There was an interesting story this weekend about how the Ohio Supreme Court ruled the Ohio law guaranteeing people access to government records outranks HIPAA. This ruling was reported to be "the nation’s first ruling weighing a state’s open-records law against provisions of the federal Health Insurance Portability and Accountability Act." Basically a newspaper wanted to view lead-paint citations issued by the local health department. "The Cincinnati Health Department denied access to 10 years’ worth of lead-paint citations, saying they contained children’s private health information because they listed the addresses of homes with lead hazards."
But is it really a test of HIPAA? The first question would be, is the local health department a Covered Entity under HIPAA? Well, does it fall under the definition of a healthcare provider? Hmm… well, they are not listed as a healthcare provider on the The Health Improvement Collaborative of Greater Cincinnati. Are they a healthcare insurer? Not listed in that section, either. Are they a clearinghouse? Well, it is doubtful.
They are, however, listed within the "Public Sector" section. Let’s check out the Cincinnati Health Department website using the link provided… oops! An invalid URL. Gee, looks like it should be a .gov site…
Okay…let’s see, where is the website for the Cincinnati Health Department? Ahh…here it is, a .gov URL, which makes sense. So, does it indicate that it is a healthcare provider, insurer/payer or clearinghouse? Appears to be a provider; according to the website, "The Cincinnati Health Department provides many services to the community such as medical and dental care; inspections required under Cincinnati Municipal Code, Ohio Revised Code, and Board of Health Regulations; health education; litter and weed control; and maintaining birth and death records. The Department also investigates communicable disease outbreaks and is a partner in the regional medical response system for responding to medical emergencies in Cincinnati and the surrounding communities."
Now we need to determine if the Department, as a provider, furnishes, bills or receives payment for healthcare (things necessary to be a CE). Upon a quick skim it appears they probably do, but I cannot verify this.
Let’s assume they are a CE then.
Next question to ask is, what information was in the records? Lead paint citations and the associated addresses. Well, addresses ("geographic subdivisions smaller than a state") are one of the 18 items identified as PHI (actually individually identifiable health information) within the HIPAA regs.
An interesting passage from the Dispatch report: "Justice Terrence O’Donnell wrote, however, that city citations contained no medical information, nor did they list names, ages or any other personal information. And even if they had, O’Donnell wrote, HIPAA doesn’t shield information that other laws require to be made available. "The Ohio Public Records Law requires disclosure of these reports and HIPAA does not supersede state disclosure requirements," he wrote."
Okay…very interesting!! This judge says HIPAA does NOT supersede state disclosure requirements. However, HIPAA regs state that HIPAA applies if it is stronger than the state requirements. But then…wait…there are also exceptions to state preemption!
Bear with me. There is a Privacy Rule state preemption exception category called "public health and vital statistics" that allows providers to report diseases or injuries, child abuse, births, or deaths, or those that authorize public health surveillance, or public health investigation or intervention. Ahhh…perhaps this is the loophole.
So, apparently if this information can be reported as part of public health surveillance or investigation, then it goes into the state government records, to which the public is then guaranteed access? Perhaps. Ask your lawyer for his or her interpretation; you’ll probably get 20 different opinions if you ask 20 different lawyers.
Aye yi yi…wouldn’t it be nice to have just one all-encompassing federal privacy law that covered all industries and personal information equally? (That’s another blog posting…sometime in the near future.)
Cases like these in Ohio certainly do not help to clarify compliance activities, and they really don’t set any precedents, only stir the pot of confusion.
Technorati Tags
HIPAA
HIPAA compliance
state preemption
health department
privacy
News
medical privacy
government
security
law