
A true first test of HIPAA?

There was an interesting story this weekend about how the Ohio Supreme Court ruled that the Ohio law guaranteeing people access to government records outranks HIPAA.  The ruling was reported to be "the nation’s first ruling weighing a state’s open-records law against provisions of the federal Health Insurance Portability and Accountability Act."  The dispute itself was simple: a newspaper wanted to view lead-paint citations issued by the local health department, and "The Cincinnati Health Department denied access to 10 years’ worth of lead-paint citations, saying they contained children’s private health information because they listed the addresses of homes with lead hazards."

But is it really a test of HIPAA?  The first question to ask is whether the local health department is a Covered Entity (CE) under HIPAA at all, which means it has to be a healthcare provider, a health plan (insurer/payer) or a healthcare clearinghouse.  Well, does it fall under the definition of a healthcare provider?  Hmm... they are not listed as a healthcare provider on The Health Improvement Collaborative of Greater Cincinnati site.  Are they a health plan?  Not listed in that section, either.  Are they a clearinghouse?  Doubtful.

They are, however, listed within the "Public Sector" section.  Let's check out the Cincinnati Health Department website using the link provided... oops!  An invalid URL.  Gee, looks like it should be a .gov site...

Okay...let's see, where is the website for the Cincinnati Health Department?  Ahh...here it is, a .gov URL, which makes sense.  So, does it indicate that it is a healthcare provider, insurer/payer or clearinghouse?  Appears to be a provider; according to the website, "The Cincinnati Health Department provides many services to the community such as medical and dental care; inspections required under Cincinnati Municipal Code, Ohio Revised Code, and Board of Health Regulations; health education; litter and weed control; and maintaining birth and death records. The Department also investigates communicable disease outbreaks and is a partner in the regional medical response system for responding to medical emergencies in Cincinnati and the surrounding communities."

Now we need to determine whether the Department, as a provider, transmits health information electronically in connection with a HIPAA standard transaction, such as billing for or receiving payment for healthcare (a provider only becomes a CE when it does).  Upon a quick skim it appears they probably do, but I cannot verify this.

Let's assume they are a CE then.

The next question to ask is, what information was in the records?  Lead-paint citations and the associated addresses.  Addresses ("all geographic subdivisions smaller than a state") are one of the 18 identifiers the Privacy Rule lists in its safe-harbor de-identification standard; health information that carries one of those identifiers is individually identifiable health information, which is PHI when a CE holds it.  The catch, of course, is that an identifier by itself is not PHI; it has to be tied to health information about an individual.

An interesting passage from the Dispatch report:  "Justice Terrence O’Donnell wrote, however, that city citations contained no medical information, nor did they list names, ages or any other personal information. And even if they had, O’Donnell wrote, HIPAA doesn’t shield information that other laws require to be made available. 'The Ohio Public Records Law requires disclosure of these reports and HIPAA does not supersede state disclosure requirements,' he wrote."

Okay...very interesting!!  This judge says HIPAA does NOT supersede state disclosure requirements.  However, the HIPAA regs say the Privacy Rule preempts any contrary state law unless the state law is more stringent, that is, more protective of privacy, and a law that forces disclosure is hardly more protective.  But then...wait...there are also exceptions to preemption! 

Bear with me.  The Privacy Rule has a preemption exception (45 CFR 160.203(c)), commonly called the "public health and vital statistics" exception, for state laws that provide for reporting of disease or injury, child abuse, birth or death, or that authorize public health surveillance, investigation or intervention.  Ahhh...perhaps this is the loophole. 

So, apparently, if this information is collected as part of public health surveillance or investigation, it goes into state government records, to which the public is then guaranteed access?  Perhaps.  Keep in mind, too, that the Privacy Rule itself permits a CE to disclose PHI when the disclosure is "required by law" (45 CFR 164.512(a)), which is another route to the same result.  Ask your lawyer for his or her interpretation; you'll probably get 20 different opinions if you ask 20 different lawyers.

Aye yi yi...wouldn't it be nice to have just one all-encompassing federal privacy law that covered all industries and personal information equally?  (That's another blog posting...sometime in the near future.) 

Cases like this one in Ohio certainly do not help to clarify compliance activities; the ruling binds only Ohio, sets no precedent anywhere else, and mostly stirs the pot of confusion.




Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.