Several weeks ago, I posted about the new standard medical release form that all Ohio providers are required to honor. As I mentioned in that post, pursuant to Ohio Administrative Code Section 5160-1-32.1, effective February 3, 2019, all Ohio providers must honor a standard authorization form.
You can find a link to a copy of the new standard medical release form, as well as a copy of the statute itself, in my previous post: Does Ohio’s New Standard Medical Release Form Apply to Workers’ Compensation Claims?
I realized, however, that this new standard medical release form might not be the end of the story. I can imagine a large hospital system refusing to honor the standard release, claiming that despite the new Ohio law, they would still be open to liability under the Health Insurance Portability and Accountability Act (“HIPAA”). So, I decided to take a look at HIPAA, how it interacts with Ohio law regarding the release of protected health information, and see what I could find out.
In short, since Ohio’s privacy laws are more stringent than the HIPAA requirements, compliance with Ohio law regarding the release of information should satisfy a health care provider’s obligations under HIPAA. I’ll discuss that in a little more detail below, with the following disclaimer.
I’m a workers’ compensation and employment attorney, not an expert in federal health privacy law. Since this new release form has only been mandatory for one week now, there is no case law to guide me on this subject. What follows is a discussion of how the two statutes should interplay, in my opinion. We will have to see what time brings.
Federal law supersedes state law but, as described in sections §160.201, §160.202, §160.203, §160.204 and §160.205 of HIPAA, if the state law is “more stringent” than the requirements of HIPAA, the federal and state laws are complementary, and both apply. If state law is “contrary” to HIPAA, then the requirements of HIPAA control.
One case in the Northern District Court of Appeals (the Federal District Court that covers Northeastern Ohio) has already held that Ohio’s privacy laws are “more stringent” than federal HIPPA requirements; Turk v. Oiler, 732 F. Supp. 2d 758 (N.D. Ohio 2010). Accordingly, Ohio’s health privacy law is not superseded by HIPAA.
Ohio’s privileged communications law permits disclosure of protected health information for several reasons, including “by consent.” See ORC 2317.02(B)(1)(a)(i). Since the new Ohio Administrative Code Section specifically mandates that all health providers honor Ohio’s standard medical release form, compliance with Ohio law should satisfy the health care provider’s obligations under HIPAA.
The Ohio Bureau of Workers’ Compensation has not yet taken a formal position on the new medical release form. As I noted in my last post, the Ohio Department of Medicaid indicated that the release form was not specific to Medicaid issues. I’m also going to discuss this issue with the Industrial Commission, and see how they intend to deal with this new change in the law. As always, I will keep you posted.