HIPAA and the Preemption of State Law - Module 4 of 5
Module 4: HIPAA and the Preemption of State Law
In an advisory release recently sent to clients that are healthcare providers, Akerman LLP, one of the United States’ largest law firms, cautioned, “Smaller Providers need to remember that HIPAA is not the only law requiring the appropriate safeguarding of patient information. State practice acts also impose an obligation on practitioners to protect the confidentiality of such information.”[1]
When Congress passed the Health Insurance Portability and Accountability Act of 1996, it sought to provide a federal framework for governing protected health information. Before HIPAA went into effect in 2003, however, numerous states had already enacted statutes and rules regulating the privacy of healthcare information.[2] Even after the federal law’s passage, states have continued to enact their own laws regulating healthcare information.
In this module, we’ll address how HIPAA interacts with state laws, focusing on federal preemption of state law and the situations where federal preemption issues most frequently arise.
The Supremacy Clause and Preemption
The United States Constitution’s Supremacy Clause provides that the Constitution, and the Laws and Treaties made pursuant to it, “shall be the supreme law of the Land.”[3] Where a federal law and a state law conflict, the federal law will, in certain scenarios, override the state law.
Federal law overrides state law when Congress expressly preempts state law by explicitly providing that federal law displaces a state law.[4] Congress can also impliedly preempt state law in two ways.[5] The first is field preemption, where federal regulation is so pervasive that Congress leaves the states with no room to supplement the federal law. The second form of implied preemption is conflict preemption, where compliance with both federal and state laws is impossible, thus leading to a conflict.
HIPAA and Preemption
HIPAA’s language provides that HIPAA’s provisions preempt any “contrary state law” addressing patient privacy and protected health information.[6] The regulations define “state law” to “mean a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.”[7] HIPAA defines a state law as “contrary” if:[8]
(1) the state law would make it impossible for the healthcare provider to comply with HIPAA and the state directive at the same time; or
(2) the state provision stands as an obstacle to the accomplishment of the full objectives of HIPAA.
HIPAA will thus preempt a state’s laws that meet either of these conditions. An example of a potentially “contrary state law” emerged in California in 2003.[9] At that time, analysts compared California law on the release of health information for research purposes with HIPAA’s regulations on the same topic.
The California law permitted a health provider to release a patient’s medical information without the patient’s authorization for “bona fide research purposes” to public agencies, clinical investigators, and health care research organizations. On the other hand, HIPAA, which has an objective of guaranteeing the security and privacy of a person’s health information in all scenarios, permits the use of a patient’s health information without patient authorization for research purposes only if it is shared with an institutional review board and only when the review board provides a description of why the information is needed for research, as well as adequate written assurances that the information will not be reused.[10] Here, both California and the federal government attempted to regulate the release of patient information in the context of research, but California’s law was preempted because it was too lenient and stood as an obstacle to accomplishing HIPAA’s objective of always guaranteeing patient security and privacy.
It should be noted that HIPAA has created a floor, not a ceiling, with regard to health privacy regulations. Thus, a state can pass a law more stringent than HIPAA to protect patient privacy.[11] A state law on patient privacy is “more stringent” than a corresponding HIPAA provision if the state law does any of the following:[12]
· prohibits a use or disclosure of information when the federal law would permit it;
· provides a patient with “greater rights of access or amendment” to his health information;
· provides a patient with a “greater amount of information” about health information use, disclosure, rights, or remedies;
· provides for more detailed recordkeeping or accounting of disclosures;
· provides requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission for a disclosure of information; or
· with respect to any other matter, the state law provides greater privacy protection of the information’s subject matter.
In 2011, for example, Texas Governor Rick Perry signed into law House Bill 300, requiring a covered entity to provide a patient with electronic copies of his or her electronic health record within fifteen days of a written request.[13] Though this state law is not the same as the HIPAA rule on the subject, because the federal law gives a covered entity 30 days to comply with a written request for records, HIPAA doesn’t preempt it: the state law is more stringent, as it shortens the time a healthcare provider has to comply with a patient request.
HIPAA Standards and State Law Causes of Action
Whether HIPAA preempts a state’s laws is an issue that frequently arises in negligence actions, including the important 2014 case, Byrne v. Avery Center for Obstetrics & Gynecology.[14] The plaintiff instructed her doctor at the physician practice group not to share her medical records with a former significant other. Soon after, her estranged significant other filed a paternity suit and served the practice with a subpoena requesting the plaintiff’s medical records at a court proceeding. The defendant did not alert the plaintiff to the subpoena, file a motion to quash it, or appear in court. Instead, he mailed a copy of the plaintiff’s medical file to the court. Her former significant other then told the plaintiff that he had reviewed her records in the court file.
The plaintiff sued the practice alleging state common law claims of breach of contract, negligence, and negligent infliction of emotional distress. She sued the practice and based her lawsuit on state law because HIPAA does not provide a private right of action.
Still, in her negligence claim, she relied on the defendant’s failure to comply with HIPAA’s Privacy Rule, alleging that her physician responded to the subpoena without notifying her, a violation under HIPAA. The trial court dismissed her negligence claim, finding that there was nothing in the common law that made the unauthorized release of medical records actionable under state law.
On appeal, the Connecticut Supreme Court held that even though HIPAA doesn’t provide an aggrieved party with a private cause of action, HIPAA doesn’t preempt the plaintiff from making a state law negligence claim. A HIPAA violation may be used to set the standard of care for a state law negligence claim.[15] The court reasoned that Connecticut’s use of HIPAA to hold providers liable under common law causes of action such as infliction of emotional distress and breach of contract could provide more patient protection than HIPAA standing alone as a federal statute. Connecticut state laws thus expanded a patient’s privacy rights and were not preempted.
The Connecticut Supreme Court’s decision was the first time that a state court recognized HIPAA requirements as a duty owed in a negligence case.[16] After the Connecticut Supreme Court decision, an aggrieved party in Connecticut can sue a HIPAA violator directly, even though HIPAA itself does not create a separate private right of action.
In the following years, other states have adopted Connecticut’s view that HIPAA does not preempt state law and that HIPAA can establish a standard of care applicable to state claims. An Indiana court held that a patient could sue a pharmacy for negligence after the pharmacy failed to monitor its employees’ use and disclosure of protected health information. There, a pharmacy employee disclosed the plaintiff’s prescription records, which were used to harass and extort the plaintiff. The Indiana appellate court held that the pharmacy and its employee were liable in negligence for the HIPAA violation and affirmed the trial court’s award of $1.8 million in damages.[17]
Similarly, West Virginia’s state supreme court concluded that HIPAA did not preempt a patient’s state law tort claims arising from a hospital’s alleged unauthorized disclosure of the patient’s confidential medical and psychiatric information because the state law claims were not inconsistent with HIPAA. Here, the state-law claims complemented HIPAA by enhancing the penalties for its violation and thereby encouraging covered entities to comply with HIPAA.[18]
Not all states have adopted Connecticut’s approach, however. Maine’s highest court heard a class action lawsuit filed by hospital emergency room patients against a hospital after the hospital’s security guard disclosed private health information to the police without their knowledge. The patients claimed that the unauthorized disclosure of their confidential health care information violated HIPAA and state law. Maine’s supreme court disagreed and held that HIPAA did not create a standard for violation of state law because HIPAA doesn’t provide a private cause of action.[19]
State laws are inconsistent, so covered entities and related business associates should review relevant state laws to ensure that they comply with both HIPAA and the laws of any state where they do business.
Ex Parte Communication
HIPAA preemption issues also arise in the context of “ex parte communication” between lawyers and healthcare providers. Ex parte communication occurs when a party to a case talks to, or otherwise communicates directly with, an interested party about the issues in the case without the other parties’ knowledge.[20]
In many lawsuits where a plaintiff alleges a physical or mental injury, the defendant’s attorney wants to talk with the plaintiff’s treating physician. One of HIPAA’s Privacy Rule exceptions allows for disclosure of protected health information “in the course of any judicial or administrative proceeding.” This exception applies in three cases.
The first scenario is a disclosure in response to a court order, so long as the physician discloses “only the protected health information expressly authorized” by the order. The second scenario involves a disclosure in response to a subpoena, discovery request, or other lawful court order, but only if the physician has received “satisfactory assurances” from the requesting party that it has undertaken “reasonable efforts” to give the patient notice of the request. The third scenario involves a physician’s disclosure in response to a subpoena, discovery request, or other lawful process lacking a court order, if the physician has received “satisfactory assurance” from the requesting party that it has attempted to secure a qualified protective order.
State Law Approaches
Although Congress intended that HIPAA would establish certain national standards for health privacy, states differ in their approaches to privacy under state law. Some states have enacted laws more stringent than HIPAA protecting the privacy of personal health information. As with the standard of care in a negligence case, the rules on whether HIPAA preempts state law in the context of ex parte communication vary by state. Some state courts place importance on the fact that HIPAA does not expressly preempt or prohibit ex parte communication. From this absence of regulation, those courts have inferred that state and federal law cannot be “contrary” because there is no federal rule on the subject against which the state law can be compared.
Other courts adopt stricter interpretations of HIPAA to hold that treating physicians are always forbidden from engaging in such communications unless the communication falls within one of the three disclosures discussed earlier. A court taking the stricter interpretation that HIPAA preempts state laws permitting ex parte communication will analyze HIPAA’s stated policy goals of protecting a person’s private health information, that is, the public policy underlying HIPAA. These courts focus on the need to safeguard confidentiality in health records, and some reason that a defendant’s attorney who conducts a private interview away from the patient or the patient’s lawyer can create troubling confidentiality problems. To these courts, the risks associated with the intentional or accidental disclosure of irrelevant and protected health information in an informal interview are too great to allow the interviews.[21]
State courts have generally allowed their state legislatures and/or court decisions to determine whether the state applies rules that are stricter than HIPAA’s. For example, Tennessee has adopted very stringent laws limiting a defense attorney’s ability to communicate with an interested party without the plaintiff’s knowledge. Tennessee courts have concluded that HIPAA does not preempt Tennessee’s ban on ex parte communications with a plaintiff’s treating physician.[22] Conversely, the Michigan Supreme Court ruled that since Michigan state law permits ex parte communication and HIPAA does not address it, HIPAA doesn’t preclude such communication.[23]
These laws continue to evolve and develop as Congress, state legislatures, government agencies, and the courts face questions on the interaction between federal health privacy law under HIPAA and state laws affecting health information. As with other issues under HIPAA, health care providers and other covered entities should ensure compliance with all state laws where they do business.
In our final module, we will discuss records retention best practices and policies for healthcare providers and health facilities to ensure compliance with HIPAA, the HITECH Act, and other relevant laws and regulations concerning protected health information.
[1] “Compliance with HIPAA: Help for Small and Mid-Sized Providers,” Akerman LLP, JD Supra (Apr. 17, 2018), http://www.jdsupra.com/legalnews/compliance-with-hipaa-help-for-small-14477/.
[2] Beverly Cohen, “Reconciling the HIPAA Privacy Rule with State Laws Regulating Ex Parte Interviews of Plaintiffs’ Treating Physicians: A Guide to Performing HIPAA Preemption Analysis,” 43 Hous. L. Rev. 1091, 1092 (2006).
[4] H.R. Chaikind et al., The Health Insurance Portability and Accountability Act (HIPAA) (1st ed. 2004).
[9] David Humiston & Stephen M. Crane, “Will Your State’s Privacy Law Be Superseded by HIPAA?,” Managed Care (May 1, 2002), https://www.managedcaremag.com/archives/2002/5/will-your-states-privacy-law-be-superseded-hipaa.
[12] Grace Ko, Note, “Partial Preemption Under the Health Insurance Portability and Accountability Act,” 79 S. Cal. L. Rev. 497, 504-05 (2006) (citing 45 C.F.R. 160.202).
[13] Christopher Browning, “New Texas Health Care Privacy Law More Stringent Than HIPAA,” Nixon Peabody (July 21, 2011), https://www.nixonpeabody.com/en/ideas/articles/2011/07/21/new-texas-health-care-privacy-law-more-stringent-than-hipaa.
[15] Id. at 47-49.
[16] Austin Rutherford, Comment, “Byrne: Closing the Gap Between HIPAA and Patient Privacy,” 53 San Diego L. Rev. 201, 210 (2016).
[20] “‘Ex Parte’ Contact With the Judge is Not Allowed,” Hawaii State Judiciary, http://www.courts.state.hi.us/self-help/exparte/ex_parte_contact.
[21] Whitney Boshers Hayes, “Physician-Patient Confidentiality in Health Care Liability Actions: HIPAA’s Preemption of Ex Parte Interviews with Treating Physicians Through the Obstacle Test,” 44 U. Mem. L. Rev. 97, 114 (2013).
[23] Holman v. Rasak, 785 N.W.2d 98, 106 (Mich. 2010).