Opinion
September 27, 2007
Raymond P. Taffora Deputy Attorney General
Mr. George Stanley Managing Editor Milwaukee Journal Sentinel 333 West State Street Milwaukee, WI 53201-0371
Dear Mr. Stanley:
You have asked for my advice on the applicability of the Federal Health Insurance Portability and Accountability Act ("HIPAA") to section 146.50(12)(b) of the Wisconsin Statutes given the following facts:
Pub.L. No. 104-191, 1996 U.S.C.C.A.N. (110 Stat.) 1936, codified in scattered sections of volumes 18, 26, 42 and 49, U.S. Code.
A reporter for the Milwaukee Journal Sentinel asked the City of Waukesha Fire Department to provide access to records of an ambulance dispatched by the Waukesha Fire Department. The assistant chief of the fire department provided a redacted copy of the ambulance report. The redacted report disclosed the ambulance provider and EMTs involved, the date of the call, the dispatch and response times of the ambulance, the location to which the ambulance was dispatched, the ambulance units sent and the other government agencies responding to the scene. The record did not identify the name, age and gender of the patient or the patient's condition and treatment. The fire department explained that it believed the redactions were required by HIPAA and sections 51.30(4)(a) and 146.82(1) of the Wisconsin Statutes. The fire department also relied on the "strong public and legislative policy" reflected in those privacy laws. The department then concluded that the public's right of inspection of the information was outweighed by the overriding public interest in confidentiality.
Approximately three weeks later the fire department supplemented its response because it had been advised that the United States Department of Health and Human Services ("HHS"), the federal agency that administers and enforces HIPAA, had opined that HIPAA allows the release of protected health information if that release is required under a public records law. The fire department concluded that section 146.50(12) was such a law and provided your newspaper with a supplemental response that included the name, address, and age of the person to whom medical services were provided and the location to which the patient was transported.
Although the particular incident giving rise to your inquiry has now been resolved, I have concluded that your question merits a full answer because it continues to recur with regularity. Consequently, record custodians and the public alike are in need of guidance.
Section 146.50(12)(a) requires that all records made by ambulance service providers, emergency medical technicians or first responders administering emergency care procedures be maintained as confidential patient health care records. Section 146.50(12)(b) provides a limited exception for certain disclosures, but only by ambulance service providers who also are "authorities" under the Wisconsin public records law:
Notwithstanding par. (a), an ambulance service provider, who is an authority, as defined in s. 19.32(1), may make available, to any requester, information contained on a record of an ambulance run which identifies the ambulance service provider and emergency medical technicians involved; date of the call; dispatch and response times of the ambulance; reason for the dispatch; location to which the ambulance was dispatched; destination, if any, to which the patient was transported by ambulance; and name, age and gender of the patient. No information disclosed under this paragraph may contain details of the medical history, condition or emergency treatment of any patient.
Under HIPAA, a covered entity may not use or disclose protected health information except as permitted by law. See 45 C.F.R. § 164.502(a). The definition of "covered entity" includes "[a] health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter." 45 C.F.R. § 160.103. "Health information" includes any information created or received by a health care provider and that relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103. "Protected health information," with limited exceptions not applicable to the present analysis, includes individually identifiable health information that is transmitted by electronic media or maintained in electronic media or transmitted or maintained in any other form or medium. 45 C.F.R. § 160.103. "Individually identifiable health information" includes health information that is created or received by a health care provider and relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies the individual. 45 C.F.R. § 160.103. Information is considered to identify the individual if there is a "reasonable basis to believe the information can be used to identify the individual." Id.
In its response to your public records request, the Waukesha Fire Department concluded that it was a "health care provider" and apparently concluded that it was a "covered entity" under HIPAA. The facts provide no reason to question that conclusion. Because the Waukesha Fire Department is a covered entity, HIPAA provides that it may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. 45 C.F.R. § 164.512(a). "Required by law" is defined under HIPAA as "a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law." 45 C.F.R. § 164.103. "Required by law" includes statutes or regulations that require production of information. Id.
The threshold determination of whether a health care provider is a covered entity is essential to application of HIPAA privacy requirements and, therefore, to the discussion concerning their application that follows.
Recent court decisions from Ohio and Texas are helpful in understanding the intersection of HIPAA requirements and state public records laws.
In State ex rel. Enquirer v. Daniels, 844 N.E.2d 1181 (Ohio 2006), the court considered whether lead-contamination notices issued to property owners could be released under Ohio's public records law. The court first concluded that the reports did not contain protected health information and therefore were outside of the purview of HIPAA. The court went on to decide, however, that even if the records did contain protected health information the records would still be subject to release under 45 C.F.R. § 164.512(a), the "required by law" exception to HIPAA. Daniels, 844 N.E.2d at 1186-87.
The court noted that the Ohio public records act required disclosure of information unless prohibited by federal law, while federal law allows disclosure of protected health information if required by state law. Id. at 1187. The court next noted explanatory statements about section 160.512(a) made by HHS when the HIPAA Privacy Rule was implemented:
"[W]e intend [160.512(a)] to preserve access to information considered important enough by state or federal authorities to require its disclosure by law"; "we do not believe that Congress intended to preempt each such law"; and "[f]he rule's approach is simply intended to avoid any obstruction to the health plan or covered health care provider's ability to comply with its existing legal obligations."
Daniels, 844 N.E.2d at 1187 (quoting Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82667-68 (Dec. 28, 2000)).
The court then relied on HHS' statements about the specific interaction between HIPAA and the federal Freedom of Information Act. HHS had concluded that federal Freedom of Information Act requests come within the Privacy Rule exception that permits uses or disclosures required by law. Daniels, 844 N.E.2d at 1187 (quoting 65 Fed. Reg. at 82482). The court concluded, by analogy, that if the Ohio public records act required disclosure under Ohio law, disclosure did not violate HIPAA's privacy rale, so long as any disclosure met the relevant requirements of the Ohio public records law. Daniels, 844 N.E.2d at 1187.
The Texas Court of Appeals reached a similar conclusion. Abbott v. Texas Dept. of Mental Health, 212 S.W.3d 648 (Tex.App. 2006). The request in Abbott was for statistical information regarding allegations of abuse and investigations of abuse in Texas state facilities. The Department of Mental Health and Mental Retardation had denied the request, relying on the privacy provisions of HIPAA. The Texas Attorney General disagreed with the department's conclusion. The department contested the attorney general's opinion in district court. The district court agreed with the Department of Mental Health and Mental Retardation and the attorney general appealed. Abbott, 212 S.W.3d at 651-53.
Like the Ohio court, the Texas appeals court first concluded that the information sought was not protected health information. Abbott, 212 S.W.3d at 655-57. The court also concluded, however, that even if the information was considered protected health information under HIPAA, the Texas Public Information Act required that the information be released. The court held that the Public Information Act was a law that required disclosure of the information under 45 C.F.R. § 164.512(a)(1). The court also held that the general "required by law" provisions of 45 C.F.R. § 164.512(a) were not limited by the more specific provisions of other subsections of 45 C.F.R. § 164.512. Abbott, 212 S.W.3d at 660.
The court again noted the HHS commentary regarding resolution of potential conflicts:
The commentary specifies that
if a conflict appears to exist because a previous statute or regulation requires a specific use or disclosure of protected health information that the [privacy] rules below appear to prohibit, the use or disclosure pursuant to that statute or regulation would not be a violation of the privacy regulation because § 164.512(a) permits covered entities to use or disclose protected health information as required by law.
. . . In addition, in addressing concerns that were raised by the inclusion of section 164.512(a), the commentary provides . . . [with respect to information required to be disclosed by state or federal law] that it is not appropriate for HHS "to reassess the legitimacy of or the need for each of these mandates. . . . ". . . Finally, the commentary states that, given the variety of laws that might require disclosure of health information and the context in which they might arise, "we do not believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation.
Abbott, 212 S.W.3d at 663 (internal citations and bolding omitted).
Therefore, the Texas court concluded:
[Cjovered entities faced with a request for disclosure involving potentially protected health information must examine the information in light of HIPAA and the Privacy Rule to determine if the information is protected health information that is generally not subject to disclosure. If the request does not involve protected health information, then HIPAA and the Privacy Rule do not prohibit disclosure of the information. If the request asks for information that is protected health information, then the agency must ascertain if any exception to non-disclosure in the Privacy Rule applies. If no exception applies, the agency may release the information if potential identifiers are redacted or if a statistician determines that release of the information cannot be used to identify any individual. If an exception to non-disclosure does apply, the agency must release the information. For example, if the request is made under the authority of a statute that requires disclosure, then the exception found in section 164.512(a) applies, and the agency must disclose the information as long as the disclosure complies with all relevant requirements of the statute compelling disclosure. . . .
If a request for protected health information is made under the Public Information Act, then the exception to non-disclosure found in section 164.512(a) of the Privacy Rule applies, and the agency must determine whether the Act compels the disclosure or whether the information is excepted from disclosure under the Act. For example, if the information is considered confidential by judicial decision, statute, or the constitution, then the information is not subject to disclosure under the "confidential" exception to disclosure found in the Public Information Act.
Abbott, 212 S.W.3d at 662 (internal citations omitted). The court specifically rejected the argument that the preemption provisions of HIPAA, 45 C.F.R. §§ 160.202-160.203 required a different conclusion. Abbott, 212 S.W.2d at 664-65.
The Ohio and Texas decisions are consistent with the position taken by HHS on its website addressing frequent questions, http://www.hhs.gov/HIPAAfaq/permitted/require/506.html. In answer to a question concerning the relation between the HIPAA Privacy Rule and state public records laws, the HHS website states (as of March 26, 2007): "Thus, where a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law." The Texas appeals court noted and relied upon this advice. Abbott, 212 S.W.3d at 664.
Similarly, a federal district court considering the relationship of the 45 C.F.R. § 164.512(a)(a) "required by law" disclosure authorization to another provision of federal law also found persuasive the HHS commentary published with the Privacy Rule and advice provided on the HHS website. Protection Advocacy System, Inc. v. Freudenthal, 412 F. Supp. 2d 1211, 1216-17 (D. Wyo. 2006). That court had to determine whether provisions of several federal laws authorizing patient record access by agencies — like the plaintiff — providing protection and advocacy services to persons with developmental disabilities and mental illness constituted disclosures "required by law" for purposes of 45 C.F.R. § 164.512(a)(1). Protection Advocacy System, 412 F. Supp. 2d at 1212-16.
The court observed that the drafters of the HIPAA Privacy Rule clearly considered potential conflict with other laws, and addressed that potential conflict in the preamble to the regulations. The federal agency's interpretation of its own regulations was entitled to substantial deference, the court explained, and was controlling unless plainly erroneous or inconsistent with the regulations. Protection Advocacy System, All F. Supp. 2d at 1216. Discussing the section 164.512(a)(1) "required by law" exception, the court then noted that the Privacy Rule was not intended to create or change substantive law. Id.
Like the Texas court in Abbott, the federal court also noted approving advice on the HHS website regarding 45 C.F.R. § 164.512(a)(1) "required by law" disclosures to protection and advocacy agencies such as the plaintiff. HHS had designated its Office of Civil Rights ("OCR") to enforce the Privacy Rule, the court explained, and OCR actually operated the website providing the Privacy Rule advice approving disclosure to protection and advocacy agencies. Protection and Advocacy System, All F. Supp. 2d at 1218. That is the same HHS website noted above and referred to in Abbott.
The Wisconsin disclosure statute central to your inquiry is not the state public records law, sections 19.31- 19.37, but rather the ambulance service provider records disclosure statute, section 146.50(12)(b). Although this opinion therefore analyzes the interaction of HIPAA and section 146.50(12), the same type of analysis would apply to issues arising from the interaction from HIPAA, other patient health care record confidentiality requirements of Wisconsin law, see generally sections 146.81- 146.84 and 19.31-37. Resolution of those issues, however, are beyond the scope of this opinion.
Section 146.50(12)(b) of the Wisconsin Statutes mandates that an ambulance provider that is an "authority" for purposes of the public records law "may make available, to any requester," certain specified information from ambulance service provider records that otherwise would be confidential pursuant to section 146.50(12)(a). This office previously has concluded that despite the fact that section 146.50(12)(b) uses the term "may," the statute is not permissive. 78 Op. Att'y Gen. 71 (1989). Disclosure of the information specified in section 146.50(12)(b) instead is subject to the public records law and that custodians do not have total personal discretion to grant or deny access. The "may" in section 146.50(12)(b) therefore mandates that a custodian of ambulance service provider records apply the case-by-case analysis of the common law balancing test required by the public records law. 78 Op. Att'y Gen. 71, 76 (1989).
Although the balancing test often is explained as an exercise of "discretion" by a record custodian, e.g., Hempel v. City of Baraboo, 2005 WI 120, f 62, 284 Wis. 2d 162, 699 N.W.2d 551, it does not allow the records custodian unfettered discretion so as to make balancing test disclosures something other than "required by law." The Wisconsin public records law is very clear that disclosure is mandated except in those exceptional circumstances when a custodian, in the exercise of his or her judgment, determines that public policy interests favoring non-disclosure outweigh the presumption of disclosure. Hempel, 284 Wis. 2d 162, 1(63.
Under Wisconsin's public records law, and therefore under section 146.50(12), the records specified in section 146.50(12)(b) must be released unless the public's interest in nondisclosure outweighs the strong presumption of disclosure recognized in section 19.31. Because section 146.50(12)(b) is a state law that mandates disclosure, 45 C.F.R. § 164.512(a), as interpreted by the agency charged with interpreting and enforcing the federal law, allows disclosure of the information specified in section 146.50(12)(b) — when so determined by the records custodian using the balancing test analysis — despite the more restrictive general provisions of the HIPAA privacy rule. As noted, this conclusion is also consistent with the reasoning and conclusions of the Ohio and Texas courts.
This conclusion is also consistent with section 19.36(1), which provides: "Any record which is specifically exempted from disclosure by state or federal law or authorized to be exempted from disclosure by state law is exempt from disclosure under s. 19.35(1), except that any portion of that record which contains public information is open to public inspection as provided in sub. (6)." The HHS commentary teaches that records like those identified in section 146.50(12(b), disclosure of which is required by the Wisconsin public records law, are not records which are specifically exempted from disclosure by federal law. They are not, therefore, exempt from disclosure under section 19.36(1).
Sincerely,
J.B. Van Hollen Attorney General
JBVH:AL:cla
cc: Miles W.B. Eastman Assistant City Attorney City of Waukesha