There are no California cases discussing the intersection of the CPRA and the Health Insurance Portability and Accounting Act of 1996 (HIPAA) (42 U.S.C. § 1320(d)). Generally, Section 6454(k) of the CPRA authorizes an agency to withhold “[r]ecords, the disclosure of which is exempt or prohibited pursuant to federal or state law, including, but not limited to, provisions of the Evidence Code relating to privilege.” Cal. Gov’t Code § 6254(k).
HIPAA’s protections extend to “health information,” and “individually identifiable health information,” as those terms are defined under Section 1320(d). Even when records implicate such information, however, HIPAA authorizes disclosure or protected health information to the extent such disclosure is “required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” CFR §164.512(a)(1). Interpreting this provision, other courts have held that the disclosure mandates of a state’s public records act allows disclosure of protected health information under HIPAA even absent require authorizations. See, e.g., Adams Cty. Historical Soc’y v. Kinyoun, 765 N.W. 2d 212 (2009); Cincinnati Enquirer v. Daniels, 844 N.E. 2d 1181, 1187-88 (Ohio 2006); Abbott v. Texas Dep’t. of Mental Health, 212 S.W. 3d 648 (Tex. App. 2006). This is so even if the open records laws do not specifically require disclosure of public records generally absent specific exemptions. See Abbott, 212 S.W. 3d at 663 n. 10, 664. Thus, courts have ruled that in considering exemptions under a state’s open records act, the public agency may not rely on HIPAA’s privacy rule to thwart disclosure. Id. (citing 65 Fed. Reg. at 82482 and discussing federal Freedom of Information Act disclosure laws as qualifying under Section 164.512(a)). California courts likely would follow suit.
Georgia’s Attorney General has officially opined that HIPAA does not prevent the release of information on copies of death certificates about the cause of death of an individual, as well as conditions leading to the person’s death and information concerning surgical proceedings, if any, conducted on the deceased. Ga. Opp. Atty. Gen. No. 07-4 (2007).
No Vermont case has specifically addressed the interplay between the Public Records Act and HIPAA but the Public Records Act exempts from public inspection and copying “[r]ecords which by law are designated confidential or by a similar term” and “[r]ecords which by law may only be disclosed to specifically designated persons.” 1 V.S.A. § 317(c)(1)-(2). The Vermont Supreme Court has recognized the tension between the exception for confidential materials and the State’s intent to have free and open examination of public records. Norman v. Vt. Office of Court Adm'r, 2004 VT 13, ¶ 4, 844 A.2d 769, 770-71 (Vt. 2004).