Minnesota Supreme Court Finds State Law Permits Health Information to be Shared Because HIPAA Authorizes It

by | Oct 11, 2023 | HIPAA, HIPAA Privacy, Information Blocking, Lawsuits, Privacy & Consent

  • The Minnesota Supreme Court has held that HIPAA “authorizes” disclosures for purposes of the Minnesota Health Records Act, and so consent was not required for a hospital to disclose certain individually identifiable health information to its institutionally related foundation for fundraising purposes.

  • A copy of the Minnesota Supreme Court’s opinion can be downloaded here.

  • The Information Blocking Rule (IBR) prohibits health care providers from interfering with the access and exchange of electronic health information in an unreasonable manner. State laws containing similar “as authorized by federal law” exceptions to consent must be carefully considered when claiming the IBR’s Privacy Exception to “block” EHI.


Last week, a colleague of mine shared an intriguing opinion published by the Minnesota Supreme Court, Schneider v. Children’s Health Care, finding that the Minnesota Health Records Act (Minn. Stat. 144.291-.298 (2022)), which appears to allow health information to be disclosed without the patient’s consent where there is a “specific authorization in law,” can look to HIPAA as providing such “authority.” My first reaction was to declare to my colleague, “the Court got it wrong!” and “HIPAA is not an authorizing statute!” But the Court’s reasoning, and how a similar case might play out in other states, are worth examining more closely.

This story starts after the parents of a minor child received a notice from a Minnesota-based pediatric hospital (“Children’s”) informing them of a data breach caused by a third-party database vendor used by its institutionally related foundation (the “Foundation”). The parents argued that they never consented to Children’s disclosing their child’s health information to the Foundation; Children’s countered that the Minnesota statute did not require it to obtain consent because HIPAA specifically “authorizes” disclosures of certain demographic information by a hospital to its institutionally related foundation for fundraising purposes under 45 CFR 164.514(f)(1). Ultimately, the Court agreed with the hospital.

As the Court points out, the crux of its analysis turns on the interaction between the Minnesota law and HIPAA. Section 144.293 of the Minnesota Statutes, titled “Release or Disclosure of Health Records,” states in relevant part:

Subd.2. Patient consent to release of records. A provider, or a person who receives health records from a provider, may not release a patient’s health records to a person without:

(1) a signed and dated consent from the patient or the patient’s legally authorized representative authorizing the release;

(2) specific authorization in law; or

(3) a representation from a provider that holds a signed and dated consent from the patient authorizing the release.

A plain reading of this statutory language supports a conclusion that patients’ health records may be disclosed if there is a “specific authorization in law” allowing it.  Ok, no real issue there. But, the Court then writes that Section 164.502(a) of the HIPAA Privacy Rule says,

“[t]he HIPAA Privacy Rule generally prohibits a covered entity from disclosing protected health information unless such disclosure is authorized by the HIPAA Privacy Rule.”

Additionally, the Court finds that Section 164.514(f)(1) of the HIPAA Privacy Rule — governing “Uses and Disclosures [of PHI] for Fundraising” – grants exactly such authority, allowing Children’s to disclose limited PHI for fundraising purposes.

All well and good?  Maybe, except that a lot of what the Court relies on in its opinion is not exactly what the HIPAA Privacy Rule actually says.

First, it cannot be overlooked that the Court appears to have inadvertently (or perhaps conveniently, but I make no presumptions here) swapped out the HIPAA Privacy Rule’s use of “permitted” with the Minnesota state statute’s use of the word “authorized.” Accurately, Section 164.502(a) of the HIPAA Privacy Rule actually says:

“A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the Privacy Rule] . . . .”

Query whether “permitted” and “authorized” are so easily interchangeable. Other provisions of the HIPAA Privacy Rule suggest perhaps not.

For example, Section 164.512(b) of the HIPAA Privacy Rule says:

“A covered entity may use or disclose protected health information for the public health activities . . . to: (i) A public health authority that is authorized by law to collect or receive such information . . . .”

Here, one might ask why government regulators specifically used the phrase “authorized by law” in this section instead of stating, for example, PHI can be disclosed to a public health authority that is “permitted by law” to collect such information?  Could it be because “permitted” and “authorized” are not precisely interchangeable?  Hmmm.

Looking next at the HIPAA Privacy Rule’s exception governing permitted disclosures for fundraising purposes, Section 164.514(f)(1) states in relevant part:

“a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of § 164.508 . . . .”

The fundraising exception does not expressly state that a covered entity is “authorized” to disclose certain PHI to its institutionally related foundation. What it does say is that a covered entity is not required to obtain a signed HIPAA-compliant authorization in advance of sharing certain PHI in such a manner for fundraising purposes. Putting aside the other procedural requirements a covered entity would need to first meet to avail itself of the fundraising exception (e.g., a statement in its HIPAA NPP; an opt-out right, etc.), one might conclude that Section 164.514(f)(1) does not exactly read like a blanket “authorization by law,” as the Minnesota Supreme Court chose to find for purposes of interpreting its state statute.

So, what might other state courts do in a similar case?

The Schneider case is not legally binding on courts in other states. Yet, it might be cited as persuasive precedent by attorneys attempting to make comparable arguments based on their state’s law where the wording is similar to the Minnesota statute here. This made me wonder how such an argument might play out under a state statute dealing with sensitive information, like HIV/AIDS information.

In New Jersey, a record maintained by any institution or person that contains identifying information about a person who has or is suspected of having AIDS or HIV infection is confidential and “may be disclosed only for the purposes authorized by [the New Jersey AIDS Assistance Act].” See N.J.S.A. 26:5C-7. Generally, a signed written informed consent, which satisfies the onerous form requirements set forth in 42 C.F.R. 2.31, is required before HIV/AIDS information can be disclosed to any third party. However, N.J.S.A. 26:5C-8b lists six (6) exceptions for when informed consent does not have to be obtained to disclose HIV/AIDS information:

  1. To “qualified personnel” for scientific research, provided the identity of the person associated with the HIV/AIDS information is not revealed and IRB-approved protocols are followed;
  2. To “qualified personnel” for the purpose of conducting management audits, financial audits, or program evaluation, so long as the identity of the person associated with the HIV/AIDS information is not revealed;
  3. To “qualified personnel” involved in the diagnosis and treatment of the person;
  4. To the NJ Department of Health (DOH) as required by State or federal law;
  5. As permitted by rules and regulations adopted by the Commissioner of NJDOH for the purposes of disease prevention and control; and
  6. In all other instances authorized by State or federal law.

Applying the rationale of the Minnesota Supreme Court to this New Jersey statute, all of the exceptions under the HIPAA Privacy Rule which permit PHI to be used and disclosed without a signed HIPAA Authorization (e.g., treatment, payment, health care operations, etc.) would be considered “authorized” for purposes of applying the “authorized by federal law” exception in the New Jersey AIDS Assistance Act. This would mean, for example, that HIV/AIDS information arguably may be released to any other covered entity for its own health care operations activities, so long as the entity that receives the information also has or had a relationship with the individual who is the subject of the PHI being requested and certain other requirements are met. It also means that HIV/AIDS information could arguably be shared with third parties for a much larger list of possible purposes than just the five narrow exceptions specifically enumerated in the NJ AIDS Assistance Act ahead of its “authorized by State or federal law” catch-all.

Was this an outcome the New Jersey legislature intended when it enacted this exception to the NJ AIDS Assistance Act in 1984, before HIPAA even existed?  . . .  Would the New Jersey Supreme Court follow a similar rationale to the Minnesota Supreme Court to support such an expanded interpretation of the NJ AIDS Assistance Act?  . . . Does it matter if the information is considered “sensitive,” like HIV/AIDS identifying information, as opposed to simply demographic information, which was what the Minnesota Supreme Court was considering? . . . What about other states — how will they interpret similar language in their statutes?

SO.  MANY. QUESTIONS.

Now add to this the impact of the Information Blocking Rule.

In its published Summary of the HIPAA Privacy Rule, HHS reiterates “a covered entity is permitted, but not required, to use and disclose PHI, without an individual’s HIPAA Authorization, for the following purposes or situations: (1) to the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.”

However, under the “precondition not satisfied” sub-exception of the Privacy Exception to the Information Blocking Rule (IBR), an actor (e.g., a health care provider or HIE/HIN) is permitted to decline providing access to or exchange of electronic health information (EHI) only if a State or Federal law requires “one or more preconditions” to first be satisfied before such access or exchange is permitted. 45 C.F.R. 171.202(b). An individual’s signed consent is one such precondition which is often required under state law before certain information may be shared with a third party. However, if consent is not required, then an IBR actor cannot rely on this sub-exception and must allow the access and exchange of the EHI being requested (unless a different IBR exception applies).

With state laws like the NJ AIDS Assistance Act, which include an exception to consent when a use or disclosure is “authorized by law,” health care providers are caught in a real Catch-22 when attempting to determine how to interpret the interaction between state law and HIPAA. Get it wrong at the state level (i.e., you released HIV/AIDS information on the basis that HIPAA authorizes it, but a New Jersey court ultimately disagrees), and you might be subject to a personal lawsuit, like one permitted under the private right of action section of the NJ AIDS Assistance Act (see N.J.S.A. 26:5C-14 et seq.). Get it wrong at the federal level (i.e., you “block” the EHI from a requestor because you decide consent is required, but the OIG disagrees), and you might be looking at monetary penalties (for HIE/HINs) or disincentives (for eligible health care providers) under the Information Blocking Rule.

*sigh*

There might be some wiggle room, however.

For health care providers that are IBR actors, the definition of “information blocking” requires knowledge that their interference with access, exchange, or use of EHI is unreasonable. Therefore, if your state does not yet have a legally binding court opinion deciding that HIPAA’s exceptions all qualify under an applicable state law’s “as authorized by federal law” exception to consent (sorry, Minnesota, you’re out now), then the OIG should defer to any reasonable interpretation of how such state laws might be interpreted by the applicable state’s court when evaluating such actors for potential information blocking practices.

For HIE/HINs, the issue is a bit muddier. The definition of “information blocking” for these types of actors does not require knowledge of being unreasonable. HIE/HINs are strictly prohibited from any practice that they know or should know is likely to interfere with access, exchange, or use of electronic health information. So if an HIE/HIN initially obtains and stores EHI pursuant to a patient’s signed consent, the HIE/HIN may not subsequently interfere with a request for access and exchange of such EHI which is otherwise permitted by law. If a state law permits EHI to be shared “if authorized by law,” the HIE/HIN would be faced with having to allow EHI to be accessed and shared or risk being found to be engaging in information blocking.  On the other hand, if an HIE/HIN receives and stores EHI pursuant to a data sharing contract or HIPAA BA agreement with a data source of the EHI (e.g., hospitals, providers etc.), ONC has specifically said that it would not expect an HIE/HIN to violate the terms of such “reasonable” restrictions that are NOT otherwise “unconscionable” (see my prior blog post discussing ONC’s views on restrictions in contracts and BAAs).

Had enough?  . . . . Me too.

The takeaway is that this stuff is hard, and it’s getting harder.  It shouldn’t have to be that way, but here we are.

If your organization is an “actor” subject to the Information Blocking Rule — i.e., a health care provider, HIE/HIN or certified developer of Health IT — make sure you consult with a knowledgeable privacy attorney to help you navigate these ever-evolving minefields of health care data privacy.
