HIPAA: To Preempt or Not To Preempt? That is the Question (Especially in Litigation)
by Cheryl S. Camin, Esq., Gardere Wynne Sewell, LLP, Dallas, Texas
The Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have been enforceable since April 14, 2003 (for HIPAA covered entities except small health plans). Although it is now likely that most covered entities (covered healthcare providers, health plans, healthcare clearinghouses and Medicare Part D drug card sponsors) have implemented and are comfortable with the requirements of the HIPAA Privacy Rule; however, it is a different story in regard to determining whether or not a particular state law governing the privacy of health information is preempted by or preempts HIPAA.
As a general rule, the Privacy Rule preempts any contrary state law. However, state laws that are contrary to and more stringent than the Privacy Rule are generally not preempted. A state law is more stringent if the state law provides more protections, or, in other words, has the specific purpose of protecting the privacy of health information or affects the health information in a direct, clear, and substantial way.
Only very recently have there been court decisions providing guidance on HIPAA preemption analyses. Most of these recent decisions involve questions regarding access to health information in connection with litigation. This article reviews some of these decisions.
District of Columbia
In Kalinoski v. Evans, the United States District Court for the District of Columbia determined that a District of Columbia law imposing strict limitations on disclosure of the personal notes of mental health professionals is more stringent than HIPAA and therefore is not preempted. In this case, a social worker who was providing counseling services to the plaintiff moved to quash a defendant's subpoena seeking disclosure of the counseling records. Based on D.C. law, the court determined that HIPAA does not prevent the D.C. law’s applicability. However, in this Title VII case, the court concluded that HIPAA and other federal common law regarding privilege is applicable to this federal question case. Under HIPAA, the counselor’s records were discoverable because the plaintiff had signed an appropriate authorization for their disclosure. Consequently, the court denied the motion to quash, finding that the subpoena, which was otherwise valid and enforceable, could not be avoided based on D.C. law.
A different result was reached in a similar case in U.S. v. Diabetes Treatment Center of America. The United States District Court for the District of Columbia considered the applicability of a Florida law regarding patient privacy rights in a case presenting federal questions under the False Claims Act. Like the court in Kalinoski, the court determined that the Florida law was more stringent than HIPAA and therefore not preempted. The Florida law considered by the court permits disclosure of patient records only after (1) redaction of all private patient health information or individual identifying information; (2) consent of the patient; or (3) notice to the non-party patient and an opportunity to be heard on the issue of disclosure. HIPAA, by comparison, allows disclosure without notice to the non-party patient, where there is an appropriate court order. Unlike the Kalinoski court, however, this court applied the Florida law to deny discovery of the requested records.
In Law v. Zuckerman, the United States District Court for the District of Maryland reviewed whether HIPAA preempts a Maryland law governing ex parte communications between a lawyer and a treating physician of an adverse party, who has placed his or her medical condition at issue. The court concluded that because HIPAA allows the release of “oral” medical records only after certain conditions are met, HIPAA is more restrictive and therefore preempts the Maryland law.
In In re Diet Drug Litigation, a New Jersey state trial court analyzed whether HIPAA preempts New Jersey common law with respect to ex parte communications with treating physicians. In Stempler v. Speidell, the New Jersey Supreme Court determined that ex parte interviews between defense counsel and a plaintiff’s treating physician are allowed when (1) the plaintiff provides an authorization; and (2) defense counsel provides plaintiff’s counsel with reasonable notice of the time and place for the interviews, provides the physician with a description of the expected scope of the interview, and indicates with clarity that the doctor’s participation in the interview is voluntary.
The trial court concluded that HIPAA and the Stempler ex parte interview requirements can co-exist, and the Stempler interview itself is not preempted. The court added, however, that the Stempler requirements for an ex parte interview fall below the standards under HIPAA. Due to the timing of the request for ex parte interviews in this mass tort case (the motion was decided only 33 days before trial), the court did not have a chance “to fully explore all aspects of implementing the Stempler procedures.” In the interim, the court allowed ex parte interviews, but required that they be recorded and transcribed, and that all transcripts be made available to plaintiffs’ counsel at the time of each physician’s deposition.
Similarly, in Smith v. American Home Products Corp., the New Jersey state court found that HIPAA does not conflict with the informal discovery technique permitted under Stempler. However, the court found that the Stempler safeguards fall below HIPAA with respect to psychotherapy notes and medical records irrelevant to the litigated medical condition in the case, and are thus preempted. In particular, the court advised that authorization forms must be revised to comply with HIPAA to prevent “overreaching demands.”
In Valli v. Viviani, a New York trial court held that HIPAA does not preempt a state law that permits interviews with treating physicians in the trial stages of litigation. In this case, the defendant requested that the plaintiff be compelled to (i) execute a release permitting counsel for the defendant to interview the treating physician, who was to be a witness at trial; and (ii) provide authorization for patient records to be used at trial. The court explained that HIPAA expressly permits a doctor to disclose protected health information in the course of any judicial proceeding in response to a subpoena, if the doctor is assured that the patient received notice of the request or the defendant’s attorney secured a protective order. However, HIPAA requires that counsel also provide the doctor with a written statement that notice was given to the patient in time for the patient to raise an objection to the court, and that the time has elapsed without objections being made. The court in this case directed that the defendant's counsel follow the notice requirements upon service of the trial subpoena, and the plaintiff provide the HIPAA compliant authorizations for the trial records.
In Browne v. Horbar, M.D., a New York trial court reviewed whether a urologist, who was sued for medical malpractice and wrongful death of a patient, may obtain a qualified protective order permitting the urologist’s attorneys to communicate ex parte with the patient’s treating oncologist. In this case, the court discussed how HIPAA may authorize the court to issue a subpoena. However, the court was not compelled to issue such a subpoena.
The court discussed how private interviews outside the patient or patient representative’s presence may be troubling in connection with confidentiality issues. For example, a treating physician may release information about the patient that has not been communicated to the patient. In addition, there is a risk that the defense counsel may inquire into matters that do not relate to the condition at issue, and no one is present to ensure that the patient’s rights are not violated.
In Hawes v. Golden, the Court of Appeals of Ohio determined that Ohio Law permitting the discovery of medical evidence relevant to wrongful death cases is not preempted by HIPAA. Under Ohio law, a plaintiff waives the decedent’s physician-patient privilege upon filing a wrongful death action. The plaintiff in this case argued that this state law is preempted by HIPAA, because HIPAA does not have any comparable waiver provision. The court disagreed and concluded that the Ohio law and HIPAA are not in conflict in light of HIPAA’s provisions allowing for the release of medical records pursuant to a court order, subpoena, or discovery request, and allowed discovery of the requested medical records.
On November 1, 2004, the Texas attorney-general published a 465-page report that provides a HIPAA preemption analysis of Texas laws relating to the privacy of individually identifiable health information. This report analyzes 19 Texas statutory provisions and, as to each, determines whether (i) HIPAA preempts such state law, and (ii) compliance with both state law and HIPAA would be facilitated by further clarification of the state law.
In addition to the above listed states, many other state courts have analyzed HIPAA’s preemptive scope. To date, these cases, for the most part, involve matters in which parties are requesting access to health information in connection with litigation. In the future, it is likely that there will be many more court decisions relating to HIPAA preemption determinations in connection with litigation as well as health privacy and security matters.