A Study Report to the Michigan Law Revision Commission
on Medical Information Privacy
The Michigan Law Revision Commission is currently studying the subject of medical information privacy in the State of Michigan. In 2001 the Commission retained the services of Professor Elizabeth Price Foley, Michigan State University-Detroit College of Law, and Associate Professor Vence L. Bonham, Department of Medicine, College of Human Medicine, Michigan State University, to examine this subject and to prepare a preliminary report for the Commission.

Their report, which follows, focuses on five issues:

(1) patients' access to their own medical records,
(2) third-party access (e.g., insurers, managed care organizations, employers, pharmacies) to a patient's medical records,
(3) third-party use of information contained in a patient's medical records (e.g., researchers, peer review organizations, licensing boards),
(4) treatment of sensitive medical information with a high potential for stigmatization or discrimination (e.g., information related to HIV, mental health, substance abuse, sexually transmitted diseases, abortion, or genetic information), and
(5) the retention and disposal of medical records.

The Commission takes no position on any of these issues at this time, nor does it make any recommendations to the Legislature at this time. In 2002 Professors Foley and Bonham will be submitting legislative proposals to the Commission for its review and consideration. The Commission will report to the Legislature on these proposals in its 2002 annual report.
Preliminary Report to
THE MICHIGAN LAW REVISION COMMISSION
on
MEDICAL INFORMATION PRIVACY
Elizabeth Price Foley, J.D., LL.M.
Professor of Law
Michigan State University, Detroit College of Law
and
Vence L. Bonham, Jr., J.D.
Associate Professor, Department of Medicine,
College of Human Medicine, Michigan State University
Table of Contents

I. Introduction
  A. Background
    (1) Enactment of HIPAA
    (2) HIPAA's Scope
      (a) Who Is A "Covered Entity" Under HIPAA?
      (b) "Business Associates" Under HIPAA
    (3) HIPAA Enforcement
    (4) HIPAA Preemption
  B. Limitations of This Report
II. Patients' Access to Their Own Medical Records
  A. Michigan Law
  B. Federal Law
    (1) The Privacy Act of 1974
    (2) Nursing Home Residents' Right of Access
    (3) Medicare + Choice Enrollees' Right of Access
    (4) Mammography Records
    (5) HIPAA
      (a) HIPAA's General Right of Access
      (b) Denials of Access Under HIPAA
        (i) Denials for which there is no right of review
        (ii) Denial for which there is a right to external review
III. Third Party Access to/Disclosure of a Patient's Medical Records
  A. Michigan Law
    (1) State Licensing Boards
    (2) Private Accreditation and Peer Review Boards
    (3) Health Provider-Patient Evidentiary Privileges
    (4) Licensed Health Facilities' & Agencies' Records
    (5) Non-Profit Health Care Corporations' Records
    (6) Pharmacy Records
    (7) Third Party Administrator (TPA) Records
    (8) Dental Records
    (9) Nursing Homes' Records
    (10) Governmental Agency Access to Records
  B. Federal Law
    (1) The Privacy Act of 1974
    (2) Nursing Home & Home Health Agency Records
    (3) Hospital Records
    (4) Medicare + Choice Records
    (5) HIPAA
      (a) Permitted Disclosures for Governmental Health Oversight Purposes
      (b) Disclosures to Private Peer Review & Accrediting Organizations
      (c) Disclosures for which Patient Consent is Required
      (d) Disclosures for which Patient "Authorization" is Required
      (e) When Is Consent or Authorization Not Required by HIPAA?
        (i) General Exceptions
        (ii) Disclosure/Use for Marketing & Fundraising Purposes
      (f) Patients' Right to Accounting of Disclosures
    (6) The Freedom of Information Act
IV. Privacy in Medical Research
  (1) Federal Law
    (a) The Common Rule
    (b) HIPAA
    (c) HIPAA Shortcomings
  (2) Michigan Law
  (3) Other States
V. Sensitive Medical Information
  A. Mental Health Information
    (1) Michigan Law
    (2) Federal Law
  B. Substance Abuse Information
    (1) Michigan Law
    (2) Federal Law
  C. HIV/AIDS
    (1) Michigan Law
    (2) Federal Law
  D. Other Sexually Transmitted Diseases
    (1) Michigan Law
    (2) Federal Law
  E. Pregnancy/Abortion Services
    (1) Michigan Law
    (2) Federal Law
  F. Child Abuse Information
    (1) Michigan Law
    (2) Federal Law
  G. Genetic Information
    (1) Michigan Law
    (2) Federal Law
VI. The Retention and Disposal of Medical Records
  A. Michigan Law
    (1) Health Maintenance Organizations
    (2) Nursing Homes
    (3) Dentists' Offices
    (4) Hospices
    (5) Mental Health Hospitals, Sanatoria, & Psychiatric Facilities
    (6) Methadone Treatment Programs
    (7) Pharmacies
    (8) Alteration of Medical Records or Charts
  B. Federal Law
    (1) Mammography Facilities
    (2) Controlled Substances Prescriptions
    (3) Medicare Claims
    (4) Blood & Blood Products
    (5) Clinical Laboratory Reports
    (6) OSHA Employee Medical Records
    (7) HIPAA
VII. Issues Relating to the Privacy of Health Information on the Internet
  (A) Michigan Law
  (B) Federal Law
  (C) HIPAA Shortcomings
VIII. Conclusion
  (1) Business Associates/Definition of Covered Entity
    (a) General Limitations of Coverage for Business Associates
    (b) Health-Related Web Sites
  (2) Sensitive Medical Information
  (3) Private Right of Action
  (4) Marketing/Fundraising Communications
I. Introduction
In the summer of 2000, the Michigan Law Revision Commission (MLRC) initiated a comprehensive review of Michigan laws regarding medical information privacy and commissioned a research project on the topic. This report presents the preliminary findings and conclusions of that research. In its charge, the MLRC indicated that it is particularly interested in knowing what Michigan's medical record privacy laws are, and how they compare with laws enacted by the federal government, particularly the Health Insurance Portability and Accountability Act ("HIPAA"). This report addresses these and other related matters.
A. Background
An individual's medical information is contained in numerous forms, including paper records and charts, electronic databases, and even oral information. It is also possessed by a dizzying array of providers, health care institutions, and business entities, including physicians, hospitals, nursing facilities, pharmacies, insurers, employers, governmental agencies, third party administrators, and marketing firms. Given the broad array of personal medical information that exists and its potentially wide dissemination--particularly in the age of computers--Americans have begun to express concerns about protecting the privacy of such medical information. An August 2000 survey conducted by Gallup for the Institute for Health Freedom[1] found that 78% of those surveyed felt that it was "very important" that their medical records be kept confidential.[2] Not surprisingly, then, a January 1999 survey conducted by Princeton Survey Research Associates found that 1 in 7 Americans had done something out of the ordinary to keep personal medical information confidential, including providing inaccurate information to, or withholding information from, health care providers, doctor-hopping to avoid a consolidated medical record, paying out-of-pocket for care that is covered by insurance, and even avoiding care altogether.[3]
(1) Enactment of HIPAA

In an attempt to address the public's concern, most states, including Michigan, have enacted numerous scattered, uncoordinated laws providing varying degrees of access to, and privacy protection for, medical information possessed by health care providers or institutions. Because these state laws regarding medical information privacy were so varied and incomplete, Congress, as part of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),[4] imposed upon itself a three-year deadline for developing federal health privacy protections.[5] Recognizing that congressional agreement on such health privacy protections may not be politically feasible, HIPAA mandated that, if Congress could not reach agreement on federal health privacy protections within the three-year time period, the task would be delegated to the Secretary of the U.S. Department of Health and Human Services ("HHS").[6] Perhaps not surprisingly, Congress did not meet its self-imposed deadline for developing federal health privacy protections. The task thus fell to HHS, which promulgated proposed rules on November 3, 1999.[7] Final regulations were promulgated in late December 2000.[8]
(2) HIPAA's Scope

(a) Who Is A "Covered Entity" Under HIPAA?

It is important to note that the HIPAA privacy regulations are limited in scope; they do not cover all persons or entities that have access to personal health information. More specifically, the HIPAA privacy regulations only directly cover three types of entities:

(1) health plans (e.g., managed care organizations and traditional insurers);[9]
(2) health care "clearinghouses" (i.e., entities that process health claims information for providers and insurers);[10] and
(3) health care providers[11] (e.g., physicians, hospitals, pharmacists) who transmit any health information in electronic form.[12]

It is only if a provider or entity falls within these three categories that the provider or entity is considered a "covered entity" under HIPAA.[13] Thus, while health plans and health care clearinghouses are always covered entities (and hence, subject to the privacy regulations), health care providers are covered entities only if they transmit health information in electronic form.[14] This is expected to cover most health providers, however, since most providers accept payments from insurers or managed care plans, which, in turn, generally requires that the providers transmit health information in electronic form (e.g., internet, e-mail, fax transmission, phone transmission, etc.). Moreover, another provision of HIPAA, the Electronic Data Interchange ("EDI") standards, establishes and requires the use of a uniform standard for electronic data interchange by covered entities[15] and requires that, by October 16, 2003, all claims for reimbursement by Medicare submitted by providers must be submitted electronically pursuant to the uniform standard.[16] With a few narrow exceptions, paper claims to Medicare will no longer be accepted.[17]
(b) "Business Associates" Under HIPAA

Covered entities are also required under HIPAA to impose contractual restrictions on the use or disclosure of individually identifiable health information by so-called "Business Associates."[18] Thus, if a covered entity hires another company or consultant and provides them with access to protected health information, the covered entity's contract with the Business Associate must establish the permitted and required disclosures of such information by the Business Associate,[19] and provide that the Business Associate will not further use or disclose the information other than permitted or required by the contract or as required by law, will use appropriate safeguards to prevent use or disclosure not permitted by the contract, and report (to the covered entity) any use or disclosure of the information not permitted by contract, of which it becomes aware.[20]

It is important to note, however, that Business Associates are not directly subject to the HIPAA privacy regulations. It is the covered entity, not the Business Associate, that is solely liable for violations of privacy by the Business Associate (although, of course, the covered entity may sue the Business Associate for breach of contract). A covered entity will be deemed "not in compliance" with the HIPAA privacy regulations due to breaches of privacy by a Business Associate if the covered entity knew of a pattern of activity or practice of the Business Associate that constituted a material breach or violation of the Business Associate's obligation under the contract.[21] However, a covered entity will escape liability for the Business Associate's practices if the covered entity took "reasonable steps" to cure the breach or end the violation by the Business Associate and, if such steps were unsuccessful, either (1) terminated the contract, if feasible; or (2) if termination is not feasible, reported the problem to the Secretary.[22] Essentially, therefore, covered entities are held responsible for privacy breaches by a Business Associate only if the covered entity actually knew about the breach and did nothing to remedy it.
(3) HIPAA Enforcement
Any person who believes that a covered entity is not complying with the HIPAA privacy regulations may file a complaint with the Secretary of HHS within 180 days of when the individual knew or should have known that the violation occurred.[23] The Secretary may, but is not required to, investigate such complaints.[24] If the Secretary opts to investigate and determines that non-compliance has occurred, the Secretary must notify the covered entity "and attempt to resolve the matter by informal means whenever possible."[25] If the Secretary determines that the matter cannot be resolved informally, the Secretary may, but is not required to, issue written findings (to both the covered entity and the complainant) documenting the non-compliance.[26]

Section 1176 of the HIPAA statute establishes a general penalty for failure to comply with the requirements and standards of the Act. Specifically, the Secretary "shall" impose upon any person who violates the Act a penalty of not more than $100 for each violation, up to a maximum of $25,000 per calendar year for all violations of an identical requirement or prohibition. Section 1177 of the Act specifically addresses "wrongful disclosure of individually identifiable health information" and provides that a person who knowingly obtains or discloses individually identifiable health information in a manner prohibited by the Act "shall" be punished by a fine of not more than $50,000 and/or imprisonment for not more than one year. If the violation is committed under false pretenses, the punishment escalates to a fine of not more than $100,000 and/or imprisonment for not more than 5 years. If the violation is committed "with an intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm," the punishment again escalates to a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Neither the HIPAA statute nor regulations permit a private right of action for violations of the privacy provisions.
(4) HIPAA Preemption
While the final regulations have provided significant new federal protections for the privacy of medical information, they are considered to be a minimum, or floor, of protection. State laws contrary to and less protective than HIPAA's protections are preempted; state laws that are "more stringent" than the HIPAA protections are not preempted,[27] even if they are contrary to HIPAA.[28] Three categories of state laws are explicitly not preempted by HIPAA (even if they are less stringent than the protections afforded under HIPAA): (1) state laws that authorize or prohibit disclosure of protected health information about minors to parents, guardians, or persons acting in loco parentis (i.e., parental notification laws);[29] (2) state laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health investigations;[30] and (3) state laws that require health plans to report or grant access to information for the purpose of audits, evaluation, or licensure, or certification of facilities or individuals.[31]
A state (acting through its chief elected official or his/her designee) or others may request, in writing, that the Secretary except a state law from preemption.[32] The Secretary may except a state law from preemption if the Secretary finds one of the following: (1) that the state law is necessary to prevent health care fraud and abuse; (2) that the state law is necessary to ensure appropriate State regulation of insurance and health plans; (3) that the state law is necessary for state reporting on health care delivery or costs; (4) that the state law is necessary to serve a compelling need related to public health, safety, or welfare (and, if a privacy standard is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served); or (5) that the state law has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances.[33]
Given the general lack of understanding and awareness of state law regarding medical information privacy and the broad allowance under HIPAA for the continued operation of state law, the MLRC asked the authors of this report to survey both Michigan and federal law to determine the contours of the privacy of medical information. Specifically, the authors were asked to focus on 5 issues:

(1) patients' access to their own medical records;
(2) third parties' access to a patient's medical records (e.g., insurers, managed care organizations, employers, pharmacies);