Bringing the health care industry into compliance with the privacy provisions of the federal Health Insurance Portability and Accountability Act of 1996 is no easy task. The HIPAA privacy provisions contained in 42 U.S.C. §1320d, and the implementing regulations contained in 45 C.F.R. Parts 160 and 164, establish national standards to protect individuals’ personal health information and give patients increased access to their medical records. Most entities covered by HIPAA must comply with the privacy standards by April 14, 2003, although small health plans have until April 14, 2004. The HIPAA privacy regulations are not only voluminous and detailed, they are too new to have been tested.

Yet, for health care attorneys in California, interpreting the federal law and rules is just the beginning of our task. HIPAA sets a minimum standard for patient privacy, but state law will prevail if it provides more stringent privacy protection. With the race to come into compliance with the HIPAA privacy requirements by April, many covered entities have overlooked the implications of HIPAA preemption for their operations. However, conducting a preemption analysis is a critical step in every HIPAA compliance effort.

Under the general rule, HIPAA preempts any provision of state law that is “contrary” (45 C.F.R. §160.203). If an entity that is subject to HIPAA would find it impossible to comply with both the federal HIPAA requirements and state privacy requirements, or if the state provision acts as an obstacle to HIPAA compliance, then the HIPAA provision prevails. However, if a provision of state law is “more stringent,” i.e., it provides more privacy protection than HIPAA, or if an exception applies, then the entity must comply with the state law. Note that the preemption rule applies provision by provision. Thus, even if much of a state law is generally “more stringent” than HIPAA, if a single provision fails the stringency test, then HIPAA will apply to that provision. Accordingly, entities will often find they need to comply with both federal and state requirements.

CALIFORNIA’S PRIVACY LAWS

Unlike many states, California already had a well-developed system of privacy protections in place when Congress passed HIPAA. California’s range of privacy protections is applicable not only to providers, but also to health plans, insurers and other entities subject to HIPAA. Some California laws protect the privacy of specified types of information, such as HIV status, mental health records and patient records. For example, the Lanterman-Petris-Short Act governs the confidentiality of mental health records and the Patient Access to Health Records Act establishes requirements for providing patients with access to their own medical records. Perhaps the most extensive state privacy safeguards appear in the California Medical Information Act, which establishes detailed protections for certain patient information.

Below we highlight several of the significant preemption issues raised by the CMIA: identifying who is covered by which law, defining the information that must be protected, establishing adequate disclosure procedures to researchers and business associates and making disclosures to employers. While these examples are just the tip of the preemption iceberg, they provide a sampling of the range of issues that every California health care entity must consider when attempting to comply with both HIPAA and California law.

Applicability. Not every entity that is subject to HIPAA is subject to the CMIA. HIPAA applies to “covered entities” — health plans, health care clearinghouses and any health care provider who transmits health information in electronic form in connection with a covered transaction. However, the CMIA applies to providers of health care, health care service plans and “contractors” — medical groups, independent practice associations, pharmaceutical benefits managers, or medical service organizations that are not health care service plans or providers of health care. Thus, before any preemption analysis, the first question for every entity must be: Am I covered by both laws?

Protected information. “Protected health information” under HIPAA is not identical to the “medical information” protected by the CMIA. HIPAA protects individually identifiable health information that is transmitted or maintained in any form or medium. Under HIPAA, health information includes any information, whether oral or recorded, that is created or received by a provider, plan, public health authority, employer, life insurer, school, university or health care clearinghouse and that relates to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for care to that individual. On the other hand, the CMIA’s definition of protected “medical information” applies only to individually identifiable information in electronic or physical form, not oral. Such information must be in the possession of, or derived from, a narrower list of entities than provided for under HIPAA: a provider of health care, a health care service plan, or a “contractor.” Finally, applicable information under the CMIA relates only to a patient’s medical history, mental or physical condition, or treatment. The CMIA’s definition contains no reference to payment.

Research. HIPAA contains more stringent protections for research disclosures than the CMIA. Under the CMIA, a provider of health care or a health care service plan may disclose medical information for bona fide research purposes to public agencies, clinical investigators (including investigators conducting epidemiologic studies), health care research organizations, and accredited public or private nonprofit educational or health care institutions, provided the information is not further disclosed by the recipient in a manner that identifies any patient or violates the act. HIPAA, however, prohibits such disclosure without first obtaining a patient’s authorization or a waiver of authorization from an institutional review board or certified privacy board. HIPAA also allows disclosure of partially de-identified information contained in a “limited data set” if both parties enter into a limited data set agreement to protect against improper disclosure.

Business associates. The HIPAA business associate rule preempts the CMIA’s contrary prohibition against the disclosure of medical information to a person or entity that is not engaged in providing direct health care services to the patient (or to his or her provider, plan, insurer or self-insured employer). The CMIA only permits such disclosures with the express authorization of the patient, enrollee or subscriber. HIPAA, however, allows covered entities to disclose protected health information to “business associates” without any such authorization (and also allows business associates to create or receive such information on their behalf), provided the parties enter into a business associate agreement. A business associate does not provide direct health care services to patients. Rather, it operates on behalf of a covered entity (or an organized health care arrangement) to provide such services as claims processing, billing or utilization review. By entering into a business associate agreement, the disclosing entity obtains the reasonable assurances required by HIPAA that the protected health information disclosed to the business associate will be appropriately safeguarded. Because an entity could not conform to both the state and federal rules, HIPAA prevails.

Disclosures to employers. The CMIA and HIPAA differ in how they regulate the disclosure of medical information to an employer. Under California law, a provider or a plan that creates medical information about an employee may disclose that employee’s medical information to his or her employer. However, such disclosure is permitted only if the information results from employment-related health care services performed at the employer’s prior written request and expense. Furthermore, the information that may be disclosed is limited. The disclosure must either be relevant to a proceeding in which the patient has placed his or her medical history, condition or treatment at issue, or it must describe the patient’s functional limitations, if any, that would warrant medical leave or limit the performance of a particular job.

HIPAA, by contrast, permits a covered health care provider (but not a plan) to disclose protected health information to an employer if the provider is itself a member of the employer’s workforce or if it provides the care at the request of the employer. The disclosure may be about any member of the employer’s workforce — not only employees, but also volunteers, trainees and anyone else whose work performance is under that entity’s direct control. Furthermore, disclosure is permitted not only to evaluate whether the patient has a work-related injury, but also to conduct an evaluation relating to medical surveillance of the workplace, provided the employer needs the information to comply with federal Occupational Safety and Health Administration regulations, federal Mine Safety and Health Administration regulations or similar California law, to record injuries or illness or to conduct medical surveillance of the workplace. Unlike California law, under HIPAA the provider must notify the individual that protected health information relevant to such purposes will be disclosed to his or her employer.

In addition to the CMIA, the Lanterman-Petris-Short Act and the Patient Access to Health Records Act, other areas where California law may be subject to HIPAA preemption include, but are not limited to:

The Knox-Keene Health Care Service Plan Act of 1975, regulating California health plans (Cal. Health & Safety Code).
Injury reporting requirements (Cal. Penal Code).
The Child Abuse and Neglect Reporting Act (Cal. Penal Code).
Reporting requirements for assaults against hospital personnel (Cal. Health & Safety Code).
The Insurance Information Privacy Protection Act, applicable to California insurers (Cal. Insurance Code).
Procedural and evidentiary rules governing patients’ medical records (Cal. Code of Civil Procedure and Cal. Evidence Code).
The Elder Abuse and Dependent Adult Civil Protection Act (Cal. Welfare & Institutions Code).
The Information Practices Act of 1977, protecting the privacy of personal information (Cal. Civil Code).
Disclosure of AIDS-related information for purposes of public health and safety (Cal. Health & Safety Code).