Academic journal article Defense Counsel Journal

Understanding the Boundaries of the HIPAA Preemption Analysis

Academic journal article Defense Counsel Journal

Understanding the Boundaries of the HIPAA Preemption Analysis

Article excerpt

Who is Regulated by the Privacy Rule and What Information Does HIPAA Protect?

I. Introduction

THE Department of Health and Human Services (DHHS) published the final Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) on August 14, 2002.1 The compliance date for covered entities subject to the Privacy Rule was April 14, 2003 (April 14, 2004 for certain small health plans). The Privacy Rule, found at 45 C.F.R. Part 160 and Part 164, provides comprehensive federal protection for the privacy of certain health information. The Privacy Rule has been described as providing a "federal floor" of safeguards to protect the confidentiality of medical information.2 State laws which provide stronger privacy protection will continue to apply over and above the federal privacy protection. However, in litigated cases involving the application of state privacy laws, it is not apparent at this point which state laws will survive the HIPAA preemption analysis. These issues will likely be decided by judges on a case-by-case basis, which may lead to multiple, conflicting decisions within judicial districts. HIPAA also prescribes several methods by which a covered entity may release information in a judicial or administrative proceeding. This article will describe these various requirements for releasing this information.

II. Who is Regulated by the Privacy Rule?

Familiarity with the vocabulary of HIPAA aids in understanding how medical information may be released. The Privacy Rule regulates "covered entities." A covered entity (CE) is defined under the Code of Federal Regulations as:

1. A health plan;

2. A health care clearinghouse; and

3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by [this] subchapter.3

When litigants seek discoverable information, it is likely that they will at some point in the litigation seek medical information in the possession of a covered entity, usually a hospital subject to the Privacy Rule as a "health care provider."

III. What Information is Protected?

The Privacy Rule protects Individually Identifiable Health Information (IIHI) in the possession of covered entities. Individually identifiable health information is defined as "information that is a subset of health information, including demographic information collected from an individual. . ."4 Additionally, IIHI:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

i. That identifies the individual; or

ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.5

When IIHI is transmitted or maintained by a covered entity, it becomes Protected Health Information, or PHI:

Protected health information means individually identifiable health information:

1. Except as provided in paragraph (2) of this definition, that is:

i. Transmitted by electronic media;

ii. Maintained in electronic media; or

iii. Transmitted or maintained in any other form or medium.

2. Protected health information excludes individually identifiable health information in:

i. Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g;

ii. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv) (related to records of students held by post secondary educational institutions or of students 18 years of age or older, used exclusively for heath care treatment and which have not been disclosed to any one other than a health care provider at the student's request); and

iii. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.