
The relationship between HIPAA Privacy Rule and state public records laws


According to the National Institutes of Health, “In general, the Privacy Rule overrides (or preempts) State laws relating to the privacy of health information that are contrary to the Rule. Any provision of State law that is not contrary to a provision of the Privacy Rule will remain in full force and effect, so that covered entities will continue to have to follow such State laws in addition to the Privacy Rule. However, even where a State law is contrary to the Privacy Rule, there are certain exceptions where the Privacy Rule will not override the contrary State law. For example, State laws that relate to the privacy of individually identifiable health information and are both contrary to and more stringent than the Privacy Rule will continue to stand. In addition, contrary laws and procedures established under State law that provide for reporting of disease or injury, child abuse, birth or death, or for conducting public health surveillance, investigation, and intervention also are not overridden by the Privacy Rule.”

Related: HIPAA Privacy Rule's impact on state public record laws


Understanding the basic frameworks

State Public Records Laws

“Similar to the federal-level Freedom of Information Act (FOIA), state open records laws allow individuals to access records and information held by state agencies,” states ScienceDirect in “Using open records laws for research purposes.” These laws typically require that government agencies make their records available to the public upon request, with certain exceptions. Each state has its own version of these laws, sometimes called “sunshine laws” or “open records acts.”


HIPAA Privacy Rule

The Department of Health and Human Services (HHS) clarifies that, “The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.”


The intersection and potential conflicts

Preemption principles

The HIPAA Privacy Rule generally preempts contrary state laws, including public records laws, when they provide less protection for individual privacy. However, if a state law provides greater privacy protections or rights concerning protected health information (PHI), the state law prevails.

The HHS outlines that, “In general, State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements will apply. "Contrary" means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.”

The Privacy Rule provides exceptions to the general rule of federal preemption for contrary State laws that:

  • relate to the privacy of individually identifiable health information and provide greater privacy protections or privacy rights with respect to such information (45 CFR § 160.203(b)),
  • provide for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention (45 CFR § 160.203(c)), or
  • require certain health plan reporting, such as for management or financial audits (45 CFR § 160.203(d)).

In addition, HHS states, “Preemption of a contrary State law will not occur if HHS determines, in response to a request from a State or other entity or person, that the State law:

  • Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
  • Is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  • Is necessary for State reporting on health care delivery or costs,
  • Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
  • Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.”

Considerations for government agencies

  1. Government agencies that are also HIPAA covered entities must comply with both sets of requirements. This means they cannot release protected health information in response to a public records request unless:
    • The HIPAA Privacy Rule specifically permits the disclosure
    • The individual has authorized the disclosure
    • The information has been properly de-identified according to HIPAA standards
  2. Some government agencies may designate themselves as "hybrid entities" under HIPAA, meaning only certain components of the organization are subject to HIPAA requirements. This designation can help agencies manage their dual obligations more effectively.

Learn more: The function of the Privacy Rule in preventing conflict with state laws


Recommendations for organizations

  1. Develop clear policies: Organizations should establish written procedures for handling requests that implicate both HIPAA and public records laws.
  2. Train staff: Ensure that personnel handling records requests understand both sets of requirements and know when to seek legal counsel.
  3. Implement strong security measures: Maintain security protocols to protect PHI while still facilitating appropriate public access to records.


FAQs

Can government agencies release protected health information under state public records laws?

Government agencies must comply with HIPAA rules and can only release PHI if authorized by the individual or permitted under the Privacy Rule.


What is a hybrid entity under HIPAA?

A hybrid entity is a government agency that designates specific parts of its organization as subject to HIPAA requirements.


When can state laws override the HIPAA Privacy Rule?

State laws can override HIPAA if they provide greater privacy protections, are necessary for public health, or are required for specific state purposes.