HEALTHCARE / PRIVACY LAW
Health Information Privacy:
The Federal Floor's State Elevator
September 7, 2001
By Christopher C. Gallagher*
Glasser LegalWorks conference "HIPAA Privacy Compliance"
July 25, 2001, Washington, D.C.
September 20-21, 2001, Chicago, Illinois
Download this document:
healthprivacy.pdf (9 pages, 156 kb)
Introduction
If you are in the health care benefit business as an insurer, a health plan or a third party administrator (TPA), your world has been significantly altered by the passage of two federal laws whose privacy rules govern your use and disclosure of personal information. Your business will never be the same. Complex and somewhat inconsistent regulations now affect your business model and corporate culture. The management of health information is now afflicted with complex choice of law issues that add further stress.
Ironically, these comprehensive federal laws could help resolve the chaos resulting from today's patchwork of state health information protection laws, but they probably won't, because in fact they offer no preemptive uniformity. Indeed, for multi-state operations they have only made matters worse.
Beginning July 1, 2001 in most states, Gramm-Leach-Bliley (GLB) regulates the use and disclosure of health information by insurance "Licensees." HIPAA's Privacy Rule, now in place, is subject to change at the margin, but it is here to stay. Mandatory compliance begins April 14, 2003. It applies directly to health plans, and indirectly to those who do business with health plans. Most companies that deal with health information must observe both GLB and HIPAA. Planning for coordinated compliance must be undertaken now.
This presentation is designed to assist in this dual compliance process. It briefly explains the common principles underlying both laws. It walks through HIPAA's reverse "preemption" process, then examines GLB's so-called "Sarbanes Amendment," which also defers to existing state privacy protection law. By focusing on health insurance, health plans and health management TPAs, it offers guidance for regulatory compliance until today's uncertainties are cleared up by the Courts or the Congress.
Finally, this presentation is likely to demonstrate how the promised stability of the proliferating "federal floor" doctrine is becoming a policy nightmare more likely to result in consumer confusion than consumer protection.
Choice of law and conflicts issues are always difficult. Applying two different reverse preemptions is daunting. Identifying existing state law, then moving through the comparative evaluation processes of HIPAA and GLB is highly labor-intensive, especially for multi-state operations. But however counterintuitive it may seem, it is very clear that these federal laws protect the powers of states to regulate privacy protection. They firmly establish the doctrine of a "federal floor," which means that their federal directives must yield to stronger state laws.
Indeed, GLB goes even further by offering to transfer the actual design and enforcement of its precepts to state insurance authorities. With insurance, GLB itself will vary among the individual states. Health information privacy law uniformity is now dependent upon the discretion of powerful state insurance commissioners, who realize that nationwide uniformity is important, but still regard state sovereignty as sacred. Moreover, health information privacy and security are politically charged, and likely to attract publicized enforcement. It thus becomes critical to comply correctly, however difficult.
Covering:
The Common Principles
Health Benefit Providers
HIPAA
GLB
Health Insurers
Health Plans
Third Party Administrators
Conclusion
*Christopher C. Gallagher is admitted in New Hampshire.