Under the HIPAA Privacy Rule right of access, patients can access, inspect, and copy their medical records, but not psychotherapy notes. However, in Vermont, a psychologist must allow a patient to access his or her psychotherapy notes. The Vermont law gives patients greater access rights, and therefore supersedes HIPAA.
Subpoena of Patient Records.
Psychologists frequently receive subpoenas requesting patient medical records. HIPAA requires that a psychologist attempt to reach the patient to give notice that the records are being requested. As long as the psychologist has made “diligent but unsuccessful” efforts to reach the patient, the psychiatrist may then produce the records in response to the subpoena. Under New Hampshire law, however, a psychologist may not produce patient records in response to a subpoena unless the patient has consented to the release of the records, or a court has ordered the psychologist to release the records. Since New Hampshire law gives patients greater protection with respect to subpoenas of medical records, New Hampshire law preempts HIPAA on the subject.
When Does State Privacy Law Supersede HIPAA: Right of Access
The issue of when does state privacy law supersede HIPAA frequently arises with state right of access deadlines. Under HIPAA, healthcare providers must act on individual requests for access within 30 calendar days after receipt of the request. If the provider cannot provide the records within that time, the provider may have up to an additional 30 calendar days, as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which it will provide the records. In New York, by contrast, providers must generally provide patients access to their records within 10 days of a written request. Since New York law gives patients greater rights over their records than HIPAA, New York law supersedes HIPAA.
State privacy laws do not always supersede HIPAA. The issue of when does state privacy law supersede HIPAA may come up in the context of research. In a 2003 California court case, the California law permitted a health provider to release a patient’s medical information without the patient’s authorization for “bona fide research purposes” to public agencies, clinical investigators, and healthcare research organizations. HIPAA, however, permits the use of a patient’s health information without patient authorization for research purposes only if it is shared with an institutional review board and only when the review board provides a description of why the information is needed for research, as well as adequate written assurances that the information will not be reused. The court held that the