HIPAA

HIPAA Compliance:

A Complicated Interplay of Federal Rule and State Laws

Sifting through the complex language and ambiguity of a federal law or regulation in order to understand what is required for compliance is a very complicated process. That process becomes even more challenging when the regulation interacts with a host of other laws and statutes.

Such is the case with the federal Privacy Rule stemming from the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Privacy Rule establishes patients' rights and requires that health professionals implement various policies and procedures regarding the use of and access to health care information. Practicing psychologists face a Privacy Rule compliance deadline of April 14, 2003

Psychology leaders emphasize that the Privacy Rule cannot be considered in a vacuum when it comes to determining what the regulation requires. Complying with HIPAA necessitates comparing provisions of the Privacy Rule with related state laws, statutes, and common law decisions pertaining to health care delivery. The Privacy Rule requires a complex and extensive analysis to determine which provisions of relevant law -- whether federal or state -- take precedence.

That is because the HIPAA Privacy Rule establishes a "floor" in creating a minimum level of privacy for the protection of health care information. Generally speaking, a provision of law is considered more protective of health consumers if it results in less information being released to insurance companies and other third parties, or if it gives patients greater access to their health care information.

Provisions of state law that are stricter in protecting a patient's health information take precedence over related provisions of the HIPAA Privacy Rule - that is, the state provisions are not preempted by HIPAA. State laws that are either contrary to or not as strict as the HIPAA Privacy Rule in protecting a patient's health information are preempted.

The APA Practice Organization and the APA Insurance Trust have spent many hours over the past year doing a state-by-state preemption analysis specifically related to psychology practice. The work has involved contacting entities on the state level such as psychology licensing boards, state attorney generals' offices, outside counsel for state and provincial psychological associations, and others for help in sorting through the complexities of state laws and statutes.

A number of factors contribute to the complexity of a state preemption analysis. The U.S. Department of Health and Human Services has published hundreds of pages of "guidance" governing the interpretation and application of the Rule. Figuring out what parts of the Privacy Rule apply to solo and small psychology group practices, and how the Rule applies, is tricky; much of the guidance provided by HHS was designed for large health facilities and medical professionals.

Practitioners need to make sure they do not overlook pertinent state-level requirements in instances where HIPAA imposes no related federal requirement. For example, virtually all states require general patient consent or authorization for the release of protected health information, even though the HIPAA Privacy Rule was stripped of requirements pertaining to general patient consent.

The results of a state preemption analysis must be incorporated into designated materials for patients. For example, in order to comply with the HIPAA Privacy Rule, the applicable findings from the preemption analysis must be reflected in the required Notice and other forms that health professionals must provide to their patients.

Doing the necessary preemption analysis is a long-term and ongoing process, not a discrete task. There is no provision in HIPAA that prevents states from enacting new and/or more stringent laws regarding patient record privacy. That suggests that continued HIPAA compliance would require consideration and review of changes in applicable state law, along with appropriate changes in policies and procedures governing patient record protection.

The APA Practice Organization and the APA Insurance Trust have developed a HIPAA Privacy Rule compliance tool designed specifically for practicing psychologists. Practitioners may learn more about the product, known as HIPAA for Psychologists, online at www.apapractice.org or at www.apait.org.