03-05
Posted on Apr 11, 2003 in Formal Opinions
Opinion Letter No. 03-05
April 11, 2003
HIPAA and Part II of the Uniform Information Practices Act
There is no conflict between Part II of the Uniform Information Practices Act (Modified), chapter 92F, Hawaii Revised Statutes (“UIPA”), and 45 C.F.R. Parts 160 and 164, the medical privacy rules (“HIPAA rules”) promulgated by the federal Department of Health and Human Services as required by the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”).
The UIPA does not require public disclosure of information that is protected from unauthorized disclosure by the HIPAA rules: such information will fall under one or more UIPA exceptions to public disclosure. The exception for information protected by federal laws will always apply to information that is protected under the HIPAA rules. In most instances the information will also fall within the UIPA exception for information whose disclosure would be an unwarranted invasion of personal privacy.
HIPAA does not have provisions comparable to the response deadlines and other procedural requirements for responding to UIPA requests for government records. An agency should follow the procedures set forth in the UIPA and chapters 2-71, Hawaii Administrative Rules, when responding to a request for government records that involves “protected health information” as defined in the HIPAA rules.
HIPAA does have provisions regarding a patient’s access to the patient’s own medical records, which are comparable to a person’s right of access to personal records under Part III of the UIPA. The OIP did not discuss the interplay between the HIPAA rules and Part III of the UIPA in this opinion.