applies, it is the more restrictive of all patient privacy laws. Disclosure is never required, but only permitted in certain, very narrowly defined circumstances. Almost all disclosures require the patient provide informed consent. General consent to disclose protected information is almost never permitted. Even a disclosure to another treating provider or health insurer requires the patient to execute an informed consent. The requirements for a valid consent form are much more specific than permitted under HIPAA or even state law.
The specific requirements of applicable regulations and various exceptions under each is beyond the scope of this article. The primary point that I want to make is that referring to everything that involves patient information confidentiality as a “HIPAA issue” misses the point in many situations. Frankly, it can be dangerous from a compliance standpoint to the extent it takes attention away from the need to triage information issues to determine which law actually applies. It can become even more dangerous when the “HIPAA bias” becomes institutionalized in policy. Use of pre-canned “HIPAA” policies without proper consideration of all applicable laws, or hiring a “national” consultant that does not have proper sensitivity to state law and/or Part 2 are common situations that can result in incorrectly institutionalizing the “HIPAA bias” in policy. This creates a very dangerous situation from a compliance perspective.
Wisconsin law is a good example of how state and federal law require a triage process in various disclosure scenarios. But the need to apply state and federal law is not uncommon in other states. Many states provide greater confidentiality protections for special categories of information such as mental health records. Be sure that you correctly apply all relevant law and that your policies consider all relevant laws. Only then can you assure that you do not fall victim to the HIPAA Bias.
The content in the following blog posts is based upon the state of the law at the time of its original publication. As legal developments change quickly, the content in these blog posts may not remain accurate as laws change over time. None of the information contained in these publications is intended as legal advice or opinion relative to specific matters, facts, situations, or issues. You should not act upon the information in these blog posts without discussing your specific situation with legal counsel.
© 2020 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.