Attorney General's Opinion
Attorney General, Richard Blumenthal
March 30, 2007
Honorable Jeanne Milstein
Office of the Child Advocate
18-20 Trinity Street
Hartford, CT 06106
Dear Ms. Milstein:
This letter responds to your request for a formal legal opinion concerning the
By way of background, HIPAA and its regulations protect the privacy of information related to an individual’s health, treatment or health care payment. They generally limit the use or disclosure of individually identifiable health information by covered entities, such as health care providers, without patient consent. However, numerous exceptions apply to the consent requirement.
We conclude that one of these exceptions, 42 C.F.R. § 164.512(a), clearly applies here and allows the Child Advocate, in furtherance of her Conn. Gen. Stat. § 46a-13l duties and within the scope of her powers under Connecticut law, to obtain health information that HIPAA would otherwise protect from disclosure without the patient’s consent. The applicable exception permits disclosures of health information that are “required by law.” 42 C.F.R. § 164.512(a). Specifically, the regulation allows covered entities to disclose information without patient consent “to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” 42 C.F.R. § 164.512(a)(l). The phrase “required by law” is defined as
a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information that is enforceable in a court of law, [including] subpoenas or summons issued by . . . a governmental inspector general, . . . an administrative body authorized to require the production of information . . . [or] a civil or authorized investigative demand.
42 C.F.R. § 164.103 (defining “required by law”). This definition is intended to be read broadly and encompasses mandates imposed by state, as well as federal, law. Final Commentary to HIPAA Regs., 65 Fed.
Accordingly, we conclude that
Very truly yours,
Assistant Attorney General
1 The Child Advocate is subject to the confidentiality provisions of
2 Should the recipient of the Child Advocate’s request refuse to provide the information sought, the Child Advocate may issue a subpoena to compel the production of the information and that subpoena is enforceable in Superior Court.
3 Although HIPAA generally does not govern disclosures required by state law, it does impose conditions on such disclosures where they involve (1) victims of abuse or neglect or domestic violence (not including child abuse); (2) judicial or administrative proceedings; or (3) disclosures for law enforcement purposes. 42 C.F.R. § 164.512(a)(2).
4 Other exceptions to HIPAA for governmental authorities "authorized by law to receive reports of child abuse or neglect" (45 C.F.R. §164.512(b)(i)(ii)), and for health oversight activities authorized by law, may also apply to the Child Advocate and provide further support for the conclusion that HIPAA does not prevent her from accessing health information necessary to the performance of her duties under Connecticut law.