HIPAA’s privacy protections have changed the way healthcare providers communicate about medical information relating to specific patients. To facilitate medical and reimbursement practices, the Department of Health and Human Services enacted a regulation to allow providers and payors to disclose protected health information ("PHI") for "routine uses" (characterized as uses and disclosures of PHI for "treatment, payment, and health care operations") without jumping through the hoops of HIPAA’s consent requirements. A federal appeals court rejected challenges to this HHS regulation this week.
The challenge came in the form of Citizens for Health v. Leavitt. The plaintiffs, a coalition of organizations and individuals, argued that the "routine uses" regulation was invalid for a number of reasons but primarily because it violated the privacy rights of the Fifth Amendment and the free speech rights of the First Amendment. The Third Circuit rejected these arguments. The guarantees of the First and Fifth Amendments restrict government rather than private actions. Because the providers and payors disclosing the PHI under the regulation act in a private rather than governmental capacity, the permitted disclosures do not implicate Constitutional guarantees. Obviously, this is good news for healthcare providers concerned about HIPAA compliance.
The court also noted that HIPAA provides minimum privacy protections and that providers and payors may be subject to more stringent state law privacy protections. Consequently, the regulation is not the final word on provider’s privacy obligations.