There are no published California cases discussing the intersection of the CPRA and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 1320(d)). Generally, Section 7927.705 of the CPRA authorizes an agency to withhold “[r]ecords, the disclosure of which is exempted or prohibited pursuant to federal or state law, including, but not limited to, provisions of the Evidence Code relating to privilege.” Cal. Gov’t Code § 7927.705.
HIPAA’s protections extend to “health information” and “individually identifiable health information,” as those terms are defined under Section 1320(d). Even when records implicate such information, however, HIPAA authorizes disclosure of protected health information to the extent such disclosure is “required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” CFR §164.512(a)(1). Interpreting this provision, other courts have held that the disclosure mandates of a state’s public records act allow disclosure of protected health information under HIPAA even absent required authorizations. See, e.g., Adams Cty. Historical Soc’y v. Kinyoun, 765 N.W. 2d 212 (2009); Cincinnati Enquirer v. Daniels, 844 N.E. 2d 1181, 1187-88 (Ohio 2006); Abbott v. Texas Dep’t. of Mental Health, 212 S.W. 3d 648 (Tex. App. 2006). This is so even if the open records laws do not specifically require disclosure of public records generally absent specific exemptions. See Abbott, 212 S.W. 3d at 663 n. 10, 664. Thus, courts have ruled that in considering exemptions under a state’s open records act, the public agency may not rely on HIPAA’s privacy rule to thwart disclosure. Id. (citing 65 Fed. Reg. at 82482 and discussing federal Freedom of Information Act disclosure laws as qualifying under Section 164.512(a)). California courts likely would follow suit.
Georgia’s Attorney General has officially opined that HIPAA does not prevent the release of information on copies of death certificates about the cause of death of an individual, as well as conditions leading to the person’s death and information concerning surgical proceedings, if any, conducted on the deceased. Ga. Op. Atty. Gen. No. 07-4 (2007).
There is no conflict between the UIPA and HIPAA rules. “In any case where the HIPAA rules bar release of a record, the UIPA’s exception for records protected by federal law will apply to exempt the protected health information from public disclosure.” HIPAA and Part II of the Uniform Information Practices Act, OIP Op. Ltr. No. 03-05 (Apr. 11, 2003).
“Health information obtained by Dirigo Health under this chapter that is covered by the federal Health Insurance Portability and Accountability Act of 1996 or [state statute] . . . is confidential and not open to public inspection.” 24-A M.R.S.A. § 6907(2).
No Vermont case has specifically addressed the interplay between the Public Records Act and HIPAA, but the Public Records Act exempts from public inspection and copying “[r]ecords which by law are designated confidential or by a similar term” and “[r]ecords which by law may only be disclosed to specifically designated persons.” 1 V.S.A. § 317(c)(1)-(2). The Vermont Supreme Court has recognized the tension between the exception for confidential materials and the State’s intent to have free and open examination of public records. Norman v. Vt. Office of Court Adm'r, 2004 VT 13, ¶ 4, 844 A.2d 769, 770-71 (Vt. 2004).
The Virginia exclusion concerning health information makes no specific reference to HIPAA. However, the general structure of the Act, which gives effect to disclosures “prohibited by law,” along with general principles of federal preemption, indicates that the Act is not a vehicle for circumventing the requirements of HIPAA or for expanding its rules of confidentiality by implication. State law has provisions concerning the exercise of access rights by incarcerated persons, minors, and students. Va. Code Ann. § 2.2-3705.5.1.