The following describes the scope of the Privacy Study and the methodology used to develop the various elements of the Privacy Study.
A. Selection and Summary of State Rules
1. State Rules Included in the Privacy Study
The Privacy Study catalogs and summarizes certain state laws relating to the privacy and confidentiality of health information. In particular, the Privacy Study includes provisions that satisfy several criteria:
- The state rule derives either from state statutes or regulations;
- The state rule governs one of the types of entities covered by the Privacy Study ("Study Entities"); and
- The state rule relates to the privacy or confidentiality of health information (e.g., disclosure of health information, reporting of health information and provision of access to health information).
In addition, the Privacy Study incorporates the following: (i) state peer review, physician-patient and other evidentiary privileges; and (ii) a summary of state laws concerning persons authorized to make health care decisions on behalf of others. In the case of evidentiary privileges, the Privacy Study contains a summary of the state rule and directs the user to comply with the state rule. This is due to the fact that the application of evidentiary privileges is generally informed by extensive bodies of case law, and case law is not addressed in the Privacy Study. For each state, the Privacy Study also includes a single record, under the Personal Representatives topic, that summarizes various treatment consent laws. These provisions are incorporated as a reference tool to inform users concerning who can serve as a personal representative for an individual under different circumstances.
2. State Rules Excluded from the Privacy Study
As a result of the application of the principles described above, users of the Privacy Study should be aware that the following types of provisions are not addressed by the Privacy Study:
- State rules deriving from case law or Attorney General opinions;
- Local and municipal laws;
- State rules applicable solely or primarily to governmental authorities;
- State rules applicable solely or primarily to types of organizations or practitioners within the health care industry that are not included among the Study Entities (e.g., dentists, chiropractors, medical colleges);
- State rules addressing certain billing and operational requirements that involve use or disclosure of information and that, while permissible under the HIPAA rule, were not sufficiently privacy-related for inclusion in the Privacy Study;
3. Summary of State Rules
The summaries of state rules contained in the Privacy Study contain sufficient detail to enable the user to understand the relevant compliance obligations and the context in which they arise. In addition, wherever possible the summaries have been prepared using the statutory or regulatory language that describes the scope and application of the rule so that users can make their own assessment of the application of the rule to them.
Where possible, the Study addresses related statutory and regulatory provisions in the same record. In circumstances where the statutory and regulatory provisions differ in a substantive way, each provision is summarized in a different record under the same topic.
Puerto Rico: PLEASE BE ADVISED THAT THIS REPORT DOES NOT ADDRESS ANY ADMINISTRATIVE RULES OR REGULATIONS AND ONLY REFLECTS STATUTORY ACTIVITY THROUGH DECEMBER 2002, due to the unavailability of official English translations of Puerto Rico regulations and the time-lag in the availability of statutes. As a result, there may be additional provisions governing privacy that are affected by the HIPAA Rule that are not addressed in this report.
B. Application of State Rules to Study Entities
1. Factors Considered
In order to make the Privacy Study searchable by Study Entity type, each state rule has been applied to the type(s) of Study Entities that are subject to the provision. In some cases, it is relatively easy to determine from the language or context what types of entities or services were governed by a particular state rule; while in other cases, it is less obvious. In order of priority, the following factors were considered in deciding which Study Entities to apply a state rule to:
- If the state rule names particular Study Entities (e.g., "a hospital must…") or derives from a chapter of law that clearly applies to certain Study Entities (e.g., a state’s clinical laboratory licensing chapter), the state rule is applied to the named Study Entities.
- If a state rule uses more general terms to describe its application (e.g., "all health care facilities" or "all health care providers" or "all persons subject to Chapter X of the Public Health Code"), efforts have been made to determine the scope of the state rule by consulting statutory and regulatory definitions sections, applicable scope and purpose descriptions relating to the state rule, and other authorities cross-referenced in the state rule.
- In the absence of guidance from the authorities described above, a state rule is applied to Study Entities based upon general understandings about the health care industry, health information and health services.
For example, absent authoritative guidance, a state rule that requires facilities to report live births to a vital statistics registry might be applied to hospitals and clinics, with the understanding that these are the only types of Study Entities that would routinely furnish birthing services. If the same state rule also governed individual practitioners, it might also be applied to physicians and nurses/nurse practitioners/nurse midwives. It would not be applied to long-term care/skilled nursing facilities or pharmacies, among others.
2. Notes About the Application of State Rules to Study Entities
Due to the structure of the Privacy Study and the manner in which state rules are applied to Study Entities, users of the Privacy Study should bear the following in mind when performing searches:
- The Privacy Study applies each state rule only to the type(s) of services or organizations that are governed directly by the provision. To the extent that another type of Study Entity might also operate the service at issue, the state rule would not be applied to that Study Entity. It is necessary for the user to search under the directly-regulated service in order to identify the applicable provisions. For example, virtually all hospitals also operate pharmacies to serve their patients. Notwithstanding this fact, in the Privacy Study, state rules governing pharmacies are listed only under pharmacies and not also under hospitals. A multi-purpose organization like a hospital must search under the appropriate types of services in order to identify the state rules applicable to those distinct parts of its operations.
- Certain of the Study Entity types – particularly, clinics and rehabilitation facilities – can describe a number of different service settings. For example, the concept of "clinic" could include a physician group or a diagnostic center. A "rehabilitation facility" could refer to an inpatient rehabilitation hospital, an outpatient physical therapy service or a substance abuse treatment center. Consequently, state rules have been applied to these Study Entity types in circumstances where the provision applies to one of the types of settings that could fall within the Study Entity type. At the same time, it is possible that a state rule applied to one of these Study Entity types may not be relevant for all different service settings that are included in that Study Entity type.
C. Summary of HIPAA Rules
For virtually all state rules included in the Privacy Study, there is a corresponding or relevant principle from the HIPAA rule. For the user’s reference, summaries of the applicable HIPAA rules are furnished as a part of the record for each state rule in the Privacy Study when that state rule has been applied to a Study Entity that may be a covered entity for HIPAA purposes. In order to avoid the false impression that non-covered entities addressed by the Privacy Study (i.e., medical technology companies, pharmaceutical/device manufacturers, pharmacy benefit managers, third-party administrators, underwriters and utilization review organizations) are directly subject to HIPAA, HIPAA rule summaries are not provided with respect to state rules that apply to these Study Entities.
In order to assure consistency, stock summaries have been prepared and used throughout the Privacy Study; however, these summaries have been augmented to incorporate more details from the HIPAA rule where necessary to address issues raised in individual state rules. Because the HIPAA rules described in the Privacy Study are merely summaries of the actual regulatory provisions, users of the Privacy Study are strongly advised to consult with the HIPAA rule directly when addressing particular HIPAA compliance issues.
D. Preemption Standard
A preemption recommendation and analysis is furnished for each state rule addressed by the Privacy Study. Those recommendations and analyses are summaries of the application of HIPAA’s preemption rules to the state rules. Below is a brief summary of the preemption rules as they are described at 45 C.F.R. § 160.203 (the "Preemption Standard").
The Preemption Standard provides that the administrative simplification provisions of the HIPAA statute and regulations will preempt, or override, "contrary" state law unless one of four exceptions is met. In other words, unless a state rule is directly contrary to the requirements of a HIPAA rule that deals with the same issue, the state rule will remain in force.
1. What Is State Law and When Is It Contrary to HIPAA?
HIPAA defines state law as a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law. A state law provision is "contrary" if:
- A covered entity would find it impossible to comply with both the state provision and the HIPAA provision; or
- The state provision is an obstacle to the accomplishment and execution of the full purpose of the HIPAA provision.
2. When Is It Impossible to Comply with Both State Law and HIPAA?
HHS constructed a narrow definition of when it is impossible to comply with both a state law and HIPAA. HHS’s stated intent is for the HIPAA rule to serve as a "floor" for privacy protections but not to replace more detailed or protective state laws. For purposes of preemption, it is not enough that state law be "inconsistent" with HIPAA. In order to be preempted, the state and federal laws must conflict with each other to a point that one cannot comply with both.
3. When Is a State Law an Obstacle to the Accomplishment of HIPAA?
Whether a state law constitutes an obstacle to the accomplishment of HIPAA’s purposes is often less evident than whether it is impossible to comply with both laws. The "obstacle" standard may be satisfied in circumstances where one law prohibits certain activity, while the other law permits it. For instance, a state law that permits a Study Entity to charge a patient for inspection of his records would be contrary to HIPAA under this test because HIPAA would prohibit such a charge. While it is possible for the Study Entity to comply with both laws by not charging the inspection fee, the ability to do so is contrary to the purposes of HIPAA.
4. Exceptions to Preemption by HIPAA
Even if a state rule is potentially contrary to HIPAA, it would not be preempted under the following four circumstances:
- If HHS determines through an administrative review process that the state law should not be preempted (based on review criteria provided in HIPAA);
- If the state law is "more stringent" than HIPAA;
- If the state law provides for the reporting of disease, injury, child abuse, birth or death, or the conduct of public health surveillance, investigation or intervention; or
- If the state law governs accessibility to, or reporting of, information in the possession of health plans.
5. When Is State Law "More Stringent"?
State laws are considered to be "more stringent" than HIPAA if they:
- Are more restrictive with respect to use or disclosure by the covered entity (except if disclosure is required by HHS to determine compliance with HIPAA or is to the subject);
- Offer subjects of protected health information greater rights of access to or amendment of their information;
- Provide subjects of protected health information with a greater amount of their information;
- Narrow the scope or duration, increase the privacy protections afforded or reduce the coercive effect of express legal permissions required from subjects of protected health information;
- Provide for the retention or reporting of more detailed information or for a longer duration in an accounting of disclosures; or
- In any other manner, provide greater privacy protection for subjects of protected health information.
6. Steps in Preemption Analysis
Based on the preemption principles established in the HIPAA rule, one follows these steps in determining whether a state rule survives HIPAA preemption:
Step 1: Determine whether the state rule is contrary to HIPAA. If not, the state rule survives preemption.
Step 2: If the state rule is contrary to HIPAA, determine whether one of the four exceptions to preemption is satisfied.
- If one of the exceptions to preemption is satisfied, the state rule survives preemption.
- If none of the exceptions to preemption is satisfied, HIPAA preempts the state rule.
E. Recommendations and Analyses in the Privacy Study
1. Explanation of Recommendations and Analyses
As noted above, a preemption recommendation and analysis is furnished for each state rule addressed by the Privacy Study. Those recommendations and analyses are summaries of the predicted application of HIPAA’s preemption rules to the state rules.
In an effort to furnish practical guidance to users, each state rule included in the Privacy Study is accompanied by one of the following three general recommendations:
- Comply with both state and HIPAA rules;
- Comply with state rule; or
- Comply with HIPAA rule.
With each recommendation, the Privacy Study furnishes a summary explanation of the basis for the recommendation. Where the recommendation is to comply with both state and HIPAA rules, the following analyses have been used:
- State rule not contrary to HIPAA: This analysis is furnished where it is possible to comply with both the state rule and HIPAA rule without further material consideration.
- State rule not contrary to HIPAA; state rule contains additional requirements: This analysis is furnished where it is possible to comply with both the state rule and HIPAA rule, but where the state rule imposes certain additional requirements or restrictions on the Study Entity. While these additional requirements or restrictions do not make the state rule contrary to HIPAA, users should consult the state rule for a full understanding of their compliance obligations.
- State rule not contrary to HIPAA; HIPAA rule contains additional requirements: This analysis is furnished where it is possible to comply with both the state rule and HIPAA rule, but where the HIPAA rule imposes certain additional requirements or restrictions on the Study Entity. While these additional requirements or restrictions do not make the state rule contrary to HIPAA, users should consult the HIPAA rule for a full understanding of their compliance obligations.
- State rule not contrary to HIPAA; in certain aspects, state rule contains additional requirements; in other aspects, HIPAA rule contains additional requirements: This analysis is furnished where it is possible to comply with both the state rule and HIPAA rule, but where each of the state rule and HIPAA rule imposes certain additional requirements or restrictions on the Study Entity. While these additional requirements or restrictions do not make the state rule contrary to HIPAA, users should consult both the state rule and the HIPAA rule for a full understanding of their compliance obligations.
Where the recommendation is to comply with state rule, the following analyses have been used:
- No corresponding HIPAA rule: This analysis is furnished where a state rule addresses issues that are not covered by HIPAA.
- State rule contrary to and more stringent than HIPAA: This analysis is furnished where it is impossible to comply with both the state rule and HIPAA rule or where one rule stands as an obstacle to the accomplishment of the other’s purposes, and where the state rule is more protective of individual privacy or privacy-related rights.
- State rule contrary to HIPAA, but governs state public health reporting: This analysis is furnished where it is impossible to comply with both the state rule and HIPAA rule or where one rule stands as an obstacle to the accomplishment of the other’s purposes, and where the state rule addresses public health reporting issues as contemplated in 45 C.F.R. § 160.203(c).
- State rule contrary to HIPAA, but governs reporting of or access to health plan information: This analysis is furnished where it is impossible to comply with both the state rule and HIPAA rule or where one rule stands as an obstacle to the accomplishment of the other’s purposes, and where the state rule addresses requirements on health plans to furnish access to information for oversight purposes as contemplated in 45 C.F.R. § 160.203(d).
Where the recommendation is to comply with HIPAA rule, the following analyses have been used:
- No corresponding state rule: This analysis is furnished where the HIPAA rule addresses issues that are not covered by the state rule.
- State rule contrary to HIPAA; no applicable exception to preemption: This analysis is furnished where it is impossible to comply with both the state rule and HIPAA rule or where one rule stands as an obstacle to the accomplishment of the other’s purposes, and where the state rule is less protective of individual privacy or privacy-related rights.
2. Note Concerning Provisions with Multiple Recommendations
The Preemption Standard under HIPAA requires a provision-by-provision assessment of each state rule in comparison to the applicable HIPAA rule. Some state rules contain multiple requirements and exceptions, and there may be different recommendations for various subparts of the same state rule. In order to ensure that users have ready access to all parts of a single state provision (or closely related provisions), the Privacy Study has retained the subparts of such state rules in a single record. However, these state rules have been annotated (with corresponding annotations in the HIPAA summaries and Recommendation/Analysis section) in order to identify the different parts of the state rule with respect to which there are different recommendations.
F. Approach to Specific Issues
In addition to the methodology described above, users should be aware of certain other approaches that were followed in the development of the study:
Disease Reporting Requirements: With respect to state rules that establish disease or other health condition reporting requirements, where it cannot otherwise be determined to which Study Entities the state rules apply, the state rules have been applied to those providers likely to come into first contact with the patient, as follows:
- Communicable Diseases, Food Poisoning, Lung Disease and Sexually-Transmitted Diseases: Ambulatory Surgery Centers, Assisted Living/Intermediate Care Facilities, Clinical Laboratories, Clinics, Hospitals, Long-Term Care/Skilled Nursing Facilities, Nurses/Nurse Practitioners/Nurse Midwives, Physicians and Rehabilitation Facilities.
- Cancer: Ambulatory Surgery Centers, Clinical Laboratories, Clinics, Hospitals and Physicians.
- Abortions and Low-Birthweight Babies: Clinics, Ambulatory Surgery Centers, Hospitals, Nurses/Nurse Practitioners/Nurse Midwives and Physicians.
Forensic Laboratories: The Study does not address state rules that are applicable solely or primarily to forensic laboratories (i.e., laboratories whose function is to evaluate the evidentiary value of specimens collected in a criminal investigation).
Managed Care/Payor Contracting Requirements: The Study does not include state rules that specify the required terms of managed care, Medicaid or other third-party payor contracts, including contract terms that relate to the disclosure of health information. The Study does, however, include state rules that establish direct requirements for providers participating in Medicaid or other insurance programs to disclose documents or information to certain authorities.
Medical Record Content/Retention: The Study does not include state rules that govern the content of medical records or that require the retention of general medical records for a specified period of time. The Study does, however, include any state rules concerning the content or retention of privacy-related documentation (e.g., notice of privacy practices, authorization for release of information).
Physical Examination Results (Job- or License-Related): The Study does not include state rules that require physicians or other providers to report the results of physical examinations conducted for employment or professional qualification purposes.
Practitioners in Appointed Capacities: The Study does not generally include state rules that relate to the activities of practitioners, particularly physicians, when they are serving in an appointed capacity. For example, the Study would not include state rules governing physicians who have been appointed by a court to perform an examination, who have been appointed by a state board to examine claimants for disability benefits or who have been employed by a correctional facility to treat inmates.
Practitioner Substance Abuse Treatment Programs: Many state licensure boards operate programs through which practitioners can seek assistance for substance abuse issues. The Study includes any related rules that authorize or require a treating practitioner to disclose information concerning an individual licensee’s progress in treatment for a substance abuse problem. The Study does not include state rules that permit or require a practitioner to disclose that they suspect or have evidence that another provider has a substance abuse problem.
Puerto Rico: PLEASE BE ADVISED THAT THIS REPORT DOES NOT ADDRESS ANY ADMINISTRATIVE RULES OR REGULATIONS. Due to the unavailability of an English translation of the Puerto Rico regulations, this report focuses exclusively on the Puerto Rico statutes. There may be local regulatory provisions governing privacy affected by the HIPAA Rule that are not addressed in this report.
State-Run Providers: Although the Study does not generally include state rules that are applicable solely or primarily to governmental authorities, it does include rules that govern state-operated health care providers (such as public hospitals and state run laboratories).
June 19, 2013