“HIPAA In Relation to Other Federal Laws” Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference October 23, 2002


Overview

Basics of HIPAA and other laws

Other federal laws:

– FERPA, Privacy Act, etc.

HIPAA and Financial Services

Conclusion


I. Basics of HIPAA and Other Laws

When are you required to disclose medical data?

Much confusion on this during drafting period

Basic HIPAA approach -- HIPAA itself never requires disclosure

Exactly two exceptions

– Access to patient records, Sec. 164.524

– HHS enforcement of the rule, Sec. 160.310(c)


“Required by Law”

Many situations where other law requires you to disclose medical data

– Most clearly for a court order

– Not a HIPAA violation to comply

Sec. 164.512(a): “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.”


Basics on required disclosures

HIPAA (almost) never requires disclosure

HIPAA generally creates new legal limitations on using and disclosing PHI

HIPAA says you may disclose where required by other law

It’s your call what you are required to do -- HIPAA doesn’t give the answer

Both HIPAA and other law apply


The Privacy Act as Example

Law applies to federal agencies, with fair information practices limiting disclosure and providing access

As of April, 2003 federal agencies will comply with both laws, where applicable

HIPAA enforcement for HIPAA violations

Privacy Act enforcement for Privacy Act violations


EMTALA as Example

Requires treatment on site where patient arrives in emergency situation

HIPAA applies -- must protect PHI but can use & disclose it more broadly for treatment, payment & health care operations

EMTALA applies -- a separate, ongoing legal requirement


Public Health & Health Oversight

Public health, Sec. 164.512(b)

Health oversight, Sec. 164.512(d)

Both say covered entity “may” disclose

No new compulsion from HIPAA to require the disclosure

If a covered entity believes disclosure is not appropriate, and disclosure is permitted by HIPAA, then the other law governs


II. HIPAA Provisions about Other Law

Some provisions in HIPAA specifically point to other statutes as supplying the applicable law

Workers’ Comp, Sec. 164.512(l)

– May disclose “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault”

– Required vs. permissive disclosure the key


FERPA -- Educational Records

In HIPAA:

– Definition of “protected health information” excludes

– “educational records” covered by

– the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g

Therefore, if records covered by FERPA, no HIPAA obligations


FERPA

“Educational records” are:

– “those records, files, documents, and other materials which

– contain information directly related to a student; and

– are maintained by an educational agency or institution or by a person acting for such agency or institution”


What Does this Mean for Schools

K-12 nurses -- clearly only have FERPA and not HIPAA

Universities and schools serving over 18 years old -- right to the student instead

What if student health services also serve non-students? Spouses, employees?

– Legally, HIPAA applies to those

– Practically, keep separate?


HIPAA and the End of College Athletics!

Will we learn that the quarterback is hurt?

Will sports gamblers be able to pursue their chosen profession?

FERPA -- governs school athletes, authorizations required as today

Pro sports -- authorization can be required by the employer

– Will union contracts limit that?


III. HIPAA & Financial Services

Gramm-Leach-Bliley & HIPAA

2 statutes, comply with both

Does that mean 2 notices for covered entities?

GLB came first

– GLB agencies contemplated that compliance with HIPAA would count for GLB notice

– I am not aware of any follow-up clarification by GLB agencies


GLB & HIPAA

HHS comments, Dec. 2000

– agencies consult to avoid duplication

– insurers covered by GLB would be subject to states, not FTC

The upshot:

– Health insurers or other dual covered entities likely can give only HIPAA notice

– No definitive word from GLB agencies, though


HIPAA and Financial Services

The “payment” exception in HIPAA Sec. 1179

Easy case

– Check, credit card and the basic routing information

– Name, account numbers, what is needed to process the payment itself

– That data entirely outside of HIPAA


Payments and HIPAA

“Back office”

– As financial institution goes deeper, and does back office for a covered entity, HIPAA risk grows

– At some point, become business associate

Clearinghouse

– Convert standard/nonstandard transactions

– Specialized financial services entity, can become a covered entity


Conclusion on Other Fed. Laws

Disclosure required by other law, then at least may disclose PHI

Disclosure permitted by other law, then HIPAA limits apply

Disclosure forbidden by other law, then HIPAA does not authorize the disclosure (with tiny possible exceptions)


Contact Information

Web: www.peterswire.net

Email: [email protected]

Phone: (240) 994-4142