Public Entities and HIPAA: When Public Information Laws and HIPAA collide

» Articles » Legal Articles » Article

July 10, 2006

Most public or governmental entities are subject to “sunshine” laws that require them to operate in a fashion that is open to public view. Because those entities are beholden to the taxpayers as their “shareholders,” they generally must keep their deliberative processes and records open to any member of the general public who wants to observe or review them. Most jurisdictions have open meetings, open records, and public information or freedom of information acts, and public entities must meet the requirements of those laws.

This openness requirement presents a unique problem for public hospitals and the like, whose business normally consists of dealing with medical information and other records that are usually thought of as confidential. Particularly, it can be problematic when state open records laws seem to conflict with the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.

This collision of openness and privacy is particularly accentuated by a circular feature of HIPAA. The general rule of HIPAA is that “protected health information” or “PHI” may not be used or disclosed by covered entities unless specifically allowed by HIPAA. HIPAA-allowed uses and disclosures include medical treatment, payment, and healthcare operations, but there are a handful of other allowed uses and disclosures, including disclosures that are required by law. However, HIPAA also states that any state laws that are less protective of privacy are superseded by HIPAA. Of course, any state law that requires a disclosure other than for treatment, payment, or healthcare operations would probably be considered less protective of privacy than HIPAA, so it should be superseded. But, HIPAA specifically allows disclosures required by state law.

The Ohio Supreme Court addressed the issue earlier this year, and last Friday, June 16, a Texas court of appeals in Austin ruled, in Abbott v. Texas Dept. of Mental Health and Mental Retardation, that HIPAA did not prevent a state regulatory agency from disclosing information pursuant to a request that met the requirements of the Texas Public Information Act (“PIA”). The information in question involved statistics of abuse and assault at facilities run by the Texas Department of Mental Health and Mental Retardation. A newspaper reporter sought, under the PIA, statistics regarding incidents of sexual abuse and assault at TDMHMR facilities, investigations conducted and the results of the investigations, and the names of the facilities and dates that the alleged events occurred. TDMHMR released some statistics on all abuse allegations, but did not identify facilities, claiming that the information would be PHI.

Continue reading below

FREE Legal Training from Lorman

Lorman has over 35 years of professional training experience.
Join us for a special white paper and level up your Legal knowledge!

Litigation or Legal Holds for Reasonably Anticipated or Actual Litigation
Presented by John E. Delaney

Learn More

The appeals court noted that it was skeptical of whether the information was actually PHI, but since neither party raised the characterization of the information, the court proceeded to reach an opinion of whether the information should be disclosed, assuming it was PHI. The court determined that the information could still be disclosed under the PIA because that is a disclosure “required by law” and thus is permissible under HIPAA. The court rejected the arguments of TDMHMR that HIPAA made the requested information “confidential” and therefore not disclosable under the PIA, or that the PIA was superseded by HIPAA as a state law less protective of privacy.

Early press reports of the decision note it as a case of state law overriding HIPAA, but that’s a mischaracterization. In this case, because of the “required by law” provisions of HIPAA, both HIPAA and the PIA could be accommodated. It should also be noted that the PIA and the Texas Open Records Act have exceptions for information that is confidential under case law, statute, or the constitution, as well as other exceptions for other personal or private information. The attorney general determined that the information sought, even if it was PHI, was not the type of information that would meet an exception to disclosure under the PIA.

Public hospitals must comply with the requirements of HIPAA, as well as the requirements of the PIA. The PIA has a “default” setting that encourages disclosure, but recognizes that some information should not be publicly available. If a public hospital is requested to disclose information that may contain PHI under a PIA or open records request, it must determine if an exception to disclosure under PIA exists. In most cases involving medical records, there will be relief under the “confidentiality” exception. But if there’s no exception under PIA or the Open Records Act, the public hospital must disclose the information. Note, however, that if a hospital determines that there is an exception, the hospital does not get to unilaterally invoke the exception; rather, the hospital must submit the issue to the Attorney General’s office for a ruling.

On a final note, recently passed legislation requires each director and most officers of public entities, including public hospitals, to receive Open Meetings Act and Open Records Act training. Therefore, public hospitals should be more prepared than ever to address potential conflicts between their “public” nature and their HIPAA obligations.

If you have any questions about the information in this e-Alert, please contact Jeff Drummond at 214.953.5781 or [email protected]. Click Here to visit Mr. Drummond's HIPAA Blog.

The material appearing in this web site is for informational purposes only and is not legal advice. Transmission of this information is not intended to create, and receipt does not constitute, an attorney-client relationship. The information provided herein is intended only as general information which may or may not reflect the most current developments. Although these materials may be prepared by professionals, they should not be used as a substitute for professional services. If legal or other professional advice is required, the services of a professional should be sought.

The opinions or viewpoints expressed herein do not necessarily reflect those of Lorman Education Services. All materials and content were prepared by persons and/or entities other than Lorman Education Services, and said other persons and/or entities are solely responsible for their content.

Any links to other web sites are not intended to be referrals or endorsements of these sites. The links provided are maintained by the respective organizations, and they are solely responsible for the content of their own sites.