Safeguarding Patient Health Information in an Emergency Situation
Even in an emergency situation such as that presented by the COVID-19 pandemic, covered entities must continue to meet their obligations under federal and state laws protecting the confidentiality of patient health care information, and to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. They must continue to comply with the administrative, physical, and technical safeguards of the Security Rule and Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The obligation to conduct periodic HIPAA security assessments continues, even during the existence of an emergency or natural disaster. The obligation to meet the requirements of state laws protecting special status health information, such as mental health records and drug and alcohol rehabilitation records, also continues through a pandemic.
Each of the bodies of regulations that apply to patient health information contains certain specific provisions that can apply during a pandemic. For example, HIPAA permits disclosures to public health authorities and others where necessary for purposes of controlling the spread of the virus or to otherwise protect the public from harm. These exceptions permit disclosures that may be in the public good for purposes of addressing the emergency situation. The emergency exceptions do not provide a blanket exemption from assuring compliance with applicable regulations.
HIPAA Applies Only to Covered Entities and Business Associates, But Other Laws May Apply More Broadly
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. HIPAA does not apply to others, such as some emergency workers, law enforcement, fire responders, and other first responders who may be involved in the course of a patient’s health care episode. But you should be aware that other laws, such as laws protecting confidentiality of mental health treatment information and substance/alcohol rehabilitation records, may be applicable and will normally be more protective of patient confidentiality than HIPAA. Covered entities include health plans, health care clearinghouses, and most health care providers. Business associates generally are persons or entities that are not inside the organization and who perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information.
Business associates also include subcontractors of other business associates that create, receive, maintain, or transmit protected health information. The HIPAA privacy rules do not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply. A business associate of a covered entity may make disclosures permitted by the HIPAA rules, including those that are available in the case of an emergency.
Although HIPAA may not apply to law enforcement and others who may come into possession of information concerning the health care of an individual, other federal and state laws apply more broadly and extend beyond covered entities and business associates. For example, the regulations applicable to substance and alcohol abuse records require any party who receives the protected information from the provider to comply with a prohibition against redisclosure. Even though law enforcement and other first responders may not be covered entities or business associates as defined in HIPAA, the provisions of 42 CFR Part 2, the federal regulations providing confidentiality protection for substance and alcohol abuse treatment records, and possibly state laws protecting mental health records, may impose an obligation on law enforcement and other non-covered entities to maintain the confidentiality of the information that they receive.
Understanding HIPAA and Its Interaction with State and Federal Confidentiality Laws
HIPAA Privacy Restrictions and Part 2
HIPAA, the body of regulations designed to protect the confidentiality of patient health care information, has been highly effective in creating widespread awareness within health care facilities. Most staff members understand that HIPAA prohibits them from discussing patients outside of work and from disclosing protected patient information to third parties unless there is a valid HIPAA exception or the patient has provided authorization for disclosure.
The strong “branding” of HIPAA is beneficial, as it reinforces regulatory awareness and helps safeguard patient confidentiality. However, from a legal perspective, this heightened awareness sometimes leads to the assumption that any potential disclosure of patient information is automatically a “HIPAA issue.” While this generalization represents a positive sensitivity to confidentiality, it can also obscure the fact that other, sometimes more protective, laws may apply to certain situations.
Despite its prominence, HIPAA is not the only law safeguarding patient information, nor does it always offer the highest level of protection. While HIPAA sets a national baseline for privacy, many professionals mistakenly assume it is the sole standard. Compliance with patient privacy regulations requires a broader understanding of how HIPAA interacts with other confidentiality regulations, ensuring that all applicable standards are met in each circumstance. Other state and/or federal law can, in some instances, provide more protection of patient privacy than HIPAA.
Beyond HIPAA: Other Protective Laws
There are several laws that can provide greater confidentiality protection than HIPAA. These include specific state law requirements, enhanced protections for mental health treatment records, and special laws governing substance and alcohol treatment records. By broadly labeling all confidentiality matters as “HIPAA issues,” there is a risk that the nuanced requirements of these other laws may be overlooked. In extreme cases, this oversight can result in facility policies that, if followed, could violate the law by failing to properly identify which regulations apply in a particular scenario.
In addition to HIPAA, a complex patchwork of state and federal laws also governs the confidentiality of health information. Many states have statutes that set higher standards of privacy or apply to categories of records not explicitly addressed by HIPAA, such as mental health, HIV/AIDS, or genetic information. Similarly, certain federal laws, like 42 CFR Part 2, which applies to substance use disorder records, impose even stricter requirements for consent and disclosure. As a result, health care providers, administrators, and compliance officers must be aware of overlapping legal obligations and consistently apply the most protective standard to ensure full legal compliance and safeguard patient trust.
Illustration: Application of State Law in Wisconsin
To illustrate this principle, consider the state of Wisconsin, which maintains its own “HIPAA” statute codified at Wisconsin Statutes 146.32. Wisconsin law often imposes more stringent or protective requirements on patient confidentiality than those set forth under HIPAA. In addition to general confidentiality provisions, Wisconsin enforces specific regulations concerning mental health treatment records as outlined in Statute 51.30 and administrative directives at DHS 92. These protections are notably stricter than both HIPAA requirements and state standards applicable to general patient records. Historically, restrictions governing mental health records were so rigorous that providers could not share a patient’s records with another treating provider without obtaining explicit written consent from the patient.
Recognizing the practical challenges associated with these heightened restrictions, Wisconsin enacted the “HIPAA Harmonization Act” in 2013. This legislation mitigated some of the most burdensome limitations and introduced a requirement for providers to “triage” each disclosure request. Through this triage process, providers must determine whether the more permissive HIPAA rules or the more restrictive state statutes take precedence, especially regarding mental health treatment records.
The Triage Process Under Wisconsin Law
Pursuant to the HIPAA Harmonization Act, HIPAA governs disclosures related to “payment, treatment, or health care operations.” Subsequently, Wisconsin expanded these provisions to narrowly defined emergencies, thereby permitting disclosures to other treating providers if consistent with HIPAA. While HIPAA would generally mandate disclosure to a treating provider, for disclosures beyond treatment, payment, health care operations, or specified emergency situations, the more restrictive state law prevails. Although certain exceptions exist under Wisconsin law, they are considerably narrower compared to those allowed under HIPAA.
HIPAA Preemption and the Harmonization Act
HIPAA’s preemption rules generally require that the more restrictive law, whether federal or state, be applied. If HIPAA is more restrictive, it prevails; if state law is more restrictive, the state law applies. However, under the Wisconsin Harmonization Act, this preemption analysis does not apply in situations where HIPAA governs (i.e., disclosures for payment, treatment, or health care operations), since the Act’s very purpose is to specify when HIPAA standards override state law. In cases where the Harmonization Act dictates that the more restrictive state law applies, that law is followed unless HIPAA is even more restrictive. Thus, providers must always be attentive to which set of rules is most protective in each scenario.
Preemption refers to the circumstance in which HIPAA’s regulations override state law, except where the state law is more stringent regarding privacy protections. Under the Harmonization Act, Wisconsin providers must always identify the law that offers the greatest protection to patient information and apply that standard. This approach underscores the necessity for health care professionals to conduct careful legal analysis and remain vigilant to changes in both federal and state confidentiality requirements.
SAMHSA Part 2: The Most Restrictive Regulations
Among the various federal regulations, 42 CFR Part 2, administered by the Substance Abuse and Mental Health Services Administration (SAMHSA), stands out as one of the most restrictive frameworks for protecting the confidentiality of substance use disorder (SUD) treatment records. Part 2 imposes limitations that go beyond HIPAA and most state laws, requiring explicit written consent from the patient before most disclosures can be made, even for purposes like treatment, payment, or health care operations. This heightened level of protection is intended to encourage individuals to seek treatment without fear that their sensitive SUD information will be widely disclosed.
For health care providers, compliance with Part 2 means that, when SUD records are involved, the strictest standard must be applied, often necessitating a separate consent process and additional safeguards. In practice, this may require maintaining SUD records separately from other health information and routinely verifying the legal basis for any disclosure. Providers must also stay alert to evolving federal and state regulations, as changes to SAMHSA Part 2 or state law may further impact confidentiality protocols.
Avoiding the “HIPAA Bias” in Compliance
The detailed requirements and exceptions of these regulations are complex, but the essential point is this: referring to all patient confidentiality matters as “HIPAA issues” can be misleading and potentially dangerous from a compliance perspective. Overreliance on generic “HIPAA” policies, or hiring consultants without sensitivity to state and federal nuances, can institutionalize what is referred to as the “HIPAA bias.” This can leave organizations vulnerable to compliance failures if they do not carefully consider all relevant laws.
Conclusion: Applying the Correct Law
Wisconsin provides a clear example of how both state and federal laws must be considered when determining the appropriate approach to patient information disclosures. Many other states also provide heightened confidentiality protections for certain types of information, such as mental health records. It is critical to accurately identify and apply all relevant laws in policy and practice to ensure full compliance and avoid the pitfalls of the “HIPAA bias.”
For more information, please contact your PhysiciansHealthLawyers.com health care attorney.
OCR Settlement Lessons – No Risk Assessment Exposes Provider to Liability
Failure to conduct a risk assessment before a hacking incident occurred resulted in a $400,000 settlement between OCR and a Federally Qualified Health Clinic. The FQHC filed a breach report upon learning that its employee emails had been hacked and that the hacker had access to the electronic health information of over 3,000 patients. The OCR investigation that resulted from the breach disclosure revealed that required corrective action was taken in response to the breach but that the provider had failed to conduct a timely risk analysis. Furthermore, the provider had failed to conduct an assessment of the risks and vulnerabilities to ePHI prior to the breach and had not implemented corresponding risk management plans to address electronic risks. Even when the provider did conduct a risk analysis, OCR found the analysis to be insufficient to meet HIPAA security standards.
Lesson 1 – Conduct an analysis of electronic risk vulnerabilities before an unauthorized access breach occurs.
Lesson 2 – OCR considered that the provider was a Federally Qualified Health Clinic and still imposed a $400,000 settlement amount.
Lesson 3 – Don’t overlook the HIPAA security rules.
HIPAA Audits of Physician Practices – Phase II Audits
The HHS Office for Civil Rights (“OCR”) has officially announced the commencement of its 2016 Phase 2 HIPAA Audits. In Phase 2, OCR will be reviewing the policies and procedures of covered entities and their business associates. This phase of audits is intended to determine whether providers have properly implemented and satisfy the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. For the most part, Phase 2 audits will include only document review to determine compliance with policy and procedure requirements. In cases of noncompliance, the initial document review may turn into a formal site visit and a more complete HIPAA audit.
OCR will be sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. This will be followed by transmission of a pre-audit questionnaire asking for information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools. It is critical that providers respond to the request for information within the specified timeframes. Failure to respond may increase the risk of further audit and scrutiny. More details will be forthcoming from OCR regarding audit protocols.
Not all providers will be subject to audit. OCR is in effect using the increased risk of audit to assure that providers make preparations and enhance their policies, procedures, business associate agreements, and other compliance documentation and practices. A provider’s chances of audit are much greater under the Phase 2 audit program than under the prior phase. Given the public nature of the program and the time that providers have been given to get their ship in order, audits are likely to be less forgiving than in the previous phase.
What does this mean for providers? Now is the time to make certain that HIPAA practices, policies, and procedures are in compliance with legal requirements. Providers may consider performing effectiveness audits of their HIPAA processes to identify any gaps in policy and practice that could lead to further investigation under the Phase 2 program.