HIPAA Preempts Less Protective State Law Concerning Medical Records of Deceased Nursing Home Residents, Eleventh Circuit Rules
Written by Lillian Moon
In addition to requirements to safeguard increasingly vast amounts of patient data, healthcare providers also need to be mindful of when that data can be used and disclosed. One key challenge in that area is understanding whether state or federal law applies. The U.S. Eleventh Circuit Court of Appeals (which covers Florida, Georgia, and Alabama), held that the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law, Section 400.145, that allowed for the release of medical records of deceased residents of nursing homes to specified individuals without prior authorization. Opis Management Resources, LLC et al. v. Secretary Florida Agency for Health Care Administration.
The plaintiffs, comprised of several nursing home facilities, filed suit in federal district court challenging the Florida Agency for Health Care Administration’s (“AHCA”) citations to the facilities for their refusal to disclose deceased residents’ medical records to surviving spouses, family members, and attorneys-in-fact who were not personal representatives under the relevant HIPAA provisions. The nursing homes asked a federal district court judge to declare that Florida Statute § 400.145 was preempted by HIPAA. The district (trial) court granted summary judgment in favor of the nursing facilities finding that the Florida law provided nursing home residents less protection than required under HIPAA.
On appeal, the Eleventh Circuit affirmed the district court’s grant of summary judgment concluding that Section 400.145
impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual’s protected health information confidential.
As the court explained, HIPAA includes a preemption clause providing that HIPAA supersedes any contrary state law provision, including any state law which “stands as an obstacle to the accomplishment and execution of [HIPAA’s] full purposes and objectives.” In other words, if a state law provides for less stringent protection than that already provided by HIPAA, it is preempted or superseded by HIPAA. HIPAA, however, does not preempt state laws providing more stringent protections.
Since 2000, the federal Department of Health and Human Services has issued extensive regulations, known as the Privacy Rule, that establish procedures by which protected health information (“PHI”) may be used or disclosed by a covered entity or business associate. Under the most recent set of regulations issued in January, HIPAA protection of PHI for deceased individuals remains in effect for a period of fifty (50) years after the individual’s death. The Privacy Rule further provides that PHI may be disclosed to a personal representative (one who under applicable state law is an executor, administrator or other individual with the authority to act on behalf of a deceased person or the individual’s estate). Additionally, a covered entity may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. In such a case, PHI of the deceased can be released to the extent it is relevant to such person’s involvement in the care or payment for the care.
Section 400.145, Florida Statutes, provides in pertinent part that “[u]nless expressly prohibited by a legally competent resident, any nursing home licensed pursuant to this part shall furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a current resident, . . . or of a former resident, . . . a copy of that resident’s records which are in the possession of the facility.” The court found that although the statute lists a number of individuals to whom records could be disclosed, it “does not empower or require an individual to act on behalf of a deceased resident,” and, therefore, does not identify any of those individuals to qualify as personal representatives under HIPAA. Therefore, the statute provides a much broader class of individuals than under HIPAA to whom the deceased’s PHI may be disclosed without authorization. Additionally, the Florida statute does not contain the same limitations or restrictions as the Privacy Rule with regard to releasing PHI of a deceased individual to those involved in the individual’s care or who paid for it and only to the extent the information is relevant to the person’s involvement or payment. Accordingly, the court found HIPAA provided more stringent protections of PHI than the Florida statute and held HIPAA preempts Section 400.145.