HHS Clarifies State Disclosures
Health Data Management (August 30, 2004)

The Department of Health and Human Services' Office for Civil Rights has issued guidance on when a state agency is required to comply with the HIPAA privacy rule in the course of releasing information under public records laws. Such "open records" or "freedom of information" laws are intended to offer public access to government documents.

If a state agency is not a covered entity under the privacy rule, it is not required to comply and any disclosure of information pursuant to state public records law would not be subject to the privacy rule, according to the guidance, available at www.hhs.gov/ocr/hipaa.

However, the situation gets complicated when a state agency is a covered entity. The privacy rule permits a covered entity to use and disclose protected health information as required by other law, including state law. If a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted under the privacy rule to make such a disclosure, "provided the disclosure complies with and is limited to the relevant requirements of the public records law," according to the guidance.

If a state public records law permits, but does not mandate, disclosure of protected health information, or if exceptions or other qualifications apply to exempt protected health information from the state law's disclosure requirement, such disclosures are not required by law and would not fall under the privacy rule, according to the guidance.

Further, if a state public records law gives a state agency discretion not to disclose medical or other information that would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law and is not permissible under section 164.512(a) of the privacy rule, the guidance states. "In such cases, a covered entity only would be able to make the disclosure if permitted by another provision of the privacy rule."

The HHS Office for Civil Rights has enforcement jurisdiction over the HIPAA privacy rule.

Posted to HIPAAcomply 8/30/04