It comes as a surprise to many requesters of medical records that healthcare providers can implement policies that are stricter than both HIPAA and state law. This is because HIPAA was designed to permit the adoption of more stringent federal and state laws, as well as healthcare provider policies, to further safeguard Protected Health Information (PHI).

As Health Information Management (HIM) professionals are aware, the HIPAA privacy rule serves as a “federal floor” of privacy protections for patients’ PHI, meaning that it sets the minimum standards that healthcare providers must follow for disclosure.

States can enact laws that provide additional protections for PHI as long as they are not contrary to HIPAA, meaning that it should not be impossible for a healthcare provider to comply with both HIPAA and the state law; state law should not be an obstacle to accomplishing the purposes and objectives of HIPAA. Most states have adopted laws to further protect certain types of PHI from disclosure that are not specifically addressed by HIPAA or other federal laws, such as mental health records and PHI related to a patient’s treatment for AIDS/HIV.

Additionally, many healthcare providers have implemented their own disclosure policies that are more restrictive than both HIPAA and applicable state laws. For example, HIPAA and some states permit the disclosure of PHI when subpoenaed as long as it is accompanied by “satisfactory assurance” – documentation that the patient subject to the subpoena was notified and was given opportunity to object to the disclosure. A healthcare provider, however, can choose to adopt a more restrictive policy in the interest of protecting patient privacy, such as requiring that subpoenas be accompanied by a HIPAA-compliant authorization or a court order signed by a judge.

Facilities, however, should be cautious before adopting policies that are more stringent than HIPAA and state law because such policies may be seen as restricting a patient’s access to PHI. For example, it may seem more secure to only process requests for copies of PHI with a healthcare provider’s authorization. However, if such a policy was adopted and a HIPAA-compliant authorization were rejected, the facility may be subject to a complaint with the Office of Civil Rights (OCR) for restricting a patient’s access to their PHI. Thus, healthcare providers need to make sure that their policies do not run contrary to the objectives of HIPAA and the applicable state laws.

Given the myriad of federal and state laws related to disclosure of PHI, it is important that healthcare providers and their HIM staff adopt Release of Information (ROI) policies that do not contradict the applicable federal and state laws. MRO’s ROI specialists who work at our clients’ facilities are trained on how to disclose PHI according to the applicable federal and state laws and facility policies to ensure they remain compliant with all relevant rules and regulations.

This is the third post of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.