The U.S. Court of Appeals for the 11th Circuit recently ruled that a Florida law requiring nursing homes to disclose patient records of deceased patients was preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This case is important because it suggests that the question of whether HIPAA or state law is stricter may not always be binary or straightforward, and that in some cases state law will be seen as framing or contextualizing HIPAA and in other cases will be seen as less protective. Thus, while the HIPAA preemption principle is well-settled, the application of that principle still presents some uncertainty, especially given the varied nature of state law.
The U.S. Court of Appeals for the 11th Circuit ruled on April 9, 2013, that a Florida law requiring nursing homes to disclose patient records of deceased patients was preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Opis Management Resources LLC, et al., v. Secretary, Florida Agency for Healthcare Administration, Case No. 12-12593 (11th Cir. 2013). It is a well-established principle that HIPAA preempts less restrictive state law. For example, if a state law listed only six data fields that needed to be removed in order to de-identify information, the stricter 18-data field safe harbor standard enshrined in HIPAA would preempt that state law provision. This case is important because it suggests that the question of whether HIPAA or state law is stricter may not always be binary or straightforward, and that, in some cases, state law will be seen as framing or contextualizing HIPAA, while in others state law will be seen as less protective. Thus, while the HIPAA preemption principle is well-settled, the application of that principle still presents some uncertainty, especially given the varied nature of state law.
In this case, upon the death of a patient in a nursing home, Florida law required a nursing home to provide the deceased patient's medical record to the "spouse, guardian, surrogate, proxy, or attorney in fact," including "medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature." Florida Statute Section 400.145. The HIPAA Privacy Rule permits disclosure of a deceased individual's protected health information (PHI) only to the deceased's "personal representative." A personal representative would include the executor, administrator or other person acting on behalf of an individual or his or her estate. (The HIPAA Final Omnibus Rule permits disclosure of a deceased person's PHI to a family member or other person "involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.")
A number of Florida nursing homes refused requests from family members of deceased patients to disclose the deceased patients' medical records. The family members then filed complaints with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA. The OCR found that the nursing homes' actions were consistent with HIPAA. However, the Florida Agency for Health Care Administration (AHCA) issued citations to the nursing homes for violation of the Florida law. The nursing homes challenged AHCA's action in the U.S. District Court for the Northern District of Florida, and that court sided with the nursing homes and granted summary judgment to block AHCA's enforcement of the Florida medical record disclosure law.
On appeal, AHCA argued that the Florida law merely supplemented and did not conflict with HIPAA. Specifically, AHCA argued that the Florida law served as a definition of the term "personal representative," as used in HIPAA. Under that argument, anyone authorized to receive the medical record of the deceased patient under Florida law would be a personal representative under HIPAA. The court found that this argument was flawed because the Florida law did not empower individuals to act on behalf of the deceased; rather, the court found that the Florida law authorized "sweeping disclosures, making a deceased resident's protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident's stead."
Overall, the court found that the Florida law "impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual's protected health information confidential." The key takeaway is that where a state's law is contrary to the requirements of HIPAA, it is likely preempted, such that a covered entity or business associate would not need to comply with that state's law. However, any such determination should only be made after appropriate analysis and advice from legal counsel.