Opinion Letter No. 03-05
April 11, 2003
HIPAA and Part II of the Uniform Information Practices Act
There is no conflict between Part II of the Uniform Information Practices Act (Modified), chapter 92F, Hawaii Revised Statutes ("UIPA"), and 45 C.F.R. Parts 160 and 164, the medical privacy rules ("HIPAA rules") promulgated by the federal Department of Health and Human Services as required by the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA").

The UIPA does not require public disclosure of information that is protected from unauthorized disclosure by the HIPAA rules: such information will fall under one or more UIPA exceptions to public disclosure. The exception for information protected by federal laws will always apply to information that is protected under the HIPAA rules. In most instances the information will also fall within the UIPA exception for information whose disclosure would be an unwarranted invasion of personal privacy.

HIPAA does not have provisions comparable to the response deadlines and other procedural requirements for responding to UIPA requests for government records. An agency should follow the procedures set forth in the UIPA and chapters 2-71, Hawaii Administrative Rules, when responding to a request for government records that involves "protected health information" as defined in the HIPAA rules.

HIPAA does have provisions regarding a patient's access to the patient's own medical records, which are comparable to a person's right of access to personal records under Part III of the UIPA. The OIP did not discuss the interplay between the HIPAA rules and Part III of the UIPA in this opinion.