Part 3: Uses and Disclosures (FAQ 60 of 65)
60. What Are Uses and Disclosures Required by Law?
We want to discuss the category of uses and disclosures required by law. For purposes of this discussion, we will focus on disclosures rather than uses. HIPAA recognizes that other laws sometimes require the disclosure of health records. In one of the shortest sections dealing with disclosure, HIPAA says that a covered entity can make a disclosure that is required by law.
What does this mean? It means that any federal, state or local law requiring disclosure of medical records remains in force. (A law means a statute or a regulation.) For example, when a state law requires a physician to report a suspected case of child abuse to a state agency, the HIPAA rule does not interfere with that disclosure (although it establishes some conditions on the disclosure). If a city passed an ordinance that said that the entire medical record of any individual hospitalized in a local hospital must be published in full in the local newspaper, HIPAA would permit that disclosure too.
We do not expect to see laws requiring newspaper publication of records of hospitalized patients any time soon. We just want to point out the breadth of the HIPAA deference to other laws. Any law, no matter what its purpose or scope, that requires disclosure is sufficient for HIPAA's purposes. If another law says disclose, then HIPAA says disclosure is permitted but only to the extent of the requirements of the other law. Any compulsion about disclosure comes from that other law and not from HIPAA, however.
For some disclosures allowed by HIPAA, the rule provides that the procedures established by HIPAA continue to apply to covered entities even when disclosures are made under the authority of other laws. This is a complicated area, and you may want to skip the rest of this paragraph. For example, HIPAA allows disclosures to report suspected cases of abuse, neglect, or domestic violence to the proper authorities. Most or all states have comparable laws. HIPAA includes a set of procedures that a covered entity must comply with before or after making a disclosure of abuse, neglect, or domestic violence. Under some specified circumstances, the covered entity making the disclosure must inform the subject of the disclosure (i.e., the victim) about the disclosure. However, the rule specifies that in some circumstances, notifying the victim will place the victim in greater peril so telling the victim is not always required. The HIPAA rule says that if state law mandates disclosure about abuse, the covered entity making the disclosure must still comply with the HIPAA procedures. HIPAA also imposes additional duties for disclosures for judicial and administrative proceedings and for disclosures for law enforcement purposes.
However, for other allowable disclosures, none of the conditions in HIPAA applies if another law requires disclosure. For example, the HIPAA rule allows disclosures for health research under a lengthy and complex set of conditions. If a covered entity wants to make a disclosure for research, it must comply with all of the HIPAA conditions. However, if a state law requires disclosure for health research with fewer or no conditions, then HIPAA says that the disclosure can be made without complying with any of HIPAA's conditions.
This is complicated stuff, and we have not covered all the nuances. The covered entities that make disclosures need to pay close attention to the details. The message for patients is that many laws affect the confidentiality of health records. If you thought that no one disclosed your medical records without your approval, keep reading to see how wrong you were.