HIPAA vs. California State Law
In protecting the privacy of personal health
information, any person or organization that creates, maintains, stores,
receives, shares or distributes personal health information in either paper or
electronic format is subject to BOTH the HIPAA Privacy Rule as well as all
their own state laws, statutes and codes.
California health care providers must identify California laws that conflict with the HIPAA Privacy regulations, compare them, and follow or implement the more stringent requirement where and when applicable. California laws that should be considered when making the comparisons to the HIPAA Privacy Rule include the California Patient Access to Medical Records Act (PAMRA), the California Confidentiality of Medical Information Act (CMIA), the Lanterman-Petris-Short Act (LPSA), and all pertinent California Codes.
Laws protecting private health
information have been on the books in California for many years. In fact, over
the years California's many privacy legislative initiatives have made
California a national model among states in protecting a patient's medical
information.
With the enactment of the HIPAA Privacy Rule a national
standard was created to protect the health information of all US citizens.
California health care providers are required to follow all the HIPAA Privacy
Regulations except in cases where a California law, statute or code is more
stringent, in which case the HIPAA Privacy Rules are preempted.
HIPAA
preempts state constitutions, statutes, rules, regulations and common law when
it is contrary to HIPAA. If a similar state law is less stringent than HIPAA,
HIPAA applies. If a similar state law is more stringent than HIPAA, state law
applies.
More stringent
means that the state law either:
- Prohibits or restricts a use or
disclosure which is permitted under HIPAA;
- With respect to persons who are subject
of the health information, permits greater rights of access or amendment than
does HIPAA; or
- With respect to consents and
authorizations for use or disclosure of health information, narrows the scope
or duration, increases the privacy protections, or reduces the coercive effect
of the circumstances surrounding the authorization or consent.
California laws and statutes that are not contrary to the HIPAA
Privacy Rule remain in effect. A California law or statute is "contrary to" the
HIPAA Privacy Rule and therefore preempted when:
- A covered entity (not just health care
providers) would find it impossible to comply with both California and federal
requirements; or
- The provision of California law stands as
an obstacle to the accomplishment and execution of the HIPAA Privacy Rule.
The responsibility for compliance falls squarely on the shoulders of all California health care providers. They are responsible for identifying and comparing conflicting laws, and for following or implementing the more stringent or applicable of the two.
Consider the following example. The HIPAA Privacy
Rule permits health care providers 30 days to respond to a patient's request to
access their health records. California law requires that a health care
provider respond within 5 business days. In this case, the "more stringent" of
the two requirements is California law and therefore the California law must be
followed to be compliant with both the HIPAA Privacy Rule and California law.
Below are general overviews of the similarities between the HIPAA Privacy Rule and California State laws, followed by detailed section-by-section discussions of the provisions and statutes of both and how they interact. Recommendations and considerations are also provided where applicable.
The HIPAA Privacy
Rule and California law share a lot in common. With few exceptions, both
prohibit the sharing of individually identifiable health information without a
patient's permission.
The HIPAA Privacy Rule generally imposes specific
conditions under which health information can be released without the patient's
permission. An individual's authorization must be obtained if a purpose is not
specified in the rule.
California law and the HIPAA Privacy Rule also
both give individuals the right to see, copy, and amend their health
information.
The HIPAA Privacy Rule applies to "health care providers" who engage in certain electronic transactions. The term "health care provider" is broadly defined in the Privacy Rule and encompasses virtually anyone who provides, bills for, or is paid for health care services or health care supplies pursuant to prescription. It covers a broad range of professionally licensed and non-licensed practitioners and professionals, including doctors, pharmacists, hospitals, group practices, clinics, counselors, physical therapists, and numerous others. Under the HIPAA Privacy Rule, all defined "health care providers" are subject to the same set of requirements.
In contrast, California law does not apply uniformly to all types of health care providers. Some providers are subject to both the California Confidentiality of Medical Information Act (CMIA) and the Patient Access to Medical Records Act (PAMRA). Others are covered by the California Confidentiality of Medical Information Act (CMIA) but are not covered by the Patient Access to Medical Records Act (PAMRA).
Because large segments of California's Confidentiality of Medical Information Act (CMIA) and the Patient Access to Medical Records Act (PAMRA) will remain in effect after the implementation of the HIPAA Privacy Rule, these differing groups of health care providers will continue to be governed by different rules.
The HIPAA Privacy Rule differs from California law in the following key
areas:
- Health care providers are required to provide all patients with a printed "notice of privacy practices" describing in detail how the health care provider may use and disclose their protected health information, and informing all patients of their rights with respect to their protected health information.
- In certain circumstances, health care
providers are required to limit the health information they use and disclose to
the "minimum amount necessary" to accomplish the intended purpose.
- Before a health care provider can use or
disclose protected health information for the purposes of treatment, payment,
and health care operations, written consent must be obtained from the
patient.
- Health care providers are required to
have contracts with certain individuals and parties with whom they share
protected health information. These contracts must require those individuals or
parties to satisfactorily safeguard the information.
- Health care providers are required to satisfy additional administrative requirements to comply with the Federal Privacy Rule. These include, for example, implementing security safeguards and audit trails, training all employees, designating a privacy official, and creating and maintaining documentation of compliance, infractions and sanctions.