National Academies Press: OpenBook
Suggested Citation: "XV. APPLICABILITY OF OTHER FEDERAL LAWS." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

observes that “HIPAA does not prohibit non-covered entities, such as those organizations that operate electronic health record databases, from disclosing protected health information;”388 that there are also numerous “unrestricted uses of patient information outside of treatment and billing;” and that “as the number of people with access to patient information increases, so too does the risk that the security of that information may be compromised (citation omitted).”389 Yet another commentator contends that “[g]enerally, it is not the patient who decides how and when disclosure of personal health information occurs. The privacy rule, where applicable, decides (footnote omitted).”390

Of course, as discussed in this digest, most states have privacy laws, some of which are more restrictive than HIPAA. Some states’ laws, moreover, are intended to prevent the further dissemination of a person’s health information, even if the recipient of the information is not subject to HIPAA, without a specific authorization from the subject of the information.391

XV. APPLICABILITY OF OTHER FEDERAL LAWS

A. Americans with Disabilities Act and the Rehabilitation Act of 1973

According to HHS, the information protected by the two primary federal disability nondiscrimination laws, the ADA392 and the Rehabilitation Act of 1973,393 “falls within the larger definition of ‘health information’ under the Privacy Rule.”394

Although this digest does not involve the privacy of employee’s health information, it should be noted that HIPAA does not apply to employers, not even to covered entities in their capacity as an employer.395 However, employers such as transit agencies “are subject to the federal disability nondiscrimination laws and, therefore, must protect the confidentiality of all medical information concerning their applicants and employees.”396 Moreover, “[i]f an employer-sponsored group health plan is closely linked to an employer, the group health plan may be subject to ADA confidentiality restrictions,” as well as to HIPAA.397 Employers who are at “greater risk” for privacy violations are those who are handling health information that is subject to the provisions of the ADA.398

In regard to paratransit and the ADA, several transit agencies responding to the survey observed that paratransit services are subject to ADA requirements, in particular parts 27, 37, and 38 of title 49 of the C.F.R. The purpose of Part 27 is to carry out § 504 of the Rehabilitation Act. Section 27.7(a) of part 27 provides, inter alia, that

[n]o qualified handicapped person shall, solely by reason of his disability, be excluded from participation in, be denied the benefits of, or otherwise be subjected to discrimination under any program or activity that receives Federal financial assistance administered by the Department of Transportation.

Part 37 establishes the requirements for complementary paratransit service399 and the ADA paratransit eligibility standards.400 Under 49 C.F.R. § 37.125, each entity that must provide complementary paratransit must establish a process for determining ADA paratransit eligibility. The process strictly limits ADA paratransit eligibility to individuals described in 49 C.F.R. § 37.123. Section 37.131 of title 49 of the C.F.R. establishes the service criteria for complementary paratransit service under the ADA. Part 38 of title 49 of the C.F.R. provides minimum guidelines and requirements for accessibility standards under the ADA.

If a state uses FTA § 5311 funding to pay a private entity to operate a fixed route service, the department of transportation (DOT) disability nondiscrimination regulations regarding complementary paratransit service are applicable. Although state and local governments may delegate the performance of ADA functions to private entities, public entities must continue to fulfill their responsibilities to provide service to passengers.

When a public entity enters into a contractual or other arrangement (including, but not limited to, a grant, subgrant, or cooperative agreement) or relationship with a private entity to operate fixed route or demand responsive service, the public entity shall ensure that the private entity meets the requirements of this part that would apply to the public entity if the public entity itself provided the service.401

Transit agencies responding to the survey reported that they maintain strict confidentiality of their patrons’ health information that is provided for certification for paratransit service.402 However, the term “privacy” appears only once in part 37: “All documents and other information concerning the planning procedure and the provision of service shall be available, upon request, to members of the public, except where disclosure would be an unwarranted invasion of personal privacy (emphasis added).”403 The term “privacy” does not otherwise appear in parts 27, 37, and 38, nor do the terms “confidential,” “medical,” “health,” “health information,” “health records,” or “physician,” or for that matter “HIPAA.”

Metro Transit reported that it maintains the confidentiality of its records in accordance with the ADA Paratransit Eligibility Manual. In a section entitled “Observing Privacy Rights” the Manual states that

[t]he medical information that may be gathered as part of the ADA paratransit eligibility certification process should not be shared with any other party. This would include specific diagnosis provided by professionals and information about the nature of disabilities provided by the applicant. Access to eligibility files should be limited and those with access to these files should be informed and instructed to respect the privacy of applicants. This should include in-house staff as well as any third-party contractors used in the determination process.404

According to the Manual, health information obtained for certification may be shared with other transit providers, such as when they “call to obtain more detailed information about a person’s ability to travel if that person has requested service in another area as a visitor.”405

EBPC stated that it receives and maintains certain health information on riders that are certified to use the ADA paratransit program, information that comes directly from the applicant and that on occasion is verified by a medical professional. EBPC also reported that for the purpose of scheduling rides for certified riders “an electronic client file is established in the database. The client file only contains information necessary for the rider’s trip to be scheduled in a way that is safe for the rider and the driver.”406 Information in the database that may be shared with a driver includes whether mobility devices are used; whether a service animal accompanies a rider; whether a rider has vision issues; whether a rider travels with a personal care attendant; whether a rider may never be left alone; whether a rider is

cords, 2007 U. ILL. L. REV. 681, 714 (2007), hereinafter referred to as “Terry & Francis.”
388 Pasternack, supra note 8, at 827.
389 Id. at 828.
390 Ayres, supra note 42, at 982.
391 See Sections XVI.C–XVI.E.
392 42 U.S.C. § 12101, et seq. (2013).
393 29 U.S.C. § 701, et seq. (2013).
394 65 Fed. Reg. 82485. See also the Workforce Investment Act of 1988, 29 U.S.C. § 2938 (barring discrimination on the basis of disability).
395 U.S. DEP’T HEALTH AND HUMAN SERVICES, OFFICE OF THE SECRETARY, 45 C.F.R. PARTS 160 AND 164 STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION; FINAL RULE, 67 Fed. Reg. 53182, 53192 (Aug. 14, 2002), available at http://www.gpo.gov/fdsys/pkg/FR-2002-08-14/html/02-20554.htm.
396 65 Fed. Reg. 82485-82486.
397 Id. at 82486. Covered entities under HIPAA that receive federal financial assistance are subject to § 504 of the Rehabilitation Act and its regulations. See 29 U.S.C. § 794 (2013). The regulations impose restrictions on recipients of federal funds concerning “the disclosure of medical information regarding persons who apply to or participate in a federal financially assisted program or activity.” Id.
398 Philip Gordon, Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy (July 22, 2011), hereinafter referred to as “Gordon,” available at http://www.littler.com/2011/07/articles/federal-privacy-laws/two-recent-decisions-illuminate-for-employers-the-broad-contours-of-ada-confidentiality-vs.
399 49 C.F.R. § 37.121 (2013).
400 49 C.F.R. § 37.123 (2013). The section states: (a) Public entities required by § 37.121 of this subpart to provide complementary paratransit service shall provide the service to the ADA paratransit eligible individuals described in paragraph (e) of this section. (b) If an individual meets the eligibility criteria of this section with respect to some trips but not others, the individual shall be ADA paratransit eligible only for those trips for which he or she meets the criteria. (c) Individuals may be ADA paratransit eligible on the basis of a permanent or temporary disability.
401 49 C.F.R. § 37.23(a) (2013). See FTA, Paratransit Requirements for § 5311-Funded Fixed-Route Service Operated by Private Entities, available at http://www.fta.dot.gov/12325_3892.html.
402 Response of EBPC (stating that the agency is required to follow all regulations under the ADA); Response of KAT (stating that the ADA applies “only in how it relates to paratransit requirements”); Response of Pierce Transit (stating that “DOT/ADA Rules require a paratransit eligibility process which has required Pierce Transit to handle HIPAA-related information”); and Response of Whatcom (stating that it is subject to DOT and ADA laws and regulations and that it collects and maintains files “in accordance with ADA and DOT regulations for the specific purpose of authorizing and providing complementary paratransit service for disabled passengers”).
403 49 C.F.R. § 37.137(b)(2) (2013).
404 U.S. DEP’T OF TRANSPORTATION, AMERICANS WITH DISABILITIES ACT (ADA) PARATRANSIT ELIGIBILITY MANUAL, (DOT-T-93-17, Sep. 1993), hereinafter referred to as the “ADA Paratransit Eligibility Manual,” available at http://ntl.bts.gov/DOCS/ada.html.
405 Id.
406 Response of EBPC.

 How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
