The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule is a federal law that protects the privacy of patient health information held by “covered entities.”1
HIPAA defines “covered entity” as health plans, health care clearinghouses, and health care providers who transmit health information in electronic form related to certain types of transactions.2
“Health care providers” who “transmit health information in electronic form” are “covered entities” and must comply with HIPAA. “Health care providers” are defined to include both individual providers such as physicians, clinical social workers, and other medical and mental health practitioners, as well as hospitals, clinics and other organizations.3 Health care providers are only subject to HIPAA, however, if they transmit health information regarding certain types of health transactions electronically.
The transactions that make HIPAA applicable include any of the following when done electronically: submitting claims to health insurers, making benefit and coverage inquiries to insurers, making inquiries about submitted claims, and sending health care authorization requests, among others.4 The fact that a school-based program or provider may not use electronic records onsite does not automatically mean it is exempt from HIPAA. Providers may be transmitting electronic health information in another way, for example, by using a billing service that does. That said, there will be providers who are not subject to HIPAA because they do not transmit health information in electronic form related to covered transactions. The U.S. Department of Health and Human Services offers a “Covered Entity Chart” that a provider can use to determine whether the provider is subject to HIPAA.5 (See Covered Entities for further information.) Even if a health provider meets the definition of “covered entity,” some of its records may be subject to FERPA instead of HIPAA when it works at or with a school. (See HIPAA, FERPA, Both or Neither? A Flowchart for Decision-Making.)
Most covered entities work with other organizations and individuals in order to provide health care. Examples include attorneys, data processors, and accountants. A “business associate” is an individual or organization that receives, creates, maintains, or transmits “protected health information” as part of certain types of work it does on behalf of a covered entity. The type of work must be directly related to activities the covered entity does that are regulated by HIPAA, such as claims processing or billing, or services that support that work such as legal, actuarial, transcription, accounting, consulting, management, accreditation, or financial services.6 (See endnote 6 for more examples.) In most cases, the covered entity must enter into a business associate contract with this individual or organization in order to share protected health information.
Indirectly, yes. A covered entity cannot share information with a business associate unless the covered entity has received written assurances from the business associate that the business associate will protect “protected health information” in compliance with HIPAA. HIPAA outlines what this written agreement must include before a covered entity may share health information with the business associate. These contracts cannot obligate a business associate to do something that otherwise conflicts with other laws, however, such as FERPA. Providers always should consult legal counsel regarding such contracts and whether an organization qualifies as a “business associate” in the first place.7
The HIPAA Privacy Rule restricts covered health providers from disclosing what HIPAA calls “protected health information” (PHI).8 “Protected health information” is individually identifiable health information in any form, including oral communications as well as written or electronically transmitted information.9
Protected health information does not include information subject to FERPA. HIPAA explicitly states that health information held in an education record subject to FERPA is not “protected health information.”10 In other words, if FERPA applies, HIPAA does not, and FERPA and HIPAA can never apply to the same information at the same time.
California has its own laws that protect the confidentiality of medical and mental health information.11 One of the most comprehensive sets of statutes is called the California Confidentiality of Medical Information Act (CMIA). It applies to medical information held by health care providers, health care service plans, and contractors, as each is defined in state law.12 The CMIA parallels HIPAA in many ways; however, in some situations it provides greater confidentiality protections than HIPAA.
Federal privacy regulations under HIPAA usually supersede – or “preempt” – state laws, but HIPAA states that if a state’s law is more protective of individual privacy, then providers should follow the state law.13 Thus, California health providers typically are following both HIPAA and state law.
There are two other ways that California law becomes particularly important to understanding HIPAA. HIPAA grants rights to sign authorizations and to access a minor’s protected health information based in part on who is authorized to make health decisions for the minor. State law determines who has those consent rights in many cases.14 Similarly, HIPAA says a parent’s right to access records when the parent did not consent for the child’s care will depend in part on state law.
Finally, it is important to note that in addition to state and federal statute, licensed health professionals may practice under state ethical and licensing regulations that also include obligations related to confidentiality. These principles may impose greater confidentiality obligations than HIPAA.
Generally, health care providers cannot disclose information protected by HIPAA without a signed authorization.15 An authorization form must include specific elements to be valid under HIPAA and CMIA. (See Requirements for Release of Information Forms in Additional Resources.)16 HIPAA and California law also define who must sign the authorization.17
A parent, guardian, or another person with authority under the law to make health decisions for an unemancipated minor usually must sign authorizations to release the minor’s information.18 However, if the minor consented, or could have consented, to the health care under California’s minor consent laws, the minor must sign the authorization. Some of California’s minor consent laws are highlighted in Covered Entities in Additional Resources.
REAL WORLD EXAMPLE
Jake, 16, needs a general physical. He is authorized to consent to his own health care under California law because he is 15 years old or older, not living with his parents, and managing his own financial affairs.
Because he can consent to his own care, he can sign authorizations to release the related health information. (See California Minor Consent Laws in Additional Resources.)
The default rule in HIPAA and CMIA is that release of protected health information requires a signed authorization; however, there are many exceptions to this rule.
Exceptions in HIPAA and CMIA allow, and sometimes require, health care providers to share health and mental health information without the need of a signed release. A few examples of these exceptions include:
- for treatment purposes19
- to avert a serious and imminent threat20
- for research21
- for payment purposes22
- for health care operations23
- to public health authorities as required by law24
- to report child abuse as required by law25
- when requested by the individual26
- other exceptions as well27
Different conditions must be met before information may be shared under each exception. For example, the “treatment” exception under HIPAA and CMIA only allows a health provider to disclose information to other providers of health care, health care service plans, contractors, or other health care professionals or facilities and only for purposes of diagnosis or treatment of the patient.
So, it is important to understand the law before relying on an exception to disclose protected health information.
If a provider operates under HIPAA, it must meet all the administrative requirements in HIPAA and CMIA. This includes, but is not limited to, making sure the provider has a HIPAA-compliant “Notice of Privacy Practices” that it shares with clients,28 a HIPAA- and CMIA-compliant release form (See Requirements for Release of Information Forms in Additional Resources), and that it maintains records for the appropriate number of years, among many other things. Providers subject to HIPAA should consult their legal counsel regarding the many administrative requirements in HIPAA.