State public records laws, also known as open records or freedom of information laws, give the public certain rights of access to government records. However, HIPAA requires covered entities to take measures to prevent unauthorized use or disclosure of protected health information (PHI). The intersection of HIPAA and state public records laws is discussed below.

Are State Public Records Laws Subject to the HIPAA Privacy Rule?

HIPAA regulations define covered entities as:

  • Health plans;
  • Healthcare clearinghouses; and
  • Healthcare providers who transmit health information in electronic form, in connection with transactions for which the Secretary of Health and Human Services (HHS) has adopted standards under HIPAA.

State public records laws are administered by state agencies, typically the state’s Secretary of State (State Department). Whether a state public records law is subject to the HIPAA Privacy Rule first depends upon whether the state agency administering it is a covered entity. If the agency is not a covered entity, it is not required to comply with the HIPAA Privacy Rule and administers its state public records law without being subject to HIPAA privacy regulations.

In many instances, state agencies are covered entities under the HIPAA Privacy Rule. A typical example of a state agency that is a covered entity is a state agency that administers health care, such as a state Department of Health.

The Privacy Rule applies to covered entity state agencies’ disclosures of protected health information (PHI), and permits covered entities to use and disclose protected health information under certain circumstances. Under one HIPAA Privacy Rule provision, covered entities may use or disclose protected health information, to the extent that such use or disclosure is required by law, including state law. This provision of the HIPAA Privacy Rule is colloquially referred to as the “disclosure required by law” provision.

When a state public records law requires that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law.

However, when a state public records law only permits, and does not require, the disclosure of protected health information, or where exceptions or other qualifications exempt the protected health information from the state law’s disclosure requirement, such disclosures are not “required by law” and therefore do not fall within the “disclosure required by law” provision.

For example, if a state public records law includes an exemption that gives a state agency discretion not to disclose medical or other information where such disclosure would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law, and therefore is not permitted under the “disclosure required by law” Privacy Rule provision. In such cases, a covered entity would only be able to make the disclosure if a different provision of the Privacy Rule permitted it.
