HIPAA privacy rule doesn’t trump state law
Provider can disclose to P&A
A health care provider covered by the Health Insurance Portability and Accountability Act (HIPAA) may disclose an individual’s protected health information (PHI) to a state-designated Protection and Advocacy (P&A) system without that individual’s authorization, as the disclosure is required by law and complies with the law’s requirements.
That’s the short answer to a frequently asked question pertaining to the HIPAA privacy rule recently posted by the Department of Health and Human Services’ Office of Civil Rights (OCR).
New questions and answers are added regularly to the OCR privacy page at www.hhs.gov/ocr/hipaa.
The response goes on to explain that the Developmental Disabilities Assistance and Bill of Rights Act (DD Act) provides for each state to designate a public or private entity as the P&A system to protect and advocate for the rights of individuals with developmental disabilities, including investigating incidents of abuse or neglect.
The P&A system designated in accordance with the DD Act is also the P&A system for purposes of the Protection and Advocacy for Individuals with Mental Illness Act (PAIMI Act) and is empowered to promote and support the rights of individuals with mental illness.
These statutes and their implementing regulations require that access to records be provided to P&As under certain circumstances.
A provider covered by HIPAA may disclose PHI as required by the DD and PAIMI Acts to P&As requesting access to such records in carrying out their protection and advocacy functions under those acts.
Similarly, covered entities may disclose PHI to P&As when another federal, state, or other law mandates such disclosures, consistent with the requirements in such a law.
When disclosures are required by law, the privacy rule’s minimum necessary standard does not apply, since the law requiring the disclosure would establish the limits on what should be disclosed.
With respect to disclosures required by law, the OCR response concludes, a provider cannot use the privacy rule as a reason not to comply with its other legal obligations.