State of confusion: the HIPAA privacy rule and state physician-patient privilege laws in federal question cases

Suffolk Journal of Trial & Appellate Advocacy, Annual, 2007 by Jenna Phipps

I. INTRODUCTION

People expect that when they visit a doctor the information that is revealed in the visit and recorded in their medical records will be kept from the eyes of others. This may be a reasonable expectation in most situations, but not necessarily if the medical records are sought for use in court. No federal physician-patient privilege exists, and the existence and scope of such a privilege varies across states. (1) The passage of the Health Insurance Portability and Accountability Act (HIPAA) has led to confusion over the appropriate effect of state privileges in federal question cases. (2)

HIPAA required the Department of Health and Human Services (HHS) to promulgate rules relating to privacy of protected health information. (3) The resulting set of regulations, known as the HIPAA Privacy Rule, contains a section discussing the use of protected health information, such as medical records, in judicial proceedings. (4) Federal courts generally use federal evidentiary rules where federal law supplies the rule of decision. (5) Additionally, federal laws typically preempt contrary state laws. (6) HIPAA, however, contains a preemption clause stating that it will not "supercede [sic] a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." (7)

Courts have differed in their interpretation of HIPAA's preemption clause in cases whose subject matter jurisdiction is based on a federal question. (8) Some courts have held that HIPAA should always control in federal question cases. (9) Conversely, others have held that state privilege laws should apply if they are more stringent. (10) Still others have found middle ground, analyzing whether the particular state privilege law in question is more stringent than HIPAA without generalizing as to HIPAA's effect in all federal question cases. (11) This Note will argue that HIPAA should control in federal question cases, regardless of whether state privilege laws are more stringent. Future courts should acknowledge that Congress did not intend for HIPAA to incorporate state privileges. Courts should not compare the stringency of state privilege laws with HIPAA in federal question cases because this confuses the proper analysis and could lead to inappropriate control by state privilege laws in these cases.

Part II will provide an overview of relevant sections of HIPAA, along with Congress and HHS's intent. This section will also review the general doctrine of evidentiary privileges, various physician-patient and medical records privileges in states, and the theory of preemption. Part III will discuss various approaches taken by courts regarding the interpretation of HIPAA's preemption provision and the consequences that this has on which privilege law will apply in federal question cases. Part IV will analyze these approaches, and argue that HIPAA should preempt state privilege laws in federal question cases, regardless of the stringency of state law.

II. HIPAA, PRIVILEGES, PREEMPTION, AND CONGRESSIONAL INTENT

A. Overview of HIPAA and the Privacy Rule

Congress enacted HIPAA on August 21, 1996. (12) The purposes of HIPAA were to ensure more consistent health insurance coverage, reduce insurance fraud, and increase efficiency in insurance administration. (13) Many provisions, particularly those in the Administrative Simplification section, would implicate privacy issues because they would result in increased sharing of individuals' health information. (14) Congress therefore directed the Secretary of HHS to provide them with recommendations regarding appropriate standards to protect individuals' information privacy. (15) If Congress failed to enact legislation encompassing the recommended standards, then HHS was to issue regulations regarding privacy of protected health information. (16) The task fell to HHS when Congress did not enact such legislation.

In 2002, HHS promulgated the regulations known as the HIPAA Privacy Rule, which detail the measures that must be taken to properly handle protected health information. (17) Protected health information (PHI) is individually identifiable health information, meaning someone could potentially identify the individual by examining the health and demographic information contained in the PHI. (18) All health plans, health care clearinghouses, and health care providers who transmit health information electronically are considered covered entities and must abide by the regulations. (19)

One section of the Privacy Rule pertains to the use of protected health information in judicial and administrative proceedings, allowing disclosure of such information after certain detailed procedures are followed. (20) If the presiding court issues a subpoena, the covered entity may disclose medical records without providing notice to the patient. (21) If the subpoena or discovery request is not court-ordered, the covered entity may disclose the records after either providing notice to the affected individual or obtaining a qualified protective order. (22)