Opinion No. (2005)

Dear President Sparks

¶ 0 This office has received your request for an official Attorney General Opinion in which you ask, in effect, the following questions:

1. Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), may a professional licensing agency such as the Board of Dentistry obtain protected health information about an individual, other than the one under investigation, when the professional licensing agency is conducting an investigation pursuant to its statutory duties to regulate licensees?

2. Under HIPAA, may a professional licensing agency, when conducting an administrative investigation, obtain protected health information of an individual other than the one under investigation from a covered entity upon a verbal request, or is a subpoena required?

I. Background Of The Statutory Duties Of The Oklahoma Board Of Dentistry

¶ 1 The Oklahoma Board of Dentistry ("Board") was created by the Legislature pursuant to Article V, Section 39 of the Oklahoma Constitution. The Board is to "implement and enforce the provisions of the State Dental Act." 59 O.S. 2001, § 328.7(A).

¶ 2 Among the provisions of the State Dental Act ("Dental Act") to be implemented and enforced by the Board are the following:

Issue licenses or permits after examinations to determine the qualifications of applicants (see 59 O.S. Supp. 2004, § 328.15(B)(1));

"Investigate and issue investigative and other subpoenas, pursuant to Article II of the Administrative Procedures Act" (id. § 328.15(B)(7));

"Initiate individual proceedings and issue orders imposing administrative penalties," including, but not limited to probation, suspension or revocation of a license and monetary penalties "against any dentist, dental hygienist, dental assistant, dental laboratory technician, or holder of a permit to operate a dental laboratory who has violated the State Dental Act or the rules of the Board" (id. § 328.15(B)(8));

Conduct "inspections of dental offices and dental laboratories and their business records" (id. § 328.15(B)(9));

"Hire one or more investigators to conduct investigations of alleged violations of the Dental Act or the rules of the Board" and commission an investigator as a certified peace officer for the purpose of enforcing the Dental Act and rules of the Board as they relate to individuals who hold licenses or permits issued by the Board (id. § 328.15(B)(14)).

See 59 O.S. Supp. 2004, § 328.15(B).1

¶ 3 Pursuant to the authorization granted in Section 328.15 of Title 59, the Board's investigator investigates alleged violations of the Dental Act and conducts inspections of dental offices and business records. See id. § 328.15(B)(9), (14). Administrative subpoenas are issued under the Dental Act to further the investigations. See id. § 328.15(B)(7); OAC 195:3-1-2(b). The Board hears complaints presented to it by the investigator under the Administrative Procedures Act, and determines whether a violation of the Dental Act or rules of the Board has occurred and what administrative penalty, if any, is appropriate. 59 O.S. Supp. 2004, § 328.44a(A); OAC 195:3-1-6, 3-1-7.

¶ 4 It is in the context of the Board's status as an agency charged with licensing, inspecting, investigating and penalizing dentists, dental hygienists, dental assistants and those associated with dental laboratories that you have asked the above questions. The answers require an analysis of the statutorily authorized duties of the Board balanced against the privacy provisions of HIPAA. First, an explanation of HIPAA as it relates to your questions is necessary.

II. HIPAA

¶ 5 On August 21, 1996, the President signed HIPAA into law. See Health Insurance Portability and Accountability Act of 1996, Pub.L. No. 104-191 (codified as amended in scattered sections of 42 U.S.C.) [hereinafter HIPAA]. HIPAA is organized into five titles. See id. The portion of HIPAA that is relevant to your questions was enacted pursuant to Title II. There were two goals of Title II: to prevent health care fraud and abuse, and to reduce the costs and administrative burdens of health care by replacing the many nonstandard formats used nationally with a single set of electronic standards. See id.

Subtitle F directed the Secretary: (1) to adopt standards and data elements for the electronic exchange of individually identifiable health information in connection with the delivery of, and payment for, health care services; and (2) to adopt standards for the security, integrity, and confidentiality of electronically stored or transmitted health care information.

Citizens for Health v. Thompson, ___ F. Supp. 2d ___, 2004 WL 765356, at 2 (E.D. Pa. 2004) (emphasis added). It is the second part of Title II with which we are concerned here.

¶ 6 Basically, HIPAA required the Secretary of Health and Human Services to develop regulations concerning the disclosure of an individual's health information by any entity known as a "covered entity."2 Covered entities include doctors, hospitals, dentists, pharmacies, pharmacists and many more health care related entities far too numerous to mention.

¶ 7 HIPAA represents a national effort to protect the privacy of such individually identifiable health information. See Standards for Privacy of Individually Identifiable Health Info., 65 Fed. Reg. 82,462 (Dec. 28, 2000) (to be codified at 45 C.F.R. pts. 160, 164). The regulations are designed to address public concerns over a "substantial erosion of the privacy surrounding individually identifiable health information." Id. at 82,462. The regulations restrict disclosure by covered entities of an individual's3 "protected health information" by most health care providers without obtaining an individual's authorization. 45 C.F.R. § 164.502(a) (2005). "Protected health information" is individually identifiable health information in any form or medium. Id. § 160.103. While HIPAA and its accompanying regulations support the broad policy of protecting this individually identifiable health information, the regulations allow for disclosures by certain covered entities without authorization for "national priority purposes," which include health oversight activities by "health oversight agencies."4 65 Fed. Reg. at 82,524.

¶ 8 According to the comments made to the promulgation of HIPAA regulations, while privacy is a fundamental right to be protected, some balance is required.

It also became clear from the comments and our fact-finding that we have expectations as a society that conflict with individuals' views about the privacy of health information. We expect the health care industry to develop treatment protocols for the delivery of high quality health care. We expect insurers and the government to reduce fraud in the health care system. We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician.

65 Fed. Reg. at 82,471. How the needs for privacy of protected health information and professional licensing agencies' "need to know" information has been balanced under HIPAA will be addressed below.

III. A Professional Licensing Agency May Be A Health Oversight Agency Performing Health Oversight Activities Under 45 C.F.R. § 164.512(d), To Whom A Covered Entity May Disclose Protected Health Information If The Professional Licensing Agency Is Authorized By Law To Oversee The Health Care System.

¶ 9 HIPAA regulations provide certain circumstances in which individuals about whom information is sought need not be notified of or give authorization for the disclosure of protected health information. See 45 C.F.R. § 164.512 (2005). Thus, the first task is to determine whether disclosures may be made by a covered entity to professional licensing agencies ("Agency"), such as the Board, under 45 C.F.R. § 164.512 within the meaning of the HIPAA regulations, when the Agency is conducting statutorily authorized administrative investigations.

A. A Professional Licensing Agency is a Health Oversight Agency.

¶ 10 HIPAA regulations provide a specific exception from HIPAA requirements for health oversight activities by a health oversight agency. 45 C.F.R. § 164.512(d)(1).5 Thus, the relevant questions become whether an Agency is a "health oversight agency," performing "health oversight activities" in its investigations.

¶ 11 The HIPAA regulations define a "health oversight agency" as:

[A]n agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

45 C.F.R. § 164.501 (2005) (emphasis added).

¶ 12 In determining whether an Agency is a "health oversight agency," the question is whether the Agency operates under a grant of authority and is authorized to oversee a professional practice, such as the practice of dentistry. This is a question to be answered by each Agency, but the Board as an example is helpful. The State of Oklahoma regulates and controls the practice of dentistry as part of its police powers to protect public health and safety. Cryan v. State, 583 P.2d 1122, 1124-25 (Okla.Crim. 1978). The Legislature declared its intention of exercising this power with the Dental Act, which provides that the practice of dentistry is "subject to regulation and control in the public's best interest." 59 O.S. 2001, § 328.2. Furthermore, the Legislature charged the Board with the responsibility "for the enforcement of the provisions of the State Dental Act against all persons who are in violation thereof." 59 O.S. Supp. 2004, § 328.49(A).

¶ 13 In addition, the Legislature provided the Board with the authority "to formulate, adopt, and promulgate rules as may be necessary to regulate the practice of dentistry in this state and to implement and enforce the provisions of the State Dental Act," including performing investigations and inspections. 59 O.S. Supp. 2004, § 328.15(A), (B)(7). The Board is also authorized to establish a review panel to investigate complaints, which includes the power to seek evidence. Id. § 328.43a(C). Thus, the Board, under the definition in the HIPAA regulation quoted above, is a health oversight agency. Whether each professional licensing Agency in Oklahoma is a health oversight agency is a determination to be made based upon a review of that agency's authorizing statutes and is beyond the scope of this Opinion.6 See 74 O.S. 2001, § 18b(A)(5).

B. A Professional Licensing Agency Conducts Health Oversight Activities.

¶ 14 The HIPAA regulations and commentary concerning the meaning of "health oversight activities" demonstrate that investigations conducted by licensing agencies are such activities. Under 45 C.F.R. § 164.512(d), disclosures are permitted to health oversight agencies for health oversight activities, which in pertinent part are:

[A]uthorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

. . . .

(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards[.]

Id. § 164.512(d)(1) (emphasis added).

¶ 15 The comments to 45 C.F.R. § 164.512(e) support the proposition that an Agency, when conducting an investigation authorized by law whether in an administrative proceeding or not, is conducting a health oversight activity:

[T]he fact that protected health information is the subject of a matter before a court or tribunal does not prevent its disclosure under another provision of the rule, such as § . . . 164.512(d), . . . even if a public agency's method of requesting the information is pursuant to an administrative proceeding. For example, where a public agency commences a disciplinary action against a health professional, and requests protected health information as part of its investigation, the disclosure [may] be made to the agency under paragraph (d) of this section (relating to health oversight) even if the method of making the request is through the proceeding.

65 Fed. Reg. at 82,530 (emphasis added). See also Scott D. Stein, What Litigators Need to Know About HIPAA, 36 J. Health L. 433, 440 (2003) ("health oversight activity" is broad enough to include "any audit, civil investigation, criminal investigation, administrative investigation, inspection, licensure action, disciplinary action, or other activity related to oversight of: (1) "[t]he health care system").

¶ 16 In conclusion, a professional licensing Agency is generally a health oversight agency and conducts health oversight activities. As such, a covered entity may disclose protected health information to a professional licensing Agency under 45 C.F.R. § 164.512(d)(1), subject to the exception and limitations noted below.

IV. HIPAA Exceptions To The Permitted Disclosure of Protected Health Information By Covered Entities To A Licensing Agency In The Course Of A Health Oversight Activity; Exceptions To The Exception

¶ 17 A general exception to the ability of a covered entity to disclose protected information for health oversight activities under HIPAA is for "an investigation or other activity in which the individual is the subject of the investigation or activity." 45 C.F.R. § 164.512(d)(2). Under this general exception, personal health information for that individual could not be released without authorization from the subject of the investigation.7 For example, a Board request for personal health information of a dentist it was investigating would not be a health oversight activity under the regulations.

¶ 18 However, a limited exception to the non-disclosure exception of Section 164.512(d)(2) exists in HIPAA, permitting disclosure of protected health information concerning the individual being investigated for disclosures for judicial and administrative proceedings. 45 C.F.R. § 164.512(e). This limited exception allows the protected information of the individual being investigated to be disclosed without notice to the individual. See id. A disclosure may be made "[i]n response to an order of a court or administrative tribunal." Id. § 164.512(e)(1)(i).

¶ 19 This regulation allows disclosure even if the request concerns the individual who is the subject of the civil or administrative proceeding. If the request is not pursuant to an order of a court or administrative tribunal, but is made through "a subpoena, discovery request, or other lawful process," the information may still be provided by the covered entity if it receives adequate assurances that reasonable efforts have been made to ensure that the individual has notice of the request. Id. § 164.512(e)(1)(ii).

¶ 20 In summary, the general rule and the exceptions provide: if an Agency is exercising authority under state law when it requests individual health information from a covered entity during an investigation, a covered entity may provide this information without notice or authorization from the individual whose information is being requested, unless the information requested is protected health information of the licensee who is the subject of the investigation. Under those circumstances, the covered entity may request that the Agency have an order from a court or its administrative tribunal to disclose protected health information without notice or authorization from the individual whose information is sought.

¶ 21 Another, very narrow exception exists to the Section 164.512(d)(2) non-disclosure rule. An employee of a covered entity may qualify as a whistleblower and provide protected health information to a professional licensing agency without notice to an individual, such as a dentist, who is a covered entity that is under investigation. 45 C.F.R. § 164.502(j). Whistleblowers8 may provide protected health information to a health oversight agency which is authorized by law to "investigate or otherwise oversee the relevant conduct or conditions of the covered entity," (id. § 164.502(j)(1)(ii)(A)), provided that the person has a good faith belief that the covered entity engaged in unlawful conduct or conduct that "violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public[.]" Id. § 164.502(j)(1)(I).

V. A Professional Licensing Agency May Be Limited In Obtaining Protected Health Information From A Protected Entity If An Agency Activity Is Other Than A Health Oversight Activity Under 45 C.F.R. § 164.512(d).

¶ 22 As explained above, for health oversight activities covered entities are permitted to disclose protected health information about an individual without his/her written authorization. However, for circumstances other than health oversight activities authorized by Section 164.512(d)(1), or where it is responding to a court or administrative tribunal order under Section 164.512(e),9 the covered entity must comply with certain limitations in releasing the information. For example, the provisions containing limitations10 govern disclosures about abuse, neglect or domestic violence victims, disclosures in response to a subpoena or other lawful process in judicial or administrative proceedings and disclosures for law enforcement purposes. 45 C.F.R. § 164.512(c), (e), (f).

VI. What Process Must Be Used to Obtain The Protected Health Information By A Health Oversight Agency?

¶ 23 You next ask whether the Board must issue a subpoena or may make a verbal request to obtain information about someone other than the subject of an investigation.11 The regulations do not require a subpoena for requests as part of health oversight activities. 45 C.F.R. § 164.512(d).12 However, a subpoena, or some other lawful process, may be required if the request is for protected personal health information of the individual being investigated and is not accompanied by an order of a court or administrative tribunal. Id. Therefore, whether a subpoena is required would depend on whether the activities fall under the definition of "health oversight activities" or whether the request is for protected personal health information for the person being investigated. This is a factual determination, not to be answered in an Attorney General Opinion. 74 O.S. § 18b(A)(5).

¶ 24 It is, therefore, the official Opinion of the Attorney General that:

1. A professional licensing agency such as the Board of Dentistry may obtain protected health information about an individual other than one under investigation without notice to the individual whose information is being obtained when the professional licensing agency is conducting an investigation pursuant to its statutory duties to regulate licensees. 45 C.F.R. § 164.512(d)(1).

2. If the licensee being investigated is the individual whose protected health information is sought, the licensing agency is not conducting "health oversight activities" under 45 C.F.R. § 164.512(d)(2).

3. If a professional licensing agency is not conducting a health oversight activity, a covered entity may be able to disclose protected health information without notice to or authorization from the individual whose health information is being disclosed, if any one subsection of 45 C.F.R. § 164.512(a),(c),(e), or (f)-(l) applies.

4. Under 45 C.F.R. § 164.512(d)(1), a covered entity may respond to a verbal request for protected health information for health oversight activities of a professional licensing agency, including administrative investigations and disciplinary actions, without a subpoena.

5. If the protected health information requested pertains to the individual who is the subject of the investigation, the activity is not a health oversight activity in which a verbal request is authorized. 45 C.F.R. § 164.512(d)(2). Whether a verbal request is authorized by another section of 45 C.F.R. § 164.512 is beyond the scope of this Opinion. 74 O.S. § 18b(A)(5).

W.A. DREW EDMONDSON Attorney General of Oklahoma

GRETCHEN GROVER HARRIS Assistant Attorney General

1 Section 328.15 was amended in the First Regular Session of the Fiftieth Legislature with an effective date of November 1, 2005. The amendment is not relevant to your inquiry. See 2005 Okla. Sess. Laws ch. 377, § 2.

2 A covered entity is: "(1) A health plan. (2) A health care clearinghouse. (3) A health care provider. . . ." or "a business associate of another covered entity." 45 C.F.R. § 160.103 (2005). A health care clearinghouse is a public or private entity that processes health information received from another entity into a different format. Id.

3 Under HIPAA, an "individual" is "the person who is the subject of protected health information." 45 C.F.R. § 160.103 (2005).

4 Whether a professional licensing agency is a health oversight agency that conducts health oversight activities is discussed in Part III of this Opinion.

5 Other subsections of 45 C.F.R. § 164.512 allow disclosure of personal health information as required by law, § 164.512(a), for reporting child abuse (c), or to a law enforcement agency (f).

6 While there seems to be no relevant judicial authority whether a professional licensing agency is a health oversight agency, health care commentators have said:

The Regulations define a "health oversight agency" as a public agency authorized by law to conduct oversight activities relating to the health care system. . . . Among the health oversight agencies to whom a covered entity could provide health information are: state insurance commissions; state health professional licensure agencies, including Boards of Medical Examiners and Boards of Nursing. . . .

Richard L. Murray, Jr. & Patrick T. O'Rourke, Confidentiality of Medical Records and the Health Insurance Portability and Accountability Act of 1996, 30-MAR Colo. Law 65, 68 (2001) (emphasis added). See also Scott D. Stein, What Litigators Need to Know About HIPAA, 36 J. Health L. 433, 440-41 (2003).

7 This clause provides for the exception to health oversight activities:

For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:

(i) The receipt of health care;

(ii) A claim for public benefits related to health; or

(iii) Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.

45 C.F.R. § 164.512(d)(2) (emphasis added). An administrative licensing investigation would not be directly related to i, ii, or iii and thus, the exception to the authority of a licensing agency to health oversight activity would apply.

8 Under Section 164.502(j)(1), a whistleblower may be a member of the covered entity's workforce or a business associate thereof.

9 The ability of an Agency to obtain protected health information through process in a civil or administrative proceeding will be discussed in Part VI, below.

10 The limitations vary from exception to exception. See, e.g., 45 C.F.R. § 164.512(c), (e), (f).

11 This Opinion does not address requirements which may be specific to an Agency by statute or regulation.

12 This section of the regulations does not provide for a specific form of the request, only that the request be "authorized by law." 45 C.F.R. § 164.512(d)(1). The comments to Section 164.512 point out that a covered entity would need to verify the authority for the request, but "that covered entities may reasonably rely on assertions of authority made by government agencies." 65 Fed. Reg. at 82,530. Other subsections do require specific forms for the request to disclose protected health information. See 45 C.F.R. § 164.512(e)(1) ("(i) In response to an order of a court or administrative tribunal . . .; or (ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal. . . ."); see also id. § 164.512(f) ("for a law enforcement purpose to a law enforcement official. . . . (1) . . . [p]ursuant to process").