Two Court Cases Put Crack in HIPAA Privacy Wall

Article excerpt

Although the horror stories resulting from the three-year-old federal health privacy regulations are still mounting, there are two recent court cases that offer support for access to public records that officials want to close in the name of privacy.

In June, the Texas Court of Appeals ruled that the federal Health Insurance Portability and Accountability Act does not trump the Texas open records law. Judges ordered the state to release statistics about alleged sexual assaults at mental hospitals.

The case started in 2003, the same year the HIPAA regulations went into effect. Joe Ellis, an investigative producer at Dallas-based KDFW-W, learned about a female who had become pregnant while residing at a state institution. He requested statistics on alleged sexual assault and abuse incidents at state mental hospitals, subsequent investigations and the outcome of any investigations. Ellis did not ask for victims' names, only the facilities of any assaults.

The Texas Department of Mental Health and Mental Retardation cited HIPAA and denied Ellis' request. The Texas attorney general disagreed and said HIPAA did not preempt the state's open records law and that HIPAA allows disclosure of health information if it is "required by law."

A district court judge rejected the attorney general's argument but bought the department's line. The four-judge Court of Appeals rejected the department's logic, saying that just because public records laws aren't listed in the HIPAA rules doesn't mean they don't apply. (Abbott v. Texas Department of Mental Health and Mental Retardation).

In March, the Ohio Supreme Court reached a similar conclusion, ruling that Cincinnati Enquirer reporters had a right to look at lead paint violations. Journalists had asked the Cincinnati Health Department to provide "copies of the 343 lead citations and any others that were issued between 1994 and the present." The city balked, citing HIPAA and including a claim that it was a "covered entity" under the federal HIPAA rules.

The Enquirer asked the appeals court to overrule, but judges voted against the records release. On appeal, the Supreme Court ruled that lead citations and related reports did not contain protected health information ns defined by HIPAA

Furthermore, Supreme Court justices explained that, even if the citations and reports contained protected health information and even if it is determined that the Health Department operated as a "covered entity" as defined by HIPAA, the requested reports still would be public under the "required by law" exception in HIPAA (Cincinnati Enquirer v. Daniels).

Many legal experts see these two rulings as a promising way for the public to continue to get information it needs about important issues such as lead paint poisoning and sexual abuse in mental institutions. At the same time, there is still plenty of bad news created by the overbroad interpretation of HIPAA. …