TO: Commercial Health Insurers, Blue Cross and Blue Shield of Massachusetts, Inc., and Health Maintenance Organizations
FROM: Julianne M. Bowler, Commissioner of Insurance
DATE: March 7, 2003
RE: HIPAA Privacy Notices and Preemption of State Law as it Pertains to Privacy Notices

The purpose of this bulletin is to ensure that all carriers who issue privacy notices pursuant to the requirements of Title 45 of the Code of Federal Regulations ("CFR") Parts 160 and 164 are aware of and carefully take into consideration the preemption issue presented by the federal law and Chapter 175I of the Massachusetts General Laws ("M.G.L.").


On December 28, 2000, the federal government's Secretary of Health and Human Services ("HHS") released final privacy regulations relating to the protection of patients' individually identifiable health information as mandated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). On August 14, 2002, HHS issued the final set of modifications to the regulations. According to 45 CFR 164.534, most covered entities are to comply with the federal regulatory requirements by April 14, 2003, with the exception of small health plans (those with annual receipts of $5 million or less) who must comply by no later than April 14, 2004. Detailed information about the privacy rule is available at

Massachusetts Law

M.G.L. c. 175I, "Insurance Information and Privacy Protection," governs the disclosure and use of personal information by an insurance institution, insurance representative or insurance-support organization which, in the case of life, health and disability insurance, collects, receives or maintains information in connection with an insurance transaction or engages in an insurance transaction with a natural person who is a resident of the Commonwealth. The particular sections of Massachusetts law that appear to be pertinent in the process for determining whether state law or federal law is applicable are as follows:

  • Section 4 - Notice of information practices contents;
  • Section 6 - Use of forms authorizing disclosure of personal or privileged information as disclosure authorization forms; limitations;
  • Section 8 - Personal information collected; availability to individuals;
  • Section 9 - Corrections to factual errors or misrepresentations in recorded personal information; notification of corrections;
  • Section 10 - Adverse underwriting decisions; statement of specific reasons to applicant, policyholder or individual proposed for coverage;
  • Section 11 - Previous adverse underwriting decisions; requests for information; and
  • Section 13 - Disclosure of personal or privileged information; restrictions.

Preemption of State Law

Under the federal law, if the federal law and state law are contrary to the extent that both cannot be applied, it must be determined which law applies. Generally, a state law is preempted if it conflicts with the federal law. Under certain specific exceptions, a state law can be saved from preemption. One of these exceptions is if the state law is "more stringent." As defined in 45 CFR 160.202, a state law is considered "more stringent" if it meets one or more of the following criteria:

  • With respect to use or disclosure, state law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under the federal law, except if the disclosure is either (1) required by the Secretary of HHS in connection with determining compliance with federal law or (2) to the individual who is the subject of the individually identifiable health information. 45 CFR 160.202(1);
  • With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of such information, state law permits greater rights of access or amendment. 45 CFR 160.202(2);
  • With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, state law provides the greater amount of information. 45 CFR 160.202(3);
  • With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of such information, state law provides requirements that narrow the scope or duration, increase the privacy protections afforded, or reduce the coercive effect of the circumstances surrounding the express legal permission. 45 CFR 160.202(4);
  • With respect to recordkeeping or requirements relating to accounting of disclosures, state law provides for the retention or reporting of more detailed information or for a longer duration. 45 CFR 160.202(5); or
  • With respect to any other matter, state law provides greater privacy protection for the individual who is the subject of the individually identifiable health information. 45 CFR 160.202(6).

Other specific exceptions to state law preemption under the federal law are:

  • The determination by the Secretary of HHS under 45 CFR 160.204 that the provision of state law is necessary as described under 45 CFR 160.203(a);
  • The provision of state law, including state procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. 45 CFR 160.203(c); or
  • The provision of state law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals. 45 CFR 160.203(d).

The Division of Insurance ("Division") is currently reviewing the federal law to determine in which instances state law is preempted. In order that residents of the Commonwealth are aware that additional rights may be available under Massachusetts law, the Division requests that carriers make this clear within their privacy notices. Carriers are not required to file privacy notices with the Division. Privacy notices submitted to the Division will be placed on file and not reviewed.

If you should have any questions regarding this bulletin or in determining whether Massachusetts law is preempted, please contact the Office of the General Counsel at 617-521-7309.