HIPAA Does Not Override Public Access To COVID-19 Data

By Al-Amyn Sumar
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our California newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (April 10, 2020, 3:22 PM EDT) --
Al-Amyn Sumar
Here in the U.S. and abroad, the sweeping efforts of governments to contain the spread of the coronavirus have raised thorny questions about the limits of individual privacy.

Among the most pressing questions is this: What information, if any, should states and localities publicly disclose about coronavirus patients?

There's no easy answer to that. But erring too much on the side of privacy rather than transparency, as some jurisdictions have, may stymie efforts to combat the pandemic and undermine the public's trust in government. As of late March, for instance, officials in some parts of California were releasing little more than the number of coronavirus cases on a county-wide basis.[1]

In Massachusetts, state officials went so far as to discourage cities and towns from releasing even the number of confirmed cases in their communities.[2] (The state later reversed itself, apparently.) To defend their decisions, these and other officials have invoked a 1996 federal law, the Health Insurance Portability and Accountability Act, which they say constrains their discretion to release individual health information to the public.

As it turns out, though, HIPAA does no such thing. As explained below, and as courts around the country have held, HIPAA simply does not apply where disclosure is mandated by another law, including a public records statute.

And even if it did apply, HIPAA reaches only covered entities and their business associates — and not all government agencies in possession of coronavirus data fall into that category. HIPAA does not restrict those the ability of those agencies — or excuse their obligation — to disclose documents made public by state open records laws.

Certainly, an agency may credibly claim that another legal provision, such as a personal privacy exemption in the applicable open records statute, exempts sensitive health information from disclosure. But these tend not to be blanket exemptions: They typically permit withholding only if the privacy interest at stake outweighs the public interest in disclosure.[3]

HIPAA, the Privacy Rule and the Required by Law Exception

Enacted in 1996, HIPAA introduced a variety of requirements that affect health insurance, health plans and health care providers.

However, its name has become most closely associated with rules, together with their implementing regulations, that specifically limit the use and disclosure of individually identifiable health information by health plans, most health care providers and certain entities that translate protected health information from one electronic format to another (known as covered entities).

The rules, collectively known as the privacy rule, also apply to individuals and entities that obtain protected health information when helping covered entities perform their function.[4]

The privacy rule generally provides that a covered entity and business associate may use and disclose protected health information without an individual's authorization only as HIPAA expressly requires or permits.[5] But the privacy rule contains an important exception: A covered entity may disclose information without an individual's written authorization "to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law."[6]

The preamble to the privacy rule elaborates on this provision's meaning. The required by law exception, the preamble says, was meant "to preserve access to information considered important enough by state or federal authorities to require its disclosure by law."[7] The preamble also speaks to the interplay between the exception and the federal Freedom of Information Act[8] — in particular FOIA's exemption for personal privacy, known as exemption 6:[9]

Uses and disclosures required by FOIA come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law. Thus, a federal agency must determine whether it may apply an exemption or exclusion to redact the protected health information when responding to a FOIA request. When a FOIA request asks for documents that include protected health information, we believe the agency, when appropriate, must apply Exemption 6 to preclude the release of medical files or otherwise redact identifying details before disclosing the remaining information.

... Covered entities subject to FOIA must evaluate each disclosure on a case-by-case basis, as they do now under current FOIA procedures.[10]

Thus, although the drafters of the privacy rule appeared to believe that HIPAA-protected information in the hands of covered entities would generally fall within exemption 6, they made clear that HIPAA did not create a blanket exemption to disclosure in all circumstances.

To the contrary, the drafters explained that HIPAA did not alter the legal analysis under FOIA, thereby leaving the door open for journalists and others to argue for release of information (including during a pandemic) by arguing that the public interest in disclosure outweighs the privacy interest at stake.

HIPAA and Public Records Laws in the Courts

The state courts, where disputes about HIPAA's impact on public records laws have largely played out, have nearly all rejected government efforts to withhold information under HIPAA.

The first major decision on the issue appears to have come from the Ohio Supreme Court in 2006, in State ex rel. Cincinnati Enquirer v. Daniels.[11] The plaintiff, The Cincinnati Enquirer, sued the local health department after it declined to disclose lead-contamination notices. The notices had been issued to owners of residential property inhabited by children who, according to blood testing, had elevated levels of lead.

The court thoroughly rejected the agency's position that HIPAA made the notices exempt from disclosure. It assumed for the sake of argument that the agency was a covered entity, but nonetheless found that the notices did not contain protected health information within the meaning of HIPAA.

And the court did not stop there. More importantly, it held that HIPAA did not apply because disclosure of the notices was required by law. That was because the Ohio Public Records Act, like virtually any public records law, presumes that public records will be made available to the public.

In the years since Daniels, courts in at least four other states (including two state supreme courts) have found that their respective public records laws fall within HIPAA's required by law exception.

These courts rejected agency invocations of HIPAA — including by agencies that were indisputably covered entities under the law — to withhold a wide range of information, such statistical information about allegations of abuse and sexual assault at state mental health facilities,[12] the names of nearly a thousand people buried in a cemetery adjoining a former asylum,[13] and records concerning arrests and other allegations of misconduct for attorneys in a public defender's office.[14]

Pushing for Disclosure of COVID-19 Information

This case law should serve as a powerful rejoinder to agencies that deny public records requests on the basis of HIPAA. Let's say a state agency isn't entirely receptive to it, though. How else might a requester seeking coronavirus information push back? Here are at least three options:

First, go back to HIPAA's threshold criteria. As noted, HIPAA applies only to covered entities, such as health plans and health care providers. Government agencies and programs that discharge those functions, like Medicare and Medicaid, will fall within this category. Some agencies, like correctional departments, are hybrid entities that have components that provide health plans or operate as providers.[15]

Those specific components will be subject to HIPAA. But it's possible that these agencies have shared their coronavirus data with other governmental entities that are entirely beyond the reach of HIPAA – for example, governmental departments tracking the spread of the virus on a statewide basis.[16]

That may seem like a technical distinction, but being strategic about who receives a FOIA request — a government agency that is a covered entity or one that is not — could make all the difference. For the noncovered entity responding to a FOIA request, the policies underlying HIPAA may be persuasive, but mere citation of HIPAA as grounds to withhold data made presumptively public under state or federal open records laws likely is unlawful.

Instead, the government entity must examine the personal privacy exemption within the applicable open records law and engage in whatever balancing test it requires — a test that ought to account for the gravity of the situation we find ourselves in and the need for transparency to stop the spread of the virus.

For example, exemption 6 in the federal FOIA statute, which some state law privacy exemptions are patterned on, applies if the disclosure of information "would constitute a clearly unwarranted invasion of personal privacy."[17] Disclosure is required if the privacy interest at stake is de minimis or outweighed by the public interest in disclosure.[18]

Thus, depending on the circumstances and specific coronavirus information at issue, a requester may persuasively argue that the balance tips in favor of disclosure. If the requested information is individually identifiable, the case for disclosure may be challenging — but not necessary insurmountable. The strength of the privacy interest, which turns on the "likely stigma from disclosure,"[19] will be tempered significantly by the easily transmissible and now-widespread nature of the coronavirus disease. [20]

At the same time, the public interest in access to coronavirus data is significant. Disclosure permits the public to assess whether their elected officials are downplaying the seriousness of the pandemic and to judge the success of their efforts to combat it. All of that may make a compelling case for disclosure.

Second, and regardless of whether the request is directed at a HIPAA-covered entity, a requester might also disclaim any desire to obtain individually identifiable coronavirus information. Information that does not identify (or could not reasonably be used to identify) an individual is outside the scope of HIPAA and obviously poses less risk to individual privacy.[21] Indeed, the law affirmatively permits the disclosure of information that is de-identified before release.[22]

This argument is likely to have traction in bigger municipalities, where disclosing information like a patient's age or neighborhood could not reasonably lead them to be identified. It is a harder case to make in smaller towns and communities – despite the irony (which anyone who has lived in a small town can attest to) that residents tend to be well informed of the goings-on in their community, including who has been diagnosed with coronavirus.[23]

Third, the requester might also look to other relevant HIPAA exceptions. One such exception allows covered entities to disclose protected health information if they believe in good faith that disclosure "[i]s necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public."[24] That could be true here, at least in some cases. How can citizens make educated decisions about their health and safety if they are left in the dark about basic matters like the number of coronavirus cases in their community?

None of the above is meant to understate the difficulty of some choices state and local officials have to make in the effort to balance privacy with transparency during this crisis. But those choices must comply with the law. And when there is doubt, the presumption should always be more transparency, not less.

Al-Amyn Sumar is an associate at Ballard Spahr LLP.

The author is grateful to Leita Walker and Ed Leeds for their comments.

The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Thomas Fuller, How Much Should the Public Know About Coronavirus?, N.Y. Times (Mar. 28, 2020), https://nyti.ms/2Uvxlq0.

[2] Cody Shepard, Massachusetts DPH asks cities, towns not to release coronavirus numbers, The Enterprise (Mar. 28, 2020), https://bit.ly/2V45JYn.

[3] The caveat to this, of course, is that there may be state laws outside the state open records law that affect the analysis.

[4] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-91, 110 Stat. 1936, § 264; see generally 45 C.F.R. §§160, 164.

[5] 45 C.F.R. §164.502(a).

[6] 45 C.F.R. §164.512(a)(1) (emphasis added).

[7] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,667 (Dec. 28, 2000).

[8] 5 U.S.C §552.

[9] Id. §552(b)(6) (This section does not apply to matters that are . . . personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.").

[10] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,482 (Dec. 28, 2000).

[11] 844 N.E.2d 1181 (Ohio 2006).

[12] Abbott v. Tex. Dep't of Mental Health & Mental Retardation , 212 S.W.3d 648, 664 (Tex. Ct. App. 2006).

[13] State ex rel. Adams County Historical Soc'y v. Kinyoun , 765 N.W.2d 212, 218 (Neb. 2009).

[14] Flores v. Freedom of Info. Comm'n , 2014 Conn. Super. LEXIS 831, *5-7, 20 (Conn. Sup. Ct. Apr. 7, 2014); see also Or. Health & Sci. Univ. v. Oregonian Publ. Co., LLC , 403 P.3d 732, 742 (Or. 2017) ("Following the guidance provided in the Privacy Rule commentary, a covered entity responding to a public records request often could comply with both HIPAA and a law requiring disclosure of public records. In particular, under HIPAA's 'required by law' exception, a covered entity might be required by a law such as ORS 192.420(1) to disclose protected health information, thus complying with both laws."); A.G. Miss. Op. 2005-0595, 2005 Miss. AG LEXIS 347, *3-4 (Dec. 16, 2005) (emphasizing that "the HIPAA privacy rule permits a covered entity to use and disclose protected health information as required by other law," including the Mississippi Public Records Act) (citations omitted).

In a decision that pre-dates Daniels, a Louisiana appellate court denied access to 911 tapes partly on the ground that disclosure was barred by HIPAA. Hill v. E. Baton Rouge Parish Dep't of Emergency Med. Servs. , 925 So. 2d 17, 23 (La. Ct. App. 2005). The court did not, however, consider or even mention the "required by law" exception.

[15] See, e.g., Warren v. Corcoran , 2011 U.S. Dist. LEXIS 135012, *21 n.17 (N.D.N.Y. Oct. 20, 2011) (explaining that the New York State Department of Correctional Services is a "hybrid entity" under HIPAA) (citing, inter alia, 45 C.F.R. §§164.103, 164.105(a)(2)(ii), (iii)).

[16] See, e.g., Abbott, 212 S.W.3d at 664 n.11 ("Our conclusion that the information requested in this case is not confidential under the Public Information Act is buttressed by the fact that the reporter was able to obtain the requested information from another agency, the Texas Department of Protective and Regulatory Services, which is not a covered entity under HIPAA.").

[17] 5 U.S.C. §552(b)(6).

[18] E.g., Multi AG Media LLC v. Dep't of Agric. , 515 F.3d 1224, 1229 (D.C. Cir. 2008). Importantly, the "public interest" comes into play only to the extent it relates to FOIA's "core purpose" of "shed[ding] light on an agency's performance of its statutory duties." U.S. Dep't of Justice v. Reporters Comm. for Freedom of Press , 489 U.S. 749, 773, 775 (1989).

[19] Rosenfeld v. U.S. Dep't of Justice , 2012 U.S. Dist. LEXIS 28768, *15 (N.D. Cal. Mar. 5, 2012).

[20] Cf. Golub v. Enquirer/Star Group , 89 N.Y.2d 1074, 1077 (1997) (concluding in defamation case that "[c]ancer does not fall into the category of a loathsome disease since it 'is neither contagious nor attributed in any way to socially repugnant conduct'" (quoting Chuy v Philadelphia Eagles Football Club , 595 F.2d 1265, 1281 (3d Cir. 1979))).

[21] See 45 C.F.R. § 160.103.

[22] Abbott, 212 S.W.3d at 654 (citing 45 C.F.R. §§ 164.502(d), 164.514(a)). Like HIPAA, open record laws' privacy exemptions are typically not triggered if the information sought can't reasonably be linked to an individual. See, e.g., Torres Consulting & Law Grp., LLC v. NASA , 666 F. App'x 643, 645 (9th Cir. 2016) ("The Supreme Court has interpreted Exemption 6 as covering only information that is linked to an identifiable person," and collecting cases); Ayuda, Inc. v. FTC , 70 F. Supp. 3d 247, 271 (D.D.C. 2014) ("An agency cannot withhold information under Exemption 6 based on the 'mere possibilit[y]' that the release of such information will invade an individual's privacy interest." (citing Dep't of the Air Force v. Rose , 425 U.S. 352, 378, 381 n.19)).

[23] 45 C.F.R. §164.514 addresses the requirements for de-identification of protected health information, including geographical information.

[24] 45 C.F.R. §164.512(j)(1)(i)(A); see, e.g., Lawson v. Halpern-Reiss , 212 A.3d 1213, 1226 (Vt. 2019) (relying on §164.512(j) to grant summary judgment to defendant in privacy lawsuit).

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!