Federal regulations promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) limit the use and disclosure of protected health information by covered health care providers, health care clearinghouses, and health plans.
Protected health information is defined as any information (in any form) that is created or received by a covered health care provider or other specified entity related to the health care, payment for health care, or physical or mental condition of an identifiable individual.
Under the federal HIPAA privacy rule, a covered health care provider generally may disclose protected health information only
with the authorization of the individual or the individual’s personal representative;
to other health care providers, health plans, or others for the purpose of treatment, payment, or health care operations;
as otherwise required by law;
to report suspected child abuse or neglect to an authorized government agency;
to report suspected abuse, neglect, or domestic violence (other than child abuse or neglect) to an authorized government agency subject to specified conditions;
to an authorized government agency in connection with health oversight activities;
to a public health authority for specified public health activities;
in response to a court order;
to law enforcement officers in specified circumstances;
to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; or
as otherwise expressly permitted or required by the federal privacy rule.
The federal HIPAA privacy rule generally preempts state laws to the extent they are inconsistent with the federal rule. A state law that permits the use or disclosure of protected health information by a covered health care provider is inconsistent with the federal rule if the federal rule neither requires nor permits the use or disclosure of protected health information in the situation addressed by the state law. A state law, however, is not inconsistent with the federal rule if the state law requires the disclosure of protected health information or if the state law imposes more stringent requirements with respect to privacy than the federal rule.
If a county social services department has been designated as a “hybrid entity,” the federal HIPAA privacy rule will apply only to the use or disclosure of protected health information by those units that have been designated as covered health care components and will not affect the use or disclosure of health information by other units of the department. The HIPAA privacy rule, however, also will have some impact on the ability of social services agencies to obtain protected health information from covered health care providers when federal or state law does not require health care providers to disclose information to the county social services department.