HIPAA/LAW:
March 2004
"Subpoenas: First Comply with HIPAA & State Privacy Laws"
By Steve Fox & Michael D. Raffaele, Esqs.,
Pepper Hamilton LLP
Many of you have followed with interest the recent controversy
about the Justice Department's subpoenas to Planned Parenthood affiliates
nationwide. The Federal government served the subpoenas as part
of its discovery in its defense against Planned Parenthood's suit
to have the so-called "Partial Birth Abortion Ban" deemed
unconstitutional. The Justice Department subpoenas sought the protected
health information ("PHI") of women who had abortions
in the second and third trimesters of their pregnancies.
The Planned Parenthood affiliates refused to respond to the subpoenas
by claiming the protections of both HIPAA and state laws regarding
the disclosure of protected health information. While the Justice
Department withdrew the subpoenas after the Court hearing the main
Planned Parenthood case denied the government's motion to compel
production of the records, the subpoenas (and the responses by the
Planned Parenthood affiliates) raise this question for covered entities:
QUESTION: If someone subpoenas our patients' PHI during
civil litigation and there is a state law governing such disclosures,
do we comply with HIPAA, state law or both?
ANSWER #1: Comply with HIPAA.
ANSWER #2: Comply with both.
Your choice between answer one and answer two depends on the content
of your state's laws on PHI, and may depend on the type of suit.
Let's assume that you receive a subpoena during a suit in which
state privacy laws could apply.
Since Congress has clearly mandated that HIPAA "shall supersede
any contrary provision of state law," there is no option for
abiding by only state law instead of HIPAA. 42 U.S.C. § 1320d-7(a)(1)
(implemented at 45 C.F.R. § 160.203). Where your state's protections
for PHI are less stringent than HIPAA, your state's laws are contrary
to HIPAA - it would be impossible to release the PHI under the state
law without violating HIPAA. Therefore, you should always comply
with HIPAA's provisions governing disclosure of PHI in response
to a civil subpoena, see 45 C.F.R. § 164.512(e), in any type of civil
case if your state's protections for PHI are weaker than those offered
by HIPAA. This applies in suits brought under either state or Federal
law.
Following both HIPAA and state law is possible, however, because
Congress has also said that where your state's law provides "more
stringent" protections for PHI, you should apply both your
state's privacy laws and HIPAA. 45 C.F.R. § 160.203(b). State
law is more stringent than HIPAA where it "prohibits or restricts
a use or disclosure in circumstances under which such use or disclosure
otherwise would be permitted" under HIPAA. 45 C.F.R. § 160.202.
Assuming that you receive a subpoena in a case where state privacy
laws apply, your choice of whether to follow just HIPAA or both
HIPAA and state law depends on whether your state's privacy laws
for PHI are more stringent than HIPAA.
The more difficult question is whether the suit for which you receive
the subpoena is a suit in which state privacy laws could apply.
Your state's privacy laws will almost certainly apply in suits brought
under the laws of your state. This includes suits in state court
and Federal diversity suits - suits in which the Federal court
applies state law.
Whether more stringent state privacy protections apply in Federal
court in cases brought under Federal law is a matter of ongoing
debate. Planned Parenthood and its affiliates took the position
that more stringent state law privacy protections applied even though
the case is a purely Federal matter.
At least one Federal court has agreed with their position. In National
Abortion Federation v. Ashcroft, the Court applied Illinois state
law privacy protections in a case brought in Federal court under
Federal law. See National Abortion Fed. v. Ashcroft, 2004 U.S. Dist.
LEXIS 1701 at *8 (N.D. Ill. February 6, 2004). The Court found that
Illinois' privacy protections for PHI are more stringent than HIPAA.
It then relied on the Illinois privacy law to quash a subpoena served
on Northwestern Memorial Hospital. If Planned Parenthood and the
Northern District of Illinois are correct, state privacy laws may
apply in all cases where state PHI protections are more stringent
than HIPAA.
In short, a covered entity and its counsel must make an independent
determination of whether state privacy laws apply before responding
to a subpoena seeking PHI. The covered entity must then decide whether
state privacy laws concerning PHI are more stringent than HIPAA's
protections, and if they are, comply with both HIPAA and state law.
If the state laws are not more stringent, then the covered entity
must make certain to comply with the requirements of 45 C.F.R. §
164.512.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP, www.pepperlaw.com.
This article was co-authored by Michael D. Raffaele, Esq., an associate
of Pepper Hamilton LLP. They may be reached at foxsj@pepperlaw.com.
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.