Vol. 76, No. 6, June 2003

Balancing Federal and Wisconsin Medical Privacy Laws

by Timothy A. Hartin

he new federal privacy regulations for health information (the "Privacy Rule" or "Rule") issued by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect on April 14, 2003.¹ Part I of this article, which appeared in the April 2002 Wisconsin Lawyer, gave an overview of the Privacy Rule. Part II discusses the interaction of the Privacy Rule and Wisconsin medical privacy laws by: 1) identifying some of the restrictions and obligations that the Privacy Rule imposes on Wisconsin health care providers that may affect customary uses or releases of information; and 2) indicating situations in which compliance with the Privacy Rule alone does not result in compliance with more stringent Wisconsin provisions. Specifically, Part II focuses on the interaction of the Privacy Rule with the Wisconsin patient confidentiality statute² and then briefly addresses the Wisconsin mental health treatment statute³ and the Wisconsin HIV test statute.⁴

Analyzing Privacy Rule Interaction with Wisconsin Law

The Privacy Rule preempts all conflicting state law, except for state laws that are more "stringent" because they provide greater privacy protections or greater rights for individuals.⁵ Effectively, this means that Wisconsin's existing privacy laws remain generally unchanged, as there are very few, if any, instances where Wisconsin law both conflicts with the Privacy Rule and is less stringent than the Privacy Rule. The administrative requirements imposed by the Privacy Rule generally have no counterpart under Wisconsin law and consequently will apply as set forth in the Privacy Rule without interacting with Wisconsin law. Patient rights guaranteed by the Privacy Rule raise few issues under the Wisconsin patient confidentiality or HIV test statutes, although the interaction of the Privacy Rule and the mental health treatment statute does result in some "hybrid" patient rights, as discussed below. Most of the issues created by the interaction of the Privacy Rule and Wisconsin law arise in connection with the use and disclosure of confidential medical information.

Both Wisconsin law and the Privacy Rule impose restrictions on the disclosure of confidential medical information and have similar conceptual structures for restricting the disclosure of this information. Each contains blanket prohibitions on the disclosure of medical information while allowing the individual who is the subject of the information (referred to below as the "patient") to authorize disclosure. Wisconsin law and the Privacy Rule also create a series of exceptions that allow disclosure without the patient's authorization.⁶

Given the parallel structure of Wisconsin law and the Privacy Rule, a practical approach to the question of how the Privacy Rule interacts with Wisconsin privacy law treats the Privacy Rule as the baseline for privacy obligations and then identifies any Wisconsin legal requirements that are more stringent. Thus, when confronted with the issue of whether a patient's written authorization is required for a given disclosure of information, the first question is whether the Privacy Rule allows the disclosure without the patient's authorization. If the Privacy Rule requires an authorization, then one should be obtained, and there will be no compliance issues under Wisconsin law, which also allows the release of health information with the patient's authorization. If the Privacy Rule allows the disclosure without the patient's authorization, the next question is whether Wisconsin law also allows the disclosure without authorization. If Wisconsin law requires the patient's authorization before health information can be disclosed, then the authorization must be obtained even though the Privacy Rule does not require it. The only time a disclosure can be made without a patient's authorization is when both the Privacy Rule and Wisconsin law permit.

Definitional Problems

As with any statutory or regulatory issue, the first concern is understanding and reconciling the relevant definitions. While the Privacy Rule and the Wisconsin patient confidentiality statute have very similar overall structures, potentially significant issues are raised by the Wisconsin statute's use of some significant undefined terms.

"Covered entity" versus "custodian of records." The Privacy Rule applies to "covered entities," defined as health plans, clearinghouses that translate electronic information from one format into another, and health care providers who electronically transmit health care information in specified transactions.⁷ The Wisconsin patient confidentiality statute does not limit its application to any particular class of persons or entities and appears to apply to anyone who possesses patient health care records. The Wisconsin statutory provisions allowing for enforcement refer to "custodians" of records and to "any person" who violates the statute.⁸ Thus, it appears that any covered entity that possesses patient health care records is subject to the Wisconsin patient confidentiality statute. However, the converse is not true. Many custodians of patient health care records subject to the Wisconsin patient confidentiality statute are not covered entities under the Privacy Rule and consequently will not be subject to the Privacy Rule.

"Protected health information" versus "patient health care records." The Privacy Rule regulates "protected health information," which is broadly defined as information, including demographic information, that is created or received by a covered entity and relates to the physical and/or mental health or condition of the patient, the patient's health care or payment for that health care.⁹ This protected health information is somewhat broader than the "patient health care record" protected by the Wisconsin patient confidentiality statute. The Wisconsin statute refers to "records related to the health of a patient prepared by or under the supervision of a health care provider ...,"¹⁰ and is generally understood to exclude demographic or identifying information that is not combined with medical information. Consequently, the Privacy Rule regulates a broader class of information than does the Wisconsin patient confidentiality statute. Some uses and disclosures of patient information previously outside the Wisconsin statute are regulated by the Privacy Rule and thus cannot be disclosed as before in Wisconsin.

"Use" and "disclosure" versus "release." The Privacy Rule refers to the "use" and "disclosure" of protected health information. "Use" refers to sharing and employment of and access to information within a covered entity, while "disclosure" refers to the release or transfer of information outside the covered entity.¹¹ The Wisconsin patient confidentiality statute uses the term "release," which is not defined. Clearly, "release" encompasses the disclosure of information as defined by the Privacy Rule. However, "release" may also encompass the use of this information within the entity holding the information. Certain of the exceptions that allow the release of information without patient consent refer to internal activities by staff of a health care provider or other records custodian.¹² Thus, a prudent starting point for analysis of this issue is to assume that "release" in the Wisconsin statute includes both use and disclosure as defined in the Privacy Rule.

Treatment, Payment, and Health Care Operations

Both the Privacy Rule and the Wisconsin patient confidentiality statute allow disclosure of patient information by health care providers without patient authorization for treatment and for payment purposes.¹³ Neither the Privacy Rule nor the Wisconsin statute imposes significant restrictions on the exchange of information for the purpose of treating the patient. Similarly, both the Privacy Rule and the Wisconsin statute allow providers to use or disclose information to obtain payment for themselves. The Privacy Rule further allows a provider to disclose protected health information to another covered entity or health care provider so the other entity or provider may obtain payment. Comparatively, the Wisconsin patient confidentiality statute only permits the release of records "to the extent the records are needed for billing, collection, or payment of claims"¹⁴ and does not address the question of whether a provider may release patient information so that another person or organization may seek payment. As a result, it is unclear whether patient health care records may be released for this purpose without patient authorization in Wisconsin.

The Privacy Rule allows health care providers to use and disclose protected health information without patient authorization for "health care operations," including a variety of activities that are related to the provision of treatment or obtaining or processing payment, including quality assessment and improvement activities, credentialing or evaluating health care practitioners, training, underwriting, medical review, legal services and auditing, business planning and development, and business management and general administrative activities.¹⁵ Of the activities defined as health care operations by the Privacy Rule, the Wisconsin patient confidentiality statute only explicitly allows the release of patient health care records without patient authorization for medical records management and certain audits, program monitoring, accreditation and health care services review activities by health care facility staff committees or accreditation or review organizations.¹⁶ Thus, in Wisconsin the release of confidential health information for a wide range of health care operations purposes apparently requires written authorization.

It seems likely that health care providers and others have assumed that the treatment and payment activities for which disclosure is allowed by the Wisconsin statute included the activities defined as health care operations by the Privacy Rule, as evidenced by many records custodians using and disclosing patient health care records for these purposes without patient authorization. However, this assumption is called into question by the explicit definition of these terms in the Privacy Rule, clearly distinguishing between treatment and payment on the one hand and health care operations on the other. Under the Privacy Rule, these categories are treated as mutually exclusive - an activity that is a "health care operation" is not a treatment or payment activity as those terms are defined in the Privacy Rule. Applying the Privacy Rule approach to these critical categories means that disclosing patient health care records for most health care operations without patient authorization (as allowed by the Privacy Rule) violates Wisconsin law.

Informal Agreement

If a patient's "informal agreement" has been obtained, the Privacy Rule allows the use and disclosure of protected health information without written authorization for facility directories and to family members or others involved in a patient's care or payment for that care.¹⁷ An informal agreement consists of notice and opportunity to object, and may be obtained orally. The Wisconsin patient confidentiality statute does not recognize oral authorization or agreement for the release of patient health care records.

Facility directories. A variety of health care facilities, including hospitals and nursing homes, traditionally create facility directories listing their current patients or residents and make them available to the public. This information has been released without patient authorization because the patient health care records protected by Wisconsin law have not been read to include the demographic or identifying information contained in a directory (the name of the patient, his or her location in the facility, and arguably a general description of his or her condition). In Wisconsin, if this information is not part of the protected patient health care record, it may be released without written authorization. However, under the Privacy Rule this release of information is allowed only with the patient's informal agreement. Because directory information cannot be disclosed pursuant to informal agreement except to clergy and persons who ask for the patient by name, the Privacy Rule requires written authorization from the patient for publicly posted facility directories, such as those commonly used in nursing homes.

Family and friends. Although relatively straightforward from a legal perspective, the release of information to family, friends, and others involved in the patient's care or payment for care presents difficult practical issues. Except for releases to personal representatives such as the parents of a minor, court-appointed guardians, or active health care agents, the Wisconsin patient confidentiality statute contains no provision allowing the release of patient health care records to family members or others without the patient's written authorization. Thus, the common practice of discussing a patient's condition, treatment, and outlook with the patient's spouse, children, or other family members or friends without the patient's written authorization is a violation of the Wisconsin patient confidentiality statute. Health care providers and others may mistakenly believe that they are fully complying with the law when they are in compliance with the Privacy Rule, but obtaining the patient's informal agreement under the Privacy Rule for these conversations does not cure the violation, as Wisconsin law does not recognize informal agreement. Regardless of whether the Wisconsin requirement for written authorization in these circumstances is in conflict with the Privacy Rule, Wisconsin law is more stringent and will continue in effect.

Unfortunately, strict application of Wisconsin law results in termination of discussions about medical care with spouses, family members, and others that are universally regarded as productive and even necessary in managing a patient's care. The written consent of patients to disclosures of their health information to family members or others may not be difficult to obtain in treatment settings, such as hospitals or nursing homes, that have formal intake procedures conducive to obtaining this kind of documentation. For other providers in other treatment settings, this provision of Wisconsin law presents a very real dilemma, placing compliance with the law in opposition to other values and activities on which the provider may place a high value.

Exceptions for Public Benefit Activities

The Privacy Rule and the Wisconsin patient confidentiality statute both contain long lists of public benefit exceptions - activities for which the patient's written authorization (or, in the case of the Privacy Rule, informal agreement) is not required.¹⁸ While there are too many public benefit exceptions (more than 20 in the Wisconsin patient confidentiality statute alone) to discuss individually in this article, an understanding of basic principles behind the interaction of the exceptions provided under Wisconsin law and the Privacy Rule may help providers and practitioners understand how to approach these situations as they arise.

Two principles underlie the exceptions listed in the Privacy Rule. First, many of the Privacy Rule exceptions are intended to preserve to some degree those provisions of state or federal law allowing or requiring the disclosure of confidential information without the patient's permission. Second, the Privacy Rule exceptions do not displace any other state or federal law limiting the disclosure of protected health information. If there is other law, including state law, that prohibits or limits the disclosure of confidential information, then disclosure is not allowed regardless of any exception under the Privacy Rule. Thus, disclosure of protected health information without the permission of the patient to whom the information relates is generally allowed only when there are "overlapping" exceptions in both the Privacy Rule and Wisconsin law.

Preservation of existing law. Most of the Privacy Rule exceptions refer to disclosures that are otherwise required or authorized by law and thereby are intended to preserve existing law allowing disclosure without patient authorization. For example, the Privacy Rule preserves existing Wisconsin law by creating exceptions allowing disclosure to "public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect"¹⁹ and disclosure "to a health oversight agency for oversight activities authorized by law."²⁰ These Privacy Rule exceptions preserve, respectively, those provisions of the Wisconsin patient confidentiality statute allowing reporting of suspected child abuse, and allowing reporting to, or access by, various government agencies charged with oversight or licensing of health care providers.²¹

"Overlapping" exceptions. A covered entity must confirm that disclosure without a patient's authorization is allowed by both the Privacy Rule and Wisconsin law, because the exceptions created by the Privacy Rule and the Wisconsin patient confidentiality statute are not identical. For example, the Privacy Rule allows for disclosure of protected health information in response to a subpoena, discovery request, or other lawful processes that are not accompanied by a court order. On the other hand, Wisconsin allows disclosure in this situation only in response to a court order (which can encompass a subpoena signed by a judge). Hence, while the Privacy Rule allows disclosure in response to a subpoena or discovery request signed by an attorney that is unaccompanied by the patient's authorization, Wisconsin law prohibits the release of patient health care records in response to such a document.

On the other hand, some Wisconsin exceptions are broader than their counterparts in the Privacy Rule. For example, the Wisconsin patient confidentiality statute allows the release of patient information in response to a written request of a government agency to perform a legally authorized function (although this provision allows certain private pay patients to deny access).²² As a result, before a covered entity makes a disclosure in response to a written request by a government agency, it must also find an exception under the Privacy Rule allowing the disclosure - even though the written request is sufficient under Wisconsin law. Consequently, a Wisconsin provider could disclose patient information in response to a written request from a health oversight agency such as the Department of Health and Family Services (DHFS) Bureau of Quality Assurance in connection with a compliance survey or complaint investigation, because such a disclosure is allowed by both the Privacy Rule and the Wisconsin patient confidentiality statute. However, a Wisconsin provider may not disclose patient information in response to a written request from the Department of Workforce Development to conduct a study on workforce injuries, as there is no Privacy Rule exception that allows such a disclosure without patient authorization.

The overlap between the exceptions in the Privacy Rule and the Wisconsin patient confidentiality statute is significant. This is in large part because both sets of exceptions were drafted for the purpose of allowing access to information for the same basic set of public benefit activities. Of all the exceptions in the Privacy Rule, only a few have no counterpart in the Wisconsin patient confidentiality statute, including the Privacy Rule exceptions for medical surveillance of the workplace, for reporting domestic violence, reporting crime on the premises of the covered entity, and reporting crimes in emergencies. Although some exceptions from the Wisconsin patient confidentiality statute are limited by the Privacy Rule because the overlap between the Wisconsin exception and the Privacy Rule exception is not complete, it seems that all the Wisconsin patient confidentiality exceptions are at least partially preserved under the Privacy Rule.

Marketing

Demographic or contact information, such as mailing lists, is not generally considered part of the patient health care record under the Wisconsin patient confidentiality statute. Therefore, the release of this information for marketing purposes has not been significantly restricted in Wisconsin. The Privacy Rule requires patient authorization before patient mailing lists can be used for marketing, as defined by the Privacy Rule. The Privacy Rule contains a complex series of definitions and exceptions relating to the use or disclosure of protected health information for marketing activities. "Marketing" is broadly defined as any "communication about a product or service that encourages recipients of the communication to purchase or use the product or service."²³ Given the breadth of this definition, which includes a great many communications essential to the modern practice of medicine, several exceptions are carved out to allow normal patient treatment and other activities. These exceptions include communications that describe health-related products or services provided by the covered entity making the communication, communications that are part of the treatment of the patient, and communications for case management, care coordination, or to recommend alternative treatments, providers, or care settings.

Many health care providers in Wisconsin send newsletters or similar communications. A newsletter that is purely informational and does not encourage the purchase or use of a product or service is not a marketing communication as defined by the Privacy Rule. A newsletter that describes only health-related products or services provided by the covered entity sending the newsletter, or that directs or recommends alternative treatments, therapies, providers, or settings of care, is also not a marketing communication. However, a newsletter that contains any other marketing content, such as an advertisement for a health club not owned by the covered entity, or a description of the services of another health care provider that could be interpreted to encourage the purchase or use of the other provider's services, is a marketing communication and may not be sent to a patient without his or her written authorization.

Wisconsin Mental Health Statute

The Privacy Rule has relatively little effect on the current practices of Wisconsin mental health providers regarding the use and disclosure of mental health treatment records. This is because the Wisconsin mental health statute's privacy protections are generally more stringent than those of the Privacy Rule.

Mental health providers and legal practitioners should be wary of assuming that compliance with the Privacy Rule also constitutes compliance with the Wisconsin mental health statute. The Privacy Rule allows relatively broad use and disclosure of protected health information for treatment, payment, and health care operations without patient authorization, but the Wisconsin mental health statute does not. Wisconsin allows release of mental health treatment records without patient authorization for treatment purposes only within the mental health treatment facility where the patient is being treated and in emergencies.²⁴ Wisconsin allows release of mental health treatment records without patient authorization for billing or collection purposes only to the DHFS or a county department.²⁵ Finally, Wisconsin allows the release of mental health treatment records for only a handful of the health care operations recognized by the Privacy Rule, including management and financial audits, program monitoring and evaluation, and training.²⁶

The Wisconsin mental health statute's exceptions to the requirement for patient authorization are generally preserved by the Privacy Rule, as the Wisconsin exceptions tend to be narrower than the corresponding exceptions under the Privacy Rule. Relatively few of the Wisconsin mental health exceptions are limited by their Privacy Rule counterparts, because the Privacy Rule generally allows disclosure without patient authorization in a wider range of situations than does the Wisconsin mental health statute. The danger for mental health practitioners may arise from a mistaken belief that compliance with the Privacy Rule also means compliance with Wisconsin law.

Patient rights. The Wisconsin mental health statute grants mental health patients broad rights of access to their mental health treatment records as well as the right to amend their treatment records. With respect to patient rights, providers are obligated to recognize the broader grant of rights, so that a mental health patient's right to access and amend his or her records is a hybrid of the rights granted by the Privacy Rule and the Wisconsin mental health statute.

Even when the Wisconsin mental health statute would allow providers to deny patients access to their treatment records, this access must be provided unless the Privacy Rule also allows denial of access. The Wisconsin mental health statute allows the director of a treatment facility to restrict a patient's access to treatment records during the patient's treatment, except that access to records of medications and somatic treatments may not be denied.²⁷ The discretion of the treatment facility director to deny access is significantly restricted by the Privacy Rule, which only allows the denial of access in limited and defined situations. Conversely, the Wisconsin mental health statute gives a patient who has been discharged the right to access "any or all of his or her treatment records" as well as "a complete record of all medications and somatic treatments" and a copy of his or her discharge summary.²⁸ This post-discharge right of access is somewhat broader than the access rights guaranteed by the Privacy Rule. Before denying a mental health patient access to his or her treatment records, providers must make sure that both the Privacy Rule and the Wisconsin mental health statute allow such a denial.

Both the Privacy Rule and the Wisconsin mental health statute allow patients to amend their records. However, the right to amend granted by the Wisconsin mental health statute is narrower than the corresponding right under the Privacy Rule, because the Wisconsin statute only grants the right to challenge and request amendment of factual information.²⁹ Further, the Wisconsin mental health statute requires that the amendment be responded to by the provider within 30 days, which is a shorter deadline than the 60 days allowed by the Privacy Rule, and the Wisconsin statute does not recognize some of the grounds for refusal to amend that are granted by the Privacy Rule (for example, the records were not created by the provider, the records are not part of the patient's "designated record set," or the records are not subject to the patient's right of access). The compliance obligations imposed by the Privacy Rule and Wisconsin law result in a "hybrid" right of amendment combining the shorter deadline and fewer exceptions allowed by Wisconsin law for amendments of factual information with the Privacy Rule provisions that allow amendment of any other mental health treatment records.

Wisconsin HIV Test Statute

Like the Wisconsin mental health statute, the Wisconsin HIV test statute is generally more stringent than the Privacy Rule. While the Wisconsin HIV test statute allows for disclosure of HIV test results without patient authorization to health care providers who provide care to the patient, it does not allow the disclosure of HIV test results without authorization in order to obtain payment for services or for health care operations. The only exceptions are for preparation or storage of records, program monitoring and evaluation, and health care services reviews by specified organizations.

The exceptions to the requirement for written authorization by the HIV test subject under Wisconsin law tend to be narrower than their counterparts under the Privacy Rule, meaning that the Wisconsin exceptions will be preserved largely unaffected by the Privacy Rule. Most significantly, the Wisconsin HIV test statute allows disclosure of HIV test results without authorization to certain persons who may have been significantly exposed to the test subject.³⁰ The Privacy Rule, which contains an exception allowing disclosure to "a person who may have been exposed to a communicable disease ... if the covered entity or public health authority is authorized by law to notify such person,"³¹ preserves these notification provisions.

Conclusion

As of April 14, 2003 (the compliance date for the Privacy Rule for health care providers), privacy compliance in Wisconsin became a great deal more complex. Not only must health care providers come into compliance with the lengthy and complicated Privacy Rule, they must avoid two "traps for the unwary." First, they must avoid assuming that uses and disclosures of information customarily allowed in Wisconsin without patient authorization are permitted under the Privacy Rule, as the Privacy Rule imposes new restrictions on what may be done without patient authorization. Second, and perhaps more dangerous in the wake of innumerable Privacy Rule seminars and "generic" Privacy Rule compliance toolkits that do not take Wisconsin law into account, they must not assume that compliance with the Privacy Rule also amounts to compliance with Wisconsin privacy law. Wisconsin privacy law contains a number of provisions that are more stringent than the Privacy Rule and will continue to affect how health information is used and disclosed.

Endnotes

¹45 C.F.R. parts 160-164.

²Wis. Stat. § 146.82.

³Wis. Stat. § 51.30. See also Wis. Admin. Code chapter HFS 92 for accompanying regulations.

⁴Wis. Stat. § 252.15.

⁵45 C.F.R. § 160.203.

⁶Wis. Stat. § 146.82(1); 45 C.F.R. § 160.502.

⁷45 C.F.R. § 160.103.

⁸Wis. Stat. § 146.84.

⁹45 C.F.R. § 164.501.

¹⁰Wis. Stat. § 146.81(4).

¹¹45 C.F.R. § 164.501.

¹²Wis. Stat. § 146.82(2)(a)2.

¹³45 C.F.R. § 164.502(a)(1)(ii); Wis. Stat. § 146.82(2)(a)2.-3.

¹⁴Wis. Stat. § 146.82(2)(a)3.

¹⁵45 C.F.R. § 164.502(a)(1)(ii).

¹⁶Wis. Stat. § 146.82(2)(a)1.

¹⁷45 C.F.R. § 164.510.

¹⁸45 C.F.R. § 164.512; Wis. Stat. § 146.822(a).

¹⁹45 C.F.R. § 164.512(b)(1)(ii).

²⁰45 C.F.R. § 164.512(d).

²¹Wis. Stat. §§ 146.82(2)(a)5., 11.

²²Wis. Stat. § 146.82(2)(a)5.

²³45 C.F.R. § 164.501.

²⁴Wis. Stat. § 51.30(4)(b)6., 8.

²⁵Wis. Stat. § 51.30(4)(b)2.

²⁶Wis. Stat. § 51.30(4)(b)1., 6.

²⁷Wis. Stat. § 51.30(4)(d)1.

²⁸Wis. Stat. § 51.34(d)(2), (3).

²⁹Wis. Stat. § 51.30(4)(f).

³⁰Wis. Stat. § 252.15(2)(a)7m.

³¹45 C.F.R. § 164.512(b)(1)(iv).

Wisconsin Lawyer