 |
 |
 |
|
|
|
||||||
|
INTRODUCTION The Health Insurance Portability and Accountability Act (“HIPAA”) was enacted in 1996 to facilitate the exchange of health information in order to make financial and administrative healthcare transaction more efficient, while at the same time, protecting the privacy and security of those transactions. On December 28, 2000, final regulations were published by the United States Department of Health and Human Services (“HHS”) establishing federal privacy standards applicable to personal health information (“the HIPAA Privacy Standards”). Final amendments were adopted to the HIPAA Privacy Standards by HHS on August 14, 2002. All entities covered under these Standards, including health care providers, health plans, and health care clearinghouses, are required to achieve compliance by April 14, 2003. An essential step in that compliance process is determining the interplay between the HIPAA Privacy Standards and State laws relating to the privacy of personal health information. This issue, in turn, is dictated by specific provisions in the HIPAA Privacy Standards relating to the preemption of State laws. Rather than establish full federal preemption of State laws on the issue of the privacy of personal health information, the HIPAA Privacy Standards are specifically limited in a number of ways. A survey and educational process are required to sort through the numerous state laws, including constitutional provisions, statutes, regulations, and common law decisions, in order to determine which of these may be preempted. SCOPE OF WORK The survey set forth herein reviews all West Virginia statutes, the West Virginia Code and selected West Virginia State Court Rules that relate to the use or disclosure of personal health information. The survey does not examine regulations adopted by West Virginia agencies and approved by the West Virginia Legislature pursuant to the statutory authority contained in many of the surveyed statutes. These regulations (now codified in the Code of State Regulations) frequently track the language contained in the authorizing statutes, although it is possible that the regulations could expand or perhaps modify the statutory provisions in some material respect. Accordingly, a separate and independent review of any underlying regulations should also be undertaken as part of a covered entity’s compliance process. This survey also does not examine the Constitution of the State of West Virginia, West Virginia case law, or other sources that may have the “force and effect of law” under the HIPAA Preemption Standards. Nevertheless, this survey represents a substantial and important starting point for preemption analysis under HIPAA. UNDERSTANDING HIPAA PREEMPTION In order to be preempted, a State law must be determined to be contrary to these Standards. The HIPAA Privacy Standards provide that a State law is contrary to these Standards if a covered entity would find it impossible to comply with both laws, or if the State law stands as an obstacle to the accomplishment and execution of the full purposes of the Standards. Not all State laws that affect the privacy of personal health information are necessarily contrary to the HIPAA Privacy Standards. For example, the Standards themselves outline a number of permitted uses and disclosures of personal health information that may be made without a patient’s consent or authorization. These include uses and disclosures for treatment, payment, and health care operations; for reporting various public health issues; for reporting abuse, neglect, and domestic violence; for health oversight purposes; for use in certain judicial and administrative proceedings involving compulsory process; for reporting certain matters to law enforcement agencies; for reporting to medical examiners and funeral directors; for reporting to organ procurement agencies; for specified research purposes; for reporting threats involving the imminent threat to the health and safety of a patient or others; for reporting to various governmental agencies such as military, intelligence and correctional institutions; and for reports for a workers’ compensation. In many cases, it is possible for a covered entity to comply with both the HIPAA Privacy Standards and State law. In these instances, the HIPAA Privacy Standards do not displace the more stringent or protective elements of State law. The practical effect is that, in addition to complying with the federal Standards, covered entities must comply with the more stringent requirements of State laws as well. IN this sense, the HIPAA Privacy Standards merely establish a floor of universal privacy protections, which often are enhanced by more stringent or restrictive State requirements. If a State law affecting the privacy of personal health information
is indeed contrary to the HIPAA Privacy Standards, such State law is considered
preempted unless one of the following exceptions applies:
HOW TO USE THIS SURVEY This survey is in matrix form with seven columns. The first column is a general reference to the subject matter of the state law. The second column is the specific West Virginia Code citation or citations. The third column discusses the impact of this law upon the privacy of protected health information as defined in HIPAA. In the fourth column is the corresponding HIPAA cites to the State code. The fifth column states whether HIPAA has preempted this state law. If the answer is yes, the extent to which state law is preempted is described in the “Comments” column. The sixth column indicates whether state law is more stringent or more detailed or whether HIPAA is more stringent. The covered entities should generally follow the law that is more stringent, but may have to comply with both laws. Where the remark is “Both” in this column, the comments describe which part of the state law is more stringent or HIPAA is more stringent. This is being finalized and will be on the web site in the near future. Finally, the last column provides any commentary relevant to this analysis of the state law. COMMENTS We very much view this analysis as a work in progress. We encourage all individuals and entities that review this document to provide feedback. We are particularly interested in additional comments on various statutory provisions. In addition, it is likely that we have missed some statues that are impacted by the HIPAA Privacy Laws. Please e-mail any such comments to Steve Small, head of the Preemption Team, at ssmall@wvdhhr.org ACKNOWLEDGMENT This website has been adapted from a publication entitled “HIPAA Preemption: A Survey of West Virginia Law” prepared by James W. Thomas of Jackson Kelly PLLC. The State of West Virginia wishes to acknowledge the efforts and contributions of Mr. Thomas and Jackson Kelly PLLC to these issues, and their willingness to license the use of the aforementioned publication to the State. Jackson Kelly PLLC specifically reserves all rights and privileges under the copyright laws with respect to its work. |
