Don’t Forget About State Law: Michigan Decision Reminds Health Care Providers of HIPAA Preemption Issue
Many health care providers and other individuals and entities who deal with sensitive patient information may assume that if they comply with the Health Insurance Portability and Accountability Act (“HIPAA”), they need not worry further about the proper use or disclosure of patient data. However, a recent Michigan Court of Appeals decision served as a reminder to those individuals and entities that they must not only ensure compliance with HIPAA, but also any state laws that are more demanding than HIPAA.
HIPAA establishes regulations for the use and disclosure of Protected Health Information (“PHI”) held by “covered entities” and “business associates.” PHI is any information held by a covered entity related to health status, provision of health care, or payment for health care that can be linked to an individual.
In Isidore Steiner, DPM, PC v. Marc Bonanni, No. 294016 (Mich. Ct. App. Apr. 7, 2011), the Michigan Court of Appeals held that HIPAA acts as a federal “floor” in establishing standards for the privacy of patients’ PHI. Although Bonanni was decided under Michigan law—and thus is not binding on other states—the decision is likely to be consistent among courts in other states.
The reason? HIPAA explicitly provides that where a state law is more protective of patients’ PHI than the applicable provision of HIPAA—that is, where the state law is more “stringent”—the state law will prevail.
Breaking Down Bonanni. In Bonanni, the Family Foot Center (the “Center”)—a covered entity—sought to enforce a non-compete agreement with one of its former physicians (Dr. Marc Bonanni). The Center believed that Dr. Bonanni had solicited its patients in violation of the agreement, and as part of pre-trial discovery, the Center requested Dr. Bonanni’s patient lists. Dr. Bonanni objected to this request, asserting that HIPAA and Michigan law protected this information from disclosure unless the Center first gained the consent of the patients in question. The Center filed a motion to compel the disclosure of this information, and the Michigan Court of Appeals chose to apply Michigan law instead of HIPAA.
Generally, HIPAA requires patient consent for the disclosure of PHI, just like Michigan law. However, with respect to responding to a subpoena or discovery request, HIPAA and Michigan law are in conflict. While a HIPAA exception allows for an entity to disclose an individual’s PHI without a written authorization in this situation, Michigan law contains no such exception. In Bonanni, the Court held that Michigan’s law provided more stringent protections than HIPAA for the PHI at issue, and so it applied Michigan privilege law in denying the Center’s discovery motion.
What Bonanni Teaches Us About PHI. The Bonanni ruling certainly limits the information that physicians can release during legal proceedings in Michigan. This will also likely be true in other states with similar discovery laws, as evidenced by a recent California Supreme Court ruling upholding a lawsuit (pertaining to the disclosure of medical records to a credit reporting agency) brought under a state medical information statute with provisions more stringent than HIPAA (Brown v. Mortensen, Case No. S180862 (Cal. Jun. 16, 2011)). There, too, the court held that HIPAA “authorized and encouraged further state regulation” in matters of patient medical privacy.
However, individuals and entities in every state deal with PHI in many other media and contexts outside of a discovery request during litigation, and Bonanni’s broader lesson is that HIPAA serves only as a federal floor when it comes to patient privacy provisions.
For instance, a Health Information Exchange (“HIE”) (also known as a Health Information Organization (“HIO”)) deals with PHI through the use of electronic health records (“EHRs”). An EHR contains sensitive patient data—including certain demographic information that would identify the patient—and it follows the patient to any and all hospitals to which he or she goes. The HIE/HIO pulls in data relating to that patient from the insurance company or government agency, from hospitals and physician offices, labs, pharmacies and other sources of clinical and administrative data. Then, the HIE/HIO provider may, among other things, analyze the patient information and derive alerts and recommendations to turn the data into actionable information. The benefits of such a program are wide-ranging, from simply reducing paper to creating an accessible information portal that enables physicians to coordinate care, use clinical research to devise the best treatments, encourage prevention and better manage chronic conditions.
In short, the effective use of EHRs by HIE/HIOs and other HIPAA covered entities is central to the continued progress of personalized medicine. Nevertheless, while an EHR program may provide a number of important benefits, it is also susceptible to PHI security issues under HIPAA and/or any other “more stringent” state laws, which could present the same state law preemption issue addressed in Bonanni.
For example, if an HIE/HIO—or any other entity subject to HIPAA—wished to use PHI in the course of conducting research, HIPAA would allow such a use of PHI with individual authorization, or without individual authorization under limited circumstances. State law, however, may not be as flexible, and many states may lack a research exception to the use of PHI or may require different standards for individual authorization. In such a scenario, the more stringent state law is likely to prevail, restricting the ability of the HIE/HIO or other HIPAA-covered organization to use PHI to conduct research, no matter how important.
As shown by this hypothetical, despite the importance of PHI to the development of EHRs and the advancement of research essential to personalized medicine’s progress, Bonanni and Brown each make clear that individuals and companies utilizing PHI must consider more than just HIPAA compliance. In fact, those individuals and entities who operate at a regional or national level would need to consider multiple (or even all) states as part of an effective compliance strategy.
Individuals and entities who deal with PHI should contact a qualified attorney who will undertake a detailed analysis of the applicable federal, state, and local laws prior to making any disclosure, transmission, or other use of PHI. By considering all sources of law, and not just the federal rule, health care providers, researchers and technology developers can minimize the inherent risk in dealing with PHI and work towards full compliance with privacy laws.