Issues with HIPAA and nursing home care have arisen over disclosure of medical records of deceased residents. Several years ago, a federal appeals court had to decide a case involving HIPAA and nursing home care. The court had to decide whether a Florida medical records law requiring release of PHI of deceased individuals to their spouses or guardians, was preempted by (gave way to) the HIPAA Privacy Rule. A state law is preempted by HIPAA if that state law directly conflicts with HIPAA; that is, the state law is preempted if compliance with both the state and federal law is physically impossible. A state law is also preempted if the state law interferes with the objective of Congress in having passed HIPAA.
Issues with HIPAA and Nursing Home Care: How Did the Court Decide the Case?
The “HIPAA and Nursing Home Care” case hinged on the issue of whether the Florida law permitting PHI disclosure had to give way to the HIPAA Privacy Rule, which requires that PHI remain protected for 50 years after a patient’s death, with certain exceptions.
Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.
In this case, Opis Management Resources, LLC v. Secretary, Florida Agency for Health Care Administration, a Florida law required nursing homes to disclose the medical records of deceased residents to certain individuals (spouses and attorneys-in-fact) who requested them.
During their course of business, the plaintiffs, Florida-based nursing homes, received requests from spouses and attorneys-in-fact for the medical records of deceased nursing home residents. The nursing homes refused to provide the records, claiming that, since under HIPAA, the parties asking for the records were not “personal representatives” (i.e., the individuals under the HIPAA Privacy Rule who are authorized to make such requests on behalf of a deceased individual), they were not entitled to the records. The spouses and attorneys-in-fact sued in trial (district) court, demanding release of the records under the Florida law. The trial court found HIPAA preempted the state law, and issued a ruling for the Florida state health agency.
When the case got to the federal appeals court, that court upheld the decision of the trial court. The appeals court found that the state law was preempted by the HIPAA Privacy Rule.
The appeals court noted that one of Congress’ objectives in enacting HIPAA was to help protect PHI confidentiality. Because the Florida law offered less stringent protections than the Privacy Rule, the Florida law, the court found that the Florida law interfered with Congress’ objectives and was therefore preempted by HIPAA.
The court also rejected the health agency’s requirement that it was possible to comply with both laws. The court read the language of the Florida law as not requiring an authorized individual to request the records (in contrast, the Privacy Rule requires the personal representative to have been authorized by the deceased individual). Since one law (HIPAA) required something that the other (the Florida law) did not, the court found it was impossible to comply with both. A nursing home could not both require and NOT require authorization for records release of a given patient. That is impossible.