Department of Health and Human Services

Questions & Answers

 Answers 
 
Suggest a Question
 
 My Notifications 
   
  Help  
Search
Browse
Category     View Category Hierarchy

    
Search Text (optional) Search Tips 
   
   Powered by RightNow Web
  Answer ID  
506
  Category  
Privacy of Health Information/HIPAA
  Disclosures Required by Law
  Date Updated  
08/24/2004 04:08 PM

 Printer Friendly Version of This Answer  Print Answer

 E-mail This Answer  E-mail Answer
  
  How does the HIPAA Privacy Rule relate to state public records laws?
  Question
  State public records laws, also known as open records or freedom of information laws, all provide for certain public access to government records. How does the HIPAA Privacy Rule relate to these state laws?
  Answer
  If a state agency is not a “covered entity”, as that term is defined at 45 CFR 160.103, it is not required to comply with the HIPAA Privacy Rule and, thus, any disclosure of information by the state agency pursuant to its state public records law would not be subject to the Privacy Rule.

If a state agency is a covered entity, however, the Privacy Rule applies to its disclosures of protected health information. The Privacy Rule permits a covered entity to use and disclose protected health information as required by other law, including state law. See 45 CFR 164.512(a). Thus, where a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law.

However, where a state public records law only permits, and does not mandate, the disclosure of protected health information, or where exceptions or other qualifications apply to exempt the protected health information from the state law’s disclosure requirement, such disclosures are not “required by law” and thus, would not fall within § 164.512(a) of the Privacy Rule. For example, if a state public records law includes an exemption that affords a state agency discretion not to disclose medical or other information where such disclosure would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law, and therefore is not permissible under § 164.512(a). In such cases, a covered entity only would be able to make the disclosure if permitted by another provision of the Privacy Rule.

As an example of how the Privacy Rule would apply in the case where an exemption exists in a freedom of information law, see the December 2000 Privacy Rule preamble discussion regarding the relationship of the Privacy Rule with the federal Freedom of Information Act (64 FR 82482).
 
  How well did this answer your question?
 
Very Helpful Somewhat Helpful Not Helpful   
 
  Related Answers
 
Back to Search Results
  Back to Search Results  

HHS Home | Questions? | Contact Us | Site Map | Accessibility | Privacy Policy | Freedom of Information Act | Disclaimers

The White House | FirstGov