HIPAA, The Next Level: HIPAA Preemption of State Laws

Slides:



Advertisements
Similar presentations
0 Jumping through Two Hoops: the HIPAA Privacy Rule and State Law Compliance Issues Bruce Merlin Fried, Esq. The fifth National HIPAA Summit November 1,
Advertisements

Jumping through Two Hoops HIPAA and State Law Compliance Bruce Merlin Fried, Esq. HIPAA State Law and Preemption Audio Summit July 10, 2002.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.
Jumping through Two Hoops HIPAA and State Law Compliance: the Problem of the Failure of Federal Preemption Bruce Merlin Fried, Esq. HIPAA Summit West II.
 What is the Privacy Rule? The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) governs the use and disclosure of.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Rule Training
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
HIPAA Minimum Necessary: Use/Disclosure & Role-based Access  Charlene Dunbar Madonna Rehabilitation Hospital  Sheila Wrobel Nebraska Health System.
NAU HIPAA Awareness Training
North Carolina State University Health Information Privacy 4/16/03.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
Copyright 2006 Rubin Law Firm, LLC Drafting HIPAA Compliant Subpoenas & Discovery Presented by:RACHEL B. RUBIN Kansas Bar Association Annual Meeting June.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA: Surrogate Decision Making and Advance Health Care Directives Carolyn Heyman-Layne, Esq. Dorsey & Whitney LLP December 20, 2007.
Access to Mental Health Records and Related Issues Social Services Attorneys’ Conference March 10, 2006 Mark Botts School of Government, UNC.
 Freedom of Information Act General Background. Access to Army Records. Exemptions. Exclusions. Procedural Rules for Processing FOIA Requests for Army.
Code of Federal Regulations Title 42, Chapter 1, Subchapter A Part 2 – CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENTS BRYANT D. MILLER CAC II, MAC,
Medical Records in Court: Life after HIPAA North Carolina Conference of Superior Court Judges, October 2003 Presented by Jill Moore, UNC School of Government.
Confidentiality of MH/DD/SA Records Family Court Conference March 9, 2006 Mark Botts School of Government, UNC.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,
1 Disclosures © HIPAA Pros 2002 All rights reserved.
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
Confidentiality in Your TEAP Program By Diane A. Tennies, Ph.D., LADC Lead TEAP Health Specialist October 20,
HIPAA OBJECTIVES  Define HIPAA  Define PHI  Use of PHI  Your rights  Your responsibilities.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
Michael R. Costa, Esq., M.P.H. Greenberg Traurig, LLP One International Place, 3 rd Floor Boston, MA (fax)
Family Educational Rights and Privacy Act (FERPA) Also known as the Buckley Amendment Statute: 20 U.S.C. § 1232(g) Regulations: 34 CFR Part 99.
Privacy and the Civil Commitment Process Allyson K. Tysinger Assistant Attorney General June 4-5, 2008.
Practicing In Harmony with HIPAA The views and opinions expressed in the presentation are those of the presenter, and not necessarily official positions.
Family Educational Rights and Privacy Act (FERPA) UNION COLLEGE.
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
Chapter 7—Privacy Law and HIPAA
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
HIPAA Privacy The Morning After Panel What do we do now? William R. Braithwaite, MD, PhD (moderator) Washington, DC Ross Hallberg, Corporate Compliance.
September 17, 2002© Michael Best & Friedrich LLC1 Iowa State Association of Counties HIPAA Training September 17-18, 2002 Legal Issues presented by: Ryan.
HIPAA and State Law Compliance: the Problem of the Lack of Federal Preemption Clark Stanton HIPAA SUMMIT IV April 26, 2002 Clark Stanton HIPAA SUMMIT IV.
Federal Preemption, and State Healthcare Privacy and Data Security Law and Regulation Fifth National HIPAA Summit October 30 – November 1, 2002 Mark Barnes.
Sharing Information (FERPA) FY07 REMS Initial Grantee Meeting December 5, 2007, San Diego, CA U.S. Department of Education, Office of Safe and Drug-Free.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.
FERPA for the Financial Aid Office NCASFAA Fall Conference November 2012.
HIPAA TRIVIA QUEST December Edition. I’ll ask the questions - and you’ll give the answers.
Disclaimer This presentation is intended only for use by Tulane University faculty, staff, and students. No copy or use of this presentation should occur.
Juvenile Legislative Update 2013 Confidential Records and Protected Disclosures.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
FERPA Family Educational Rights and Privacy Act
HIPAA Privacy Rule Training
Iowa State Association of Counties
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
HIPAA CONFIDENTIALITY
Wyoming Statutes §§ through
HIPAA Pros - Disclosures
Refuah Community Health Collaborative (RCHC) PPS
Confidential Records and Protected Disclosures
Health Advocate HIPAA Privacy Information
Changes to Exempt Categories
Minors, Informed Consent, and Parental Rights of Access and Health Care Decision Making in Alaska: Case Scenarios, HIPAA, and Alaska Law.
HIPAA Summit West The Hidden Trap: Compliance with State Law
HIPAA Summit VII The Hidden Trap: Compliance with State Law
American Public Health Association
Enforcement and Policy Challenges in Health Information Privacy
Advance Care Plan December 2016.
Presentation transcript:

HIPAA, The Next Level: HIPAA Preemption of State Laws July 10, 2002 Mark Barnes Ropes & Gray 885 Third Avenue New York, NY 10022 (646) 840-6835 mbarnes@ropesgray.com

Introduction: Importance of Preemption Analysis As of April 14, 2003 Covered Entities need to be in compliance with both the Privacy Rule and with state privacy laws that are not preempted (or saved from preemption) Preemption analyses identify components of state privacy laws with which Covered Entities must continue to comply Results of preemption analyses should be incorporated into Covered Entities’ policies and procedures to accurately reflect the requirements of the Privacy Rule, surviving state privacy laws and any other applicable federal laws Results of preemption analyses supplement the gap analysis presently being performed at many hospitals

The Preemption Rule Section 160.203 of the Privacy Rule (“PR”) A State law that is “contrary” to the PR will be “preempted,” unless “saved” by virtue of falling into one of the four following categories of exceptions (1) determination by the Secretary that the state law is not preempted (2) state law is “more stringent” than the PR (3) state law “provides for the reporting of disease, injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention (4) state law governs accessibility to, or the reporting of, information in the possession of health plans.

DIAGRAMMATIC REPRESENTATION OF PREEMPTION ANALYSES New York State privacy and confidentiality laws Exception (3): New York State laws providing for the reporting of disease, injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention EXCLUDED FROM FURTHER ANALYSIS Saved from Preemption (if “contrary”) Not Preempted (If “not contrary”) (i) Remaining New York State privacy and confidentiality laws (ii) “Contrary to” analysis (iii) “Not Contrary” State laws (iv) “Contrary” State laws (vi) (v) “More Stringent” State laws “Less Stringent” State laws NOT PREEMPTED CONTINUED ADHERENCE WITH MORE DETAILED OR RESTRICTIVE COMPONENTS OF STATE LAW REQUIRED SAVED FROM PREEMPTION PREEMPTED CONTINUED ADHERENCE REQUIRED CONTINUED ADHERENCE NOT REQUIRED

Laws Saved by Exception (3) and Disclosures Required by Law – Step (i) Exception (3) laws: Because NY State laws encompassed by exception (3) are “categorically” saved from preemption, these laws may be identified and excluded from further analysis. Example: NY Public Health Law §2001 imposes the duty to “report the existence of Alzheimer’s disease to the department when the physician…diagnoses or confirms the presence of that illness.” Result: Because Alzheimer’s falls within the “disease” category of exception (3), continued compliance with section 2001 is required. Providers must continue to comply with all State laws falling within exception (3)

Laws Saved by Exception (3) and Disclosures Required by Law – Step (i) Providers must also continue to comply with all “mandatory” NY State reporting laws not captured by exception (3). Compliance with these laws is “required” by State law and “permitted” by the PR under section 164.512(a). Therefore, they are “not contrary” to, and hence “not preempted” by, the PR.

“Contrary to” Analysis – Step (ii) A State law will be “contrary” to the PR where [45 CFR§160.202]: (i) It is “impossible” for a provider to comply with both State law and the PR (“Impossibility Test”). (ii) State law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the PR” (“Obstacle Test”). Provisions of State law and PR standards fall into one of three categories: (1) they require a use or disclosure of PHI (2) they prohibit a use or disclosure of PHI (3) they permit a use or disclosure of PHI

“Contrary to” Analysis – Step (ii) (cont.) All possible combinations between State law and the PR are summarized in the following chart:

“Contrary to” Analysis – Step (ii) (cont.) Example of “Not Contrary” State laws (step iii): A use or disclosure is “required” by NY State law, and is “permitted” by the PR Example: NY State law = “requires” providers to grant individuals access to specified PHI PR = “permits” providers to grant individuals access to the same specified PHI Result: “Not contrary” since the intent of both laws is the same, and providers can comply with both laws by providing access

“Contrary to” Analysis – Step (ii) (cont.) Example of “Contrary” State laws (step iv): A State law “prohibits”, expressly or by implication, a specified use or disclosure that is “permitted” by a standard, requirement or implementation specification of the PR, or vice versa Example: State law = “prohibits” disclosure to X without authorization of Y PR = “permits” disclosure to X without authorization of Y Result: “Contrary” since the intent of the laws are diametrically opposed (1) disclosure pursuant to the PR would entail a violation of State law (2) lack of disclosure in accordance with State law would frustrate (stand as an obstacle to) the accomplishment and execution of the full purposes and objectives of the PR

Stringency Analysis – Steps (v) and (vi) The term “more stringent” is defined at section 160.202 of the PR In general, State laws are “more stringent” than the PR where they: (i) are more restrictive with respect to the use and disclosure of PHI by Covered Entities (ii) offer greater rights of access to or amendment of PHI to individuals who are the subjects of the PHI “More stringent” State laws = “Saved” from Preemption (step v) “Less stringent” State laws = Preempted (step vi)

Stringency Analysis (cont.) Example: NY State law = “prohibits” release of HIV-related information pursuant to a general subpoena of medical records PR = “permits” disclosure of PHI pursuant to a general subpoena Result: (1) the laws are “contrary” to each other under the Obstacle Test (2) Since State law prohibits a disclosure that would otherwise be permitted by the PR, it is “more stringent” than, and hence “not preempted” by, the PR

Overall Effect of Preemption The practical effect of preemption is that providers must comply with the standards, implementation specifications and requirements of the PR in addition to, or as modified by, the more stringent requirements of contrary State laws and the more restrictive requirements of not-contrary State laws.

Overall Effect of Preemption (cont.) More restrictive components of the PR Less restrictive components of the PR Less restrictive components of State law More restrictive components of State law = State laws providers must comply with = PR = State laws

State And Court As Final Arbiters The application of this preemption analysis is not the final authority on preemption. Whether a provision of state law is “contrary” to the PR will not be definitively answered until addressed by the State legislature or adjudicated by a court of competent jurisdiction.

Example of a Recurring Preemption Theme: Personal Representatives What is a personal representative?: The PR defines the term “personal representative” as any person who has authority under applicable law to make health care decisions on behalf of: (i) an individual who is an adult or emancipated minor; or (ii) a parent, guardian, or other person acting in loco parentis with respect to an unemancipated minor.

Example of a Recurring Preemption Theme: Personal Representatives (cont.) Interaction between personal representatives under State law and personal representatives under the PR: Whether a person identified as a personal representative under State law will likewise qualify as a personal representative under the PR depends on whether State law grants to that person the authority to make “health care decisions” on behalf of the individual who is the subject of the PHI.

Example of a Recurring Preemption Theme: Personal Representatives (cont.) For Example: Health care proxies under New York State law are personal representatives under the PR: NY State proxy law defines the proxy decision maker as “an adult to whom authority to make health care decisions is delegated under a heath care proxy.” This is coterminous with the definition of personal representative under the PR. The proxy’s/personal representative’s authority commences upon a determination by the attending physician that the individual lacks capacity to make health care decisions. Preemption Conclusion: NY State laws permitting disclosure of PHI to health care proxies are “not contrary” to, and hence “not preempted” by the PR.

Preemption Example: Denial of Access (NY) PR: Under the PR, providers may deny access when access is likely to endanger the life or physical safety of the individual or another person preamble to the PR notes that providers may not deny access under this ground “on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.” but under the PR providers may deny access when PHI references another individual and access is reasonably likely to cause substantial harm to such other person, including substantial physical, emotional, or psychological harm (according to the Preamble).

Preemption Example: Denial of Access (NY) NY State law: Under NY State law, providers may deny patients access where review of information reasonably expected to cause “substantial and identifiable harm” to patients or others nothing in NY State law expressly prevents a provider from denying access because it is reasonably expected to cause emotional or psychological harm to the patient or to the other person nothing in NY State law requires that the “other person” harmed by the access to PHI be referenced in the PHI

Preemption Example: Denial of Access (NY) Result: Providers can comply with both laws by: (1) not denying access to the patient because it is reasonably likely to cause only emotional or psychological harm to the patient (2) denying access to the patient when it is likely to cause physical harm to the patient (3) continue to deny access when reasonably likely to cause substantial harm, including emotional or psychological harm, to another person referenced in the PHI

Integrating Preemption Results Into Compliance Planning PR compliance cannot be based solely on implementation of HIPAA standards PR compliance must integrate preemption analysis Compliance efforts should focus on more restrictive components of the PR and the more restrictive components of State law (see slides 13,14)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.