What is a good rule of thumb when developing different levels of information access?

Feature

In most cases, state laws will not be preempted by HIPAA.

By JENNIFER DAW HOLLOWAY

Monitor Staff

January 2003, Vol 34, No. 1

Print version: page 28

With the Health Insurance Portability and Accountability Act (HIPAA) privacy rule compliance date--April 14--fast approaching, psychologists must explore how the new federal rules interact with their current state laws.

HIPAA's privacy rule governs how health-care providers handle the use or disclosure of protected health information (PHI). In effect, PHI is defined as individually identifiable health information relating to the condition of a patient, the provision of health care or payment for care. All states already have privacy laws that apply to such information. Areas such as patient consent, access to records and subpoena rights, to name a few, are included under HIPAA as well as state laws.

So, will HIPAA's rules preempt state laws?

"The general standard is that if a state law is more protective of the patient, then it takes precedence over HIPAA," says Doug Walter, legislative and regulatory counsel in APA's Practice Directorate.

Conversely, if a state law is less stringent than HIPAA, then HIPAA takes over, he says.

The following examples illustrate the interplay between state laws and HIPAA and how that will affect psychologists:

  • Consent for payment, treatment and health-care operations. Dr. Smith, a psychologist in Utah, has scheduled a new patient. When the patient comes for her general appointment, Dr. Smith's office must be sure she signs a consent form for the disclosure of her records. Utah law requires that psychologists obtain signed consent, while the HIPAA privacy rule does not require consent. So, Utah law applies instead of HIPAA in this case because the state law gives patients greater privacy protection. Other states may have similar laws that would take precedence over HIPAA.

  • Patient access to psychotherapy notes. Under HIPAA, patients are granted access to their records, with the exception of "psychotherapy notes," better known as what psychologists traditionally call "process notes." But in some states, such as Vermont, patients can access their psychotherapy notes under state law. So, when a patient of Vermont practitioner Dr. Jones asks to see his notes, Dr. Jones must permit the patient to see them. Because Vermont law gives the patient greater rights to access his or her psychotherapy notes, it takes precedence over the HIPAA requirements. Again, several other states may have such protective laws.

  • Subpoena of patient records. Dr. Milton, a psychologist in New Hampshire, receives a subpoena requesting the records of one of his patients. Attached to the subpoena is a notice from the requesting party's attorney stating that her office has made diligent but unsuccessful efforts to reach the patient to serve notice that his records are being requested. This is an adequate attempt to notify the patient under HIPAA and, therefore, the psychologist would not be barred from producing the patient's records if HIPAA took precedence. However, under New Hampshire law, psychologists are precluded from producing their patients' records for a third party absent a court order or patient consent. New Hampshire law is more protective than HIPAA with respect to records subpoenas. Therefore, state law preempts HIPAA in this case.

There are myriad examples--aside from the three above--of how state laws may take precedence over HIPAA. The simple rule of thumb is that any provision--in state laws or HIPAA--that gives greater protection to patients' privacy or right to access their own health information takes precedence. The HIPAA privacy rule "won't impair the effectiveness of state laws that are more protective of privacy," says Russ Newman, PhD, JD, APA's executive director for practice. And, he notes, in states where protective laws haven't been enacted, HIPAA will not prevent states from enacting laws that provide greater patient privacy protection.

HIPAA assumes that practitioners know the ins and outs of their state laws, but figuring out which law will take precedence involves a complicated analysis of state statutes, regulations and common law decisions.

The APA Practice Organization and the APA Insurance Trust are developing comprehensive resources for psychologists that will facilitate compliance with the HIPAA privacy rule. Along with several offerings, a new product, "HIPAA for Psychologists"--which will include the necessary state-specific forms that comply with both the HIPAA privacy rule and relevant state law--will be available for purchase online at the Practice Organization's new practitioner portal.

This article is the first in a three-part series on HIPAA topics. The next piece, on HIPAA's psychotherapy notes requirement, will appear in February.

What should be the first step in the Security Rule implementation process?

The first step toward Security Rule compliance requires the assignment of security responsibility — a Security Officer. The Security Officer can be an individual or an external organization that leads Security Rule efforts and is responsible for ongoing security management within the organization.

What is a minimum necessary rule?

The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

What is the HIPAA privacy Rule?

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual's authorization.

What practices would you put in place to ensure compliance with HIPAA?

Practices should keep all patient paperwork, charts, and records locked away, safe and out of the public's view. Never leave patient information out or unattended. Computer programs containing patient information should be closed and logged out of when not in use. Never share passwords between employees.