4.31 Federal and State Laws Protecting Health Care Information
The federal Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) was adopted to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. The Privacy Rule limits the use and disclosure of protected health information (PHI). See generally 45 C.F.R. pts. 160, 164, subparts A, E. Washington's Uniform Health Care Information Act (HCIA), chapter 70.02 RCW, also protects the confidentiality of health care information. However, both federal and state law allow for disclosure to public health authorities.
A. HIPAA Privacy Rule.
- Covered entities. The Privacy Rule applies to three types of entities, referred to as "covered entities": health plans, health care clearinghouses, and health care providers who transmit certain transactions electronically. 45 C.F.R. § 160.102(a).
- Hybrid entity status. A single legal entity that performs both covered and non-covered functions may designate itself as a hybrid entity. If a covered entity is a hybrid entity, then the privacy requirements apply only to the health care components of the entity. See 45 C.F.R. §§ 164.103, .105.
- Protected Health Information. “Protected health information” (PHI) is defined as “individually identifiable health information . . . that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or media.” 45 C.F.R. § 160.103.
- “Individually identifiable health information” is defined as information that . . .
i. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
ii. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(A) That identifies the individual; or
(B) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Id.
- General rule. A covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule. 45 C.F.R. § 164.502.
- Public health departments as covered entities. If a covered entity also is a public health authority, the covered entity is permitted to use PHI in all cases in which it is permitted to disclose PHI for public health activities under 45 C.F.R. § 164.512(b)(1). 45 C.F.R. § 164.512(b)(2).
- Contrary state law preempted. The Privacy Rule requirements preempt contrary provisions of state law, with certain exceptions. Where a state law is more stringent than the Privacy Rule, the state law is not preempted. See 45 C.F.R. § 160.203.
B. Washington HCIA.
- Health care providers and facilities. The HCIA applies to health care providers and facilities. See generally chapter 70.02 RCW.
- Health care provider. A "health care provider" means a person who is licensed, certified, registered, or otherwise authorized by the law of Washington to provide health care in the ordinary course of business or practice of a profession. RCW 70.02.010(9).
- Health care facility. "Health care facility" means a hospital, clinic, nursing home, laboratory, office, or similar place where a health care provider provides health care to patients. RCW 70.02.010(6).
- Health care information. “Health care information” is defined as “any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and directly relates to the patient's health care . . ..” RCW 70.02.010(7).
- General rule. A health care provider or health care facility may not disclose health care information without a patient's written authorization, except as authorized by RCW 70.02.050. RCW 70.02.020(1).
- Exceptions. RCW 70.02.050 contains a variety of exceptions under which health care providers and health care facilities are either permitted to or required to disclose health care information.
- State or local agencies obtaining health care information. State or local agencies obtaining information pursuant to RCW 70.02.050 shall establish record acquisition, retention, and security policies that are consistent with chapter 70.02 RCW. RCW 70.02.050(3). Cf. discussion supra §§ 4.11.C.1.a (local health departments shall maintain confidentiality of notifiable conditions case reports), 4.11.C.1.b (the state Department of Health shall maintain confidentiality of reports of cases and suspected cases).
4.32 Disclosures Related to Communicable Disease Control
A. Disclosures Permitted by HIPAA.
- Disclosures otherwise authorized by law. A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with, and is limited to, the relevant requirements of such law. 45 C.F.R. § 164.512(a).
- Disclosures for public health activities. A covered entity may disclose PHI for public health activities and purposes to:
- A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
- A public health authority or other government authority authorized by law to receive reports of child abuse or neglect;
- A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purposes of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity;
- A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
- An employer, about an individual who is a member of the workforce of the employer, under specific circumstances. 45 C.F.R. § 164.512(b)(1).
- Disclosures to avert a threat to health and safety. A covered entity may, consistent with applicable law and ethical standards of conduct, use or disclose PHI, if the covered entity, in good faith, believes the use or disclosure:
- Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
- Is to a person or persons reasonably able to prevent or lessen the threat. 45 C.F.R. § 164.512(j)(1)(i).
B. Disclosures Permitted by HCIA.
- To federal, state, or local public health authorities to the extent required by law. A health care provider shall disclose health care information about a patient without the patient's authorization if the disclosure is to federal, state, or local public health authorities, to the extent the health care provider is required by law to report health care information. RCW 70.02.050(2)(a).
- To federal, state, or local public health authorities when needed to protect the public health. A health care provider shall disclose health care information about a patient without the patient's authorization if the disclosure is to federal, state, or local public health authorities when needed to protect the public health. Id.
- To avoid or minimize an imminent danger. A health care provider or health care facility may disclose health care information to any person if the health care provider or facility reasonably believes that the disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual. RCW 70.02.050(1)(d).
- No obligation. There is no obligation under chapter 70.02 RCW on the part of the provider or facility to so disclose. Id.
C. Disclosures by Local and State Health Departments.
- Cases and suspected cases. A case or a suspected case is information reported to local health departments under the requirements of chapter 246-101 WAC. See supra § 4.11. See also WAC 246-101-010(4), (41).
- Disclosures. Local health departments and the state Department of Health are prohibited from disclosing report information identifying an individual case or suspected case, except to:
- Employees of the local health department, or other official agencies needing to know for the purpose of administering public health laws and the regulations in chapter 246-101 WAC;
- Health care providers, specific designees of health care facilities, laboratory directors, and others for the purpose of collecting additional information about a case or suspected case as required for disease prevention and control. WAC 246-101-515(1), -610(1).
NOTE: Special rules apply to sexually transmitted diseases and mental health records. No person may disclose the identity of any person related to testing or treatment for a sexually transmitted disease, except as authorized in chapter 70.24 RCW. RCW 70.24.105. No person may disclose mental health records, including the fact of admission, except as authorized in RCW 71.05.390.
4.33 Public Records Act
During a communicable disease outbreak, public agencies might receive requests under the Public Records Act for records related to the outbreak. Whether an agency must release a record will depend, in part, on whether the record is health care information under the HCIA. See infra § 4.33.A. Information that identifies a person who is in isolation because of a confirmed communicable disease is health care information. However, other records about the outbreak, for example a list of persons who may have been exposed to a communicable disease, may not clearly be health care information.
A. Protection of Health Care Information. Washington's Public Records Act provides that the HCIA applies to the inspection and copying of health care information of patients. RCW 42.56.360(2). See supra § 4.31.B.
B. Responses to Requests for Public Records.
- Response within five business days. Within five (5) business days of receiving a public record request, an agency must respond by either:
- Providing the record;
- Denying the request; or
- Acknowledging that the request has been received and providing a reasonable estimate of the time the agency will require to respond to the request. RCW 42.56.520.
- Additional time to respond to request. Additional time to respond to a request may be based upon the need to:
- Clarify the intent of the request;
- Locate and assemble the information requested;
- Notify third persons or agencies affected by the request; or
- Determine whether any of the information requested is exempt and that a denial should be made as to all or part of the request. Id.
C. Court Protection of Public Records.
- Motion and affidavit for injunction. A motion and affidavit to enjoin examination of any specific public record may be made by:
- An agency or its representative; or
- A person who is named in the record or to whom the record specifically pertains. An agency may notify such persons. RCW 42.56.540.
- Basis for injunction. The court may enjoin examination of the record if examination would:
- Clearly not be in the public interest and would substantially and irreparably damage any person; or
- Substantially and irreparably damage vital governmental functions. Id.