Dear Mr. Robert Baum
You have asked for our opinion concerning application of the federal medical privacy regulations that went into effect earlier this year under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). HIPAA contains a selective preemption provision that places custodians of medical information in the position of determining whether federal or State law governs disclosure of that information in various circumstances. You ask for guidance on when the new federal regulations preempt existing State law concerning confidentiality of medical records. In our opinion, the relationship of HIPAA to existing State laws turns on the answers to certain questions:
(1) First, one must determine whether a conflict actually exists — i.e., is the State provision "contrary" to HIPAA in the sense that:
(a) it is impossible to comply with both the requirements of HIPAA and the State law; or
(b) compliance with the State law would be inconsistent with the objectives of HIPAA? In most situations there will be no conflict between State and federal law and therefore no need to apply the HIPAA preemption provision, although the HIPAA regulations may create requirements additional to those under State law.
(2) Second, if there appears to be a genuine conflict between the HIPAA regulations and State law, a custodian of medical records should then consider the following questions:
(a) Does the State statute fall under the exclusions in HIPAA for public health or regulatory reporting?
(b) Is the State statute "more stringent" than its HIPAA counterpart?
(c) Has the Secretary of Health and Human Services ("HHS") determined that the State statute is either "necessary" to achieve one of the permissible State objectives listed in HIPAA, or that it addresses controlled substances?
If the answer to any of these questions is yes, the State provision is not preempted by HIPAA. If the answer to all of these questions is no, then HIPAA preempts that aspect of State law.1
I HIPAA Enacted in 1996, the HIPAA statute affected several aspects of the health care system. See Pub.L. 104-191, 110 Stat. 1936. For example, it provided for portability (i.e., transferability) of health insurance coverage for people changing employment. A major portion of HIPAA, titled "Administrative Simplification," amended the Social Security Act with the purpose of increasing health care system accountability and preventing fraud and abuse. Id., Title II, Subtitle F. That portion of HIPAA required HHS to develop a program to simplify the filing and payment of health insurance claims by promoting the use of electronic claims. In concert with this expansion of electronic claims, HIPAA also compelled the development of systems to protect the security and privacy of health care information. To carry out this charge, HHS adopted regulations governing the confidentiality of medical records, which became effective April 14, 2003. See 45 C.F.R. Parts 160 and 164. The HIPAA regulations, also referred to as the "Privacy Rule," establish national standards for the protection of health information. According to HHS, "[a] major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being." Office of Civil Rights, Department of Health and Human Services, Summary of the HIPAA Privacy Rule (May 2003 rev.) at p. 1.2
The HIPAA regulations attempt to achieve that goal in language that is based on elaborate definitions of key terms. The regulations govern the confidentiality of "protected health information" in the custody of "covered entities." The term "covered entity" encompasses health plans, health care clearinghouses,3 and providers who transmit health information electronically. 45 C.F.R. § 160.103. "Protected health information" is individually identifiable health information maintained or transmitted in any form or medium. 45 C.F.R. § 164.501.4 The regulations do not restrict the use or disclosure of "de-identified" information — i.e., health information that neither identifies nor provides a reasonable basis to identify an individual. See45 C.F.R. § 164.502(d), 164.514(a), (b).
In essence, the regulations provide that "[a] covered entity may not use or disclose protected health information, except as permitted or required by [the HIPAA regulations]. 45 C.F.R. § 164.502(a). HIPAA requires a covered entity to extend these restrictions by contract to its "business associates" who receive protected health information to assist in its treatment, payment, and health care operations.45 C.F.R. § 164.502(e)(1), § 164.504(e).5 The remainder of the regulations details when and how protected health information may be disclosed. In general, a covered entity must notify a patient of its privacy practices and must obtain the patient's authorization for disclosure of the patient's health information, unless the disclosure is for treatment, payment, or health care operations or otherwise meets specified exceptions. See 45 C.F.R. § 164.506, 164.508, 164.512.
The HIPAA regulations also confer certain affirmative rights on patients. A patient generally has a right to inspect and obtain a copy of his or her medical records. 45 C.F.R. § 164.524. In addition, the regulations provide standards and procedures for an individual to seek an amendment of a medical record. 45 C.F.R. § 164.526. Subject to a number of exceptions, an individual is also entitled to an accounting of disclosures of his or her medical records. 45 C.F.R. § 164.528.
II HIPAA Preemption A. Federal Preemption Under the Supremacy Clause of the federal Constitution,6 when Congress passes a law to regulate a particular field, the resulting federal law may completely preempt state law in several ways. First, Congress may expressly preempt state law. Second, in the absence of express preemption, preemption is implied when Congress intends that federal law "occupy a given field." Third, state law will be preempted when it actually conflicts with federal law. California v. ARC Am. Corp., 490 U.S. 93, 100-101 (1989). Conflict between state and federal law is not presumed, and whenever possible, state and federal provisions should be construed in a manner to make them compatible. See Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947); 84 Opinions of the Attorney General ___ (1999) [Opinion No. 99-010 (June 1, 1999) slip op. at pp. 6-7; but see The Supreme Court, 1999 Term, 114 Harv. L.Rev. 339 (2000) (arguing that the presumption is not a strong one and is often violated). Moreover, even when it expressly preempts state law, Congress does not always do so entirely. Instead, Congress sometimes selectively preempts state law, preserving part of state law by a savings clause. See 2 Rotunda Nowak, Treatise on Constitutional Law (3d ed. 1999), § 12.1 at p. 200. HIPAA contains a selective preemption provision with respect to medical record confidentiality. It establishes a general rule of federal preemption of state law. However, HIPAA saves state law in several ways: it carves out two major areas in which its rules are inapplicable; it provides for administrative determination of two other types of exceptions; and it defers to state law when a state provision is "more stringent" than the corresponding federal provision.7 In practice, the HIPAA regulations do not effect a wholesale federal preemption of the field of medical record privacy, but rather establish a national floor of medical privacy protection. See 65 Fed Reg. 82461, 82580 (December 28, 2000) (Discussion of Comments, Final Privacy Rule).
B. General Rule under HIPAA: Express Statutory Preemption Subject to certain exceptions, Congress expressly adopted the general rule that the HIPAA statute, and any "standard or implementation specification" adopted under HIPAA "shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records ... to be maintained in written rather than electronic form." 42 U.S.C. § 1320d-7(a)(1).
C. Statutory Exceptions to HIPAA Preemption Congress designated two areas of state law, known as "statutory carve-outs," where HIPAA does not trump or override state law. Another statutory provision preserves any state law that is "more stringent" than the federal standard.
1. Public Health In one exception, HIPAA lists a number of activities carried out under state public health laws. In particular, Congress provided that "[n]othing in this part shall be construed to invalidate or limit" the authority, power, or procedures established under any law for the following areas:
1. the reporting of disease or injury;
2. the reporting of child abuse;
3. the reporting of birth or death;
4. public health surveillance;
5. public health investigation; or
6. public health intervention.
42 U.S.C. § 1320d-7(b); 45 C.F.R. § 160.203(c). Under this exception, state and local health departments and other agencies may continue to conduct traditional state public health activities without conforming their activities to HIPAA.
2. State Regulatory Reporting by Health Plans Another statutory exception expressly saves certain other state regulatory reporting, licensure, and investigatory activities from federal preemption. These include requirements that a health plan report or provide access to information for:
1. management audits;
2. financial audits;
3. program monitoring and evaluation;
4. facility licensure or certification; or
5. individual licensure or certification.
42 U.S.C. § 1320d-7(c); 45 C.F.R. § 160.203(d). This allows state health departments and licensing boards to continue traditional state licensure and programmatic review and evaluative activities concerning health plans8 without having to conform to HIPAA.
3. "More Stringent" State Law HIPAA also provides an exception for a state law that is "contrary" to the federal regulations if the provision of state law "imposes requirements, standards, or implementation specifications that are more stringent than" the comparable federal standard. Pub.L. 104-191, § 264(c)(2) incorporated by reference in 42 U.S.C. § 1320d-7(a)(2)(B) (emphasis added);9 see also 45 C.F.R. § 160.203(b).
HHS has fleshed out this savings clause through definitions in the HIPAA regulations. First, the regulations set the bar high for finding a conflict between HIPAA and state law. They define "contrary" to mean either: 1) that an entity would find it impossible to comply with both the state and federal provisions ("impossibility test"); or 2) that the provision of the state law stands as an obstacle to the full purposes and objectives of HIPAA ("obstacle test"). 45 C.F.R. § 160.202.
Similarly, HHS has defined the term "more stringent" to mean that the state law would: restrict a disclosure permitted under HIPAA, grant an individual greater access to the individual's own health information, more severely restrict the scope or duration of authorized access by another person, require greater record-keeping, or generally provide greater privacy protection to the individual who is the subject of the record. 45 C.F.R. § 160.202.
D. Administrative Exceptions State law is also not preempted if the Secretary of HHS makes certain determinations. These administrative exceptions to federal preemption fall into two categories.
1. Necessity A state law survives federal preemption if the Secretary of HHS determines that the state law is "necessary" for one of the following reasons:
1. to prevent fraud and abuse;
2. to ensure appropriate state regulation of insurance and health plans;
3. for state reporting on health care delivery or costs, or
4. for other purposes.
42 U.S.C. § 1320d-7(a)(2)(A)(i); 45 C.F.R. § 160.203(a)(1). Under the HIPAA regulations, a state law provision is "necessary" for "other purposes" when it serves a "compelling need related to public health, safety, or welfare" and the Secretary determines that the intrusion into privacy permitted by the state law is outweighed by the compelling need that the law serves. 45 C.F.R. § 160.203(a)(1)(iv).
Application of this "necessity" exception is difficult to gauge because, while the regulations set forth procedures for a state to seek the requisite determination from the Secretary, they do not state a timetable for HHS to make that determination. 45 C.F.R. § 160.204. It is not clear how permissive HHS will be in allowing current state regulatory activities that may be contrary to HIPAA to continue under the "necessity" exception. Therefore, for the purpose of an initial preemption analysis, we will not assume that a "necessity" exception will apply.
2. State Law Addressing Controlled Substances State law is also not preempted if the HHS Secretary determines that the state provision at issue "addresses controlled substances."42 U.S.C. § 1320d-7(a)(2)(A)(ii). The HHS regulations interpret this exception to cover situations in which the state law "has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances [as defined under federal or state law]." 45 C.F.R. § 160.203(a)(2). This carves out state laws used in the civil or criminal regulation of controlled substances. While it appears unlikely that the HHS Secretary will be restrictive in making these exception determinations, a state must apply to HHS for a determination. See 45 C.F.R. § 160.204.
III State Medical Records Law The Maryland Confidentiality of Medical Records Law ("State medical records law") appears in Annotated Code of Maryland, Health-General Article ("HG") § 4-301 et seq. That law sets forth restrictions on the disclosure of medical records that, like the HIPAA regulations, are designed to preserve the confidentiality of medical information pertaining to individuals. For purposes of the statute, "medical record" is defined broadly and includes information transmitted in any form, if the information is identified with a particular patient and relates to the health care of that patient. HG § 4-301(g).
Under the medical records law, a patient has certain rights to inspect and obtain copies of medical records, and to have corrections made to those records. HG § 4-304. The law requires health care providers and others to preserve the confidentiality of medical records, although it permits disclosure with the written authorization or stipulation of the patient or another authorized person.10 HG §§ 4-302, 4-303, 4-306 (b)(6)(ii). It also delineates those limited circumstances in which medical records may or must be disclosed without the permission of the patient. HG §§ 4-305, 4-306. See generally Warner v. Lerner,348 Md. 733, 738-40, 705 A.2d 1169 (1998). Even when disclosure is authorized, the Maryland law restricts the use and redisclosure of the records by the person receiving them. HG § 4-302(d).11 Special restrictions apply to mental health records. HG § 4-307. Finally, the State medical records law creates liability rules and penalties for a failure to comply with the law. HG §§ 4-308, 4-309.
IV Preemption Analysis A. In General Many provisions of the federal HIPAA regulations and the State medical records law are easily harmonized, especially given the presumption against finding a conflict between federal and state law that would result in preemption of State law. Both laws are similarly structured. Each regulates disclosure of health care information by health care providers. Compare 45 C.F.R. § 160.102, 160.103 with HG §§ 4-301(h),4-302(a). Each establishes a general rule protecting the confidentiality of patient records. Compare 45 C.F.R. § 164.502(a) with HG § 4-302(a). Patients are to have ready access to their own records and an ability to amend those records. Compare 45 C.F.R. § 164.524,164.526 with HG § 4-304. Access is granted to others who provide ancillary treatment, payment, or other health care operations for patients. Compare 45 C.F.R. § 164.506 with HG § 4-305(b). Other disclosures generally require patient authorization. Compare45 C.F.R. § 164.508 with HG § 4-303. Certain limited disclosures without patient authorization, for recognized public purposes, are required or permitted. Compare 45 C.F.R. § 164.512 with HG § 4-306. Both laws punish violations with civil and criminal penalties. Compare 42 U.S.C. § 1320d-5, 1320d-6 with HG § 4-309. There are also significant differences between the two laws.
HIPAA and its regulations regulate only certain "covered entities" — basically, providers who engage in electronic transactions, health plans, and claims clearinghouses. See 45 C.F.R. § 160.102(a). By contrast, the State law, by placing restrictions on redisclosure of records, extends to anyone who receives medical records. See HG § 4-302(g). The State medical records law is much less detailed than the HIPAA regulations; it focuses sparingly on whether disclosures are authorized for specific purposes. By contrast, HIPAA is extraordinarily prescriptive, specifying the management of health care information and personnel in significant detail. Thus, while Maryland law and HIPAA, for the most part, have similar disclosure and nondisclosure provisions, HIPAA is much more detailed. Yet those additional HIPAA requirements do not necessarily create a conflict with the State law.
B. Specific Applications By necessity, an opinion cannot answer all of the myriad questions that may arise about the relationship of the State medical records law and the HIPAA regulations. However, a review of selected examples will illustrate the analysis that must be applied to answer those questions.
1. Redisclosure of Information HIPAA controls only "covered entities," which are health plans, claims clearinghouses, and providers that transmit information in electronic form. 45 C.F.R. § 160.102, 160.103 Indeed, HIPAA requires authorization forms to state that, once information is disclosed to a third party pursuant to an authorization, its confidentiality is not protected by HIPAA. 45 C.F.R. § 164.508(c)(1)(vi). The State medical records law primarily regulates health care facilities and providers, and their agents and employees, but also precludes any person from redisclosing medical record information, except as authorized by the patient or as otherwise permitted by law. HG § 4-302(d).
The two laws thus appear to be inconsistent. However, Maryland's redisclosure provision survives preemption for two reasons. First, the restrictions on redisclosure are not contrary to HIPAA, as it is not impossible to comply with both HIPAA and those restrictions. Nor do the redisclosure restrictions pose an obstacle to HIPAA, but rather supplement it. Thus, under the HIPAA regulations, the Maryland redisclosure restrictions are not a State law "contrary" to HIPAA.
Second, even if the Maryland provision could be characterized as contrary to HIPAA, it survives preemption because it is "more stringent" than HIPAA — that is, it provides greater protection for patient information. Thus, the Maryland restrictions on redisclosure of medical records are not preempted by HIPAA.12
2. Hospital Physician Disciplinary Reports and Subpoenas
Maryland law requires a hospital to file a report with the Board of Physicians, the State physician licensing board, when it has disciplined a physician. Annotated Code of Maryland, Health Occupations Article ("HO"), § 14-413. The report must include the reason for the discipline. Often this report induces the physician licensing board to issue a subpoena to the hospital and physician for medical records. Under the State medical records law, the hospital and physician must comply with the subpoena and disclose those records to the board, whether or not the patient has authorized or consented to the disclosure. HG §§ 4-306(b)(2), 4-307(k)(1)(vi)1.
The obligation to comply with this reporting requirement and any subpoenas are not affected by HIPAA. For health plans, the State reporting and individual licensure or certification activities are statutorily carved out of the ambit of HIPAA, so Maryland law is unaffected and no further preemption analysis is required. For providers, HIPAA allows disclosure of health care information for health oversight activities authorized by law, including licensing and disciplinary activities. 45 C.F.R. § 164.512(d).
Thus, these disclosures fit within the class of disclosures compelled under State law and permitted under HIPAA.13 If State law compels disclosure of health information and HIPAA is either inapplicable or permissive regarding the disclosure, then disclosure mandated by State law may continue unabated.
3. Patient Authorization Forms Both HIPAA and the State medical records law allow for disclosures made with the authorization of a patient or other "person in interest." They each specify necessary elements for an authorization to be valid.
Under HIPAA, an authorization must contain: 1) a description of the information to be disclosed; 2) identification of the persons to whom the information is to be disclosed; 3) identification of the person authorized to disclose the information; 4) a description of the purpose of the disclosure; 5) an expiration date for the authorization; 6) a note that the authorization may be revoked; 7) a warning that any released information may be beyond the reach of HIPAA; 8) a statement regarding whether the Privacy Rule allows benefits to be conditioned on granting the authorization; 9) a signature and date, and 10) if the authorization is made by a personal representative of the patient, that person's capacity. 45 C.F.R. § 164.508(c). If health information is to be used for marketing and the entity disclosing the information will receive remuneration in connection with that marketing, the authorization form must disclose that fact. 45 C.F.R. § 164.508(a)(3)(ii).
The State medical records law specifies five elements for an authorization: 1) the document must be in writing; 2) it must be signed and dated by the "person in interest"; 3) it must include the name of the disclosing provider; 4) it must identify the party to whom records are disclosed; and 5) it must state the period of time the authorization is valid. HG § 4-303(b). The Maryland law, with a couple of exceptions, sets a maximum length of one year for an authorization to be valid. HG § 4-303(b)(4).
In this case, the provisions are slightly different, but easily accommodated, and thus not "contrary" for purposes of preemption. An authorization that contains the necessary HIPAA elements will also comply with the Maryland law if it contains an expiration date of no longer than one year. The HIPAA regulations specifically allow for additional elements in an authorization form, so long as they are not inconsistent with the elements required by HIPAA. 45 C.F.R. § 164.508(b)(1)(ii). The federal warning that any redisclosure of information may not be protected under federal law should be tempered with a statement that wrongful redisclosure is prohibited under Maryland law.
The specific expiration limit in Maryland law and the limits on redisclosure do not conflict with HIPAA and are both more stringent than the HIPAA regulations. Thus, HIPAA does not preempt those provisions. Of course, an authorization form must contain all of the HIPAA elements as well.
4. Fees for Copies of Records The Maryland medical records law governs fees for records provided to a person in interest "or any other authorized person" who requests a copy of a medical record. HG § 4-304(c). In particular, it allows providers to charge a preparation and retrieval fee of up to $15, a copying fee of up to 50 cents per page, and actual postage and handling fees, all subject to annual adjustment for inflation as measured by the Consumer Price Index. HG § 4-304(c)(3)-(4).14
HIPAA sets some limits on the fees that an individual may be charged for access to the individual's own health records. It allows covered entities to impose a reasonable, cost-based fee, provided that the fee includes only the cost of copying, postage, and preparation of any summary (if a summary is requested by the patient).45 C.F.R. § 164.524(c)(4). HHS has indicated that the cost of retrieving or handling information in response to a patient request for records was deliberately excluded from the list of permissible charges. See 65 Fed. Reg. 82461, 82557 (December 28, 2000).
It thus appears that there is a conflict between the Maryland law and HIPAA with respect to the charges that may be assessed against a patient who requests a copy of the patient's own records. The Maryland law allows a provider to charge an adjusted retrieval and handling charge of $15 or more; HIPAA, as clarified by the HHS commentary, does not. The Maryland provision is preempted by the HIPAA regulations, insofar as it applies to patient requests.15 The authorization under Maryland law to charge a 50-cents-per-page inflation-adjustable copying fee and actual postage costs appears to remain valid as not contradicted by, and perhaps filling a void left open under, HIPAA.
5. Parental Access to Records of Unemancipated Minors HIPAA looks to state law regarding parental access to the records of unemancipated minors. The HIPAA regulations give a parent in such situations the right to view the minor's records to the extent that state law allows it. 45 C.F.R. § 164.502(g)(3). Thus, HIPAA defers to state law and reflects any ambiguity found in state law.
The State medical records law ties the ability of a parent to exercise rights regarding disclosure of a minor child's records to the minor's capacity under Maryland law to consent to treatment. HG § 4-301(k)(4), (5). Specifically, a minor has the same capacity as an adult to consent to treatment for drug abuse, alcoholism, venereal disease, pregnancy, contraception, injuries from rape or sexual offense, and initial medical screening of the minor into a detention center. HG § 20-102(c). A minor at least 16 years old has the right to consent to treatment for mental or emotional disorders. HG § 20-104. There is a special rule related to the provision of abortion. HG § 20-103. For mental health and abortion services, physician professional judgment plays a role in the decision whether to disclose information to the parent about the treatment of a minor. HG §§ 20-103(c) and 20-104(b).
Since HIPAA expressly defers to state law on this subject, there is no preemption issue.
6. Research A complex area in HIPAA involves disclosures for research purposes. The State medical records law does not regulate disclosure of medical information if the information is not individually identifiable, or, alternatively, allows researcher access without the patient's prior authorization if the researcher acknowledges a duty not to redisclose any individually identifiable information and complies with institutional review board requirements. HG §§ 4-301(g) and 4-305(b)(2)(i). HIPAA establishes detailed standards, linked with other federal regulations, for institutional or privacy review board waiver of the need for patient authorization for the disclosure of health information.45 C.F.R. § 164.501 and 164.512(i). HIPAA also allows certain disclosures without patient authorization or formal waiver from an institutional review or privacy board for preparation of research protocols and for research on decedents. 45 C.F.R. § 164.512(i). In addition, it permits the disclosure of protected health information without certain identifying information pursuant to a "limited data set agreement." 45 C.F.R. § 164.514. In this regard, unlike State law, HIPAA specifies certain elements that must be eliminated from the health information to make the disclosed information not identifiable. On this topic, insofar as HIPAA is more detailed, federal law supplements, but does not supplant, the requirements of State law.
V Conclusion In these early stages of HIPAA implementation, significant questions regarding federal preemption are likely to arise. The relationship of HIPAA to existing State laws will turn on the following analysis:
(1) First, one must determine whether a conflict between HIPAA and State law actually exists — i.e. is the State provision "contrary" to HIPAA in the sense that:
(a) it is impossible to comply with both the requirements of HIPAA and the State law; or
(b) compliance with the State law would be inconsistent with the objectives of HIPAA?
In most situations there will be no conflict between State and federal law and therefore no need to apply the HIPAA preemption provision, although HIPAA may effectively supplement the requirements of State law.
(2) If there appears to be a genuine conflict between the HIPAA regulations and State law, a custodian of medical records should then consider the following questions:
(a) Does the State statute fall under the exclusions in HIPAA for public health or regulatory reporting?
(b) Is the State statute "more stringent" than its HIPAA counterpart?
(c) Has the HHS Secretary determined that the State statute is either "necessary" to achieve one of the permissible State objectives listed in HIPAA, or that it addresses controlled substances?
If the answer to any of these questions is yes, the State provision is not preempted by HIPAA. If the answer to all of these questions is no, then HIPAA preempts that aspect of State law.
J. Joseph Curran, Jr. Attorney General
C. Frederick Ryland Assistant Attorney General
Robert N. McDonald Chief Counsel Opinions and Advice
1 This opinion discusses the interplay of HIPAA and the State medical records law. Other federal laws, such as drug and alcohol confidentiality regulations, may also restrict health information disclosures in specific circumstances. See 42 U.S.C. § 290dd-2. Similarly, other State laws govern disclosure of specific health care information. See, e.g., Annotated Code of Maryland, State Government Article, § 10-617 (disclosure of medical information in the custody of State and local entities); Annotated Code of Maryland, Health-General Article ("HG"), § 18-337 (disclosure of positive HIV status). Finally, the constitutional right of privacy also may restrict disclosure in some circumstances. See Dr. K v. Board of Physician Quality Assurance, 98 Md. App. 103, 632 A.2d 453 (1993), cert. denied, 334 Md. 18,637 A.2d 1191, cert. denied, 513 U.S. 817 (1994).
2 See www.hhs.gov/ocr/privacysummary.pdf.
3 Health care clearinghouses include billing services and similar networks. 45 C.F.R. § 160.103.
4 "Health information," in turn, is defined as "any information, whether oral or recorded in any form or medium, that:
(1) is created by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
45 C.F.R. § 160.103.
5 See Kutzko, et al., HIPAA in Real Time: Practical Implications of the Federal Privacy Rule, 51 Drake L.Rev. 403, 418 (2003) (arguing that the HIPAA regulations essentially "pass through" the confidentiality restrictions from "covered entities" to "business associates").
6 United States Constitution, Article VI.
7 This rather complex scheme has generated some confusion as to when federal or state law prevails. See Bishop, The Final Patient Privacy Regulations under the Health Insurance Portability and Accountability Act — Promoting Patient Privacy or Public Confusion?, 37 Ga. L.Rev. 723, 724-28 (2003).
8 The regulations define "health plan" to include employee welfare benefit plans, HMOs, health insurers, and a variety of other entities. 42 C.F.R. § 160.103.
9 This savings provision was designed to go into effect only if the HIPAA privacy standards were promulgated by agency rulemaking by HHS, rather than by Congressional action. Pub.L. 104-191, § 264(c)(1). Since Congress did not enact a comprehensive medical privacy law by statute, but instead delegated the task to HHS, the provision is effective.
10 The statute employs the term "person in interest," which is defined as:
(1) An adult on whom a health care provider maintains a medical record;
(2) A person authorized to consent to health care for an adult consistent with the authority granted;
(3) A duly appointed personal representative of a deceased person;
(4)(i) A minor, if the medical record concerns treatment to which the minor has the right to consent and has consented under Title 20, Subtitle 1 of this article; or
(ii) A parent, guardian, custodian, or a representative of the minor designated by a court, in the discretion of the attending physician who provided the treatment to the minor, as provided in § 20-102 or § 20-104 of this article;
(5) If paragraph (4) of this subsection does not apply to a minor:
(i) A parent of the minor, except if the parent's authority to consent to health care for the minor has been specifically limited by a court order or a valid separation agreement entered into by the parents of the minor; or
(ii) A person authorized to consent to health care for the minor consistent with the authority granted; or
(6) An attorney appointed in writing by a person listed in paragraph (1), (2), (3), (4), or (5) of this subsection.
HG § 4-301(k).
11 The statute states:
A person to whom a medical record is disclosed may not redisclose the medical record to any other person unless redisclosure is:
(1) authorized by the person in interest;
(2) otherwise permitted by [the medical records law]
(3) permitted under [the law concerning disclosure of child abuse records]; or
(4) directory information.
12 The State medical records law allows disclosure of a medical record only as permitted by that law or "as otherwise provided by law." HG § 4-302(a)(2). It might be argued that this provision makes a permissive disclosure under HIPAA also a permissive disclosure under the State medical records law. However, this construction would be at odds with the stated policy that HIPAA sets minimum standards for confidentiality of medical records and explicitly defers to "more stringent" State laws.
13 An eight-page chart listing various mandatory disclosures under State law was compiled by the Health Law Section of the Maryland State Bar Association and is available on the MSBA website. See http://www.msba.org/sec_comm/health/docs/req_chart.pdf.
14 Fees for record searches and copies of records provided by State facilities regulated by the Department of Health and Mental Hygiene are governed by the Public Information Act. See HG § 4-304(c)(2)(i).
15 Because HIPAA contains no restrictions on charges assessed against non-patients for retrieval and copying of records, there is no conflict with Maryland law with respect to fees for third party requests.
*Page 3