A Study Report to the Michigan Law Revision Commission

on Medical Information Privacy

The Michigan Law Revision Commission is currently studying the subject of medical information privacy in the State of Michigan. In 2001 the Commission retained the services of Professor Elizabeth Price Foley, Michigan State University-Detroit College of Law, and Associate Professor Vence L. Bonham, Department of Medicine, College of Human Medicine, Michigan State University, to examine this subject and to prepare a preliminary report for the Commission. Their report, which follows, focuses on five issues:

(1) patients' access to their own medical records,

(2) third-party access (e.g., insurers, managed care organizations, employers, pharmacies) to a patient's medical records,

(3) third-party use of information contained in a patient's medical records (e.g., researchers, peer review organizations, licensing boards),

(4) treatment of sensitive medical information with a high potential for stigmatization or discrimination (e.g., information related to HIV, mental health, substance abuse, sexually transmitted diseases, abortion, or genetic information), and

(5) the retention and disposal of medical records.

The Commission takes no position on any of these issues at this time, nor does it make any recommendations to the Legislature at this time. In 2002 Professors Foley and Bonham will be submitting legislative proposals to the Commission for its review and consideration. The Commission will report to the Legislature on these proposals in its 2002 annual report.


Preliminary Report to

THE MICHIGAN LAW REVISION COMMISSION

on

MEDICAL INFORMATION PRIVACY

Elizabeth Price Foley, J.D., LL.M.

Professor of Law

Michigan State University, Detroit College of Law

and

Vence L. Bonham, Jr., J.D.

Associate Professor, Department of Medicine,

College of Human Medicine, Michigan State University

Table of Contents

I. Introduction
  A. Background
    (1) Enactment of HIPAA
    (2) HIPAA's Scope
      (a) Who Is A "Covered Entity" Under HIPAA?
      (b) "Business Associates" Under HIPAA
    (3) HIPAA Enforcement
    (4) HIPAA Preemption
  B. Limitations of This Report

II. Patients' Access to Their Own Medical Records
  A. Michigan Law
  B. Federal Law
    (1) The Privacy Act of 1974
    (2) Nursing Home Residents' Right of Access
    (3) Medicare + Choice Enrollees' Right of Access
    (4) Mammography Records
    (5) HIPAA
      (a) HIPAA's General Right of Access
      (b) Denials of Access Under HIPAA
        (i) Denials for which there is no right of review
        (ii) Denial for which there is a right to external review

III. Third Party Access to/Disclosure of a Patient's Medical Records
  A. Michigan Law
    (1) State Licensing Boards
    (2) Private Accreditation and Peer Review Boards
    (3) Health Provider-Patient Evidentiary Privileges
    (4) Licensed Health Facilities' & Agencies' Records
    (5) Non-Profit Health Care Corporations' Records
    (6) Pharmacy Records
    (7) Third Party Administrator (TPA) Records
    (8) Dental Records
    (9) Nursing Homes' Records
    (10) Governmental Agency Access to Records
  B. Federal Law
    (1) The Privacy Act of 1974
    (2) Nursing Home & Home Health Agency Records
    (3) Hospital Records
    (4) Medicare + Choice Records
    (5) HIPAA
      (a) Permitted Disclosures for Governmental Health Oversight Purposes
      (b) Disclosures to Private Peer Review & Accrediting Organizations
      (c) Disclosures for which Patient Consent is Required
      (d) Disclosures for which Patient "Authorization" is Required
      (e) When Is Consent or Authorization Not Required by HIPAA?
        i. General Exceptions
        ii. Disclosure/Use for Marketing & Fundraising Purposes
      (f) Patients' Right to Accounting of Disclosures
    (6) The Freedom of Information Act

IV. Privacy in Medical Research
  (1) Federal Law
    (a) The Common Rule
    (b) HIPAA
    (c) HIPAA Shortcomings
  (2) Michigan Law
  (3) Other States

V. Sensitive Medical Information
  A. Mental Health Information
    (1) Michigan Law
    (2) Federal Law
  B. Substance Abuse Information
    (1) Michigan Law
    (2) Federal Law
  C. HIV/AIDS
    (1) Michigan Law
    (2) Federal Law
  D. Other Sexually Transmitted Diseases
    (1) Michigan Law
    (2) Federal Law
  E. Pregnancy/Abortion Services
    (1) Michigan Law
    (2) Federal Law
  F. Child Abuse Information
    (1) Michigan Law
    (2) Federal Law
  G. Genetic Information
    (1) Michigan Law
    (2) Federal Law

VI. The Retention and Disposal of Medical Records
  A. Michigan Law
    (1) Health Maintenance Organizations
    (2) Nursing Homes
    (3) Dentists' Offices
    (4) Hospices
    (5) Mental Health Hospitals, Sanatoria, & Psychiatric Facilities
    (6) Methadone Treatment Programs
    (7) Pharmacies
    (8) Alteration of Medical Records or Charts
  B. Federal Law
    (1) Mammography Facilities
    (2) Controlled Substances Prescriptions
    (3) Medicare Claims
    (4) Blood & Blood Products
    (5) Clinical Laboratory Reports
    (6) OSHA Employee Medical Records
    (7) HIPAA

VII. Issues Relating to the Privacy of Health Information on the Internet
  (A) Michigan Law
  (B) Federal Law
  (C) HIPAA Shortcomings

VIII. Conclusion
  (1) Business Associates/Definition of Covered Entity
    (a) General Limitations of Coverage for Business Associates
    (b) Health-Related Web Sites
  (2) Sensitive Medical Information
  (3) Private Right of Action
  (4) Marketing/Fundraising Communications


I. Introduction

In the summer of 2000, the Michigan Law Revision Commission (MLRC) initiated a comprehensive review of Michigan laws regarding medical information privacy and commissioned a research project on the topic. This report presents the preliminary findings and conclusions of that research. In its charge, the MLRC indicated that it is particularly interested in knowing what Michigan's medical record privacy laws are, and how they compare with laws enacted by the federal government, particularly the Health Insurance Portability and Accountability Act ("HIPAA"). This report addresses these and other related matters.

A. Background

An individual's medical information is contained in numerous forms, including paper records and charts, electronic databases, and even oral information. It is also possessed by a dizzying array of providers, health care institutions, and business entities, including physicians, hospitals, nursing facilities, pharmacies, insurers, employers, governmental agencies, third party administrators, and marketing firms. Given the broad array of personal medical information that exists and its potentially wide dissemination, particularly in the age of computers, Americans have begun to express concerns about protecting the privacy of such medical information. An August 2000 survey conducted by Gallup for the Institute for Health Freedom[1] found that 78% of those surveyed felt that it was "very important" that their medical records be kept confidential.[2] Not surprisingly, then, a January 1999 survey conducted by Princeton Survey Research Associates found that 1 in 7 Americans had done something out of the ordinary to keep personal medical information confidential, including providing inaccurate information to, or withholding information from, health care providers, doctor-hopping to avoid a consolidated medical record, paying out-of-pocket for care that is covered by insurance, and even avoiding care altogether.[3]

 

(1) Enactment of HIPAA

In an attempt to address the public's concern, most states, including Michigan, have enacted numerous scattered, uncoordinated laws providing varying degrees of access to, and privacy protection for, medical information possessed by health care providers or institutions. Because these state laws regarding medical information privacy were so varied and incomplete, Congress, as part of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),[4] imposed upon itself a three-year deadline for developing federal health privacy protections.[5] Recognizing that congressional agreement on such health privacy protections may not be politically feasible, HIPAA mandated that, if Congress could not reach agreement on federal health privacy protections within the three-year time period, the task would be delegated to the Secretary of the U.S. Department of Health and Human Services ("HHS").[6] Perhaps not surprisingly, Congress did not meet its self-imposed deadline for developing federal health privacy protections. The task thus fell to HHS, which promulgated proposed rules on November 3, 1999.[7] Final regulations were promulgated in late December 2000.[8]

 

(2) HIPAA's Scope

(a) Who Is A "Covered Entity" Under HIPAA?

It is important to note that the HIPAA privacy regulations are limited in scope; they do not cover all persons or entities that have access to personal health information. More specifically, the HIPAA privacy regulations only directly cover three types of entities:

(1) health plans (e.g., managed care organizations and traditional insurers);[9]

(2) health care "clearinghouses" (i.e., entities that process health claims information for providers and insurers);[10] and

(3) health care providers[11] (e.g., physicians, hospitals, pharmacists) who transmit any health information in electronic form.[12]

It is only if a provider or entity falls within these three categories that the provider or entity is considered a "covered entity" under HIPAA.[13] Thus, while health plans and health care clearinghouses are always covered entities (and hence, subject to the privacy regulations), health care providers are covered entities only if they transmit health information in electronic form.[14] This is expected to cover most health providers, however, since most providers accept payments from insurers or managed care plans, which, in turn, generally requires that the providers transmit health information in electronic form (e.g., internet, e-mail, fax transmission, phone transmission, etc.). Moreover, another provision of HIPAA, the Electronic Data Interchange ("EDI") standards, establishes and requires the use of a uniform standard for electronic data interchange by covered entities[15] and requires that, by October 16, 2003, all claims for reimbursement by Medicare submitted by providers must be submitted electronically pursuant to the uniform standard.[16] With a few narrow exceptions, paper claims to Medicare will no longer be accepted.[17]

 

(b) "Business Associates" Under HIPAA

Covered entities are also required under HIPAA to impose contractual restrictions on the use or disclosure of individually identifiable health information by so-called "Business Associates."[18] Thus, if a covered entity hires another company or consultant and provides them with access to protected health information, the covered entity's contract with the Business Associate must establish the permitted and required disclosures of such information by the Business Associate,[19] and provide that the Business Associate will not further use or disclose the information other than as permitted or required by the contract or as required by law, will use appropriate safeguards to prevent use or disclosure not permitted by the contract, and will report (to the covered entity) any use or disclosure of the information not permitted by the contract of which it becomes aware.[20]

It is important to note, however, that Business Associates are not directly subject to the HIPAA privacy regulations. It is the covered entity, not the Business Associate, that is solely liable for violations of privacy by the Business Associate (although, of course, the covered entity may sue the Business Associate for breach of contract). A covered entity will be deemed "not in compliance" with the HIPAA privacy regulations due to breaches of privacy by a Business Associate if the covered entity knew of a pattern of activity or practice of the Business Associate that constituted a material breach or violation of the Business Associate's obligation under the contract.[21] However, a covered entity will escape liability for the Business Associate's practices if the covered entity took "reasonable steps" to cure the breach or end the violation by the Business Associate and, if such steps were unsuccessful, either (1) terminated the contract, if feasible; or (2) if termination is not feasible, reported the problem to the Secretary.[22] Essentially, therefore, covered entities are held responsible for privacy breaches by a Business Associate only if the covered entity actually knew about the breach and did nothing to remedy it.

 

(3) HIPAA Enforcement

Any person who believes that a covered entity is not complying with the HIPAA privacy regulations may file a complaint with the Secretary of HHS within 180 days of when the individual knew or should have known that the violation occurred.[23] The Secretary may, but is not required to, investigate such complaints.[24] If the Secretary opts to investigate and determines that non-compliance has occurred, the Secretary must notify the covered entity "and attempt to resolve the matter by informal means whenever possible."[25] If the Secretary determines that the matter cannot be resolved informally, the Secretary may, but is not required to, issue written findings (to both the covered entity and the complainant) documenting the non-compliance.[26]

Section 1176 of the HIPAA statute establishes a general penalty for failure to comply with the requirements and standards of the Act. Specifically, the Secretary "shall" impose upon any person who violates the Act a penalty of not more than $100 for each violation, up to a maximum of $25,000 per calendar year for all violations of an identical requirement or prohibition. Section 1177 of the Act specifically addresses "wrongful disclosure of individually identifiable health information" and provides that a person who knowingly obtains or discloses individually identifiable health information in a manner prohibited by the Act "shall" be punished by a fine of not more than $50,000 and/or imprisonment for not more than one year. If the violation is committed under false pretenses, the punishment escalates to a fine of not more than $100,000 and/or imprisonment for not more than 5 years. If the violation is committed "with an intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm," the punishment again escalates to a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Neither the HIPAA statute nor the regulations permit a private right of action for violations of the privacy provisions.

 

(4) HIPAA Preemption

While the final regulations have provided significant new federal protections for the privacy of medical information, they are considered to be a minimum, or floor, of protection. State laws contrary to and less protective than HIPAA's protections are preempted; state laws that are "more stringent" than the HIPAA protections are not preempted,[27] even if they are contrary to HIPAA.[28] Three categories of state laws are explicitly not preempted by HIPAA (even if they are less stringent than the protections afforded under HIPAA): (1) state laws that authorize or prohibit disclosure of protected health information about minors to parents, guardians, or persons acting in loco parentis (i.e., parental notification laws);[29] (2) state laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health investigations;[30] and (3) state laws that require health plans to report or grant access to information for the purpose of audits, evaluation, or licensure, or certification of facilities or individuals.[31]

A state (acting through its chief elected official or his/her designee) or others may request, in writing, that the Secretary except a state law from preemption.[32] The Secretary may except a state law from preemption if the Secretary finds one of the following: (1) that the state law is necessary to prevent health care fraud and abuse; (2) that the state law is necessary to ensure appropriate State regulation of insurance and health plans; (3) that the state law is necessary for state reporting on health care delivery or costs; (4) that the state law is necessary to serve a compelling need related to public health, safety, or welfare (and, if a privacy standard is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served); or (5) that the state law has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances.[33]

Given the general lack of understanding and awareness of state law regarding medical information privacy and the broad allowance under HIPAA for the continued operation of state law, the MLRC asked the authors of this report to survey both Michigan and federal law to determine the contours of the privacy of medical information. Specifically, the authors were asked to focus on 5 issues:

(1) patients' access to their own medical records;

(2) third parties' access to a patient's medical records (e.g., insurers, managed care organizations, employers, pharmacies);

(3) third party use of information in a patient's medical records (e.g., researchers, peer review organizations, licensing boards);

(4) treatment of sensitive medical information with a high potential for stigmatizing or discriminatory impact, such as information related to HIV, mental health/substance abuse, sexually transmitted diseases, abortion, or genetic information; and

(5) the retention and disposal of medical records.

Each of these areas will be addressed separately within this preliminary report.

 

 

B. Limitations of This Report

It should be noted that, while this report provides a comprehensive overview of the major laws relating to medical information privacy, it is not intended to be an exhaustive document. The final regulations implementing the privacy components of HIPAA, for example, were issued in late December 2000 and total over 360 pages in the Federal Register. The final regulations took effect April 14, 2001, although covered entities have until April 14, 2003 to actually comply with the rules.[9] Because of the volume and complexity of the final rule, its relatively recent effective date, and the fact that most health care organizations are not expected to be in compliance with the rules for many months, it will undoubtedly take years for the full meaning and effect of the regulations to be well-understood. Likewise, except for the HIPAA regulations, our survey of state and federal law generally has been limited to a review of selected statutory law (as opposed to common law or implementing regulations), due to the sheer number, variety and complexity of relevant materials. Moreover, given that our task was to provide an overview of state and federal laws relating to medical information privacy, we have not attempted to obtain or discuss privacy standards developed or required by private accrediting organizations (e.g., JCAHO).

 

 

II. Patients' Access to Their Own Medical Records

A. Michigan Law

Michigan law currently states that all licensed health facilities and agencies that provide services directly to patients "shall adopt" a policy describing the rights and responsibilities of admitted patients.[10] Included in the list of statutorily specified minimum patients' rights is the right to inspect and copy his/her medical record upon request.[11] The law explicitly states that the enumerated patients' rights and responsibilities "are guidelines" and that no individual shall be criminally or civilly liable for failure to comply therewith.[12] Although no private right of action by an aggrieved patient is permitted, the Michigan Department of Public Health may seek administrative remedies, including license suspension/revocation or fines, against a licensed facility that denies patients' rights.[13]

Because this law only applies to licensed health facilities and agencies (i.e., licensed institutions), it does not give patients a right to access medical records maintained outside the licensed institutional setting (e.g., a physician's office). Thus, patients in Michigan do not have a statutory right to access general medical records maintained by physicians' offices or other non-institutional offices.

There is, however, more specific protection under Michigan law for patients receiving mental health services. The statutes provide such patients the right to access their mental health records, provided the patient has not been adjudicated legally incompetent and does not have a legal guardian.[14] The entity or person who maintains a mental health record is required to provide the patient with a copy of the record "as expeditiously as possible" but in no event later than the earlier of 30 days after receiving the patient's request or, if the patient is receiving treatment from the holder of the record, before the patient is released from treatment.[15] Access may be denied to the patient if, in the written judgment of the record holder, disclosure to the patient would be "detrimental to the [patient] or to others."[16] Upon receipt of their mental health services record, a patient may challenge the accuracy, completeness, timeliness or relevance of the factual information contained in the record.[17] The patient may insert a statement into the record that corrects or amends the information therein.[18]

 

B.  Federal Law

 

(1) The Privacy Act of 1974

 

Under the Privacy Act of 1974,19 individuals have a right to examine, copy and amend records about them maintained by federal agencies20 and contractors thereof,21 including medical records maintained by federal agencies such as the Center for Medicare and Medicaid Services (ACMS@).22   When a federal agency collects information from an individual, the Act requires that the agency notify the individual of the fact of collection, the authority under which the information is being collected, the principal purpose for the information, routine uses that may be

 

made of the information, whether the individual is required to supply the information, and any effects of not so providing.23

 

A federal agency that refuses to comply with an individual=s request to examine or copy his/her own records is subject to a civil suit by the individual.24 The statute states that the remedies for this situation are limited to the issuance of an injunction and order of production against the withholding agency25 and assessment of reasonable attorney fees and other litigation costs incurred.26

 

(2) Nursing Home Residents' Right of Access

As part of OBRA '87, Congress enacted a comprehensive set of rights for the residents of nursing homes.27  The statute requires that nursing facilities receiving Medicaid reimbursement (as most nursing homes do) must maintain clinical records on all patients28 and states that residents have the right both to "confidentiality of personal and clinical records" and "to access to current clinical records of the resident upon request."29  Once a request for access to the patient's clinical record has been made (by either the resident or the resident's legal representative), the nursing facility must provide such access within 24 hours (excluding weekends or holidays).30


(3) Medicare + Choice Enrollees' Right of Access

Medicare beneficiaries enrolled in Medicare + Choice plans (i.e., managed care or fee-for-service plans) have a statutory right to "timely access" to medical records or other information about them maintained by the plan.31  Unfortunately, the statute does not specify precisely what is meant by "timely access," nor does the implementing regulation.32


(4) Mammography Records

Federal law states that upon the request of the patient, a mammography facility must transfer the patient's mammogram to either: (1) a medical institution; (2) a physician of the patient; or (3) the patient directly.33  However, neither this statute nor its implementing regulation34 appears to give the patient a right to demand that the mammography facility transfer the mammogram directly to the patient.  In other words, the statute appears to permit a mammography facility faced with a patient's transfer request to choose option 1 (medical institution) or 2 (physician) rather than 3 (transfer to the patient directly).


(5)  HIPAA

(a) HIPAA's General Right of Access

A central feature of HIPAA is that individuals are granted a right to access their own protected (i.e., individually identifiable) health information35 maintained by a provider, health plan, or a health plan's business partner(s), if the health information is used, in whole or in part, to make health care treatment or payment decisions for the individual.36  So-called "de-identified" health information is not covered by the regulation.37


An individual's right of access includes the right to inspect and copy such records and exists as long as a covered entity maintains the record in which the information is contained.38  A covered entity has up to 60 days (from the date of receiving the patient's request) to respond to a request if the information is maintained by the covered entity on-site, or up to 90 days to respond if the information is maintained off-site.39

The final regulation also specifies that there are three types of information to which the patient does not have a right of access: (1) psychotherapy notes; (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and (3) information maintained by a clinical laboratory subject to the Clinical Laboratory Improvement Act (CLIA), 42 U.S.C. 263a et seq.40

While the first two of these types of information are relatively self-explanatory, the third warrants brief explanation.  The federal law regulating clinical laboratories, CLIA, requires clinical labs to disclose test results to "authorized persons," as defined by state law.41  If no state law defines "authorized persons," the federal law defines it as the person who orders the test, usually the health care provider.42  Thus, if state law does not define the patient tested to be an "authorized person," the patient has no right to access the test results from the laboratory itself.43  Assuming the laboratory reports the results to the patient's health care provider, however, the provider is likely to be a "covered entity" subject to HIPAA; hence, the patient would have the right, pursuant to the HIPAA final regulation, to inspect and copy any results conveyed to the health care provider.44  In this indirect way, then, most patients will ultimately have the right, pursuant to the HIPAA final regulations, to access their own medical records containing the results of clinical laboratory tests.


(b)  Denials of Access Under HIPAA

In addition to the three situations in which a patient lacks a right of access (see supra Section I(B)(1)), HIPAA's final regulations specify eight situations in which a patient does, in general, have a right of access, but under which a covered entity may deny, if it so desires, a patient's request.  If a covered entity opts to exercise its denial rights, it must notify the patient, in writing, of the basis for the denial and provide the patient with information regarding a right to review, if it exists.45  Five of these eight bases for denial are absolute, in the sense that the patient does not have a right to demand a review of the denial.  Three of the eight bases, however, are qualified, in the sense that a patient denied access for one of these three reasons is given a right to demand review from a licensed health care professional.


(i).  Denials for which there is no right of review

As stated above, the regulations list five situations in which a covered entity may deny a patient access to his/her medical information and for which the patient will have no right to external review of this decision.


First, of course, information requested that falls within any of the three categories listed above (see supra Section I(B)(1)) may be denied.46  Second, correctional institutions (or providers acting under the direction of correctional institutions) may deny an inmate's request to copy his/her own medical information if obtaining a copy would "jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of any officer, employee or other person at the correctional institution or responsible for transporting of the inmate."47  The regulation thus permits denial of the right to copy in situations involving a risk to health or safety, but it does not permit denial of the inmate's right to inspect his/her medical information, which must still be honored, unless one of the other permissible denial situations applies.48

Third, the regulations allow a covered entity to deny a request for access to information by patients who are participants in a treatment research study, but only during the time in which the research is in progress, and only if the patient explicitly consents to having such access denied during the course of the research.49  Once the research study has ended, the patient's right of access is automatically reinstated.50  Fourth, a covered entity may deny access under HIPAA if the information requested is contained in records that are subject to the Privacy Act, and the Privacy Act would allow denial of access by the individual.51  Finally, the regulations permit a covered entity to deny access to information that is obtained from someone other than a health care provider acting under a promise of confidentiality, where providing access "would be reasonably likely to reveal the source of the information."52


(ii).  Denial for which there is a right to external review

The final regulations specify three permissible bases for denying a patient's requested access to his/her medical information for which the covered entity must provide external review upon demand by the patient.  If the patient demands review of the denial, the regulations specify that the covered entity will need to have the denial determination reviewed by a licensed health care professional.53  This professional need not be a physician, but may be any other health care professional licensed by the state, including a nurse or a physician's assistant.54  The regulations specify that the health care professional who conducts the review must not have been involved in the original decision to deny access.55


The three bases for denial for which a right to review attaches are as follows.  First, access may be denied if providing access is "reasonably likely to endanger the life or physical safety of the individual or another person."56  The regulations make clear, however, that this basis for denial does not permit denial based upon the general "sensitivity" of the medical information or the likelihood that the information will cause emotional or psychological harm.57  It is only if the information is likely to result in physical violence that this basis for denial may be invoked.  Under the second basis for denial for which a right to review attaches, however, emotional or psychological harm may be appropriately taken into account.  Specifically, the regulations state that a patient may be denied access if the information requested makes a reference to a third party (other than a health care provider) and the patient's health care provider has determined, in the exercise of professional judgment, that giving the patient access to such information is "reasonably likely to cause serious harm" to the third party.58  The regulations specifically state that denial may be based upon the likelihood not just of physical harm to the third party, but also the likelihood of emotional or psychological harm.59

Third, access may be denied (with no right of review) if the access is requested by the patient's personal representative and the covered entity has a "reasonable belief that the individual has been or will be subjected to domestic violence, abuse, or neglect by the personal representative" or that allowing the representative's access to the medical information may endanger the patient somehow and that it is therefore not in the patient's best interests to allow the representative such access.60


III. Third Party Access to/Disclosure of a Patient's Medical Records

This section will discuss the various laws regarding whether, and to what extent, a third party may access a patient's medical information.  This would include, inter alia, access by entities such as insurers, employers, marketing companies, and governmental agencies.


A.  Michigan Law

(1) State Licensing Boards


Michigan law provides authority to the Department of Consumer and Industry Services (DCIS) to investigate activities related to the practice of a health professional and order relevant testimony.  Specifically, the statute says:

Sec. 16221.  The department may investigate activities related to the practice of a health profession by a licensee, a registrant, or an applicant for licensure or registration.  The department may hold hearings, administer oaths, and order relevant testimony to be taken and shall report its findings to the appropriate disciplinary subcommittee…61

The Attorney General, on behalf of a state licensing board, may request the circuit court to issue a subpoena requiring a health professional to produce books, papers, or documents (including medical records) pertaining to the investigation.62  Failure to comply with a subpoena so issued may result in discipline by the licensing board.63  The department or an appointed disciplinary subcommittee may request and shall receive reports, including information from a licensed health care facility, as to disciplinary action taken by the facility against a health professional.64


(2)  Private Accreditation and Peer Review Boards

Michigan's statutes on access to records for investigations do not directly apply to private peer review boards and private accreditation agencies.  A health care corporation shall not disclose records containing personal data that may be associated with an identifiable member, or personal information concerning a member, without the patient's consent except when the disclosure is made to a governmental entity.65


(3) Health Provider-Patient Evidentiary Privileges

Michigan law recognizes several patient-health provider evidentiary privileges.  Most notably, Michigan statutory law establishes a physician-patient evidentiary privilege, which states that a licensed physician or surgeon "shall not disclose any information that the [physician or surgeon] has acquired in attending a patient in a professional character, if the information was necessary to enable that person to prescribe for the patient as a physician, or to do any act for the patient as a surgeon."66  In addition, Michigan statutes recognize an evidentiary privilege for mental health providers such as psychologists and psychotherapists.67

Of course, these evidentiary privileges are just that, evidentiary privileges, and, as such, merely prevent the health provider from testifying in court as to what the patient has told him/her in his/her capacity as a health provider.  Such privileges do not prevent the health provider from divulging a patient's confidences outside the courtroom setting; however, the licensing statutes may prevent such disclosure.  Specifically, Michigan statutes provide that the state licensing board may take disciplinary action against a licensed health care provider for "unprofessional conduct."68  The statute specifies that "unprofessional conduct" includes "betrayal of a professional confidence."69  Thus, a provider who divulges information conveyed by a patient as confidential may face adverse action against his/her license.


(4) Licensed Health Facilities' & Agencies' Records

Michigan law provides that all licensed health facilities and agencies must adopt policies that include a right of each patient to have his/her medical records treated as confidential.70  These policies adopted by licensed facilities and agencies should include a right of the patient to refuse dissemination of their records to third parties except as required for transfer to another health facility, by a third party payment contract, or by law.71  As with the situation regarding patient access to his/her own records, this law, by only applying to licensed health facilities and agencies, does not include physicians' offices, which are not licensed by the state.  Thus, under current Michigan statutes, a patient does not have a legal right to stop his/her physician from disseminating medical records to a third party.72  And again, because the statute merely prescribes general guidelines for the policies that must be implemented by a licensed health facility or agency, there is no specific civil or criminal penalty for non-compliance.73


(5) Non-Profit Health Care Corporations' Records

Michigan has enacted a specific statute regarding the disclosure of medical information by non-profit health care corporations (e.g., Blue Cross/Blue Shield).  Specifically, the statute states that a non-profit health care corporation has a duty to use reasonable care to secure its members' records from unauthorized access and to collect only personal data that is necessary for the proper review and payment of claims.74  The Board of Directors of the non-profit health care corporation must adopt specific corporate policies regarding the protection of members' privacy and confidentiality of personal data.75  These corporate policies must also specify that access within the corporation to a member's personal data is limited to those persons with a "need to know" only.76  A non-profit health care corporation that violates this law is subject to criminal misdemeanor penalties of not more than $1,000 per violation and a private civil action for recovery of actual damages or $200, whichever is greater, in addition to reasonable attorneys' fees and costs.77

In addition to these internal policies and responsibilities, the non-profit health care corporation may not disclose identifiable personal data, including a member's medical treatment records, without the prior, written, specific, informed consent of the member.78  Exceptions are allowed for disclosure (without patient authorization) to courts, the state insurance commissioner, and governmental agencies or entities.79  The statute also protects against re-disclosure by stating that if the patient has consented to allow the health care corporation to disclose information to a third party, the corporation shall not release the patient's information to such third party unless the third party agrees not to further disseminate the information without obtaining another prior, specific, written, informed consent from the patient.80


(6) Pharmacy Records

Michigan law states that persons having custody of or access to prescriptions shall not disclose their contents or provide copies thereof without the patient's authorization, with seven exceptions: (1) the patient him/herself; (2) another pharmacist acting on behalf of the patient; (3) the prescriber who wrote the prescription; (4) a licensed health professional who is currently treating the patient; (5) an agency/agent of the government responsible for enforcement of laws relating to drugs and devices; (6) a person authorized by court order; (7) a person engaged in research projects or studies with protocols approved by the state licensing board.81  The statute does not specify how patient authorization may be validly obtained, which suggests that any form of authorization, oral or written, is permissible.  Pharmacists who violate this confidentiality provision are subject to discipline by the state licensing board.82


(7) Third Party Administrator (TPA) Records

Third party administrators (i.e., those entities hired to process insurance or benefit claims)83 are under a statutory duty to treat as confidential the personal data of an individual covered by a plan.84  As such, the statute states that a TPA shall not disclose identifiable information on a patient to any third party without the patient's prior consent, except as necessary to comply with a court order, to verify or adjudicate claims, to conduct an ERISA audit, to purchase or make claims under excess loss insurance, to the Michigan Insurance Commissioner, or for other proper plan administration.85  Because the statute does not specify precisely how the patient's consent must be obtained, presumably it may be in oral or written form.  The statute goes further, however, and states that, once a patient has provided consent for the release of identifiable information to a third party, the third party is also under a duty to keep the information confidential unless the patient "executes in writing another consent authorizing the additional release."86  It is thus clear that, at least with regard to re-disclosure, the patient's authorization must be in writing.

Although this statutory protection appears on its face rather stringent, it does not appear to provide any penalties or remedy in the event that a TPA violates a patient's confidentiality.87


(8) Dental Records

Michigan law states that a patient's dental records are confidential and privileged, and may not be disclosed without the written consent of the patient (or the patient's attorney in fact or personal representative)88 except in certain narrowly defined situations, including, inter alia, as necessary to defend a claim challenging the dentist's professional competence, to make a claim for payment, pursuant to an audit or other good faith examination of the dentist's records for correctness, pursuant to court order, or pursuant to a death examination by a medical examiner.89


(9) Nursing Homes' Records

Licensed nursing homes are under a duty to keep patients' records confidential and "shall not divulge or disclose the contents of a record in a manner that identifies a patient, except upon a patient's death to a relative or guardian, or under judicial proceedings."90


(10)  Governmental Agency Access to Records

Michigan law provides numerous allowances for access to a patient's medical information by various governmental agencies (including the courts) under a wide variety of circumstances.  Because of the variety and number of such statutes, only a few of the major exceptions will be documented here.  The state insurance commissioner, courts, other "government entit[ies]" and other "governmental agenc[ies]" are allowed to obtain access to records of patients who are members of non-profit health care corporations (e.g., Blue Cross/Blue Shield) without the need for obtaining the patient's consent.91  The records of nursing homes are available to state regulators and inspectors who need to determine if the nursing home is in compliance with state and federal standards.92  The Department of Consumer and Industry Services is allowed to access the records of all health care facilities it regulates "to the extent necessary to carry out the purpose" of relevant laws it is charged with enforcing.93


B.  Federal Law

(1)  The Privacy Act of 1974

The Privacy Act generally prohibits disclosure to any person (or to another agency) of any record maintained about an individual by a federal agency, unless the prior written request or consent of the individual is obtained.94  Thus, for example, medical records maintained by agencies such as the Center for Medicare and Medicaid Services (CMS)95 may not be disclosed without the individual's consent, except in twelve specific situations, referred to as conditions of disclosure.96  One permissible condition of disclosure permits disclosure of information to an employee of a federal agency if the employee needs the record to perform his/her duties.97  Another permits disclosure for so-called "routine uses,"98 which are defined as use of the record "for a purpose which is compatible with the purpose for which it was collected."99


The Act also imposes a duty upon federal agencies to assure that their records are "accurate, complete, timely and relevant for agency purposes" prior to disseminating any record about an individual to any third party (other than a federal agency).100  Agencies are also required to "make reasonable efforts" to notify individuals when records pertaining to the individual are "made available to any person under compulsory legal process when such process becomes a matter of public record."101

The Act provides for both civil and criminal penalties for violation of the disclosure provisions.  Specifically, intentional or willful violation by an agency of the provisions of the Act subjects the agency to civil liability for actual damages sustained by the individual (but in no case shall the individual receive less than $1,000 as compensation for such injury), plus reasonable attorney fees and costs of bringing such civil action against the agency.102  Willful disclosure of an individual's record by an officer or employee of an agency to any person or agency not entitled to receive such record is punishable as a misdemeanor and a fine of not more than $5,000.103  Likewise, the knowing and willful request or obtainment of any individual's record under false pretenses is punishable as a misdemeanor and a fine of not more than $5,000.104


(2) Nursing Home & Home Health Agency Records

As stated in Section II(B)(2) (relating to Patients' Access to Medical Records), the residents of nursing facilities receiving Medicaid reimbursement (virtually all nursing homes) have a statutory right to the confidentiality of personal and clinical records.105  In addition, federal law requires, as a condition of participation in the Medicare program, that home health agencies ensure the confidentiality of the clinical records of patients.106


(3) Hospital Records

Federal regulations107 require that, as a condition of participation in the Medicare program, hospitals must maintain medical records for every individual treated or evaluated in the hospital.108  Records must be retained in their original (or legally reproduced) form for at least five years.109  The regulations also require that the hospital "have a procedure for ensuring the confidentiality of patient records."110  Furthermore, information from or copies of hospital records may be released only to "authorized individuals" (not specified in the regulation), and the hospital "must ensure that unauthorized individuals cannot gain access to or alter patient records."111  The regulation goes on to say that "original medical records must be released by the hospital only in accordance with Federal or State laws, court orders, or subpoenas."112  It is thus not clear, given the awkward wording of this regulation, whether: (1) non-original medical records are somehow considered distinct from original medical records; and (2) the records "may" (as opposed to "must") be released in other, non-specified situations.


(4) Medicare + Choice Records

Federal law provides that health plans participating in the Medicare + Choice program must "establish procedures" to "safeguard the privacy of any individually identifiable enrollee information."113  The implementing regulation associated with this statute, moreover, specifies, inter alia, that the Medicare + Choice plan must have procedures that specify: (1) for what purposes such information will be used within the organization and (2) to whom and for what purposes the plan will disclose the information outside the organization.114  Neither the statute nor the regulations prohibit the plan from disclosing information to outside entities, nor do they give the enrollee a right to prohibit the plan from so disclosing.


(5)  HIPAA

(a) Permitted Disclosures for Governmental Health Oversight Purposes


HIPAA provides that disclosure for health oversight activities, such as licensure, fraud and abuse investigations, and audits, is a permitted disclosure:

"(d) Standard: Uses and disclosures for health oversight activities. (1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: (i) The health care system; (ii) government benefit programs for which health information is relevant to beneficiary eligibility; (iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or (iv) Entities subject to civil rights laws for which health information is necessary for determining compliance."


This provision would provide authority to state licensing boards to access personally identifiable health information to conduct oversight activities for licensure and disciplinary actions.115

(b) Disclosures to Private Peer Review & Accrediting Organizations

The HIPAA privacy rule applies directly only to health plans, health care clearinghouses, and certain health care providers.  Thus, for purposes of obtaining access to protected health information, a private peer review or accrediting organization (e.g., JCAHO) would be a "Business Associate" of covered entities and thus regulated only indirectly, via contractual provisions with the covered entity.


(c) Disclosures for which Patient Consent is Required

The HIPAA final rule requires that health care providers who have a "direct treatment relationship"116 with their patients must obtain the patient's written consent in order to disclose117 or use118 protected health information to third parties when such disclosure or use is for the purpose of treating the patient, obtaining payment, or for health care operations.119  Importantly, the consent form may be combined with other types of written legal permission (e.g., informed consent for treatment) if the disclosure consent is visually and organizationally separate from such other written legal permission and is separately signed by the individual and dated.120  The consent form must refer the individual to a notice that contains a detailed discussion of the provider's health information practices.121  The consent form must also inform the patient that he/she has a right to ask the covered entity to request certain restrictions regarding the use or disclosure of the information, that the covered entity is not required to agree to such restrictions, and that the individual has the right to revoke the consent in writing.122


Health care providers who do not have a direct treatment relationship with the patient (e.g., laboratories), health plans, and health care clearinghouses may use and disclose protected health information for purposes of treatment, payment or health care operations without obtaining patient consent.  The final rule permits such entities to obtain patient consent, if they so choose.123

One other significant aspect of the HIPAA consent requirement is that the final rule explicitly permits a provider or health plan to condition treatment or enrollment on obtaining the patient's consent.124  Thus, providers and institutions may, consistent with federal law, refuse to treat or enroll a patient if the patient does not consent to the disclosure of his/her medical records for purposes of treatment, payment, or health care operations.125  Although patients are permitted to request that providers not share their medical information with others for the purpose of treatment, payment, or health care operations, providers are not required by law to agree to such a request.  The HIPAA final regulations have thus been criticized by privacy advocates as essentially coercing consent from patients.  On the other hand, CMS, in issuing the final regulations, recognized that "it would be difficult, if not impossible, for health care providers to treat their patients and run their businesses without being able to use or disclose protected health information for [treatment, payment, or health care operations] purposes."126


(d) Disclosures for which Patient "Authorization" is Required

If the use or disclosure of protected health information is for a purpose other than treatment, payment, or health care operations, the rules are more stringent.  No longer will mere "consent" suffice; more is required.  Specifically, the rules require "authorization" by the patient, which (like consent) must be in writing, but (unlike consent) may generally not be combined with other documents and may not be made a condition of the individual's treatment, eligibility for benefits, payment, or health plan enrollment.127  Moreover, unlike the open-ended consent, an authorization must contain an expiration date.128


(e) When Is Consent or Authorization Not Required by HIPAA?

i.  General Exceptions

One of the primary shortcomings of HIPAA is that it permits the disclosure of protected health information for many broadly defined purposes without the need for obtaining patient consent or authorization,129 including, inter alia: (1) disclosure to U.S. public health authorities or foreign governmental agency officials acting in collaboration with a public health authority;130 (2) disclosure to any person subject to FDA jurisdiction in order to report adverse events or product defects, for purposes of product tracking or post-marketing surveillance, or to enable product recalls, repairs or replacement;131 (3) disclosure to health oversight agencies for oversight activities authorized by law;132 (4) disclosure required by other laws, including state laws;133 (5) disclosure for law enforcement proceedings and activities;134 (6) disclosure for judicial and administrative proceedings;135 (7) disclosure to employers if the information relates to work-related illness or injury;136 (8) disclosure to coroners, medical examiners and funeral directors regarding deceased individuals;137 (9) disclosure to organ procurement organizations,138 blood banks, sperm banks, and tissue banks;139 (10) disclosure for research purposes;140 (11) disclosure about victims of abuse, neglect, or domestic violence;141 and (12) disclosure for workers' compensation.142  When making these types of non-consent disclosures, covered entities are required to implement policies and procedures for disclosing the "minimum necessary" amount of health information.143


ii.  Disclosure/Use for Marketing & Fundraising Purposes

HIPAA states that a covered entity may use or disclose (to a Business Associate that assists the covered entity with such communication) protected health information for purposes of marketing144 health-related goods or services in three situations:

(1) face-to-face marketing communications with the patient regarding the entity's own services or products or the services/products of a third party (e.g., providing free samples or other information to the patient upon an office visit);145


(2) providing the patient with products or services of nominal value that contain a marketing communication (e.g., distributing pens, calendars, toothbrushes, key chains, etc. bearing the name of the covered entity or the name of a third party);[146] and

(3) marketing health-related products/services (offered by the covered entity or a third party) to the patient, but only if the communication identifies who is making the communication, states that the covered entity is being compensated for making the communication (if that is so), and informs the patient how to "opt out" of future marketing communications.[147]  This provision does not allow a covered entity to disclose information to third parties, but merely allows the covered entity to inform patients about potentially beneficial health-related products/services offered by itself or third parties.[148]  Covered entities will thus be permitted to inform patients of potentially beneficial drugs, treatments, or other health-related products/services.

HIPAA contains similar restrictions on fundraising by covered entities.  Specifically, the final regulation states that a covered entity may use or disclose (to a Business Associate or institutionally related foundation)[149] certain limited protected health information for purposes of conducting fundraising (for its own benefit only), so long as: (1) the covered entity includes, in the notice of privacy practices required by the regulation,[150] a statement that the entity may contact the individual to raise funds for the covered entity;[151] and (2) the fundraising materials sent to the patient inform the patient how he or she may "opt out" of future fundraising communications.[152]  The regulation explicitly limits use/disclosure for fundraising purposes to two specific types of health information: (1) demographic information relating to the individual; and (2) dates of health care provided to the individual.[153]  Any other protected health information may not be used or disclosed for purposes of fundraising.

Because the regulations require that the covered entity inform the patient of his or her right to "opt out" of future marketing or fundraising communications, the regulations may be viewed as providing covered entities with "one free pass" for such communications.  Thus, covered entities may use or disclose protected health information to engage in marketing/fundraising communications once, but must give patients the right to "opt out" of such communications in the future if they so desire.

(f) Patients' Right to Accounting of Disclosures

Another significant aspect of HIPAA is that it establishes a right of individuals to obtain an accounting of any disclosures of protected health information made by a covered entity within the six years prior to the date of the requested accounting.[154]  Exceptions are made for, inter alia, disclosures to carry out payment, treatment, or health care operations (i.e., necessary disclosures).[155]  The accounting provided to the patient must include the name of the entity or person who received the information, the date of disclosure, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure.[156]  The accounting generally must be provided to the patient within 60 days after receipt of the request therefor.[157]

(6)  The Freedom of Information Act

The Freedom of Information Act ("FOIA")[158] requires the federal government to disclose, upon request, many different types of information possessed by the federal government.  Exemption 6 of FOIA, however, allows federal agencies to withhold "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy."  5 U.S.C. § 552(b)(6).  Pursuant to the final HIPAA rules, HHS has taken the position that disclosures prohibited pursuant to HIPAA would also be subject to FOIA Exemption 6, thus avoiding most (if not all) potential conflicts between the two laws.

IV.  Privacy in Medical Research

Biomedical, epidemiologic, and health services research based on the study of patient medical records has been instrumental in our understanding of outcomes, patterns of practice, use, and determinants of the cost of health care.  Medical information used for health services research has helped to identify potential risks of under-treatment in systems of care, to evaluate the cost-effectiveness of surgical procedures and other important medical interventions, and to develop methods and measures to assess the quality of care provided by health plans, hospitals, physician groups and individual physicians.[159]  The State of Michigan and society overall must decide how best to protect individuals' right to privacy of health information while simultaneously preserving justified research access to personally identifiable health information for research that benefits society.[160]

(1)  Federal Law

Most research involving human subjects operates under the current Federal Policy for the Protection of Human Subjects, known as the "Common Rule" (codified for the Department of Health and Human Services (HHS) at Title 45, Code of Federal Regulations, Part 46), and/or the Food and Drug Administration's (FDA) human subjects protection regulations.[161]  These federal regulations have provisions that address confidentiality and are similar to, but separate from, the HIPAA Privacy Rule's provisions for research.[162]

(a) The Common Rule

The Common Rule, which was developed largely to protect the rights and safety of human subjects, contains two general provisions to protect the privacy of health information used for research.  Institutional Review Boards (IRBs) were required to be established pursuant to 45 C.F.R. Part 46 for the purpose of reviewing, and with the authority to approve, require modification in, or disapprove, all research activities covered by the regulations,[163] including: (1) provisions to protect the privacy of human research subjects and maintain the confidentiality of data, when appropriate; and (2) requiring researchers to provide research subjects with information regarding confidentiality and the use of their health information as a part of the subjects' decision to consent to participate in the study.  The basic elements of informed consent must include "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained."[164]

A 1999 report by the General Accounting Office (GAO), Medical Records Privacy, reported that, "According to the Director of OPRR, confidentiality protections are not a major thrust of the Common Rule and IRBs tend to give it less attention than other research risks because they have the flexibility to decide when it is appropriate to review confidentiality protections."[165]  The Common Rule gives Institutional Review Boards discretion to determine whether the research involves no more than minimal risk to the subjects and, if so, that informed consent may not be necessary to access personally identifiable health information.

Within the last several years, several universities' research programs have been halted because of the failure of their Institutional Review Boards to protect human research subjects.[166]  What role, if any, should the State have in the protection of research subjects' privacy?

(b) HIPAA

The HIPAA final privacy rule provides that research[167] that also involves clinical treatment, in which protected health information ("PHI")[168] is collected, may not be conducted without obtaining authorization for the use or disclosure of such information from the individual patient.  Health information is any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.[169]

Prior to initiating a research study, a researcher must assess the extent to which information about the individual will be used by the research team, as well as used by and disclosed to parties outside of the research team.  "Except as otherwise permitted by § 164.512(i), a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment must obtain an authorization for the use or disclosure of such information."[170]  The consent to use the information must contain:

(A) A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations;[171] and

(B) A description of any protected health information that will not be used or disclosed.[172]

For example, if the covered entity/researcher intends to seek reimbursement from the research subject's health plan for routine costs of care associated with the protocol, the authorization must describe the types of information that will be provided to the health plan.[173]

The rule also creates a new review body called a "Privacy Board."  A privacy board must: (1) have members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights; (2) have at least one member who is not affiliated with the covered entity and not affiliated with any entity conducting or sponsoring the research; and (3) not have any member participating in a review of any project in which the member has a conflict of interest.

The HIPAA final privacy rule provides a mechanism for researchers to obtain a waiver of the authorization requirements for use of protected health information (PHI) for research purposes.  The final rule provides that IRBs or the privacy boards created by HIPAA have authority to make exceptions to the authorization requirements.  The focus of the review is whether the privacy interests of the individual will be adversely affected.[174]  A covered entity may receive authorization to use or disclose protected health information.  Specifically, the regulations state as follows:

(2) Documentation of waiver approval by the Privacy Board or IRB.  For a use or disclosure to be permitted based on a Privacy Board action, the documentation must include all of the following:

•  Identification and date of action.  A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;

•  Waiver criteria.  A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

    •  The use or disclosure of protected health information involves no more than minimal risk to the individuals;

    •  The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;

    •  The research could not practicably be conducted without the alteration or waiver;

    •  The research could not practicably be conducted without access to and use of the protected health information;

    •  The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

    •  There is an adequate plan to protect the identifiers from improper use and disclosure;

    •  There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and

    •  There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.

•  A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure;

•  A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought.  If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair.[175]

An IRB must follow the requirements of the Common Rule, including the normal review procedures.  To use personally identifiable health information without the authorization of the individual, the researchers must document: (A) the use or disclosure of protected health information involves no more than minimal risk to the individuals; (B) the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals; (C) the research could not practicably be conducted without the alteration or waiver; (D) the research could not practicably be conducted without access to and use of the protected health information; (E) the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research; (F) there is an adequate plan to protect the identifiers from improper use and disclosure; (G) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and (H) there are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted.[176]

The research community, including leading universities, medical schools, scientific societies, and pharmaceutical research, medical device and biotechnology firms, has expressed concerns regarding the impact the Privacy Rule will have on research.  "The academic and industry research communities believe that the rule's restrictions on the use and disclosure of protected health information for research purposes and limits on retention of research data will seriously impair our ability to conduct clinical trials, clinico-pathological studies of the natural history and therapeutic responsiveness of disease, epidemiologic and health outcome studies, and genetic research."[177]

(c)  HIPAA Shortcomings

The HIPAA Privacy Rule does not directly apply to researchers who are not also directly treating patients.  The Privacy Rule applies to individually identifiable health information gained in the course of medical treatment.  "The odd result is that for research involving treatment, PHI is protected by this special authorization requirement, but for research that does not involve treatment (which includes research that may yield vital and possibly harmful PHI, such as, for example, personal genetic information), no such special authorization is specifically required.  The best practice, nevertheless, would be for IRBs, institutions and researchers to require these authorizations for all human subjects research, regardless of whether that research includes medical treatment."[178]

(2) Michigan Law

Michigan law regarding the use of medical records for purposes of research is limited.  The relevant statute provides that data, including written reports, statements, notes, memoranda and other records, shared with the department in the conduct of a medical research project for the purpose of reducing the morbidity or mortality from any cause or health condition are confidential and shall be used solely for medical research purposes.  The statute reads as follows:

Sec. 2631.  Confidentiality of Information

The information, records of interviews, written reports, statements, notes, memoranda, or other data or records furnished to, procured by, or voluntarily shared with the department in the conduct of a medical research project, or a person, agency, or organization which has been designated in advance by the department as a medical research project which regularly furnishes statistical or summary data with respect to that project to the department for the purpose of reducing the morbidity or mortality from any cause or condition of health are confidential and shall be used solely for statistical, scientific, and medical research purposes relating to the cause or condition of health.[179]

This provision was enacted as a part of the Public Health Code of 1978.  The provision is limited to research conducted by the Department of Community Health and does not apply to other medical research conducted in the State of Michigan.  The law does not provide any express penalties for violation.  MCL 333.2632 provides that furnishing data to the department in the conduct of a medical research project does not result in the loss of a privilege protecting the data.

MCL 333.2619 provides for the establishment of a registry for cancer cases and other specified diseases.  The law states, "(3) the department shall maintain comprehensive records of all reports submitted pursuant to this section.  These reports shall be subject to the same requirements of confidentiality as provided in section 2631 for data or records concerning medical research projects."[180]  This provision is limited to the Department and to designated persons, agencies, or organizations that are provided the information by the department for research purposes.  A cancer registry developed by a hospital, university or other organization is not covered by the provision.

(3)  Other States

A state that has legislatively addressed, in a comprehensive manner, access to health information for purposes of research is Minnesota.  In 1997, Minnesota passed a progressive law to protect the privacy of individuals' health information.  The law provides that patients' health records cannot be used for research purposes without a reasonable effort to obtain the patient's written consent.[181]  Specifically, providers must obtain the patient's consent for release of health records in writing.  Authorization may be established if an authorization is mailed at least two times to the patient's last known address with a postage-prepaid return envelope and a conspicuous notice that the patient's medical records may be released if the patient does not object.

In commentaries on the law, researchers within the state of Minnesota expressed their concern as to how the law would adversely impact the research enterprise within the State of Minnesota.[182]  This law has provided an opportunity for researchers to study whether a requirement to obtain consent prior to release of health information for research purposes would adversely affect the ability to conduct research.  A 1999 study found that "Requiring a patient informed consent to gain access to medical records for a specific research study was associated with a low participation rate among members of one health plan in this observational study."[183]  In the study, only 53% of the individuals contacted to participate responded; only 19% authorized the use of their medical records and 34% declined.

V.  Sensitive Medical Information

Certain types of medical information pose special privacy concerns because of the high potential for discrimination or stigmatization that often results from dissemination of such information.  This category, generically described as "sensitive medical information," includes information pertaining to HIV/AIDS, mental health or substance abuse treatment, abortion, child abuse and genetic information.

A.  Mental Health Information

(1)  Michigan Law

Michigan law has numerous special requirements for medical information pertaining to mental health services.  One important statutory provision states that information contained in a record or acquired in the course of providing mental health services to a patient "shall be kept confidential and shall not be open to public inspection."[174]  Once this general statement is made, however, the statute goes on to establish three separate categories of possible disclosure: (1) situations in which disclosure must be made; (2) situations in which disclosure may be made, provided patient consent (or a relevant proxy, such as a guardian) is obtained; and (3) situations in which disclosure may be made at the discretion of the record holder, without the need for patient consent.

With regard to the first category, i.e., situations in which disclosure of mental health information must be made, the statute lists seven (7) such situations: (1) compliance with a subpoena issued by a court or legislature; (2) to prosecuting attorneys as needed to participate in a proceeding governed by the act; (3) to the patient's attorney (but only if the patient or, if applicable, his/her guardian or parent, consents); (4) if needed to comply with another provision of law; (5) if needed by the department of mental health; (6) if needed by the office of the auditor general; and (7) to a surviving spouse (or, if no surviving spouse, to the individual(s) most closely related to the patient within the 3d degree of consanguinity) for the purpose of applying for and receiving benefits.[175]

With regard to the second category, i.e., situations in which disclosure may be made with the consent of the patient (or, if applicable, his/her guardian, custodial parent, a court-appointed personal representative of the patient, or the executor of the estate of a deceased patient), there are two (2) situations specified: (1) disclosure to another provider who is providing mental health services to the patient; or (2) disclosure to the patient (or his/her guardian or, if the patient is a minor, the patient's parent) unless the holder of the information expresses its judgment, in writing, that "disclosure would be detrimental to the recipient or others."[176]

Finally, the statute sets forth a third category, wherein disclosure of mental health information may be made by the record holder, without the need for obtaining the patient's (or anyone else's) consent.  This type of disclosure is permissible in the "discretion of the holder of the record" and is limited to three situations: (1) as needed for the patient to apply for or receive benefits; (2) as needed for the purpose of outside research, evaluation, accreditation, or statistical compilation; and (3) to a provider of mental health or other health services or a public agency if "there is compelling need for disclosure based upon a substantial probability of harm to the recipient or other individuals."[177]  In the situation permitting disclosure for research, evaluation, accreditation, or statistical compilation, the statute specifies that the mental health information disclosed must be stripped of identifiable information "unless the identification is essential in order to achieve the purpose for which the information is sought or if preventing the identification would clearly be impractical, but not if the subject of the information is likely to be harmed by the identification."[178]

In addition, there is a special Michigan statute that imposes upon mental health professionals a duty to disclose a communication by a patient involving a threat of physical violence against a reasonably identifiable third party, provided the patient has the apparent intent and ability to carry out such threat in the foreseeable future.[179]  The mental health professional may generally discharge this duty by hospitalizing the patient or communicating the threat to the third party and relevant law enforcement authorities.[180]  Mental health professionals and licensed mental health facilities are also under a statutory duty to report suspected criminal abuse of their patients to relevant law enforcement authorities, provided there is reasonable cause to suspect such abuse.[181]

Michigan law also provides special statutory protection for the mental health records of prisoners,[182] which is essentially the same as the protection afforded to mental health information of non-prisoners, with one important difference: all of the disclosures of prisoners' mental health information permitted by the statute are permissive, not mandatory.[183]  As mentioned above, the statute establishing confidentiality of non-prisoner mental health information lists seven (7) instances in which disclosure of such information is mandatory.[184]  These same seven instances are listed in the prisoner confidentiality statute (with one relatively minor difference[185]), but they are permissive rather than mandatory disclosures.  Thus, the holder of a prisoner's mental health records is not required to disclose in these seven situations, whereas the holder of a non-prisoner's mental health records is required to disclose.  Ironically, in this regard, prisoners appear to enjoy a greater right to privacy with regard to mental health information than do non-prisoners.

(2)  Federal Law

HIPAA provides heightened protection to "psychotherapy notes."[186]  For most purposes, a covered entity may not disclose information contained in psychotherapy notes without specific patient authorization.[187]  A health plan may not condition enrollment in the plan or provision of benefits under the plan upon an individual providing authorization for disclosure of psychotherapy notes.[188]

B.  Substance Abuse Information

(1)  Michigan Law

Michigan law provides that records maintained in connection with a substance abuse treatment, rehabilitation, prevention, or emergency medical service are confidential.[189]  Disclosure may be made with the patient's written consent in three situations: (1) to health professionals for the purpose of diagnosing or treating the patient; (2) to any governmental personnel for the purpose of obtaining benefits to which the patient is entitled; or (3) to any other person specifically authorized by the patient.[190]  Disclosure may also be made without the patient's consent in four situations: (1) to medical personnel to the extent necessary to meet a bona fide medical emergency; (2) to qualified personnel for the purpose of conducting scientific research, financial audits or program evaluations, provided the identity of the individual is not disclosed by such personnel; (3) as ordered by a court of competent jurisdiction in order to determine whether an individual is under treatment by an agency; and (4) as ordered by a court for purposes of conducting a hearing to determine the need of a minor for substance abuse rehabilitation or treatment.[191]

There is a separate state statute that authorizes a treating physician (or other health professional acting on the advice and direction of a treating physician) to disclose information relating to substance abuse treatment given to or needed by a minor to the minor's spouse, parent, guardian or person in loco parentis.[192]  This disclosure may be made for medical reasons in the judgment of the treating physician or other health professional, even if the minor expressly objects.[193]

(2)  Federal Law

Federal law provides that any program relating to substance abuse education, prevention, training, treatment, rehabilitation or research which is conducted, regulated, or directly or indirectly assisted by any U.S. department or agency shall keep patient records confidential.[194]  The statute provides for four general categories of exceptions to this general rule of confidentiality: (1) substance abuse records may be disclosed with the prior written consent of the patient;[195] (2) they may be disclosed (without patient consent) to "medical personnel to the extent necessary to meet a bona fide medical emergency;"[196] (3) they may be disclosed (without patient consent) to "qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation" except that, in conducting such research/audits/program evaluation, such personnel may not disclose the identity of any individual patient;[197] and (4) they may be disclosed (without patient consent) by court order upon a showing of good cause.[198]

The federal statute explicitly states that it does not preempt state laws regarding the reporting of incidents of suspected child abuse and neglect.[199]  Violations of the law are punishable by fines in accordance with Title 18 of the U.S. Code.[200]

The commentary section of the HIPAA privacy regulation acknowledges that there are a number of health care providers who will be subject to both the federal substance abuse confidentiality statute and the HIPAA final regulations.[201]  However, HHS states that, "in most cases, a conflict will not exist between these rules."[202]  This is so because, while the HIPAA privacy rules do permit providers to make disclosures not permitted by the substance abuse statute, the Agency emphasizes that "because these disclosures are permissive and not mandatory, there is no conflict.  An entity would not be in violation of the [HIPAA] privacy rules for failing to make these disclosures."[203]  In other words, while a provider may be permitted to disclose under HIPAA, he/she is not required to do so.  If he/she chooses not to disclose, there is no violation of either HIPAA or the federal substance abuse statute.  If, on the other hand, the provider chooses to disclose, he/she will not violate HIPAA, but may violate the federal substance abuse statute.  It is apparently left to the provider to choose whether or not to disclose under such circumstances.

C.  HIV/AIDS

(1)  Michigan Law

Michigan has numerous, scattered statutes relating to the privacy of medical information relating to HIV/AIDS.

As an initial matter, the statutes provide that all records relating to HIV/AIDS testing or test results are confidential under Michigan law.[204]  HIV- or AIDS-infected individuals may expressly authorize release of their HIV/AIDS records, but such authorization must be in writing.[205]  Information about HIV infection or AIDS may be released upon court order within tightly circumscribed parameters.[206]  The statute also permits disclosure to the state department, local health departments and health care providers if disclosure would (1) protect the health of an individual, (2) prevent further transmission, or (3) assist with the diagnosis and care of a patient.[207]  The information may also be disclosed to individuals who have had contact with the infected patient if the physician or local health officer determines that disclosure is needed to prevent a reasonably foreseeable risk of further transmission of the disease.[208]  Persons who violate the statute and release HIV/AIDS records without legal authority are subject to misdemeanor prosecution, with penalties of up to one year imprisonment and fines of not more than $5,000, in addition to civil liability for actual damages or $1,000, whichever is greater, plus costs and reasonable attorney fees.[209]

In addition to the above-referenced statute, Michigan has adopted a special statute dealing with the provision of treatment to minors who are, or who profess to be, infected with venereal disease or HIV.210  Specifically, the statute states that treating physicians (or other health professionals acting on the advice and direction of the treating physician) may, but are not obligated to, disclose "for medical reasons" the treatment given or needed to the minor's spouse, parent, guardian or person in loco parentis.211  Such disclosure may occur even if the minor objects thereto.212

 

State law also provides that individuals who apply for a marriage license must check off a box acknowledging that they have received information regarding the availability of HIV tests.213  If a marriage license applicant chooses to undergo such testing and the results are positive, the statute provides that the physician (or her designee) "immediately shall inform both applicants of the test results" and shall provide them with counseling.214

 

Police officers, fire fighters, and certain emergency medical personnel who assist a patient who is subsequently transported to a health facility may, in certain instances, be notified that the patient was subsequently tested for HIV, HBV or other infectious agents.215  If the police officer, fire fighter or other emergency medical personnel sustains a percutaneous, mucous membrane, or open wound exposure to the blood or bodily fluids of the emergency patient, they may request that the emergency patient be tested for HIV or HBV infection.216  If the results of such test(s) are positive, the results may be disclosed to the exposed individual,217 but the identity of the emergency patient shall not be revealed.218  The exposed individual who receives the results of a test performed on an emergency patient may disclose such information to others "only to the extent consistent with the authorized purpose for which the information was obtained."219

 

Blood banks or other health facilities that receive donated blood that is tainted with HIV are required to immediately notify the local health department of the violation.220

 

Women who undergo an initial examination for pregnancy or who have recently delivered an infant may be tested for venereal disease, HIV (or antibody to HIV), and hepatitis B.221  The statute makes it clear, however, that such tests are not required if the woman does not consent to be tested or if the health provider determines, in his/her professional opinion, that the tests are medically inadvisable.222  If such tests are performed on the woman, the statute provides that the health providers shall make and retain a record of the tests and the test results (or, if no such tests were provided, the record "shall contain an explanation of why the tests were not ordered.").223  The statute also states that the test results and records relating thereto are not public records but "shall be available to a local health department and to a physician who provides medical treatment to the woman or her offspring."224

 

Each incoming prisoner in a state correctional facility shall be tested for HIV (or antibody to HIV).225  If the prisoner tests positive and subsequently behaves in a manner that could transmit HIV to others, the prisoner must be housed in administrative segregation.226  In addition, each positive test result must be reported to the department of community health.227

 

(2)  Federal Law

 

Federal law provides that states may obtain federal grant money for carrying out programs to provide partner counseling and referral services, but only if the states receiving federal grant money comply with various federal requirements.228  One of the prerequisites for receiving federal grant money is that states must establish and carry out a program for partner notification (which must not disclose the identity of the infected individual).229  In addition, the state must require entities which provide HIV tests to "confidentially report the positive test results to the State public health officer in a manner recommended and approved by the Director of the Centers for Disease Control and Prevention, together with such additional information as may be necessary for carrying out such program."230

 

Another federal statute, enacted as part of the Violence Against Women Act, provides that the victim of a sexual assault may obtain an order from a U.S. District Court requiring that the defendant be tested for the presence of HIV.231  The test results may be communicated to both the victim and the defendant.232  If the initial test is negative, follow-up tests may be ordered by the court six and twelve months from the date of the initial test.233  The statute further provides that the victim may disclose the test results only to "any medical professional, counselor, family member or sexual partner(s) the victim may have had since the attack" and that "[a]ny such individual to whom the test results are disclosed by the victim shall maintain the confidentiality of such information."234  Any person who fails to maintain confidentiality of the test results may be held in contempt of court.235

 

D.  Other Sexually Transmitted Diseases

 

(1)  Michigan Law

 

An individual who is arrested and charged with certain crimes relating to enticing a child for immoral purposes,236 gross indecency,237 prostitution238 or criminal sexual conduct239 shall be examined or tested for venereal disease, hepatitis B, and for the presence of HIV or an antibody to HIV if the district court determines there is reason to believe the violation involved sexual penetration or exposure to a bodily fluid of the defendant.240  The examinations and tests administered shall be administered confidentially, except that the statute permits disclosure of test results in numerous situations: (1) to the victim or person who was exposed to the bodily fluids;241 (2) to the court or probate court;242 (3) to the state department of community health;243 (4) to the local health department;244 (5) to the department of corrections (if the defendant is placed in custody thereof);245 (6) as required by law;246 or (7) upon written authorization of the defendant.247

 

(2)  Federal Law

 

There currently is no federal law that specifically addresses the confidentiality of medical information relating to sexually transmitted diseases.

 

 

E.  Pregnancy/Abortion Services

 

(1)  Michigan Law

 

State law states that the identity and address of a patient who is provided information relating to abortion services or who consents to an abortion is confidential and may be disclosed "only with the consent of the patient or by judicial process."248  Given that the statute does not appear to require written consent, presumably oral consent is valid.  In addition, a local health department that possesses a record containing the identity of such a patient may release such information only to a physician (or qualified person assisting the physician) in order to verify the receipt of information required by law (i.e., Michigan requires that certain specific material be given to individuals seeking an abortion prior to obtaining an abortion) and must destroy any records containing the identity and address of the patient within 30 days after providing the patient with such information/counseling.249

 

Michigan law also requires disclosure of a minor's intent to obtain an abortion to at least one of the parents or the legal guardian of the minor.250  Consent must be obtained from both the minor and one of the parents or the legal guardian prior to performing an abortion on a minor.251  Violation of this provision is a misdemeanor and may be the subject of a civil action, with punitive damages awardable.252

 

A treating physician (or other health professional acting on the advice and direction of the treating physician) may also, for medical reasons, inform the putative father of a child, or the spouse, parent, guardian or person in loco parentis of a minor, as to health care provided or needed by that minor relating to prenatal and pregnancy related care.253  Such information may be disclosed by the treating physician or other health professional even if the minor expressly objects.254

 

(2)  Federal Law

 

There currently is no federal law specifically addressing the confidentiality of medical information relating to pregnancy or abortion services.

 

 

F.  Child Abuse Information

 

(1)   Michigan Law

 

Current state law provides that, upon written request by a Family Independence Agency (FIA) caseworker or administrator, a licensed health professional must release medical records that are pertinent to an investigation of child abuse if such records are needed to determine whether child abuse or neglect has occurred or to protect a child where there is a substantial risk of harm.255  Upon receiving such a request for medical records, the health professional must review the records to determine if there is information pertinent to the investigation.256  If pertinent information is contained in the record, the health professional shall release the record(s) within fourteen days of receiving the request therefor.257  The statute explicitly states that no health professional-patient privileges are applicable to medical information released pursuant to the statute.258

 

A separate state statute requires numerous persons not employed by FIA to report suspected child abuse or neglect, including health professionals such as physicians, coroners, dentists, registered dental hygienists, medical examiners, nurses, and licensed emergency medical care providers.259  Such reports must be made orally and immediately, by telephone or otherwise; a written report must be completed within 72 hours after making the initial oral report.260 

 

State law also provides that, prior to placing a child with foster parents, the foster parents shall be provided written information regarding the child's history of abuse/neglect, all known emotional and psychological problems, and any behavior problems that might present any risk to the foster family.261  The child placing agency shall explain to the foster parents that the information so provided about the child and the child's family is confidential.262  The statute does not provide a penalty for a violation of this confidentiality provision by the foster family.

 

(2)  Federal Law

 

There currently is no federal law regarding the confidentiality of medical information related to child abuse or neglect.

 

 

G.  Genetic Information

 

(1)  Michigan Law

 

"The advancement of human genetic technologies may prove the defining scientific achievement of the 21st century.  The success of the Human Genome Project in meeting its two main scientific goals—identifying the genes and sequencing the chemical bases in human DNA—ensures that the genetic revolution in science will continue apace as the new century progresses."263  The implications of the genetic revolution are only beginning to be unraveled by scientists.  By the year 2010, predictive genetic tests will be available for common conditions, allowing individuals who wish to know this information to learn their individual susceptibilities and to take steps to reduce those risks for which interventions are or will be available.264  By the year 2020 the pharmacogenomics approach for predicting drug responsiveness will be standard practice for a number of diseases.  Gene-based "designer drugs" will be introduced to the market for diabetes mellitus, hypertension, mental illness, and many other conditions.265

 

Today certain genetic information can be important in making healthcare decisions for the individual tested and for family members, but the information can also be misused.266  The State of Michigan has been a leader in genetic-related legislation.  The State legislature in 2000 enacted laws to protect individuals from employment discrimination.  An employer may not fail or refuse to hire, recruit or promote an individual because of a disability or genetic information that is unrelated to the individual's ability to perform the duties of a particular job or position.267  An employer may not discharge or discriminate against an individual with respect to compensation or terms, conditions or privileges of employment because of genetic information.268  An employer cannot require an individual to submit to a genetic test to provide genetic information as a condition of employment or promotion.269  The law does not prohibit an individual from voluntarily providing to an employer genetic information that is related to the employee's health and safety in the workplace, nor the employer from using the information if so provided.270  Health insurers, HMOs and nonprofit health care corporations cannot require enrollees, applicants, or their dependents to undergo genetic testing as a condition of issuing, renewing or continuing an expense-incurred health insurance policy, nor can they require an enrollee, applicant, or their dependents to disclose whether genetic testing has been conducted (or the results of those tests) as a requirement of application for health care benefits.271

 

The legislation enacted in 2000 was proposed as the result of the work of the Governor's Commission on Genetic Privacy and Progress, which released its Final Report and Recommendations in 1999.  The Commission studied three issues related to genetic privacy:  1. Is there a specific need for state privacy laws concerning genetic information?  2. Should there be any exceptions allowing physicians to disclose genetic information?  3. Should there be considerations for research?272

 

The Commission recommended that genetic information not have a special or exceptional status but be protected just as all medical information is protected.  The Commission concluded that research uses are important and access can be controlled in a way that keeps confidentiality intact.  The Commission determined that exceptions to confidentiality should exist for criminal investigations, court proceedings, paternity disputes, decedent identification, convicted criminals and newborn screening.  The Commission stated: "After the federal government enacts privacy legislation the state can conduct an analysis to determine the need for any state legislation."273

 

This Report to the Michigan Law Revision Commission provides an opportunity to determine whether further legislation may be needed to protect the privacy of personally identifiable genetic information.

 

(2) Federal Law

 

Genetic information that is collected by a researcher and not "created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse" is not covered by the Privacy Rule.274  A researcher could collect DNA samples and use them for research and conceivably be exempt from the Privacy Rule.  Genetic information that is collected for treatment purposes or by an employer or insurer would be covered by the rules.  Genetic information is not provided any special status or heightened protection under the Privacy Rule.

 

Several bills have been introduced to prohibit health insurance discrimination on the basis of genetic information. The Genetic Nondiscrimination in Health Insurance and Employment Act addresses the issue of privacy of genetic information:

 

(e) DISCLOSURE OF PROTECTED GENETIC INFORMATION- A group health plan, or a health insurance issuer offering health insurance coverage in connection with a group health plan, shall not disclose protected genetic information about an individual (or information about a request for or the receipt of genetic services by such individual or family member of such individual) to—

 

(1) any entity that is a member of the same controlled group as such issuer or plan sponsor of such group health plan;

 

(2) any other group health plan or health insurance issuer or any insurance agent, third party administrator, or other person subject to regulation under State insurance laws;

 

(3) the Medical Information Bureau or any other person that collects, compiles, publishes, or otherwise disseminates insurance information;

 

(4) the individual's employer or any plan sponsor; or

 

(5) any other person the Secretary may specify in regulations.275

 

The proposed federal law, if enacted, shall not be construed to supersede any provision of State law which establishes, implements, or continues in effect a standard, requirement, or remedy that more completely protects the confidentiality of genetic information or the privacy of an individual (or a family member of the individual) with respect to genetic information including information about a request for or the receipt of genetic services by an individual (or a family member of such individual) than does the proposed law.276

 

VI.  The Retention and Disposal of Medical Records

 

A.  Michigan Law

 

Michigan has numerous, scattered statutes and administrative rules dealing with the retention or disposal of various types of medical records.  There is clearly no uniform approach.

 

(1)  Health Maintenance Organizations

 

HMOs are required to maintain accurate clinical records for each currently enrolled member.277  If a patient dies or disenrolls from the HMO, the HMO must safely store and preserve the record, either electronically or as an original record or microfilm.278  The administrative rules do not specify the minimum time period for retention of inactive enrollee files, but do state that the HMO "shall adopt a policy concerning the length of time and provisions for the retention of inactive clinical records, which shall include a contingency plan for the retention of existing records in the event of cessation of operations."279

 

(2)  Nursing Homes

 

Nursing homes and nursing care facilities must maintain a clinical record for each patient in the home.280  These records must be maintained for a minimum of six (6) years from the date of discharge or, if the patient is a minor, three (3) years after the patient becomes an adult under state law, whichever is longer.281

 

(3)  Dentists' Offices

 

Dentists must maintain records of all dental treatments provided and must retain such records for at least ten (10) years after the performance of the last service to the patient.282

 

(4)  Hospices

 

Hospices must maintain records of services rendered and must retain them for at least five (5) years after death or discharge of the patient or, if the patient is a minor, at least three (3) years after the patient becomes an adult under state law, whichever is longer.283

 

(5)  Mental Health Hospitals, Sanatoria, & Psychiatric Facilities

 

Mental health hospitals, sanatoria, and psychiatric facilities must maintain current records on each patient.284  There is no minimum retention period specified in the statutes or administrative code.

 

(6)  Methadone Treatment Programs

 

Methadone treatment programs must maintain client records for a period of at least three (3) years after termination of treatment.285

 

(7)  Pharmacies

 

Pharmacies must preserve their prescription records for at least 5 years,286 including prescriptions for controlled substances.287

 

(8)  Alteration of Medical Records or Charts

 

The Michigan Penal Code makes it a felony for any health care provider to intentionally or willfully place (or direct another to place) in a patient's medical record or chart misleading or inaccurate information regarding diagnosis, treatment or cause of a patient's condition.288  A health care provider who recklessly places misleading or false information in a medical record or chart is guilty of a misdemeanor.289  Persons other than health care providers are also prohibited from altering medical records.  Non-providers who intentionally, willfully, or recklessly place or direct others to place misleading or inaccurate information in a medical record or chart are guilty of a misdemeanor.290

 

Michigan law also states that a health care provider who intentionally or willfully alters or destroys (or directs another to alter or destroy) a patient's medical records or charts for the purpose of concealing his or her responsibility for the patient's injury, sickness or death is guilty of a felony.291  Non-providers who engage in the same act are subject to misdemeanor punishment of imprisonment for not more than one year or a fine of not more than $1,000, or both.292  A private right of action is explicitly prohibited for violation of these statutory provisions.293

 

 

B.  Federal Law

 

(1) Mammography Facilities

 

Federal law requires that facilities performing mammography services must maintain a mammogram in the permanent records of the patient for a period of not less than 5 years, or not less than 10 years if no subsequent mammograms are performed at the facility (or longer if mandated by state law).294

 

(2) Controlled Substances Prescriptions

 

Pursuant to federal regulation, a DEA registrant must retain and make available inventories and records of controlled substances for at least 2 years from the date the drug is dispensed.295  Hospitals must maintain records showing the dates, quantity and batch or code marks of controlled substances used for inpatient substance abuse treatment or detoxification for at least 3 years.296

 

(3) Medicare Claims

 

The Medicare Intermediary Manual requires that providers who make claims for payment under the Medicare program must retain all original source documentation and medical records pertaining to the Medicare claim for at least 75 months after the claim is paid.297

 

(4) Blood & Blood Products

 

FDA regulations require that blood processing facilities must retain records of blood and blood product testing for not less than 5 years after the processing of the records has been completed, or 6 months after the latest expiration date, whichever date is later.298  If the blood or blood product does not have an expiration date, the records must be retained indefinitely.299

 

HHS regulations require clinical laboratories to retain records of blood and blood product testing for not fewer than 5 years after processing records have been completed, or 6 months after the latest expiration date, whichever is later.300

 

(5) Clinical Laboratory Reports

 

In addition to the requirement relating to blood and blood product testing just mentioned, federal regulations specify differing retention periods for records relating to various types of tests performed by clinical laboratories, including cytology (generally 5 years),301 histopathology and pathology (generally 10 years),302 and immunohematology (5 years).303  In addition, clinical labs must maintain the written authorization for any testing they perform for at least 2 years.304

 

(6) OSHA Employee Medical Records

 

Federal OSHA regulations require that any record regarding an employee's exposure to a toxic substance must be retained by the employer for at least the duration of employment plus 30 years.305  Records relating to an employee's exposure to noise must be maintained for at least 2 years.306

 

(7) HIPAA

 

HIPAA does not specify any time period for the retention or disposal of medical information.  The HIPAA provision granting individuals the right to access their own medical information, for example, merely states that such right of access exists only "as long as the protected health information is maintained in the designated record set."307

 

 

VII.  Issues Relating to the Privacy of Health Information on the Internet

 

There are thousands of health-related web sites.308  Individuals can surf the web for all types of health information, health advice, Internet extensions of physician group practices or hospital systems, online patient databases, and/or prescription and drug-related sites.  "eHealth is touted as the future of health care, promising to transform the way health care entities conduct business and change the way patients relate to their health care providers.  More than sixty-five million American Internet users have sought health and medical information online, and a study last fall by the Pew Internet & American Life Project showed that a significant number of them use this information to make important decisions about medical care for themselves and loved ones."309

 

(A)  Michigan Law

 

Michigan law does not provide any special protections for personally identifiable health information that is transmitted on the Internet.

 

 

(B)  Federal Law

 

HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit any health information in an electronic form in connection with a transaction covered by the Act.310  However, many health web sites are not owned or operated by a covered entity.  "Different rules may apply to different web sites offering the same services.  Because only web sites that fit within the definition of a 'covered entity' are required to comply with the privacy regulation, specific activities like filling a prescription, receiving e-mail alerts or getting a second opinion may be covered by the new regulation at one site and unregulated at another."311

 

Electronic records have a special vulnerability that does not exist in paper records.  Electronic transfer of information provides easy and efficient dissemination of the information, which can also create a greater chance of invasion of privacy.  "A report of the Health Privacy Project in 1999 documented that major health web sites lack adequate privacy policies, and their practices are often in conflict with their existing privacy statements."312

 

Health care-related web sites promote their ability to provide consumers greater control of their health care, claiming that the information they provide helps patients be partners with their health care providers in medical decisions.  However, numerous web sites require the consumer to provide personal information about their health.  Web sites also collect information regarding the user without their knowledge.  "A user might participate in a chat room where her e-mail address is used as well.  Additionally, a site may have banner advertisers that collect information without users ever knowing.  Many of these sites track users through cookies.  Cookie files allow a web site to know when a user has visited a site and each page the user visits to create online user profiles.  User profiles help sites determine what information, products, and services the visitor uses.  They also allow sites to deliver specific content to users based on their previous online activities.  Although cookies are only numbers assigned by a site to each user, personal data can be linked to the number when an individual provides identifiable information to the site (e.g., completing health assessments).  A 1999 study of health-related web sites found, however, that profiling is not generally disclosed or explained to visitors of a site."313

 

(C) HIPAA Shortcomings

 

Many web sites are not covered by HIPAA regulations because they are not a covered entity.314  "In effect the most popular web sites such as eDirects.com and drkoop.com will remain uncovered by the privacy rule because they are not run by health plans (such as health insurers or HMOs) or covered health care providers.  The result is that the same activities conducted at different web sites will be subject to different legal treatment."315

 

Much information is transmitted that is not covered by the Privacy Rule.  "For users concerned about protecting their privacy, where they go (i.e., what sites they visit) will determine whether there are enforceable rules about how their health information is protected.  More often than not, however, users will be getting health information and services from web sites that are not covered at all by the new federal health privacy regulations.  Here are some examples of web sites that are not covered:

 

Some of the most popular health web sites are information-based.  In other words, they provide people with information about general fitness and nutrition (e.g., www.foodfit.com), medical conditions (e.g., www.drkoop.com), and treatment options (e.g., www.medigenesis.com).  Some offer a broad range of information, while others specialize in a certain drug or medical condition.  They do not have an offline existence where they engage in covered activities like treating patients.  They only furnish health information—they do not provide 'health care,' as it is defined in the federal regulation."316

 

Certain web sites assess health status and ask the user to provide information regarding their health.  "For example, www.HealthStatus.com offers free general health assessments as well as disease specific assessments to determine an individual's risk for some of the leading causes of death."317  These sites collect personal information that can give a third party personally identifiable health information of a sensitive nature.

 

A recent example of a privacy lapse involved Eli Lilly Pharmaceutical Company's web site for the drug Prozac.  On Prozac.com, the pharmaceutical company established a message service in which more than 669 individuals enrolled to receive messages reminding them to take the company's anti-depressant drug Prozac.  In June 2000 the pharmaceutical company discontinued the program and, while notifying the enrolled consumers that it was discontinued, disclosed the e-mail addresses of everyone who had signed up for the service.  Upon receiving a request to investigate from the American Civil Liberties Union, the Federal Trade Commission filed a complaint alleging that Lilly's privacy statement on its web site was deceptive because Lilly failed to maintain or implement internal measures appropriate to protect sensitive consumer information.

 

"The FTC complaint alleges that Lilly's claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional June 27th disclosure of Medi-messenger subscribers' personal information (i.e., e-mail addresses).  In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the e-mail.  Lilly's failure to implement appropriate measures also violated a number of its own written security procedures."318

 

Eli Lilly Company agreed to settle the complaint of unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com web site.  The Director of the FTC's Bureau of Consumer Protection stated: "Even the unintentional release of sensitive medical information is a serious breach of consumers' trust. … Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."319

 

Health care web sites have access to a significant amount of personal health information that is freely provided by consumers without any knowledge that the information may be disclosed to a third party without the individual's consent.  The HIPAA Privacy Rule does not apply to many of the organizations that are collecting this personal health information.

 

VIII.  Conclusion

The enactment of HIPAA has radically transformed the landscape for the privacy of medical information.  Important new federal privacy protections now in place are only beginning to be understood and implemented.  HIPAA's full impact will take months or years to be fully understood, and its intricate contours will likely continue to evolve as that impact becomes clearer.  Nonetheless, several areas not addressed (or inadequately addressed) by HIPAA have already emerged in which states (including Michigan) may wish to consider state legislative action.  These gaps include:

 

(1) Business Associates/Definition of Covered Entity:

(a)   General Limitations of Coverage for Business Associates

As detailed in this report, HIPAA does not directly regulate Business Associates of covered entities.  Thus, any entity that receives private health information but is not a provider, health plan, or health clearinghouse is not covered by HIPAA.  Although HIPAA attempts to indirectly regulate these Business Associates, this indirect regulation relies solely upon contractual provisions between the covered entity and the Business Associate.  Specifically, the covered entity's contract with the Business Associate must limit the Business Associate's use/disclosure of protected health information to that provided for by the contract or as required by law.  Furthermore, the contract must require that Business Associates notify the covered entity of any non-permitted use/disclosure of which the Business Associate becomes aware.  If a Business Associate breaches these contractual provisions, the covered entity may be held responsible under HIPAA, but only if the covered entity knew of a pattern of activity by the Business Associate that constituted a material breach of its contractual obligations.  Moreover, even if the covered entity has such knowledge, the covered entity will escape responsibility under HIPAA if it takes reasonable steps to cure or end the Business Associate's breach.

HIPAA's inability to directly regulate Business Associates is viewed as a significant shortcoming of the privacy regulations.  State legislatures (such as Michigan's) may wish to enact their own statutes that extend the HIPAA privacy protection regulations to Business Associates (as defined by HIPAA).  Such statutes would, of course, need to specify state enforcement mechanisms and penalties for non-compliance by Business Associates.

 

 

(b) Health-Related Web Sites

A category left particularly unregulated by HIPAA is the numerous health-related web sites that collect personal health information.  For example, web sites may collect information about an individual's medical condition or disease status and about over-the-counter and prescription drug usage.  Many of these web sites will not be "covered entities" subject to HIPAA.  Whether or not a health-related web site is covered by HIPAA will instead hinge upon who owns or controls the web site, a determination that the average consumer is not in a position to make.  Indeed, because of HIPAA's limited scope, two virtually identical web sites can be regulated differently: one subject to the stringent HIPAA protections, the other subject only to voluntary privacy policies (if any).

 

 

(2) Sensitive Medical Information

HIPAA essentially treats all protected health information the same.  The only exception to this general rule is for psychotherapy notes, which receive heightened protection, requiring a specific patient authorization (as opposed to the blanket consent form used for all other protected health information).  HIPAA thus does not provide any special protections for other types of sensitive health information, including information related to genetics, HIV/AIDS, substance abuse, pregnancy/abortion, child abuse, and sexually transmitted diseases.

Existing Michigan statutes that specifically address these categories of sensitive health information should, presumably, remain in effect post-HIPAA because they are more stringent than the federal privacy rules and thus not subject to preemption.  One category of sensitive health information not covered by Michigan law, however, is genetic information.  Although Michigan has recently enacted anti-discrimination statutes relating to genetic information, these statutes do not address or provide privacy protections for genetic information.  Additional privacy protections for genetic information may be desirable due to the stigmatization associated with such information, as well as the potentially broad-ranging adverse psychological and social effects on third parties (e.g., family members).  Indeed, the adverse impact on third parties caused by the dissemination of genetic information distinguishes genetic information from other types of sensitive health information and thus may necessitate additional protection here where it may not be warranted or necessary elsewhere.

The Michigan legislature thus may want to consider enacting additional statutes to provide heightened privacy protection for genetic information.  For example, other states, such as California, have recently enacted special privacy protections for genetic information that require the use of a separate authorization for the release of such information and impose penalties for breach of privacy relating to such information.

 

 

(3) Private Right of Action

As mentioned in this report, HIPAA's enforcement scheme does not permit an aggrieved citizen (whose privacy or right of access has been violated) to institute a civil suit to recover damages or seek appropriate injunctive relief.  HIPAA only permits the Secretary of HHS to seek civil and criminal penalties against a covered entity that violates the privacy regulations.  States (including Michigan) may wish to adopt their own statutes providing for a private right of action against covered entities (and Business Associates, if the state expands HIPAA to directly cover such Business Associates) for violation of the HIPAA privacy protections and/or denial of the patient's right of access.

 

 

(4) Marketing/Fundraising Communications

HIPAA permits covered entities to use/disclose protected health information for marketing or internal fundraising purposes, so long as the covered entity has obtained from the patient a general treatment, payment and health care operations consent form and provides the patient with the right to "opt out" of any future marketing/fundraising communications.  Some have criticized this approach as essentially providing entities with "one free pass" to use or disclose health information for such purposes.  States (including Michigan) thus may wish to consider enacting legislation that would prohibit covered entities from using/disclosing protected health information to engage in any marketing or fundraising communications unless the patient has provided specific authorization for the entity to use/disclose health information to send such communications.



[1] The survey was conducted by telephone with 1,000 adults between August 11 and August 26, 2000.  The margin of error of the survey is plus or minus 3 percent.  The full survey report may be found at http://forhealthfreedom.org/Gallupsurvey/.

[2] An additional 14% of those surveyed felt that it was "somewhat important" that medical records be kept confidential, 5% thought it was "not too important," and 3% felt that it was "not at all important."

[3] The results of this poll, conducted for the California HealthCare Foundation, are reported on the website of the Institute for Health Care Research and Policy, Georgetown University, at http://www.healthprivacy.org/usr_doc/Polling%20Data%2Epdf.

[4] Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified in various parts of 42 U.S.C.).

[5] Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(1), 110 Stat. 2033 (1996).

[6] Id.

[7] 64 Fed. Reg. 59,918 (Nov. 3, 1999).

[8] 65 Fed. Reg. 82,801 (Dec. 28, 2000).

[9] Id. at 82,799 (defining "health plan").  The definition of health plan is extremely broad, including, inter alia, self-insured ERISA plans, HMOs, traditional insurers, Medicare, Medicaid, Medigap policy issuers, issuers of long-term care insurance policies, employee welfare benefit plans that offer health benefits, CHAMPUS, the Indian Health Service, and SCHIP plans.  Id.  See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(5).

 

 

[10] "Health care clearinghouse" is defined as a "public or private entity, including a billing service, repricing company, community health management information system or community health information system, and 'value added' networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity."

Id. at 82,799.  See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(2).

[11] "Health care provider" is defined to include "any [] person or organization who furnishes, bills, or is paid for health care in the normal course of business."  Id.  See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(3).

[12] Examples of the transmission of health information in electronic form include, inter alia: the filing of health claims or equivalent encounter information, enrollment or disenrollment in a health plan, determining eligibility for a health plan, health plan payment and remittance, and referral certification and authorization.  See Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1173(a)(2).

[13] See 65 Fed. Reg. 82,799 (defining "covered entity").

[14] 65 Fed. Reg. 82,802 (Section 164.104).

[15] See generally 45 C.F.R. § 162.100 et seq.  See also 65 Fed. Reg. 50,312 (Aug. 17, 2000).

 

[16] Administrative Simplification Compliance Act, Pub. L. No. 107-105, 115 Stat. 1003, at § 3.  This law was signed by President Bush on December 27, 2001.

[17] Id.  The Administrative Simplification Compliance Act does state that the Secretary of HHS "shall waive" the requirement for submission of claims in electronic format if: (1) there is no method available for the submission of claims in an electronic format; or (2) the entity submitting the claim is a small provider of services or supplier; and (3) may waive the requirements in such unusual circumstances as the Secretary finds appropriate.  Id.  See also id. at § 3(a)(2) (defining "small provider").

[18] See 65 Fed. Reg. 82,798, § 160.103 (defining "business associate").

[19] The contract may permit the Business Associate: (1) to "use and disclose protected health information for the proper management and administration of the business associate"; and (2) to "provide data aggregation services relating to the health care operations of the covered entity."  Id. at 82,808, § 164.504(e)(2)(i).

[20] Id. at § 164.504(e)(2)(ii).

[21] Id. at 82,808, at § 164.504(e)(1)(ii).

[22] Id.

[23] Id. at 82,801.  The Secretary may waive the 180-day time limit for good cause.  Id.

[24] Id. at 82,802.

[25] Id.

[26] Id.

[27] See Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(2), 110 Stat. 2033 (1996) ("A [health privacy] regulation promulgated [by HHS] shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed by the regulation.").

 

[28] See id. at 82,801.  The final regulation defines a "more stringent" state law as one which meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or

(ii) To the individual who is the subject of the individually identifiable health information.

(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.

(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Id. at 82,800-01.

[29] Id. at 82,800.

[30] Id. at 82,801.

[31] Id.

[32] Id.

[33] Id.

[9] The effective date is extended by one year, to April 14, 2004, for small health plans.

[10] Mich. Comp. Laws § 333.20201(1) (2001).

 

[11] Id. at § 20201(2)(b).  Covered facilities include ambulance operations, clinical laboratories, county medical care facilities, freestanding surgical outpatient facilities, health maintenance organizations, homes for the aged, hospitals, nursing homes, and hospices.  See id. at § 333.20106(1)(a)-(k) (defining "health facility or agency").

[12] Id. at § 333.20203(1).  The statute goes on to say that the enumeration of patients' rights and responsibilities "shall not be construed to expand or diminish other remedies at law available to a patient or resident under this code or the statutory and common law of this state."  Id. at § 333.20203(2).

[13] Id. at § 333.20165(1)(f).

[14] Id. at § 330.1748(4).

[15] Id. at § 330.1748(4).

[16] Id. at § 330.1748(6).

[17] Id. at § 330.1749.

[18] Id.

[19] 5 U.S.C. § 552a.

[20] Id. at § 552a(d).  Numerous agencies are exempted from Privacy Act requirements, including the Central Intelligence Agency and agencies "which perform[] as its principal function any activity pertaining to the enforcement of criminal laws."  See id. at § 552a(j).

[21] See id. at § 552a(m).

[22] CMS is the new name for the former Health Care Financing Administration ("HCFA"), the federal agency charged with administering the Medicare and Medicaid programs.  CMS and its contractors collect personally identifiable information on Medicare patients, inter alia, to pay claims, determine benefits eligibility, make payment to managed care plans, monitor fraud and abuse, administer the secondary payer program, and conduct research and demonstration projects.

[23] 5 U.S.C. § 552a(e)(3).

 

[24] Id. at § 552a(g)(1)(B).

[25] Id. at § 552a(g)(3)(A).

[26] Id. at § 552a(g)(3)(B).

[27] See 42 U.S.C. § 1396r.  See also id. at § 1396r(a) (defining "nursing facility").

[28] Id. at § 1396r(b)(6)(C).

[29] Id. at § 1396r(c)(1)(A)(iv).

[30] Id.

[31] 42 U.S.C. § 1395w-22(h)(3).

[32] 42 C.F.R. § 422.118(d).

[33] 42 U.S.C. § 263b(f)(1)(G)(i)(II).

[34] See 42 C.F.R. § 900.12(c)(4)(ii).

[35] "Protected health information" is broadly defined in the final regulation as "individually identifiable" health information that is transmitted or maintained in any medium, whether electronic, oral, or written.  65 Fed. Reg. 82,805.  "Individually identifiable" health information is defined as information that identifies the individual and is created by a provider, health plan, employer, or health care clearinghouse that "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."  Id. at 82,804.

 

[36] 65 Fed. Reg. 82,554, 82,823.  The final regulation makes clear that health information that is not used to make treatment or payment decisions is not accessible to the patient.  Examples given are "information systems that are used for quality control or peer review analyses."  See id. at 82,554.

[37] Id. at 82,806.  The regulations specify acceptable ways in which health information may be de-identified.  See id. at 82,818.

[38] Id. at 82,823.

[39] Id. at 82,823-24.

[40] Id. at 82,823.

[41] Id. at 82,554.

[42] Id.

[43] Id.

[44] Id. ("We note, however, that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.").

[45] Section 164.524(d), at 323-24.

 

[46] See id. at 82,823.

[47] See id. at 82,555.

[48] Id.

[49] Id.

[50] Id.

[51] Id.

[52] Id.

[53] Id.

[54] Id.

[55] Id. at 82,557.  The reviewer must make a determination "within a reasonable period of time," id., and the covered entity must then promptly notify the patient, in writing, of the reviewer's decision.  Id.

 

[56] Id. at 82,555.  The regulations state that "[t]he most commonly cited example is when an individual exhibits suicidal or homicidal tendencies."  Id.

[57] Id.

[58] Id.

[59] Id. at 82,555-56.

[60] Id. at 82,556.

[61] Mich. Comp. Laws § 333.16221(e)(ii).

[62] Id. at § 333.16235(l).

[63] Id. at § 333.16221(h).

[64] Id. at § 333.16243(a).

[65] Id. at § 550.1406(l).

[66] Mich. Comp. Laws § 600.2157.  The statute also provides for situations in which the privilege may be waived.  Id.

 

[67] See id. at §§ 333.18237, 333.20175.

[68] See, e.g., id. at § 333.16221(e).

[69] Id. at § 333.16221(e)(ii).

[70] Mich. Comp. Laws § 333.20201.

[71] Id.

[72] There is a possibility that a patient could sue his/her physician under common law privacy torts, such as the tort for publication of private facts or intrusion into seclusion.  There is also the possibility, of course, that the state could take adverse action against the provider for "unprofessional conduct."

[73] See Mich. Comp. Laws § 333.20203.  Again, as with the issue of patient access to his/her own records, there is the possibility of administrative fines being levied against a facility that actually denies the patient's rights.  Mich. Comp. Laws § 333.20165.

[74] Mich. Comp. Laws § 550.1406(l).

[75] Id. at § 550.1406(2).

[76] Id. at § 550.1406(2)(c).

[77] Id. at § 550.1406(3)-(4).

[78] Id. at § 550.1406(1).  See also id. at § 550.1105 (defining "health care corporation"); id. at § 550.1107 (defining "personal data").  The statute does permit a health care corporation to release, by telephone, a patient's information to the patient him/herself, provided the identity of the patient can be established.  Id. at § 550.1406(1).

 

[79] Id. at § 550.1406(l).

[80] Id.

[81] Id. at § 333.17752(2).

[82] Id. at § 333.17768.

[83] See id. at § 550.902(k) (defining "Third Party Administrator" as "a person who processes claims pursuant to a service contract and who may also provide 1 or more other administrative services pursuant to a service contract . . . .").

[84] Id. at § 550.934(l).

[85] Id. at § 550.934(1)-(2).

[86] Id.

[87] See id. at § 550.940 (defining prohibited conduct under the Third Party Administrator Act).  See also id. at § 550.950 (establishing penalties for violating the statute).

[88] Id. at § 333.16648(l).

[89] For a complete list of exceptions, see Mich. Comp. Laws § 333.16648(2).

 

[90] Id. at § 333.21743(2).

[91] Id. at § 550.1406(1).

[92] See id. at § 333.21743(2).

[93] Id. at § 333.20155(11).

[94] 5 U.S.C. § 552a(b).

[95] CMS is the new name for the former Health Care Financing Administration, the federal agency charged with administering the Medicare and Medicaid programs.

[96] 5 U.S.C. § 552a(b)(1)-(12).

[97] Id. at § 552a(b)(1).

[98] Id. at § 552a(b)(3).

[99] Id. at § 552a(a)(7).

[100] Id. at § 552a(e)(6).

[101] Id. at § 552a(e)(8).

[102] Id. at § 552a(g)(4).

[103] Id. at § 552a(i)(1).

[104] Id. at § 552a(i)(3).

[105] 42 U.S.C. § 1396r(c)(1)(A)(iv).

[106] 42 U.S.C. § 1395bbb(a)(1)(C).  A separate statute requires that home health agencies actually maintain clinical records for each patient.  42 U.S.C. § 1395x(o)(3).

[107] The statutory provisions cited as authorizing this regulation are very general, merely providing the HHS Secretary with the authority to prescribe "such regulations as may be necessary" to carry out the Medicare program.  See 42 U.S.C. § 1395hh(a).

 

[108] See 42 C.F.R. § 482.24.

[109] Id. at § 482.24(b)(1).

[110] Id. at § 482.24(b)(3).

[111] Id.

[112] Id.

[113] 42 U.S.C. § 1395w-22(h)(1).

[114] 42 C.F.R. § 422.118(a)-(b).

[115] C.F.R. § 164.512(d).

[116] A "direct treatment relationship" is defined as "a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship."  Id. at 82,803.  An "indirect treatment relationship" is defined as "a relationship between an individual and a health care provider in which: (1) The health care provider delivers health care to the individual based on the orders of another health care provider; and (2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports of the individual."  Id. at 82,804.  Providers with indirect treatment relationships to patients are not required to obtain the patient's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.  Id. at 82,810.

[117] "Disclosure" is defined as "the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."  Id. at 82,803.

[118] "Use" is defined as "the sharing, employment, application, utilization, examination, or analysis of [individually identifiable] information within an entity that maintains such information."  Id. at 82,805.

[119] 65 Fed. Reg. 82,510, 82,810, at § 164.506(a).  "Health care operations" is broadly defined and includes, inter alia, such things as quality assessment, reviewing the competency of providers or health plans, accreditation, licensing, or credentialing activities, underwriting, medical review, auditing, fraud and abuse detection and compliance, and business planning, development, or management.  See id. at 82,803-04.

[120] Id. at 82,810.

[121] Id.  See also id. at 82,820 (detailing the notice requirements).

[122] Id. at 82,810.  If a covered entity agrees to a requested restriction by a patient, the restriction is binding on the entity.  Id.  In addition, a written revocation of consent to disclosure by a patient is only valid to the extent that the covered entity has not taken action in reliance on the patient's consent.  Id.

[123] See id. at 82,810, at § 164.506(a)(4).

[124] Id. at 82,810, at § 164.506(b).

[125] See id. at 82,511.

[126] Id. at 82,649.

[127] Id. at 82,811.  There are a few limited exceptions where such a condition may be imposed.  See id.

[128] Id. at 82,812.

[129] See generally id. at 82,813-18 (listing uses and disclosures for which consent is not required).

[130] Id. at 82,525.

[131] Id.

[132] Id. at 82,528.

[133] Id. at 82,524-25.

[134] Id. at 82,531-33.  This includes administrative and civil proceedings.  Id. at 82,531.  The final rules also explicitly state that covered entities are permitted to disclose protected health information for law enforcement purposes as required by other law, including state law.  Id.

[135] Id. at 82,529.

[136] Id. at 82,526.

[137] Id. at 82,534.

[138] Id.

[139] Id. at 82,477.  The final rule states that "the procurement or banking of organs, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be health care under this rule and the organizations that perform such activities would not be considered health care providers when conducting these functions."  Id.

[140] Id. at 82,535.

[141] Id. at 82,527.

[142] Id. at 82,542.

[143] See id. at 82,544, 82,819.

[144] "Marketing" is defined in the regulation as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service."  65 Fed. Reg. 82,804 at § 164.501.

[145] Id. at 164.514(e)(2)(A); see also id. at 82,545 (discussing intent behind marketing provisions).

[146] Id. at 82,819 at § 164.514(e)(2)(B); see also id. at 82,545 (discussing intent behind marketing provisions).

[147] 65 Fed. Reg. 82,819 at § 164.514(e)(2)(C); see also id. at 82,820 at § 164.514(e)(3)(i).

[148] See id. at 82,546 (discussing intent behind this provision).

[149] An "institutionally related foundation" is a foundation that qualifies for Internal Revenue Code Section 501(c)(3) status and that has, in its charter statement, an explicit linkage to the covered entity.  65 Fed. Reg. 82,546.

[150] For details on the information that must be divulged in the covered entity's notice of privacy practices, see 65 Fed. Reg. 82,820-21, § 164.520(b)(1).

[151] See id. at 82,820, § 164.514(f)(2)(i).

[152] Id. at § 164.514(f)(2)(ii).

[153] Id. at 164.514(f)(1)(i)-(ii).

[154] Id. at 82,826, at § 164.528.

[155] Id.  Exceptions are also made for disclosures for national security or intelligence purposes, to correctional institutions or law enforcement officials, etc.  See id. at § 164.528(a).

[156] Id. at § 164.528(b).

[157] Id. at § 164.528(c)(1).  Under certain narrow circumstances, the covered entity may extend the time frame for providing the accounting by up to 30 days.  Id.

 

[158] 5 U.S.C. § 552 et seq.

[159] Gostin, Health Services Research: Public Benefits, Personal Privacy and Propriety Interests, 129 Annals Med (10)83.

[160] "As the fundamental nature of care, and of health data and their uses, is changing dramatically, society must, now, examine and redecide how much it cares about protecting health privacy.  Health researchers must be certain that they are taking all reasonable measures to safeguard the data they collect and use, and to maintain the respect for privacy that is embodied in the very compact with society under which they work.  And society must reformulate and update some of the rationales and criteria under which the health experience of individuals may be studied to benefit society."  Lowrance, W.W., Privacy and Health Research, at http://aspe.os.dhhs.gov/adminsimp/PHRintro.htm.

[161] 21 C.F.R. § 46.111(a)(7).

[162] "Q: Do the Privacy Rule's requirements for authorization and the Common Rule's requirements for informed consent differ?  A: Yes. Under the Privacy Rule, a patient's authorization will be used for the use and disclosure of PHI for research purposes. In contrast, an individual's informed consent as required by the Common Rule and FDA's human subjects regulations is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of PHI."  Office of Civil Rights, HIPAA Privacy Technical Assistance, HHS, 164.512I.001, at http://www.hhs.gov/ocr/hipaa/research.html.

[163] 45 C.F.R. § 46.109 (1991).

[164] Id. § 46.116(a)(5).

[165] United States General Accounting Office, Report to Congressional Requesters, "Medical Privacy Records" (February 1999).

[166] Stout, Citing Safety, U.S. Stops Human Research Aid at Duke, The New York Times, May 12, 1999, at Sec. A, Col. 2; Brainard, Watchdog Agency Blocks New Human-Research Projects at U. of Illinois at Chicago, The Chronicle of Higher Education, September 10, 1999, at 20.

[167] See 45 C.F.R. § 164.501 ("Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.").

[168] Protected Health Information (PHI) is individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

 

[169] 45 C.F.R. § 160.103.

[170] 45 C.F.R. § 164.508(f).

[171] Id. at (f)(1)(ii)(A).

[172] Id. at (f)(1)(ii)(B).

[173] Office of Civil Rights, HIPAA Technical Assistance, HHS, 164.512I.001, at http://www.hhs.gov/ocr/hipaa/research.html.

[174] See 45 C.F.R. § 164.512(i).

[175] Id. at C.F.R. § 164.512(i).

[176] C.F.R. § 164.512(2).

[177] Letter to HHS Secretary Thompson on HIPAA Privacy Regulations and Research, August 14, 2001, at http://www.aamc.org/research/Thompson.htm.  Mich. Comp. Laws § 333.2619(3) (1978).

[178] Barnes and Krauss, The Effect of HIPAA on Human Subjects Research, BNA Health Law Reporter Vol. 10 No. 26, pp. 1026 et seq. (June 28, 2001).

[179] Mich. Comp. Laws § 333.2619(3) (1978).

[180] Mich. Comp. Laws § 333.2631 (1978).

 

[181]The Minnesota statute provides:

 

(d) Notwithstanding paragraph (a), health records may be released to an external researcher solely for purposes of medical or scientific research only as follows:

    (1) health records generated before January 1, 1997, may be released if the patient has not objected or does not elect to object after that date;

    (2) for health records generated on or after January 1, 1997, the provider must:

        (i) disclose in writing to patients currently being treated by the provider that health records, regardless of when generated, may be released and that the patient may object, in which case the records will not be released; and

        (ii) use reasonable efforts to obtain the patient's written general authorization that describes the release of records in item (i), which does not expire but may be revoked or limited in writing at any time by the patient or the patient's authorized representative;

    (3) authorization may be established if an authorization is mailed at least two times to the patient's last known address with a postage prepaid return envelope and a conspicuous notice that the patient's medical records may be released if the patient does not object, and at least 60 days have expired since the second notice was sent; and the provider must advise the patient of the rights specified in clause (4);

    (4) the provider must, at the request of the patient, provide information on how the patient may contact an external researcher to whom the health record was released and the date it was released. In making a release for research purposes the provider shall make a reasonable effort to determine that:

        (i) the use or disclosure does not violate any limitations under which the record was collected;

        (ii) the use or disclosure in individually identifiable form is necessary to accomplish the research or statistical purpose for which the use or disclosure is to be made;

        (iii) the recipient has established and maintains adequate safeguards to protect the records from unauthorized disclosure, including a procedure for removal or destruction of information that identifies the patient; and

        (iv) further use or release of the records in individually identifiable form to a person other than the patient without the patient's consent is prohibited.

Minn. Stat. § 144.335-3a(d) (2001).

[182] "In addition to documenting clinical details that patients cannot readily recall, such information is crucial for identifying the patients who qualify for case-control studies of the cause of disease or for retrospective cohort studies of long-term prognosis or the effectiveness of treatment. Such studies complement prospective investigations and clinical trials, which invariably involve highly selected subgroups of patients. Under the new Minnesota law, patients who decline to provide the broad general authorization can be contacted to determine their willingness to participate in a particular study. This is administratively cumbersome, however, and it is likely that selection bias will be introduced into certain studies, especially at institutions unable to afford the considerable expense of obtaining prior authorization." Melton, The Threat to Medical-Records Research, New Eng. J. Med. 337(20) 1466 (1997).

[183] Douglas, et al., Medical Records and Privacy: Empirical Effects of Legislation, HSR 34(1), Part II, 417-25, 422 (April 1999).

 

174 Mich. Comp. Laws § 330.1748(1).

175 Id. at § 330.1748(5).

176 Id. at § 330.1748(6).

177 Id. at § 330.1748(7).

178 Id. at § 330.1748(7)(b).

179 See id. at § 330.1946.

180 See id. at § 330.1946(2).

181 Id. at § 330.1723.

182 Id. at § 330.2004a(5).

183 Id. ("information pertaining to a prisoner receiving mental health services from the corrections mental health program may be disclosed under 1 or more of the following circumstances . . . .").

184 See id. at § 330.1748(5).

185 The difference is that, with non-prisoner records, one of the situations in which mandatory disclosure is required is "[t]o a prosecuting attorney as necessary for the prosecuting attorney to participate in a proceeding governed by this act." Id. at § 330.1748(5)(b). This exception is obviously not applicable to prisoners and thus is not found in the prisoner confidentiality statute. In its place, however, the prisoner confidentiality statute states that a record holder may disclose mental health information "[t]o the department of corrections if the information is necessary to protect the safety of the prisoner, other prisoners, or the public, or to protect the prisoner's interactions with others in the state correctional facility." Id. at § 330.2004a(5)(d).

186 "Psychotherapy notes" are defined as "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date." 65 Fed. Reg. 82,805.

 

187 Id. at 82,811. There are a few very limited exceptions wherein authorization is not required. See id.

188 Id.

189 Mich. Comp. Laws § 333.6111.

190 Id. at § 333.6112.

191 Id. at § 333.6113.

192 Id. at § 333.6161(2).

193 Id.

194 42 U.S.C. § 290dd-2(a). Substance abuse programs covered by the federal law thus include not only federally conducted or funded programs, but also federally licensed or certified programs and programs that are tax exempt. See 65 Fed. Reg. 82,482.

195 Id. at § 290dd-2(b)(1).

196 Id. at § 290dd-2(b)(2)(A).

197 Id. at § 290dd-2(b)(2)(B).

198 Id. at § 290dd-2(b)(2)(C). The statute says that good cause includes "the need to avert a substantial risk of death or seriously bodily harm." Id. It also specifies that, in determining whether good cause for disclosure exists, the court "shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services." Id.

199 Id. at § 290dd-2(e).

200 Id. at § 290dd-2(f).

201 See 65 Fed. Reg. 82,482.

202 Id.

203 Id.

204 Mich. Comp. Laws § 333.5131(1).

205 Id. at § 333.5131(5)(d).

206 See id. at § 333.5131(3). Information on HIV infection or AIDS may be released upon a court order or subpoena only if the court determines both: (1) that other ways of obtaining the information are not available or would not be effective; and (2) that the public interest and need for disclosure of the information outweighs the potential injury to the patient. Id. at § 333.5131(3)(a). If a court finds both of these requirements satisfied, the court must limit disclosure to those portions of the patient's record that are essential to fulfill the objectives of the court's order, to persons whose need for the information is the basis for the court's order, and include such other measures as considered necessary to limit disclosure for the protection of the patient. Id. at § 333.5131(3)(b).

207 Id. at § 333.5131(5)(a).

208 Id. at § 555.5131(5)(b) (this is the so-called "partner notification" law). There is also a special section that permits notification of HIV/AIDS status to an employee of a school district if disclosure is needed to prevent a reasonably foreseeable risk of transmission to students. Id. at § 555.5131(5)(c).

209 Id. at § 555.5131(8).

210 Id. at § 333.5127(1).

211 Id. at § 333.5127(2).

212 Id.

213 Id. at § 333.5119(2).

214 Id. at § 333.5119(3).

215 Id. at § 333.20191(1).

216 Id. at § 333.20191(2).

217 Id. at § 333.20191(4).

218 Id. at § 333.20191(5).

219 Id.

220 Id. at § 333.11101. The same statute states that an individual shall not sell or donate his/her blood knowing that he/she has tested positive for HIV or an antibody to HIV. Id. The statute does not, however, establish a penalty for violation of this provision.

221 Id. at § 333.5123(1).

222 Id.

223 Id. at § 333.5123(2).

224 Id. at § 333.5123(3).

225 Id. at § 791.267(2).

226 Id. at § 791.267(3).

227 Id. at § 791.267(4).

228 See generally 42 U.S.C. § 300ff-38.

229 Id. at § 300ff-38(b)(3)(B).

230 Id. at § 300ff-38(b)(2).

231 42 U.S.C. § 14011; see also United States v. Ward, 131 F.3d 335, 339-40 (3d Cir. 1997) (applying statute and discussing interpretation thereof).

232 42 U.S.C. § 14011(b)(1).

233 Id. at § 14011(b)(3).

234 Id. at § 14011(b)(5).

235 Id. at § 14011(b)(7).

236 Mich. Comp. Laws § 750.145a.

237 See id. at §§ 750.338 (gross indecency between male persons), 750.338a (gross indecency between female persons), 750.338b (gross indecency between male and female persons).

238 See id. at §§ 750.450 (aiders and abettors), 750.452 (keeping house of ill fame), 750.455 (pandering).

239 See id. at §§ 750.520b (criminal sexual conduct in the first degree), 750.520c (criminal sexual conduct in the second degree), 750.520d (criminal sexual conduct in the third degree), 750.520e (criminal sexual conduct in the fourth degree), 750.520g (assault with intent to commit conduct involving sexual penetration).

240 Id. at § 333.5129(3).

241 Id. at § 333.5129(5). If the victim is a minor, the statute permits disclosure of the test results to the minor's parents, guardian, or person in loco parentis. Id.

242 Id. at § 333.5129(6).

243 Id. at § 333.5129(6)(c).

244 Id. at § 333.5129(6)(b).

245 Id. at § 333.5129(7).

246 Id. at § 333.5129(6)(f).

247 Id. at § 333.5129(6)(e).

248 Id. at § 333.17015(19).

249 Id. at § 333.17015(20).

250 Id. at § 722.903.

251 Id.

252 Id. at § 722.907.

253 Id. at § 333.9132(4).

254 Id.

255 Mich. Comp. Laws § 333.16281(1).

256 Id.

257 Id.

258 This would include, inter alia, privileges such as the physician-patient privilege and the licensed professional counselor-patient privilege.

259 Mich. Comp. Laws § 722.623(1).

260 Id.

261 Id. at § 722.954(2).

262 Id. at § 722.954(3).

263 Lawrence O. Gostin, James G. Hodge Jr., and Cheye M. Calvo, Genetics Policy and Law: A Report for Policymakers, National Conference of State Legislatures (September 2001).

264 Francis S. Collins, Implications of the Human Genome Project for Medical Science, 285(5) JAMA 540-544, 543 (February 7, 2001).

265 Id. at 544.

266 "The collection, aggregation, and analysis of genetic information may be used to prevent or delay the onset of disease, alleviate the burden of illness, or assist people in planning their futures, but genetic information can be used for a variety of other, more controversial purposes not directly related to research or the delivery of appropriate medical care." Powers M., Justice and Genetics: Privacy Protection and Moral Basis of Public Policy, Chapter 19, Ethics and Law, 355-368.

267 Mich. Comp. Laws § 37.1202(1)(a).

268 Id. at (1)(b).

269 Id. at (1)(h).

270 Id. at (2).

271 Mich. Comp. Laws § 550.1401 and § 550.3407b.

272 Michigan Commission on Genetic Privacy and Progress, Final Report and Recommendations, February 1999, at 46.

273 Id.

274 Id. at 160.163. See Definition of Covered Entity and Health Information.

275 H.R. 602, 107th Congress, Genetic Nondiscrimination in Health Insurance and Employment Act, § 2754(c) (2001).

276 Id., H.R. 602, 107th Congress, § 2754(e) (Limitations on Genetic Testing and on Collection and Disclosure of Protected Genetic Information).

277 Mich. Admin. Code r. 325.6801(1) (2000); see also id. at 325.6805 (describing minimum contents of patient records).

278 Id. at 325.6810(1).

279 Id. at 325.6810(2).

280 Mich. Admin. Code r. 325.21102(1) (2000).

281 Id. at 325.21102(6). The statute specifies that if the nursing home goes out of business, the records must be transferred with the patient to another health care facility. Id. at 325.21102(7).

282 Mich. Comp. Laws § 333.16644(1) (2000); see also Mich. Admin. Code r. 338.11120 (2000).

283 Mich. Admin. Code r. 325.13109 (2000).

284 Mich. Comp. Laws § 330.1141 (2000); see also id. at § 330.1746; Mich. Admin. Code r. 330.1276 (2000).

285 Mich. Admin. Code r. 325.14419(1) (2000).

286 Mich. Comp. Laws § 333.17752(1) (2001). The statute does not specify precisely when the 5 year retention clock begins ticking, but presumably it requires retention of a record of each prescription for at least 5 years from the date the prescription was filled. See also Mich. Admin. Code r. 338.480a.

287 Mich. Comp. Laws § 333.7303a(3). See also Mich. Admin. Code r. 338.3153a(3).

288 Id. at § 750.492a(1).

289 Id. at § 750.492a(1)(b). The misdemeanor punishment is limited to imprisonment for not more than one year, or a fine of not more than $1,000, or both. Id.

290 Id. at § 750.492a(1)(c)-(d). The statute specifies that non-providers who act intentionally or willfully are subject to punishment of imprisonment of not more than one year, or a fine of not more than $1,000, or both. Id. at § 750.492a(1)(c). Non-providers who act recklessly, on the other hand, are guilty of a misdemeanor, although the statute does not specify any applicable penalty. Id. at § 750.429a(1)(d).

291 Id. at § 750.492a(2).

292 Id.

293 Id. at § 750.492a(4) ("This section does not create or provide a basis for a civil cause of action for damages.").

294 42 U.S.C. § 263b(f)(1)(G)(i)(I).

295 21 C.F.R. § 1304.04.

296 21 C.F.R. § 291.505.

297 Medicare Intermediary Manual, Pt. 3 (HCFA Pub. 13-3), § 3601.4.

298 21 C.F.R. § 606.160(d).

299 Id.

300 42 C.F.R. § 493.1107.

301 42 C.F.R. § 492.1257(g).

302 Id. at § 493.1259(b).

303 Id. at §§ 493.1107, 493.1109, 493.1777(d)(1); see also 21 C.F.R. § 606.160(d).

304 42 C.F.R. § 493.1105.

305 29 C.F.R. § 1910.1920. The medical records of employees who have worked for the employer less than one year need not be retained if the medical records are provided to the employee upon termination of employment. Id. at § 1910.20(d)(1)(i)(C).

306 Id. at § 1910.95(m)(3).

307 65 Fed. Reg. 82,823 (Dec. 28, 2000).

308 Eng, The eHealth Landscape: A Terrain Map of Emerging Information and Communication Technologies in Health and Health Care, The Robert Wood Johnson Foundation (2001).

309 Hudson, Exposed Online: Why the new federal health privacy regulation doesn't offer much protection to Internet users, Report of the Pew Internet & American Life Project, November 2001, at 1.

310 Id. § 160.102(a).

311 Id. at iii.

312 Id. at 5. Health care web sites have access to a significant amount of personal health information that is freely provided by consumers without any knowledge that the information may be disclosed to a third party without the individual's consent. The HIPAA Privacy Rule does not apply to many of these organizations that are collecting this personal health information. Report on the Privacy Policies and Practices of Health Web Sites, The California HealthCare Foundation (January 2000).

313 Id. at 18.

314 "For example, both the local bricks and mortar CVS drug store and CVS.com will be required to obtain written permission to use an individual's information to fill their prescription. In contrast, an online pharmacy that fills the same prescription but is not covered by the regulation, such as Abee Well Pharmacy, would not be required to obtain the patient's written permission since it does not accept insurance." Id. at 10.

315 Id. at 7.

316 Id. at 17.

317 Id.

318 Press Release, Federal Trade Commission, "Eli Lilly Settles FTC Charges Concerning Security Breach," File No. 012 3214, Jan. 18, 2002.

319 Id.