Dear Ms. Milstein:
This letter responds to your request for a formal legal opinion concerning the Office of the Child Advocate’s (“Child Advocate”) right to obtain records from entities covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. § 1320d et seq, when requested by the Child Advocate to fulfill her statutory duties and responsibilities. As discussed below, we conclude that because state law specifically authorizes the Child Advocate to obtain confidential information, the exception to HIPAA’s privacy provisions for disclosures "required by law" applies, and HIPAA does not prevent the Child Advocate from requesting protected health information and does not provide a proper basis for entities receiving such requests to refuse to provide the relevant information based on a lack of patient consent.
By way of background, HIPAA and its regulations protect the privacy of information related to an individual’s health, treatment or health care payment. They generally limit the use or disclosure of individually identifiable health information by covered entities, such as health care providers, without patient consent. However, numerous exceptions apply to the consent requirement.
We conclude that one of these exceptions, 42 C.F.R. § 164.512(a), clearly applies here and allows the Child Advocate, in furtherance of her Conn. Gen. Stat. § 46a-13l duties and within the scope of her powers under Connecticut law, to obtain health information that HIPAA would otherwise protect from disclosure without the patient’s consent. The applicable exception permits disclosures of health information that are “required by law.” 42 C.F.R. § 164.512(a). Specifically, the regulation allows covered entities to disclose information without patient consent “to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” 42 C.F.R. § 164.512(a)(l). The phrase “required by law” is defined as
a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information that is enforceable in a court of law, [including] subpoenas or summons issued by . . . a governmental inspector general, . . . an administrative body authorized to require the production of information . . . [or] a civil or authorized investigative demand.
42 C.F.R. § 164.103 (defining “required by law”). This definition is intended to be read broadly and encompasses mandates imposed by state, as well as federal, law. Final Commentary to HIPAA Regs., 65 Fed. Reg. 82462, 82668 (Dec. 28, 2000).
Connecticut law grants the Child Advocate “access to, including the right to inspect and copy, any records necessary” to carry out her duties, including her investigatory duties. Conn. Gen. Stat. § 46a-13l(a) (setting forth the duties of the Child Advocate, including to investigate complaints) and § 46a-13m(a) (providing access to information necessary to carry out duties) (emphasis added). The Child Advocate has such access “[n]otwithstanding any provision of the general statutes concerning the confidentiality of records and information.” Conn. Gen. Stat. § 46a-13m(a).1 Thus, Connecticut law requires that covered entities disclose health information to the Child Advocate on her request.2 As a result, the "required by law" exception of 42 CFR §164.512(a) applies to requests by the Child Advocate for information necessary to carry out her statutory responsibilities, and HIPAA does not limit the Child Advocate’s access to such information, or provide a basis for covered entities to object to such access based on a lack of patient consent. See U.S. Dept. of Health and Human Serv., May a Covered Entity Disclose PHI to a Protection and Advocacy System Where the Disclosure is Required by State Law? (Answer ID 909) (noting that where disclosures are required by law the general “minimum necessary” standard does not apply and “a covered entity cannot use the Privacy Rule as a reason not to comply with its other legal obligations”).3
Accordingly, we conclude that Connecticut law gives the Child Advocate the specific right to request information, including confidential information, necessary to carry out her duties and responsibilities. HIPAA does not operate to limit the Child Advocate’s access to information necessary to carry out her responsibilities under Connecticut law and does not provide a proper basis for covered entities to object to requests by the Child Advocate for such information based on a lack of patient consent. 4
Very truly yours,
RICHARD BLUMENTHAL
ATTORNEY GENERAL
1 The Child Advocate is subject to the confidentiality provisions of Conn. Gen. Stat. § 46a-13n.
2 Should the recipient of the Child Advocate’s request refuse to provide the information sought, the Child Advocate may issue a subpoena to compel the production of the information and that subpoena is enforceable in Superior Court. Conn. Gen. Stat. § 46a-13m(a) & (c). HIPAA imposes independent requirements on such subpoenas and we recommend that the Child Advocate contact this office prior to issuing a subpoena for medical records for advice on compliance with those requirements. See 45 C.F.R. § 164.512(e).
3 Although HIPAA generally does not govern disclosures required by state law, it does impose conditions on such disclosures where they involve (1) victims of abuse or neglect or domestic violence (not including child abuse); (2) judicial or administrative proceedings; or (3) disclosures for law enforcement purposes. 42 C.F.R. § 164.512(a)(2).
4 Other exceptions to HIPAA for governmental authorities "authorized by law to receive reports of child abuse or neglect" (45 C.F.R. §164.512(b)(i)(ii)), and for health oversight activities authorized by law, may also apply to the Child Advocate and provide further support for the conclusion that HIPAA does not prevent her from accessing health information necessary to the performance of her duties under Connecticut law. Conn. Gen. Stat. § 46a-13l(a)(3) and 46a-13l(g); 45 C.F.R. § 164.512(d); see Ohio Legal Rights Serv. v. The Buckeye Ranch., 365 F. Supp. 2d 877, 891-93 (S.D. Ohio 2005) (holding that state agency protecting rights of persons with mental illness performed health oversight activities and could invoke HIPAA exception). Because it is clear that the exception discussed above applies, we need not address these additional exceptions.
