But HIPAA protects me! Well no…
What in the world is HIPAA and what does it do? I hear this question a lot and have learned over the years that many people do not understand what HIPAA is and what rights it protects. With the passage of SQ 788 and everyone’s questions about privacy, legality, guns, and jobs regarding cannabis I thought it was important that we talk about what HIPAA is and what it does.
First, HIPAA stands for Health Insurance Portability and Accountability Act of 1996. No one wants to write that long title out let alone remember it so it was quickly abbreviated to HIPAA.
The law has 5 titles or sections which address different things relating to health care and health insurance as follows:
Title 1 – Health Insurance for displaced workers, pre-existing condition limitations, continued coverage
Title II – administrative simplification of health care by creating national standardized health care coding & transactions, reduction of fraud, and creation of “covered entities.” It also established the Privacy Rule.
Title III – pre-tax medical spending accounts
Title IV – group health plan guidelines
Title V – company-owned life insurance policies.
Most people in their everyday life are concerned about the Privacy Rules. Have you tried to obtain your medical records recently? It seems similar to getting a mortgage. You have to provide everything but the blood type of your first born especially if you are trying to obtain records for someone other than yourself. The reason this is such a pain in the privacy rules of HIPAA.
First, the Privacy Rule only applies to “covered entities.” If a business does not meet the definition of a “covered entity” under HIPAA they are not subject to the HIPAA privacy rule or the so-called protections against the disclosure of your health information. Your lawyer is not a covered entity. DHS is not a covered entity. Your friend’s mother’s sister’s cousin who saw your health records is not a covered entity. It may not be appropriate for them to disclose certain health information but the disclosure does not violate HIPAA if they are not a covered entity.
So who are covered entities? They are health plans, health clearinghouses, and health care providers who transmit health information in electronic forms. The US Health and Human Services website www.hhs.gov has a great information sheet that provides a lot of information about the privacy rule and how it applies.
I’ve seen lots of statements recently about the OMMA or OSBI “violating HIPAA” if they give over certain information. IF the OMMA or OSBI do not satisfy the definition of health plans, health clearinghouses, and health care providers who transmit health information in electronic forms then they aren’t HIPAA covered entities and your information is not protected from disclosure due to HIPAA. The HHS information sheet gives exact definitions of these entities.
Another way to know if a business or organization is a HIPAA covered entity is by considering whether the entity gave you notice of your rights and the privacy practices. HIPAA requires covered entities to provide notice of their privacy practices to consumers. This is why when you go to your doctor’s office you get a packet of information that says “Notice Of Privacy Rights” across the top or front of the document. The notice is required to advise the patient the ways that the protected health information may be used and disclosed. If you did not get a Notice of Privacy Rights from your lawyer, state agency or other entity then it’s time to start questioning whether they are in fact a covered entity. Again if not a covered entity then you don’t have HIPAA privacy rights.
Notice must be provided at the beginning of services being offered, by posting notice at the facility, by furnishing it as soon as practical in emergency situations, upon request and electronically available on the entity’s website. Covered entities that directly treat a patient must obtain a written acknowledgment of receipt of privacy rights. So, if on the first instance you use someone you believe is a provider and if you don’t receive the HIPAA privacy rules at the beginning of your appointment, if they aren’t posted at the facility, if they aren’t on the website and/or no one gave you a form to sign acknowledging that you were provided these rights, then this is a very good indication that you are not dealing with a HIPAA covered entity. If after all that and you still think you are dealing with a HIPAA covered entity and you haven’t been advised of your rights, the lawyer’s advice is to run quickly in the other direction because the provider doesn’t know what is supposed to be done.
Additionally, when HIPAA was enacted Congress acted so as to “preempt the field” on this issue. What this means is Congress took the required affirmative action necessary to say that they are the only arbiters of this area of law and conflicting state law is trumped by federal law. Your state cannot have a state provision making a business or agency a HIPAA entity when the agency doesn’t meet the definitions under federal law.
If you will now notice there are no HIPAA privacy disclosure on the OMMA website or the OSBI website. This is because the OMMA and the OSBI are not HIPAA covered entities. Therefore, if these entities give out your information they are not violating HIPAA in doing it.
Medical cannabis businesses are not covered entities. Medical cannabis businesses are illegal under federal law and HIPAA is federal law. Your patient information is only as private with these entities as you keep it and that they take efforts to protect. This means that it is possible for law enforcement to get copies of patient listings and harass you and it doesn’t violate HIPAA. OMMA can send notice to your employer and it doesn’t violate HIPAA. OMMA can broadcast your entire medical history to everyone and it doesn’t violate HIPAA because OMMA is not a HIPAA covered entity and is therefore not subject to the privacy protection requirements in the law. If you search the OMMA website for “HIPAA” it returns “No results were found for HIPAA”
All of this is important to know so that when you are dealing with your private health care information you understand who can and cannot disclose information. Additionally, if you as the patient put your information out into the public realm such as Facebook, Instagram or Twitter, there are no social media HIPAA protections to prohibit redisclosure by unscrupulous individuals.
HIPAA is not the be all or end all on the protection of your private health information. You are the protector of that information. If you do not want the government to have that information or for a friend to have it then you have to understand that your rights under the legalization of cannabis under SQ 788 are very limited and that much of the information can be disclosed. If you do not want that information getting out into the public realm and then you as a consumer have to decide who is going to know your information and to what extent. A broad federal law is not going to jump in and save you from yourself and your own disclosure of information.
About The Author
Rachel Bussett-Simco is a trial attorney and has been practicing law in Oklahoma for the last 15 years. She is the owner of Bussett Legal Group a boutique full-service law firm in Oklahoma City. Rachel and her team are the attorneys leading the fight to ensure proper implementation of SQ 788 in Oklahoma and are poised to be one of the only law firms in Oklahoma that will be able to provide services to all aspects of the medical cannabis industry in Oklahoma. The firm practices in all areas including civil litigation, business law, employment, criminal, family, personal injury, bankruptcy, social security, and tribal matters. Rachel is licensed to practice in all of Oklahoma’s state and federal courts, the 10th circuit court of appeals, the Chickasaw Nation, and the State of Missouri. In addition to her legal practice, Rachel is the President of Scissortail Acceleration Company, a preeminent cannabis consulting business in Oklahoma.