Opinion No.

Rebecca F. Ward, LCSW
Chair, Social Work Licensing Board
2020 W. 3rd, Suite 503
Box 250381
Little Rock, AR 72225

Dear Ms. Ward:

You have presented the following question for my opinion:

What general effects will the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (particularly the provisions concerning the dissemination of patient/client information by health care providers, which go into effect in April, 2003) have on state regulatory boards such as the Social Work Licensing Board? How will HIPAA interface with the Arkansas Freedom of Information Act and the Arkansas Administrative Procedure Act?

RESPONSE

The questions you have posed are very broad. The myriad of possible issues that are raised by these questions cannot be adequately addressed in the abstract. For this reason, I can only provide you with a very general response. I will be happy to address more specific questions as they arise in specific fact situations.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) [P.L. 104-191; 110 Stat. 1936][1] is designed to enable individuals to carry their health insurance from one job to another without interrupting coverage. Because such portability will necessitate an increased number of transactions involving transfers of private medical information pertaining to covered persons, a related concern of the HIPAA is the protection of such private information. To this end, the HIPAA authorizes the promulgation of various administrative regulations to protect the confidentiality of private medical information.

The privacy regulations (45 C.F.R. Parts 160 and 164), which require compliance by April, 2003,[2] establish parameters for the use and disclosure of "protected health information." These regulations are voluminous, and I will not attempt to recite them. Generally, however, the regulations accomplish the following: they prohibit the disclosure by covered entities of protected health information without the required consent, authorization, or agreement; they require notice by covered entities of the use and disclosure of protected health information to the affected individual; they require covered entities to develop and implement privacy policies and physical safeguards to protect health information; they require the designation of a privacy officer within the covered entity who is to be responsible for the development and implementation of a privacy policy for the covered entity; they require the designation by covered entities of a contact person or administrative office who is to be responsible for receiving complaints concerning compliance with the privacy policy of the covered entity; and they require covered entities to impose sanctions upon members of the entity's workforce who fail to comply with the entity's privacy policies. Various exceptions can apply to the foregoing requirements in certain factual situations. Covered entities are subject to penalties for failure to comply. In addition to the above-described privacy requirements, covered entities must comply with various other security regulations that govern electronic transactions. See, e.g., 45 C.F.R. §§ 142 and 162.

The privacy regulations apply to "covered entities." The "business associates" of covered entities are also affected. Before discussing the impact of the privacy regulations upon state administrative agencies, I will set forth the definitions of some of the key terms.

"Protected health information," for purposes of the HIPAA, is defined as follows:

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in any medium described in the definition of electronic media at Sec. 162.103 of this subchapter; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i) Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and

(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

45 C.F.R. § 164.501.

"Covered entity" is defined as follows:

Covered entity means:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

45 C.F.R. § 160.103.

"Business associate" is defined as follows:

Business associate: (1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in Sec. 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in Sec. 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.

45 C.F.R. § 160.103.

Although the above-quoted definitions have not yet been judicially interpreted for the purpose of determining their applicability to state administrative agencies, it is my opinion (based upon the unambiguous language of the definitions) that generally, state regulatory boards[3] are neither "covered entities" nor "business associates" of covered entities. Nevertheless, it is clear that state regulatory boards may well have occasion to deal with covered entities and to obtain possession of protected health information in the course of carrying out their statutory duties. The privacy regulations recognize this fact, and expressly permit the disclosure of protected health information by covered entities to regulatory agencies in the course of administrative and judicial proceedings, including proceedings for "health oversight" purposes (which includes professional licensure and disciplinary purposes), see 45 C.F.R. § 512(d), and proceedings for law enforcement purposes (such as investigations), see 45 C.F.R. § 512(f).

The regulations set forth various conditions for the disclosure of protected health information by a covered entity in the context of an administrative or judicial proceeding. These conditions are detailed, but generally involve notifying the person who is the subject of the protected health information prior to the disclosure, and giving that person an opportunity to object. In some cases, a protective order may be necessary. Following is the entire text of 45 C.F.R. § 164.512(e), which discusses generally the disclosure of protected health information in connection with an administrative proceeding:

(e) Standard: Disclosures for judicial and administrative proceedings.

(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

(1) No objections were filed; or

(2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

(v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:

(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(iv) of this section.

(2) Other uses and disclosures under this section. The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information.

45 C.F.R. § 164.512(e).

Each state administrative agency would be well advised to consult with its legal counsel concerning the extent to which the substance of the above-quoted provision should be incorporated into the agency's own rules, regulations, and internal policies.

It should be noted that the above-quoted provision appears to address only the disclosure of protected health information by the covered entity in the course of a judicial or administrative proceeding. It does not address the disclosure of such information by the judicial or administrative entities themselves who, in the course of such proceedings, obtain possession of such information. It is my opinion that disclosure by those entities will either be governed by any protective order that is applicable, or by the provisions of other applicable law, including state law.

A question therefore arises as to whether a conflict exists between the privacy regulations and any applicable open records requirements under Arkansas law. If so, the HIPAA's privacy regulations will take precedence, since they expressly preempt state law. See 45 C.F.R. § 160.203.[4] More specifically, a question arises as to whether the open records requirements of the Arkansas Freedom of Information Act (A.C.A. § 25-19-101 et seq.) and the various openness requirements of the Arkansas Administrative Procedure Act (A.C.A. § 25-15-201 et seq.) would require judicial and administrative entities to disclose protected health information that would otherwise be kept private under the HIPAA's privacy regulations.

Although the question of whether a conflict exists can only be determined with reference to a particular provision under consideration, it is my opinion, as discussed more fully below, that the HIPAA's privacy regulations do not, as a general matter, appear to conflict with the Arkansas Freedom of Information Act or the Arkansas Administrative Procedure Act, about which you have specifically inquired. State law will generally exempt protected health information from disclosure by judicial and administrative entities in a manner that is consistent with the spirit of HIPAA's privacy regulations. Again, numerous exceptions may apply in certain instances, and the applicability of any exception can only be determined on a case-by-case basis.

Under the Arkansas Freedom of Information Act, "medical records" are expressly protected from disclosure. A.C.A. § 25-19-105(b)(2). Although the act does not define the term "medical records," the Attorney General has consistently interpreted the term to refer to "records containing information relating to the treatment or diagnosis of a medical condition." See, e.g., Ops. Att'y Gen. Nos. 2001-091; 2000-226; 2000-122; 99-110; 98-202; 89-147. In Arkansas DOH v. Westark Christian Action, 322 Ark. 440, 910 S.W.2d 199 (1995), the concurring justice suggested a similar interpretation, adopting the following definition of "medical records" from the Arkansas Rules of Evidence: "any writing, document, or electronically stored information pertaining to, or, created as a result of, treatment, diagnosis or examination of a patient." Westark, 322 Ark. at 452, citing A.R.E. Rule 503(a)(5).

These interpretations of the term "medical records" will in most cases encompass "protected health information," as defined in the HIPAA's privacy regulations. See 45 C.F.R. § 164.501, quoted above. Such information therefore would in most cases fall within the exemption for medical records under the Freedom of Information Act and would thus not be subject to disclosure under the open records requirements of the act. Accordingly, I conclude that as a general matter, the open records requirement of the Arkansas Freedom of Information Act does not conflict with the HIPAA's privacy regulations. (I reiterate that exceptions may apply under certain factual circumstances.) Similarly, because the exemptions of the Freedom of Information Act will apply to records that are the subject of administrative proceedings before state administrative agencies (and any medical records involved in such proceedings are therefore exempt from disclosure to the public), I conclude that any provisions of the Arkansas Administrative Procedure Act requiring the openness of records that are the subject of an agency's proceedings do not conflict with the HIPAA's privacy regulations.

A further question may be raised as to whether the open meetings requirement of the Arkansas Freedom of Information Act and the open hearings requirements of the Arkansas Administrative Procedure Act conflict with the HIPAA's privacy regulations by requiring open discussion of protected health information. It is my opinion that this potential problem can be avoided in the same way that the problem is avoided with regard to the discussion in open meetings of the contents of other exempt records. I have previously opined that agencies can find a way of discussing such information even in a public meeting, without violating confidentiality requirements, by taking such measures as referring to individuals by number and by otherwise declining to mention personally identifying information. See Op. Att'y Gen. No. 2001-040.

As I stated at the outset of this opinion, the views expressed herein are necessarily very broad and general, because the numerous issues that may arise out of the implementation of the HIPAA's privacy regulations cannot be addressed in a specific manner in the abstract. Again, I will be happy to address in a more specific manner any particular issues that you may wish to present to me.

Assistant Attorney General Suzanne Antley prepared the foregoing opinion, which I hereby approve.

Sincerely,

MARK PRYOR
Attorney General

[1] The various provisions of the HIPAA are codified at the pertinent locations in Titles 18, 26, 29, and 42 of the United States Code.

[2] Covered entities may apply for an extension for compliance. See P.L. 107-105.

[3] You have specifically inquired about state regulatory boards, such as the Social Work Licensing Board, and the views expressed in this opinion are limited to such boards. I do not address herein the question of whether other state entities might constitute covered entities for purposes of HIPAA.

[4] There are some exceptions to preemption, the applicability of which must be considered on a case-by-case basis. Id.