1. What is the 50-State HIPAA Privacy Study?
The 50-State HIPAA Privacy Study ("Privacy Study") is a reference source on the interaction of state privacy law and the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governing privacy. It consists of the following components: (1) a survey of state laws and regulations governing medical privacy, broken down into topics; (2) a summary of the corresponding HIPAA provisions that relate to those topics; and (3) a preemption analysis describing whether to follow HIPAA, the state privacy rule, or both.
2. What states does the Privacy Study cover?
By April 14, 2003 the Privacy Study will cover the laws of 41 states and jurisdictions:
- District of Columbia
- New York
- New Jersey
- New Hampshire
- New Mexico
- North Carolina
- Puerto Rico*
- South Carolina
- South Dakota
- West Virginia
* Puerto Rico: PLEASE BE ADVISED THAT THIS REPORT DOES NOT ADDRESS ANY ADMINISTRATIVE RULES OR REGULATIONS AND ONLY REFLECTS STATUTORY ACTIVITY THROUGH DECEMBER 2002, due to the unavailability of official English translations of Puerto Rico regulations and the time-lag in the availability of statutes. As a result, there may be additional provisions governing privacy that are affected by the HIPAA Rule that are not addressed in this report.
3. What laws does the Privacy Study address?
The Privacy Study consists of a database which includes summaries of state laws and regulations that relate to the privacy or confidentiality of health information. It does not include all state privacy laws, so, for example, rules relating to privacy of financial records are not included. In addition, the law governing workers’ compensation is not included in the analysis, since that is generally excluded from the HIPAA privacy rule.
With regard to laws and regulations governing health information privacy, the Privacy Study does not review all health care laws and regulations that relate to the use of information, but rather only those that address privacy or confidentiality in some way. For example, a regulation requiring physicians to submit claims for payment to a state Medicaid program in a particular manner is not included, nor are laws requiring insurers to maintain records of claims for a certain number of years. However, a law requiring a hospital to provide Medicaid fraud inspectors with access to patient records would be included.
4. Does the Privacy Study include laws on evidentiary privilege and peer review records?
State laws on evidentiary privilege and confidentiality of peer review records are included in the database. They are addressed in a separate topic heading and are summarized but are not analyzed against HIPAA’s requirements as HIPAA does not address these issues. Many of the requirements and standards in this area have been developed through court decisions, and those developments are not included in the Privacy Study.
5. Does the Privacy Study address local or municipal laws?
No. The Privacy Study includes only the HIPAA rules and laws and regulations at the state (or territory) level.
6. How is the HLC Privacy Law Database organized?
The HLC Privacy Law Database is organized by state (or territory). Within each state, summaries of laws and regulations are broken out by types of entities, e.g., physicians, hospitals, insurers, etc. For a complete list of the entities covered by the study, click here. Within each entity are groupings of laws and regulations by topics, e.g., duty of confidentiality, access and inspection of records, public health oversight, etc. For a listing of topics, click here.
Accordingly, the Privacy Study consists of a series of individual records. Each record summarizes the law of a state for a certain provider[s] on a certain topic[s], e.g., the duty of confidentiality requirements for hospitals in Pennsylvania. Each record summarizes an issue or set of requirements within a law or regulation. A state may have multiple provisions of law or regulation on a particular topic, and each will be addressed in an individual record. Thus, a topic may contain multiple records, e.g., a search in Pennsylvania for physician requirements under the topic of Public Health/Health Oversight Activities may return five separate records.
Each record presents the relevant information in a series of columns. The first, titled "State Requirement," consists of a summary of the relevant state law and regulations, along with citations and, where possible, a link to an online source for the text. The next column, titled "HIPAA Requirement," contains a summary of the corresponding HIPAA requirements, with citations to the HIPAA rule. The final column, "Analysis," contains an analysis of whether to comply with the state rule, the HIPAA rule, or both.
7. How do I use the Privacy Study?
The Privacy Study is a searchable tool that can be reviewed and utilized in a number of different ways. You can use the following search strategies to identify the rules that are relevant to you and your organization:
- View a Listing of Records. You can view records related to particular issues that concern you or your organization. The database allows you to select records in the following combinations:
  - A list of all records within a state for a particular entity on a particular topic.
  - A list of all records within a state for a particular entity on multiple topics (up to four).
  - A list of all records within a state for multiple entities (up to four) on a particular topic.
  - A list of all records, across multiple states (up to four), for a particular entity on a particular topic.
- Key Word Search. You can search all records within a state for a particular term, e.g., all records containing the word "psychotherapy."
8. Are the recommendations in the Privacy Study legal advice?
No. While the Privacy Study contains an assessment of the relevant state rules and how they interact with HIPAA, it is not legal advice. The Privacy Study cannot constitute legal advice on the privacy law reviewed without the context of an individual user’s operations and needs. Instead, the summaries and analyses are meant to serve as a guide as to which laws govern a particular issue and the legal requirements users should consider in health information privacy compliance.
9. Are all of the entities listed in the Privacy Study subject to HIPAA?
No. While all of the entities included in the Privacy Study will be affected by the HIPAA rules, they are not all covered entities directly subject to HIPAA. A number of entities that are not HIPAA covered entities are included in the Privacy Study because they may have business relationships with covered entities, or their business could otherwise be directly impacted by the changes covered entities must make to comply with HIPAA (including medical technology companies, pharmaceutical/device manufacturers, pharmacy benefits managers, third-party administrators, underwriters, utilization review organizations). To avoid confusion, all of the records for those entities not covered by HIPAA include a notice indicating that HIPAA does not apply directly to them, and then suggest examples of types of covered entities included in the Privacy Study with whom they may do business. While this is meant to assist the non-covered entities in determining the privacy obligations of their business partners, it is not meant to imply the existence of a specific business associate relationship under HIPAA.
In addition, it is important to note that health care providers are not necessarily covered entities under HIPAA, and likewise the health care provider entities included in the Privacy Study are not necessarily covered entities. According to the HIPAA privacy rule, a health care provider is not a covered entity unless it engages in certain electronic billing and claims processing transactions under the rule. For purposes of uniformity, all health care providers are treated as covered entities for purposes of HIPAA compliance in preparing the Privacy Study. However, each health care provider should confirm for itself whether it does in fact engage in electronic transactions that subject it to the HIPAA requirements.
10. How does the Privacy Study provide a HIPAA analysis for entities that are not covered by HIPAA?
The Privacy Study does not. Because these entities are not subject to the HIPAA rule, no HIPAA provisions are included in their records. Instead, any relevant state rules are included, so that these entities will know what their privacy obligations are, along with an analysis statement directing them to comply with those state rules.
11. What if there are no state privacy rules on a particular topic?
Where there is no state privacy rule on a particular topic, the relevant HIPAA requirements are included for that topic (for those entities subject to HIPAA). Where there is no relevant HIPAA rule either, "None" is stated across the record.
12. How current is the data in the Privacy Study? What if the privacy laws change?
Information included in the Privacy Study derives from research conducted during the last quarter of 2002 and the first quarter of 2003, and was updated during the first quarter of 2004. The Study Funders anticipate that the Privacy Study will be updated once annually. Users should consult legal counsel or original legal sources to ensure they are accessing the most current information.
13. Can I see a sample search?
Yes, you can. Click here.
14. How can I subscribe to the website?
Click here for subscription information.
June 20, 2013