Paubox blog: HIPAA compliant email made easy

HIPAA Privacy Rule's impact on state public record laws

Written by Kirsten Peremore | September 27, 2023

Handling state public records in healthcare organizations means navigating the intersection of state public records laws and the HIPAA Privacy Rule, and working with the state agencies that administer those records. Healthcare organizations that handle state public records should take the precautions outlined below.

What are state public records?

State public records, governed by state public records laws, are documents and information maintained by government agencies at the state level, designed to be accessible to the general public. These records serve as a vital mechanism for transparency and accountability within government operations. 

State agencies, typically administered by the state's Secretary of State or a similar authority, are responsible for managing these records. State public records encompass a wide range of materials, including official documents, reports, files, and data, offering citizens the opportunity to obtain insights into government activities, decisions, and procedures. 
The Privacy Rule and state public records

HIPAA's Privacy Rule and state public records laws intersect in protecting individuals' health information while maintaining transparency in government operations. The HIPAA Privacy Rule applies to covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, aiming to safeguard protected health information (PHI). On the other hand, state public records laws govern the accessibility of government records to the public. When state agencies that are covered entities under HIPAA are subject to state public records laws, a delicate balance is required. The Privacy Rule allows covered entities to disclose PHI when mandated by state public records laws, ensuring compliance with both sets of regulations. However, if state laws permit discretionary disclosures or include exceptions to protect privacy, covered entities must carefully evaluate whether such disclosures align with the Privacy Rule's provisions. 

Related: Understanding medical record retention requirements by state

What are the Privacy Rule's provisions?

  1. Definition of PHI 
  2. Permitted uses and disclosures of PHI
  3. Minimum necessary standard
  4. Patient rights and access to PHI
  5. Authorization requirements
  6. Business associate agreements
  7. Security safeguards and link to the HIPAA Security Rule
  8. Complaints and enforcement

See also: What are HIPAA's Privacy Rule provisions?
Disclosures required by law

  1. State public records laws: Covered entities may be required to disclose PHI when mandated by state public records laws, which provide for public access to government records.
  2. "Disclosure required by law" provision: The HIPAA Privacy Rule includes a provision allowing covered entities to use or disclose PHI to the extent required by law, including state law.
  3. Compliance with state law: When a state public records law mandates the disclosure of PHI, covered entities are permitted by the Privacy Rule to make such disclosures, provided they adhere to the specific requirements of the state law.
Handling state public records in healthcare organizations

  1. Identify covered entities: Determine whether your healthcare organization qualifies as a covered entity under the HIPAA Privacy Rule. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. If your organization falls under this definition, you must comply with HIPAA regulations.
  2. Understand state public records laws: Familiarize yourself with the specific state public records laws that apply to your organization. These laws can vary significantly from state to state. Identify the agency responsible for administering these laws, often the state's Secretary of State or a similar authority.
  3. Educate staff: Ensure that your staff, especially those responsible for records management and compliance, are well-informed about HIPAA and state public records laws. Provide training on how to handle public records requests and PHI disclosures.
  4. Review and redact PHI: When responding to public records requests, review records carefully to identify any PHI. Redact or de-identify PHI as necessary to protect patient privacy. Ensure that redaction methods align with HIPAA requirements.
  5. Notify affected parties: If a public records request involves the disclosure of PHI, consider notifying affected individuals as required by HIPAA. Follow HIPAA breach notification requirements when applicable.
State agencies and HIPAA compliant email

To keep email communication HIPAA compliant while dealing with state public records laws, organizations can take specific steps. First, they can use secure, encrypted email platforms that meet HIPAA's privacy and security standards, safeguarding any PHI contained in emails. Second, when these emails become part of public records, organizations can follow established procedures to redact PHI appropriately, protecting patient privacy while meeting transparency requirements. Healthcare organizations also need to work closely with state agencies to navigate this intersection effectively.