Federal vs. State Law
Although the term "preemption" is typically thought of in terms of an ERISA analysis, many HIPAA issues require a preemption analysis. As a general rule, HIPAA should be thought of as a regulatory "floor" of provisions. In other words, HIPAA provides a baseline of privacy requirements that state law cannot abrogate. This is not to say, however, that state law will not provide the answer to a given privacy concern.
State privacy laws are preempted by HIPAA if the state law is contrary to HIPAA. In order to determine whether the state law is contrary, two questions should be asked:
1. Would a Covered Entity find it impossible to comply with both the state and federal requirements?
2. Does the state law stand as an obstacle to the accomplishment and execution of the full purposes and objectives of the Privacy Rule?
Generally, if the answer to either of these questions is "yes," then the state law requirement will be preempted by HIPAA. It is important to keep in mind, however, that stronger state laws that are not contrary to HIPAA will apply. Such laws typically further limit the use or disclosure of PHI, create greater rights of access to PHI to the individual, strengthen authorization protection, or impose greater record-keeping requirements.
For example, many states have more stringent state laws regarding the use and disclosure of HIV/AIDS records, drug and alcohol treatment records, DNA records, and sexual assault victim records. Additionally, some states (with California being a prime example) have extremely intricate and detailed bodies of law that provide more stringent requirements that parallel much of the Privacy Rule.
Privacy vs. Security
Although the HIPAA statute and regulations address much more than privacy and security (e.g., health care transaction standards, fraud and abuse provisions, and provisions regarding medical savings accounts), HIPAA has become synonymous with patient privacy. Furthermore, as electronic medical records become more prevalent (e.g., the recently passed Stark law exception and Anti-kickback statute safe harbor dealing with e-prescribing), the security regulations will be implicated on a more regular basis.
To a large extent, the privacy and security requirements are distinct regulatory provisions. A quick review of the security regulations, however, reveals many provisions that appear to be equally related to privacy. Generally, the following distinction between HIPAA privacy and HIPAA security holds true: Privacy generally refers to the rights of an individual to limit the use and disclosure of PHI; Security generally refers to the obligations of Covered Entities to safeguard health information from improper use or disclosure. In other words, the Privacy Rule addresses the "what," and the Security Rule addresses the "how."
Importantly, and to further complicate matters, the Security Rule essentially provides Covered Entities with a list of security issues that must be addressed. At no point does the Security Rule instruct Covered Entities how to implement these security standards. Although what appears to be a lack of direction in the Security Rule may seem frustrating to a provider (or an attorney advising the provider), the various administrative, technical, and physical safeguards described in the Security Rule are specifically designed to be both flexible and scalable. Security "solutions" should be proportionate to an organization's risks, and be based on organizational circumstances such as size, complexity, and capabilities.
Violating HIPAA can be very costly. Civil penalties range from $100 per incident to $25,000 per person per year per standard violated. On the criminal side of enforcement, illegally obtaining or disclosing PHI can result in a fine of up to $50,000 and one year in prison. Obtaining PHI under "false pretenses" can be punished with fines up to $100,000 and five years in prison. Obtaining or disclosing PHI with the intent to sell, transfer, or use the PHI for commercial gain, personal gain, or malicious harm can result in even stiffer penalties - up to $250,000 and ten years in prison.
Civil enforcement of HIPAA is handled by the Department of Health and Human Services' Office of Civil Rights ("OCR"), while criminal enforcement is overseen by the Department of Justice. The final Enforcement Rule was issued in February of 2006, and makes the HIPAA enforcement provisions applicable to all aspects of the Administrative Simplification Standards (not only the Privacy Rule). Importantly, the Enforcement Rule affirms that the OCR's enforcement philosophy is one of voluntary compliance.
That said, although enforcement measures have not traditionally been onerous, the tide appears to be changing with regard to enforcement and the mindset of those investigating reported HIPAA violations.
Do Not be Fooled by the Myths
When discussing privacy and security issues with fellow health care providers, patients or friends, one of the first obstacles to overcome is their preconceived assumptions about what HIPAA does or does not permit. The following are a few of the many common myths regarding the Privacy Rule:
-- Myth - A hospital is prohibited from sharing information with the patient's family without the patient's express consent.
-- Fact - The Privacy Rule permits the disclosure to a patient's family members (not just immediate family) or close friends of medical information that is directly relevant to that person's involvement with the patient's care. If the patient is in the room when a provider is about to disclose such information and the patient does not object to such disclosure, the provider may freely disclose the information. On the other hand, if the patient is unable to provide consent (for example, because the patient is unconscious or because of an emergency situation), the provider must determine whether such disclosure is in the best interest of the patient.
-- Myth - HIPAA does not permit providers to communicate with patients via email.
-- Fact - So long as the communication is made with reasonable and appropriate safeguards (such as encryption) to protect against any reasonably anticipated threats to the security of the information, email communication is permitted.
-- Myth - A patient's family member can no longer pick up prescriptions for the patient from a pharmacy.
-- Fact - This is simply not true. If a pharmacy does not allow this practice, the prohibition is one set forth in the pharmacy's policies and not one mandated by HIPAA.
In addition to addressing the many commonly circulated myths regarding the Privacy Rule, there are many provisions within the regulations to which health care providers and their attorneys should pay special attention.
The Privacy Rule specifically addresses the manner in which records should be released in response to a court order or subpoena. Additionally, there are provisions that address how Covered Entities should interact with a patient's personal representative. Although these provisions can appear somewhat intricate, a careful reading of the regulatory language, along with the published comments within the federal register, and diligent cross-referencing throughout the Privacy Rule will enable a thorough understanding of the concerns at issue.
Any questions or comments should be directed to: firstname.lastname@example.org. Tracy Green is a principal at Green and Associates. They focus their practice on the representation of professionals, particularly health care professionals including individual physicians, corporate providers and group practices. Their website is: http://www.greenassoc.com/