HIPAA Disclosures as Required by Law - by What Law? How do I know ‘That Law?’
02/27/2026 Live Webinar
Description
The HIPAA Privacy Rule sets national standards for the protection of individuals’ protected health information (PHI) held by “covered entities” such as health care providers, health plans, and health care clearinghouses.
While the Privacy Rule generally prohibits uses or disclosures of PHI without patient authorization, it also recognizes that other laws may legitimately require or permit such disclosures without individual consent.
One of the key challenges for covered entities is determining how state law requirements interact with HIPAA’s standards. Some state laws require patients’ informed consent before a provider can use or disclose their health information. Covered entities may wonder whether the HIPAA Privacy Rule overrides or preempts these state protections.
The Health and Human Services office clarifies that HIPAA does not take away state law protections and that covered entities may still obtain consent and must comply with state consent requirements where they exist. HIPAA does not prohibit a covered entity from obtaining an individual’s consent before using or disclosing PHI, nor does it create a barrier to complying with a state law that mandates consent for such disclosures. In effect, state laws that provide greater privacy protections than HIPAA remain valid, and covered entities must honor them alongside HIPAA’s own requirements.
Another important situation involves disclosures to Protection and Advocacy (P&A) systems. Under federal statutes such as the Developmental Disabilities Assistance and Bill of Rights Act and the Protection and Advocacy for Individuals with Mental Illness Act, states designate Protection and Advocacy systems to safeguard the rights of individuals with certain disabilities.
These laws require access to records in specific circumstances, such as investigating abuse, neglect, or violations of rights. HIPAA’s Privacy Rule recognizes that when a federal, state, or other law mandates such disclosures, covered entities may release PHI without the individual’s authorization to the designated P&A system — to the extent that the disclosure is required by that law and complies with its requirements.
Importantly, when a disclosure is “required by law” — whether by federal statute or a state requirement — the usual HIPAA minimum necessary standard does not limit the scope of information that may be disclosed if the governing law dictates the extent of the disclosure. Covered entities cannot use HIPAA as a reason to refuse to comply with other legal obligations: if another law compels a disclosure of PHI, the covered entity must comply with that law’s terms while also applying HIPAA’s safeguards and procedural requirements where appropriate.
In summary, HIPAA’s Privacy Rule establishes baseline protections for PHI, but it also anticipates and accommodates the existence of other laws that may require disclosures without patient authorization. Covered entities must be able to identify when such laws apply — whether state consent laws or federal statutes regarding Protection and Advocacy systems — and ensure that PHI is disclosed in conformity with both HIPAA and the applicable law.
Areas Covered in the Session
- HIPAA Privacy Rule and the general rule against unauthorized PHI disclosures
- How state laws interact with HIPAA disclosure requirements
- Whether HIPAA preempts or overrides state laws
- Federal statutes that mandate disclosures to Protection and Advocacy systems
- Definition of ‘required by law’
- HIPAA’s minimum necessary: where it does and does not apply
- Compliance considerations
- Examples Under State Law for Duty to Warn and Duty to Report Child or Adult Abuse or Neglect
Why should you Attend?
Any healthcare practitioner may at one point or another be required to disclose certain PHI according to federal or state law; this webinar helps guide you through it.
Who will Benefit?
All healthcare workers
Webinar Details
- Date: 02/27/2026
- Time: 12:00 PM - 01:00 PM (EST)
- Registration Deadline: 02/26/2026
- Venue: Live Webinar
Speaker:
Mark R. Brengelman
Attorney at Law, Frankfort, Kentucky
Mark holds Bachelor’s and Master’s degrees in Philosophy from Emory University and a Juris Doctorate from the University of Kentucky. Retiring as a...




