
Under HIPAA, State Health Agencies Are Not Covered Entities - Letter to AZ Governor Ducey


Dear Governor Ducey:

Thank you for your extended leadership in this state of emergency.

AARP provides you the information herein to encourage state health agencies to publicly make available the names of Long Term Care facilities with confirmed COVID-19 cases.

AARP believes the Health Insurance Portability and Accountability Act (HIPAA) does not preclude a state health agency from releasing such information because it is not a covered entity as defined by federal law. Additionally, the Arizona government has the authority to identify nursing facilities that have been the site of COVID-19 infections. The primary statute governing confidentiality of medical records does not prevent disclosure, Arizona’s public health laws authorize disclosure, and its Public Records Law likely mandates disclosure if someone requests the information.

· Under HIPAA, State Health Agencies Are Not Covered Entities

HIPAA’s rules only apply to covered entities. A public health authority is not considered a covered entity and therefore is not subject to HIPAA. The regulations make clear that the term “covered entities” refers to health plans, health care clearinghouses, and certain health care providers. 45 C.F.R. § 160.103. The definition of providers includes “a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1395f(g) and section 1395n(e) of this title, a fund.” 42 U.S.C. § 1395x(u). HIPAA also applies to a covered entity’s business associates, who are people or entities that perform functions or other activities for or on behalf of a covered entity that require them to receive, transmit or maintain PHI, such as claims processing. 45 C.F.R. § 160.103.

A public health authority, on the other hand, is “an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.” 45 C.F.R. § 164.501. Some state agencies may be hybrid entities; they may perform public health functions as well as covered entity functions (e.g., as a provider or health plan). HHS’s HIPAA decision tool concerning disclosures for emergency preparedness states that in that case (when the state health agency is a hybrid entity) there should be separation between the covered and non-covered divisions, and the non-covered entity is not subject to HIPAA.[1] In addition, the regulations make clear that the information held by the covered entity may be disclosed to the non-covered entity for public health purposes. 45 C.F.R. § 164.512 (see below, Use and Disclosure of PHI).

The HHS March 2020 Bulletin on COVID-19 and HIPAA clarifies that “[t]he [HIPAA] Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.”[2] In addition, guidance on the CDC website says, “after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.”[3]

· Protected Health Information Under HIPAA
HIPAA defines health information, individually identifiable health information, and protected health information. HIPAA limits the use and disclosure of protected health information (PHI). Whether publishing the name of a nursing facility with COVID-19 could be considered PHI turns on whether it is reasonably likely that the information could be used to identify the resident(s) with the virus. However, a determination that such information is PHI would only restrict the ability of nursing facilities or other covered entities to report this information publicly.

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103.

Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 160.103.

Protected health information (PHI) is the same as IIHI, but excludes some education records, employment records, and records of people who have died more than 50 years ago. 45 C.F.R. § 160.103.

To de-identify health information so that it provides no reasonable basis for identification of an individual, and is not considered IIHI or PHI, certain information must be removed, including geographic subdivisions smaller than a State.[4] 45 C.F.R. § 164.502(d)(2).

· Use and Disclosure of PHI
The HIPAA regulations describe the circumstances under which PHI can be disclosed and used. See 45 C.F.R. § 164.500 et seq. There is also a recent HHS Bulletin that details many of these provisions, and how they allow for sharing of information in the current situation.[5] These conditions, described in more detail in the bulletin, include treatment of a patient, public health activities, and disclosures to family, friends, and others involved in an individual’s care. Although we already know that nursing facilities are sharing this information with the state, this bulletin makes clear reporting COVID-19 cases to state health authorities and others is fully permissible under HIPAA.

With respect to public health activities, the bulletin explains that HIPAA “recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization” to a public health authority, at the direction of a public health authority to a foreign government agency, and to persons at risk of contracting or spreading a disease. See 45 C.F.R. § 164.512(b)(1)(i) and (iv).

The bulletin also addresses disclosures to prevent or lessen a serious and imminent threat. It explains that without a patient’s permission, pursuant to 45 C.F.R § 164.512(j), health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.

· Current HIPAA Waiver
The current limited waiver of HIPAA sanctions has no impact on nursing facilities. On January 31, 2020, the Secretary of HHS determined that a public health emergency exists nationwide, and had existed since January 27.[6] The limited waiver that took effect on March 15 waives sanctions and penalties against covered hospitals nationwide that have instituted a disaster protocol, for noncompliance with certain provisions of the HIPAA Privacy Rule, including:
• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).

• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.

• the patient's right to request privacy restrictions. See 45 CFR 164.522(a).

• the patient's right to request confidential communications. See 45 CFR 164.522(b).[7]

This waiver only applies for up to 72 hours from the time the hospital implements such a protocol.

On April 2, 2020, HHS’s Office for Civil Rights (OCR) issued a notification of enforcement discretion, indicating that the agency will not impose penalties for violations of certain provisions of HIPAA’s Privacy Rule against health care providers or business associates for the good faith use and disclosure of PHI for public health and health oversight activities during the COVID-19 nationwide public health emergency.[8] Examples of good faith disclosures include disclosures to the CDC or a similar state public health authority for the purpose of preventing or controlling the spread of COVID-19, and to CMS or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response.[9]

· State Law
The Arizona government has the authority to identify nursing facilities that have been the site of COVID-19 infections. The primary statute governing confidentiality of medical records does not prevent disclosure, Arizona’s public health laws likely allow disclosure, and its Public Records Law likely mandates disclosure if someone requests the information.

Arizona Revised Statutes § 12-2292 makes medical records and the information they contain confidential. This law prevents health care providers from disclosing medical information unless authorized by law, but it does not prevent the state from disclosing medical information it obtains. By itself, this statute does not authorize Arizona to release medical information, but it does not prevent it either.

Arizona’s public health laws likely do allow the state to disclose the names of facilities with COVID-19. Under Arizona Revised Statutes § 36-787, the Department of Health Services also has “responsibility and authority for” “organizing public information activities regarding state public health emergency response operations.” This is a fairly broad grant of authority. In addition, the purpose of the statute is to collect and disseminate information to ensure public safety during a public health emergency. Moreover, unlike another section of the public health laws that explicitly specifies when certain information must be kept confidential, this part of the law contains no such limitations. These factors strongly indicate that the government can disclose information necessary to protect public health.

Governor Ducey declared an emergency on March 11, 2020, and relied on Arizona Revised Statutes § 36-787 to issue Executive Order 2020-22, which requires nursing facilities to report each week how many residents test positive for COVID-19. Under this statute, the state can likely release the names of facilities with COVID-19 and the numbers reported each week.

Even if this statute by itself were read not to authorize disclosure, the state would have to make the information available in response to a public records request. Arizona’s Public Records Law strongly favors prompt disclosure of public records. See Office of the Attorney General, Arizona Agency Handbook § 6.2 (explaining that “as a general rule, ‘all records required to be kept under A.R.S. § 39-121.01(B), are presumed open to the public for inspection as public records.’” (quoting Carlson v. Pima County, 141 Ariz. 487, 491, 687 P.2d 1242, 1246 (1984))); A.R.S. § 39-121.01(D)(1).[10]

The information the Department of Health compiles from nursing facilities constitutes a public record. See A.R.S. § 39-121.01(B) (specifying the broad range of records state agencies must maintain); A.R.S. § 41-151.18 (defining “Records”). Therefore, the Department of Health must disclose it in response to a request unless the disclosure would violate privacy. What counts as “private” varies based on context, but it generally concerns information that invades the privacy expectations of an individual. Examples given in the Arizona Agency Handbook include one’s date of birth, a state employee’s home address, and the audio of a 911 call. See Office of the Attorney General, Arizona Agency Handbook § 6.4.2. Arizona has claimed it does not want to disclose this information out of concern for privacy interests, but that is not really at issue if the information being disclosed consists of the names of the facilities with COVID-19 and the number of residents infected, given that no information about any individual would be released. If Arizona withholds the information, it must provide a legal basis for the decision.

There is another part of the public health laws that Governor Ducey has relied on to collect information, and that arguably does prevent the state from disclosing the information it obtains, but it does not trump § 36-787, the section discussed above. Arizona Revised Statutes § 36-782(B)(4) authorizes the governor to issue an “advisory” requesting information collection and sharing in response to a public health threat. Using this authority, Governor Ducey has authorized the Arizona Department of Health Services (Department of Health) and local health authorities to access medical information held by any facility. See Arizona Executive Orders 2020-13, 2020-23.

Arizona Revised Statutes § 36-783 requires health care providers, a term that encompasses nursing facilities,[11] to comply with the advisory by reporting to the local health authority all information required by the “advisory.” It also makes clear that the information state and local health authorities receive through this reporting mechanism is confidential only if it comprises a trade secret or would harm a person’s or business’s competitive interests if disclosed.[12] Here, naming facilities with COVID-19 would very likely harm the competitive interests of nursing facilities, so disclosure would not be allowed. But the important point is that § 36-783 only applies to information obtained under § 36-782. The statute explicitly states: “The department and local public health authority shall maintain as confidential: (1) Any information or a particular part of information provided under this section that, if made public, would divulge the trade secrets of a person or business [and] (2) Other information likely to cause substantial harm to the person's or business' competitive position.” Ariz. Rev. Stat. Ann. § 36-783(E). This provision does not apply to override the state’s broad power to “organiz[e] public information activities” in response to public health emergencies under § 36-787.

In short, Arizona law does not prevent the state from disclosing the names of nursing facilities whose residents have tested positive for COVID-19, or the number of people infected in each facility. Of course, if HIPAA prevented the disclosure of this information, it would override Arizona’s laws. But as described above, we do not believe HIPAA bars disclosure.

AARP commends the administration’s concern for the protection of individual privacy and hopes the names of facilities - not individuals - with confirmed cases of COVID-19 will be made available, in the interest of public health, to the public.

I am available at your convenience to be of assistance in this endeavor. Thank you, Governor.

Dana Marie Kennedy, MSW
State Director AARP Arizona

[4] The full list of identifiers is: names; geographic subdivisions smaller than a State, including street address, city, county, precinct and zip code, except for the initial three digits of a zip code; all elements of dates (except years) for dates directly related to an individual; telephone numbers; fax numbers; e-mail addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other unique identifying number, characteristic or code, except as permitted. 45 C.F.R. § 164.514.

[8]; see also

[10] The Handbook is available at

[11] “Health care provider” is defined by reference to Ariz. Rev. Stat. § 12-2291, which in turn refers to Ariz. Rev. Stat. § 36-401, which defines a health care facility as “every place, institution, building or agency, whether organized for profit or not, that provides facilities with medical services, nursing services, behavioral health services, health screening services, other health-related services, supervisory care services, personal care services or directed care services and includes home health agencies as defined in § 36-151, outdoor behavioral health care programs and hospice service agencies. Health care institution does not include a community residential setting as defined in § 36-551.” The carve-out at the end of the definition is for group homes that attend to the daily needs of individuals with developmental disabilities but do not provide medical care.
