Testimony on Implementation of the HIPAA Privacy Rule:
Application to Law Enforcement Agencies and Schools

Presented by Michael J. Mullen, Assistant Attorney General,
State of North Dakota

Before the National Committee on Vital and Health Statistics
Washington, D.C.
February 18, 2004

The Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR) have been, and are, attempting to provide guidance regarding implementation of the HIPAA privacy rule.  Further efforts to publicize authoritative guidance, and to provide greater coordination between federal agencies and between federal, state, and local agencies, would be beneficial.

Law Enforcement

The United States Department of Justice has prepared excellent videos explaining how law enforcement agencies may obtain disclosure of protected health information from a covered entity under the HIPAA privacy rule.  In North Dakota, the United States Attorney invited lawyers from the office of attorney general and state’s attorneys to attend the DOJ video presentations.  The Department of Justice has also prepared model subpoenas and a hierarchy of sections of the privacy rule that should be used by a law enforcement agency seeking to obtain protected health information.  It is unclear if these materials have been widely circulated and are available to local law enforcement agencies.  (Obviously, a state or local law enforcement agency may need to comply with “more stringent” requirements of state law.  But, having the benefit of the DOJ analysis of the privacy rule would provide an excellent starting point.)

Second, OCR is busy responding to technical questions regarding the application of the HIPAA privacy rule.  The more prominent voice of the office of public affairs in the Department of Health and Human Services (HHS) should be used to publicize information that may be useful to state and local government officials, as well as the thousands of covered entities in the private sector.  This comment applies not only to the application of the privacy rule to law enforcement, but also to schools as discussed below.

Third, OCR should make greater efforts to obtain the assistance of lawyers representing the American Hospital Association and the American Medical Association in clarifying, for the lawyers who represent covered entities that are members of these associations, which disclosures of protected health information are permitted and which are required under the HIPAA privacy rule.  Newspaper articles have reported several instances in which a hospital or other covered entity has refused to disclose protected health information under circumstances in which it appears the privacy rule permits disclosure.  See Washington Post, “Hospital Bill Is Family’s Only Clue,” January 20, 2004, at p. B05 (failure of a hospital to disclose to law enforcement officials the correct address of a dead “hit and run” accident victim, which resulted in a two-week delay in notifying the victim’s family).

As this Committee has previously noted:

A related [complicating] issue involves conflicts and overlaps between HIPAA [Health Insurance Portability and Accountability Act] and other federal laws dealing with privacy, including… the Family Educational Rights and Privacy Act (FERPA), … and other statutes and regulations.

Letter from John R. Lumpkin, M.D., M.P.H., Chair, National Committee on Vital and Health Statistics, to Honorable Tommy G. Thompson, Secretary, Department of Health and Human Services (November 25, 2002).  Thus, even though the HIPAA privacy rule contains an explicit and apparently simple exclusion of “education records” subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, from the definition of “protected health information,” 45 C.F.R. § 160.103(2)(i), the question of which law applies to the results of student screening is not readily apparent, because screening of students in K-12 schools is frequently done by public health nurses who are members of the workforce of a public health authority (that is, a covered entity).  And, while the ultimate determination of whether a record may be disclosed depends on specific factual issues, e.g., was a screening exam a “noninvasive” examination, see 20 U.S.C. § 1232h(c)(2)(A)(ii) and (c)(6)(B), or does state law provide “more stringent” protection of the privacy of a student’s health information, OCR and the Family Policy Compliance Office (FPCO) within the Department of Education [1] should provide an overview of the basic relationship between the HIPAA privacy rule and FERPA, with the caveat that officials must examine the facts in each particular situation, including consideration of applicable state law.  In the absence of authoritative federal guidance, the North Dakota Attorney General provided guidance to local public health nurses (who are members of the workforce of local public health authorities) as to the treatment of a K-12 student’s screening records.  (See attachment A, letter from Michael J. Mullen, Assistant Attorney General, to Darleen Bartz, privacy officer, North Dakota Department of Health (November 18, 2003).)

Confusion Over Disclosure Permitted by the HIPAA Privacy Rule and Disclosure Required under State Law

The HIPAA privacy rule “permits” the disclosure of protected health information if the disclosure is “required” by state or other law.  45 C.F.R. § 164.502(a).  Thus, a covered entity that fails to disclose protected health information as “required” by state law (except to the patient herself) does not violate the privacy rule; the privacy rule itself compels disclosure only to the individual.  OCR needs to emphasize loudly and clearly that a covered entity such as a hospital or clinic may nonetheless be subject to sanctions imposed by a state licensing agency, e.g., a state Department of Health, a board of medical examiners, etc., for failing to comply with mandatory state reporting requirements.

Enforcement and Penalties

While OCR has explained that it will proceed on a case-by-case basis and try to settle privacy complaints, OCR should emphasize the defenses available under the civil penalty section: “A penalty may not be imposed under subsection (a) of this section with respect to a provision of [the HIPAA rules] if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by the exercise of reasonable diligence would not have known, that such person violated the provision,” 42 U.S.C. § 1320d-5(b)(2); and a penalty also may be excused “if the failure to comply was due to reasonable cause and not willful neglect, and the failure to comply is corrected [within] 30 days…”  42 U.S.C. § 1320d-5(b)(3).  Some balance is required to discourage covered entities from refusing to disclose PHI even when disclosure is permitted by the privacy rule.

Many special task forces of state and local agencies, which in some cases received dedicated funding, were established in the “ramp up” to the privacy rule.  Most of them have disbanded.  Any dedicated funding for HIPAA projects that remains is now directed (appropriately) to compliance with the Transactions and Code Sets rule.  Therefore, it is even more important now than it was previously for OCR to develop effective, timely means of communicating to all of the relevant “publics” the information that is needed to achieve compliance with the privacy rule, without interfering with patient care, public health, or law enforcement.

[1] The National Forum on Education Statistics Policies, Programs and Implementation Committee (PPI), Student Privacy Task Force, which apparently operates under the authority of the National Center for Education Statistics (NCES), an office within the United States Department of Education, discussed the preparation of an “updated document (“Protecting the Privacy of Student Records”) [which] should include a discussion on ex parte orders and HIPAA.”  Student Privacy Task Force (June 2002 Meeting Notes), found at http://nces.ed.gov/forum/SPTFnotes_06_02.asp.  Whether the update, including a discussion of the HIPAA privacy rule, has been completed and distributed is unknown.