HIPAA vs. Florida and HIPAA Wins!

Laura Gerdes Long

By Laura Gerdes Long

In a battle between a state statute and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 1320d to d-9), the Eleventh Circuit Court of Appeals has held that a Florida statute is preempted by HIPAA because it is an obstacle to the “accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.” OPIS Management Resources, LLC, et al. v. Secretary Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. April 9, 2013).

OPIS, and the other plaintiff parties, are operators and managers of skilled nursing facilities in Florida. In the course of their operations, the nursing facilities received requests from spouses and attorneys-in-fact for the medical records of deceased nursing home residents. Because the parties requesting the records were not “personal representatives” pursuant to HIPAA and its implementing regulations, the facilities refused to disclose the records.  As a result, the requesting parties filed complaints with the U.S. Department of Health and Human Services Offices for Civil Rights, which concluded that the nursing facilities acted properly.

The Florida Agency for Health Care Administration, however, issued citations against the nursing facilities for violating Florida law by refusing to release the records because the state statute requires licensed nursing homes to release a former resident’s medical records to the spouse, guardian, surrogate, or attorney-in-fact of any such resident. Fla. Stat. § 400.145(1). Because of the conflicting interpretations of the relevant laws, the nursing facilities filed a complaint for declaratory judgment. The district court granted the nursing facilities’ motion for summary judgment, explaining that the Florida statute affords nursing home residents less protection than is required by the federal law; therefore, the state law is preempted by HIPAA.

Stricter Federal HIPAA Law Trumps State Law

At the heart of the issue is whether the state statute, in which the “unadorned text…. authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason and without regard to the authority of the individual making the request to act in a deceased resident’s stead,” conflicts with federal law, according to Judge Susan H. Black. Finding that it does conflict, the jurist wrote, the state law “frustrates the federal objective of limiting disclosures of protected health information” and is therefore “preempted by the more stringent privacy protections” imposed by federal law.

The Privacy Rule, promulgated under HIPAA, permits disclosures to the individual whose information is being protected, as well as disclosures to the individual’s personal representative.  45 CFR § 164.502(a)(1)(i), (g)(1) (“[A]covered entity must … treat a personal representative as the individual for purposes of this subchapter.”)

In Missouri, simply being an attorney or other representative of a deceased or incapacitated person does not automatically convert that person into a “personal representative” within the meaning of the HIPAA Privacy Rule. A legal proceeding – typically in the probate context – is required which places that official designation on a party.

How Long Is Health Information Protected?

Prior to March 26, 2013, the federal law did not contain any time limitation with respect to the disclosure of a deceased individual’s protected health information. As of March 26, 2013, “[a] covered entity must comply with the requirements of [the Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.” 45 CFR § 164.502(f). Stated another way, with the Final Omnibus Rule, which is based on statutory changes under the Health Information Technology for Economic and Clinical Health Act (HITECH), all protections and restrictions on protected health information of persons who have been deceased for 50 years have been removed. This change is intended to remove barriers to historical research.

This Florida case, together with the Final Omnibus Rule changes, illustrates that the federal government is serious about continuing to strive to enhance the standards for patient health information privacy and security. Not since the HIPAA Privacy and Security Rules were first implemented in 2003 have such sweeping changes occurred.

Posted by Attorney Laura Gerdes Long. Long practices in tort, insurance defense, legal malpractice, health care, and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, self-insured employers, and municipalities.


Comments are closed.