Judges: W.A. DREW EDMONDSON, Attorney General of Oklahoma
Filed Date: 8/26/2004
Status: Precedential
Modified Date: 7/6/2016
Dear Administrator Rhoades,
¶ 0 This office has received your request for an official Attorney General Opinion in which you ask, in effect, the following question:
The Child Death Review Board Act, 10 O.S. 2001, §§ 1150-1150.4,1 requires the Child Death Review Board to review the deaths and near deaths of children, which at times requires the use of medical records. Does the federal Health Insurance Portability and Accountability Act of 1996 permit health care providers to disclose such protected health information to the Board without the authorization of the child or his or her parents or guardian?
¶ 1 Your question stems from some health care providers' refusal to release medical records to the Oklahoma Child Death Review Board ("Board") because of confidentiality and authorization requirements found in the federal Health Insurance Portability and Accountability Act ("HIPAA"), Pub.L. No.
1. Conduct case reviews of deaths and near deaths2 of children3 in this state;
2. Develop accurate statistical information and identification of deaths of children due to abuse and neglect;
3. Improve the ability to provide protective services to the surviving siblings of a child or children who die of abuse or neglect and who may be living in a dangerous environment;
4. Improve policies, procedures and practices within the agencies that serve children, including the child protection system[.]
Id. (footnotes added).
¶ 3 One of the Board's duties listed above is conducting case reviews of child deaths and near deaths. Id. If a child dies, the review process begins when the State's Office of the Chief Medical Examiner receives the death certificate. The Office of the Chief Medical Examiner conducts an initial review of child death certificates "in accordance with the criteria established by the Child Death Review Board and refer[s] to the Board those cases that meet the criteria established by the Board for specific case review." Id. § 1150.4(B). In the case of a child's near death, the Board receives its initial information from the Department of Human Services and law enforcement agencies. Id. § 1150.2(B)(4).
¶ 4 In conducting its case review, the Board has broad authority to obtain information about the child from both public and private entities. "Upon the request of the Board, every entity within the child protection system shall provide to the Board any information requested by the Board." Id. § 1150.4(C). "``Child protection system' means public and private agencies, medical personnel, courts, law enforcement agencies and legal, education and social service professionals with responsibilities related to child abuse and neglect[.]" Id. § 1150.1(2).
¶ 5 Besides being able to obtain "any information" it requests from people and entities in the child protection system, the Board has explicit statutory authority to:
8. Request and obtain a copy of all records and reports pertaining to a child whose case is under review including, but not limited to:
a. the medical examiner's report,
b. hospital records,
c. school records,
d. court records,
e. prosecutorial records,
f. local, state, and federal law enforcement records, including, but not limited to, the Oklahoma State Bureau of Investigation (OSBI),
g. fire department records,
h. State Department of Health records, including birth certificate records,
i. medical and dental records,
j. Department of Mental Health and Substance Abuse Services and other mental health records,
k. emergency medical service records, and
l. Department of Human Services' files.
Id. § 1150.2(B) (emphasis added). Finally, if the above information is not sufficient to complete its review, the Board may "request the preparation of additional information and reports as determined to be necessary . . . including, but not limited to, clinical summaries from treating physicians, chronologies of contact, and second opinion autopsies[.]" Id. § 1150.2(B)(10).
¶ 6 If any person or entity refuses to give the Board the information it requests, it can enforce its request by subpoena.
A. In any investigation relating to the functions of the Child Death Review Board pursuant to Section 1150.2 of Title 10 of the Oklahoma Statutes, the Director of the Oklahoma Commission on Children and Youth, if recommended and approved by the Child Death Review Board and the legal counsel for the Governor, may require the production of, by subpoena, any records, including books, papers, documents, and other tangible things which constitute or contain evidence which the Board finds relevant or material to the investigation, if the Board has been unable to obtain the necessary information by requesting it.
Id. § 1150.2a.
¶ 7 State law requires the Board to keep confidential the information it receives, and grants a private right of action to an individual who has been harmed by an unauthorized disclosure by the Board.
Confidential information provided to the Board shall be maintained by the Board in a confidential manner as otherwise required by state and federal law. Any person damaged by disclosure of such confidential information by the Board, its local boards or their members, not authorized by law, may maintain an action for damages, costs and attorney fees[.]
Id. § 1150.2(B)(8). Confidential information, documents, and records in the Board's possession are not subject to subpoena or discovery in any civil or criminal proceeding. Id. § 1150.2(B)(9). Further, case reviews and discussions by the Board concerning individual child deaths or near deaths must be conducted in executive session. Id. § 1150.2(C). These discussions, as well as any writings resulting therefrom, are privileged and not admissible in evidence in any proceeding.Id.
¶ 8 From the above statutes, we see that the Board has sweeping authority to request and obtain information, including medical records, from public and private entities in cases of child death or near death. However, you indicate that some entities, such as hospitals, have refused to comply with the Board's requests for medical records in child death or near death cases. The entities claim that HIPAA prohibits such disclosure without a court order or the individual's (or his or her parent's or guardian's) authorization. Therefore, we next examine what effect HIPAA has on the State laws cited above.
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
¶ 10 The United States Department of Health and Human Services has published regulations and standards designed to keep protected health information confidential. See generally
45 C.F.R., subtit. A, subch. C, pts. 160, 164 (2003). These standards create a mandatory "federal floor of privacy protection," but do not supersede other applicable laws that provide greater privacy protection. Standards for Privacy of Individually Identifiable Health Information,
¶ 11 Among the entities (called "covered entities") subject to HIPAA and its regulatory standards are "health care providers," defined as "any . . . person or organization who furnishes, bills, or is paid for health care in the normal course of business."
¶ 12 Unquestionably, the medical records the Board seeks during its case reviews qualify as an individual child's protected health information. The issue is what effect HIPAA has on the Board's statutes. HIPAA expressly preempts contrary state laws.Id. § 160.203. For example, if a covered entity would find it impossible to comply with both state and federal requirements regarding the privacy of individual health information, or if a state law is an obstacle to accomplishing HIPAA's objectives, the relevant state law is considered "contrary" to HIPAA. Id. § 160.202.
¶ 13 To determine whether the Board's statutes are contrary to HIPAA's provisions, we would normally engage in a preemption analysis. However, when the state law falls under any exceptions provided by the federal law such an analysis is not necessary. In this case, HIPAA provides certain exceptions permitting a covered entity to disclose protected health information. Specifically, HIPAA does not preempt State laws relating to reporting disease or injury, child abuse, birth or death, public health surveillance, or public health investigation and intervention.Id. § 160.203(c). The relevant HIPAA regulation granting this exception provides as follows:
A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
. . . .
(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
Id. (emphasis added).
¶ 14 Further, if
A covered entity may use or disclose protected health information without the written authorization of the individual, . . . or the opportunity for the individual to agree or object . . ., in the situations covered by this section. . . .
. . . .
(b) Standard: uses and disclosures for public health activities.(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions[.]
(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect[.]
Id. § 164.512 (emphasis added).
¶ 15 HIPAA defines "[p]ublic health authority" in pertinent part as "an agency or authority of the United States, aState, a territory, a political subdivision of a State or territory, or an Indian tribe, . . . that is responsible forpublic health matters as part of its official mandate." Id. § 164.501 (emphasis added).
¶ 16 Public health matters include reporting disease or injury, child abuse, birth or death, public health surveillance, or public health investigation and intervention. Id. § 160.203(c). Given the Board's express statutory duty to monitor and investigate child deaths and near deaths due to suspected abuse or neglect in an effort to improve the policies, procedures, and practices within the agencies that serve children, 10 O.S. 2001,§ 1150.2[
¶ 17 As the Board falls within one of HIPAA's exceptions to disclosure of individual health information due to its public health surveillance and investigation activities, there is no need to determine whether a conflict exists between HIPAA and the Board's statutes which would require preemption of the State laws. Therefore, HIPAA does not contravene the Board's authority to request and receive individual health information from HIPAA-covered entities, such as hospitals, for certain children, even without the child's, parent's or guardian's authorization. As stated earlier, the Board has statutory authority to subpoena relevant or material information, such as medical records, which health care providers refuse to disclose. 10 O.S. 2001, §1150.2a[
¶ 18 It is, therefore, the official Opinion of the AttorneyGeneral that:
1. The Oklahoma Child Death Review Board has statutory authority to request from health care providers medical records of children who have died or suffered near death due to suspected abuse or neglect. 10 O.S. 2001, § 1150.2[10-1150.2 ].2. Oklahoma law requires that all entities within the State child protection system, which includes both public and private agencies, provide to the Child Death Review Board any information it requests. 10 O.S. 2001, §§ 1150.4(C), 1150.1(2).
3. The federal Health Insurance Portability and Accountability Act ("HIPAA") specifically permits disclosure of protected health information, including medical records, to state public health authorities, including the Child Death Review Board, without obtaining authorization from a child or his or her parents or guardian.
45 C.F.R. § 164.512 (b)(1)(i), (ii) (2002).W.A. DREW EDMONDSON Attorney General of Oklahoma
DEBRA SCHWARTZ Assistant Attorney General