NRPM: Standards for Privacy of Individually Identifiable Health Information. 2. State Laws.


The second body of privacy protections is found in a myriad of State laws and requirements. To determine whether or not the proposed rule would preempt a State law, we first identified the relevant laws, and second, determined whether state or federal law provides individuals with greater privacy protection.

Identifying the relevant state statutes: Health privacy statutes can be found in laws applicable to many issues including insurance, worker’s compensation, public health, birth and death records, adoptions, education, and welfare. For example, Florida has over 60 laws that apply to protected health information. According to the Georgetown Privacy Project 6, Florida is not unique. Every State has laws and regulations covering some aspect of medical information privacy. In many cases, State laws were enacted to address a specific situation, such as the reporting of HIV/AIDS, or medical conditions that would impair a person’s ability to drive a car. Identifying every State statute, regulation, and court case that interprets statutes and regulations dealing with patient medical privacy rights is an important task but cannot be completed in this discussion. For the purpose of this analysis, we simply acknowledge the complexity of State requirements surrounding privacy issues.

Lastly, we recognize that the private sector will need to complete a State-by-State analysis to comply with the notice and administrative procedures portion of this proposed rule. This comparison should be completed in the context of individual markets; therefore it is more efficient for professional associations or individual businesses to complete this task.

Recognizing limits of our ability to effectively summarize State privacy laws and our difficulty in determining preemption at the outset, we discuss conclusions generated by the Georgetown University Privacy Project in Janlori Goldman’s report, The State of Health Privacy: An Uneven Terrain. We consider Georgetown’s report the best and most comprehensive examination of State privacy laws currently published. The report, which was completed in July 1999, is based on a 50-state survey. However, the author is quick to point out that this study is not exhaustive.

The following analysis of State privacy statutes and our attempt to compare State laws to the proposed rule is limited as a result of the large amount of State-specific data available. To facilitate discussion, we have organized the analysis into two sections: access to medical information and disclosure of medical information. Our analysis is intended to suggest areas where the proposed rule appears to preempt various State laws; it is not designed to be a definitive or wholly comprehensive State-by-State comparison.

Access to Subject’s Information: In general, State statutes provide individuals with access to their own medical records. However, only a few States allow individuals access to virtually all entities that hold health information. In 33 States, individuals may access their hospital and health facility records. Only 13 States guarantee individuals access to their HMO records, and 16 States provide individuals access to their medical information when it is held by insurers. Seven states have no statutory right of patient access; three States and the District of Columbia have laws that only assure individuals’ right to access their mental health records. Only one State permits individuals access to records held by providers, but it excludes pharmacists from the definition of provider. Thirteen States grant individuals statutory right of access to pharmacy records.

The amount that entities are allowed to charge for copying of individuals’ records varies widely from State to State. A study conducted by the American Health Information Management Association 7 found considerable variation in the amounts, structure, and combination of fees for search and retrieval, and the copying of the record.

In 35 States, there are laws or regulations that set a basis for charging individuals inspecting and copying fees. Charges vary not only by State, but also by whether the request is related to a worker’s compensation case or a patient-initiated request. Charges also vary according to the setting. For example, States differentiate most often between clinics and hospitals. Also, charges vary by the number of pages and whether the request is for X-rays or for standard medical information.

Of the 35 States with laws regulating inspection and copying charges, seven States either do not allow charges for retrieval of records or require that the entity provide the first copy free of charge. Some States may prohibit hospitals from charging patients a retrieval and copying fee, but allow clinics to do so. It is noteworthy that some States that do not permit charges for retrieval sometimes allow entities to charge per-page rates ranging between $0.50 and $0.75. In States that do allow a retrieval charge, the per-page charge is usually $0.25. Eleven states specify only that the record holder may charge “reasonable/actual costs.”

Of the States that allow entities to charge for record retrieval and copying, charges range from a flat amount of $1.00 to $20.00. Other States allow entities to charge varying rates depending on the amount of material copied. For example, an entity may charge $5.00 for the first five pages and then a fixed amount per page. In those cases, it appears that retrieval and copying costs were actually combined. The remaining States have a variety of cost structures: One State allows $0.25 per page plus postage plus a $15.00 retrieval charge. Another State allows a $1.00 charge per page for the first 25 pages and $0.25 for each page above 25 pages plus a $1.00 annual retrieval charge. A third state allows a $1.00 per page charge for the first 100 pages and $0.25 for each page thereafter.

According to the report by the Georgetown Privacy Project, among States that do grant access to patient records, the most common basis for denying individuals access is concern for the life and safety of the individual or others. This proposed rule considers the question of whether to deny patient access on the basis of concern for the individual’s life or safety, concluding that the benefits of patient access most often outweigh harm to the individual. This issue, which is discussed in greater detail in other sections, has been resolved in favor of promoting patient access.

The amount of time an entity is given to supply the individual with his or her record varies widely. Many States allow individuals to amend or correct inaccurate health information, especially information held by insurers. However, few States provide the right to insert a statement in the record challenging the covered entity’s information when the individual and entity disagree. 8

Disclosure of Health Information: State laws vary widely with respect to disclosure of identifiable health information. Generally, States have applied restrictions on the disclosure of health information either to specific entities or to specific health conditions. Just two states place broad limits on disclosure of protected health information without regard for policies and procedures developed by covered entities. Most States require patient authorization before an entity may disclose health information, but as the Georgetown report points out, “In effect, the authorization may function more as a waiver of consent -- the patient may not have an opportunity to object to any disclosures. 9

It is also important to point out that none of the States appear to offer individuals the right to restrict disclosure of their protected health information for treatment. Thus, the provision of the proposed rule that allows patients to restrict disclosure of the their protected information is not currently included in any State law. Because the ability to restrict disclosure currently is not a standard practice, the proposed rule would require entities to add these capabilities to their information systems.

State statutes often have exceptions to requiring authorization before disclosure. The most common exceptions are for purposes of treatment, payment, or auditing and quality assurance functions -- which are similar to the definition we have established for health care operations, are therefore not subject to prior authorization requirements under the proposed rule. Restrictions on re-disclosure of protected health information also vary widely from State to State. Some States restrict the re-disclosure of health information, and others do not. The Georgetown report cites State laws that require providers to adhere to professional codes of conduct and ethics with respect to disclosure and re- disclosure of protected health information. What is not clear is the degree to which individual information is improperly released or used in the absence of specific legal sanctions.

Most States have adopted specific measures to provide additional protections with regard to certain conditions or illnesses that have clear social or economic consequences. Although the Georgetown study does not indicate the number of States that have adopted disease-specific measures to protect information related to sensitive conditions and illnesses, the analysis seems to suggest that nearly all States have adopted some form of additional protection. The conditions and illnesses most commonly afforded added privacy protection are:

  • Substance abuse;
  • Information derived from genetic testing;
  • Communicable and sexually-transmitted diseases;
  • Mental health; and
  • Abuse, neglect, domestic violence, and sexual assault.

We have included a specific discussion of disclosures for research purposes because if an entity decides to disclose information for research purposes, it will incur costs that otherwise would be associated with other disclosures under this rule. Some States place restrictions on releasing condition-specific health information for research purposes, while others allow release of information for research without the patient’s authorization. States frequently require that researchers studying genetic diseases, HIV/AIDS, and other sexually transmitted diseases have different authorization and privacy controls than those used for other types of research. Some States require approval from an IRB or agreements that the data will be destroyed or identifiers removed at the earliest possible time. Another approach has been for States to require researchers to obtain sensitive, identifiable information from a State public health department. One State does not allow automatic release of protected health information for research purposes without notifying the subjects that their health information may be used in research and allowing them opportunity to object to the use of their information. 10

Comparing State statutes to the proposed rule: A comparison of State privacy laws with the proposed rule highlights several of the proposed rule’s key implications:

  • No State law requires covered entities to make their privacy and access policies available to patients. Thus, all covered entities that have direct contact with patients will be required to prepare a statement of their privacy protection and access policies. This necessarily assumes that entities have to develop procedures if they do not already have them in place.
  • The proposed rule will affect more entities than are affected under many State laws. In the application of the proposed rule to providers, plans, and clearinghouses, the proposed rule will reach nearly all entities involved in delivering and paying for health care. Yet because HIPAA applies only to information that has been stored and transmitted electronically, the extent to which the proposed rule will reach information held by covered entities is unclear.
  • State laws have not addressed the form in which health information is stored. We do not know whether covered entities will choose to treat information that never has been maintained or transmitted electronically in the same way that they treat post- electronic information. We also do not know what portion of information held in non- electronic formats has ever been electronically maintained or transmitted. Nevertheless, the proposed rule would establish a more level floor from which States could expand the privacy protections to include both electronic information and non-electronic information.
  • Among the three categories of covered entities, it appears that plans will be the most significantly affected by the access provisions of the proposed rule. Based on the Health Insurance Association of America (HIAA) data 11, there are approximately 94.7 million non-elderly persons who purchase health insurance in the 35 States that do not provide patients a legal right to inspect and copy their records. We do not have information on how many of those people are in plans that grant patients inspection and copying rights although State law does not require them to do so. We discuss these points more fully in the cost analysis section.
  • Although the proposed rule would establish a uniform disclosure and re- disclosure requirement for all covered entities, the groups most likely to be affected are health insurers, benefits management administrators, and managed care organizations. These groups have the greatest ability and economic incentives to use protected health information for marketing services to both patients and physicians without individual authorization. Under the proposed rule, covered entities would have to obtain the individual’s authorization before they could use or disclose their information for purposes other than treatment, payment, and health care operations -- except in the situations explicitly defined as allowable disclosures without authorization.
  • While our proposed rule appears to encompass many of the requirements found in current State laws, it also is clear that within State laws, there are many provisions that cover specific cases and health conditions. Certainly, in States that have no research disclosure requirements, the proposed rule will establish a baseline standard. But in States that do place conditions on the disclosure of protected health information, the proposed rule may place additional requirements on covered entities.
  • State privacy laws do not always apply to entities covered by the proposed rule. For example, State laws may provide strong privacy protection for hospitals and doctors but not for dentists or HMOs. State laws protecting particular types of genetic testing or conditions may be similarly problematic because they protect some types of sensitive information and not others. In some instances, a patient’s right to inspect his or her medical record may be covered under State laws and regulations when a physician has the medical information, but not under State requirements when the information being sought is held by a plan. Thus, the proposed rule would extend privacy requirements already applicable to some entities within a State to other entities that currently are not subject to State privacy requirements.