HOW THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) AND OTHER PRIVACY LAWS AFFECT PUBLIC TRANSPORTATION OPERATIONS

By Larry W. Thomas, The Thomas Law Firm, Washington, DC

I. INTRODUCTION

This digest analyzes the Health Insurance Portability and Accountability Act of 1996[1] (HIPAA) and other privacy laws as they affect transit agencies that possess health information about their patrons, usually to qualify for paratransit services.

Paratransit, an alternative to fixed route transit service, includes the specific type of transit required by the Americans with Disabilities Act[2] (ADA), as well as all other demand-responsive transit services described in Section IX of this digest.[3] Whereas fixed route service provides regular service along prescribed routes with designated stops or stations, paratransit service responds to specific calls or requests to transport patrons to their destinations, i.e., origin-to-destination transportation service. As defined in title 49 of the Code of Federal Regulations (C.F.R.), paratransit service provides “‘comparable transportation service required by the ADA for individuals with disabilities who are unable to use fixed route transportation systems.’”[4] The ADA “put all transit operators into the paratransit business” that receive federal financial assistance administered by the Department of Transportation.[5]

[1] Pub. L. No. 104-171, 110 Stat. 1936 (1996).
[2] Pub. L. No. 101-336, 104 Stat. 327 (1990).
[3] Roy Lave & Rosemary Mathias, State of the Art of Paratransit, MILLENNIUM PAPERS, Transportation Research Board of the National Academies, Washington, D.C., hereinafter referred to as “Lave & Mathias,” available at http://onlinepubs.trb.org/onlinepubs/millennium/00107.pdf.
[4] GOV’T ACCOUNTABILITY OFFICE, GAO-13-17, ADA Paratransit Services: Demand Has Increased, but Little is Known about Compliance, at 1 (Nov. 15, 2012) (quoting 49 C.F.R. § 37.3 in letter, dated Nov. 15, 2012, to the Hon. Tim Johnson and the Hon. Richard C. Shelby, Committee on Banking, Housing, and Urban Affairs, United States Senate), hereinafter referred to as “GAO Paratransit Report,” available at http://www.gao.gov/products/GAO-13-17.
[5] Lave & Mathias, supra note 3, at 1 (stating that the ADA requires “unconstrained ADA complementary paratransit service for eligible persons with disabilities who cannot use fixed-route transit”); see 49 C.F.R. part 27 and § 27.7(a).

In providing paratransit service, transit agencies may receive and maintain health information on patrons in connection with applications, certifications by physicians, and requests for service, as well as create databases that include the identity of patrons and their destinations and the purpose of, or reason for, requested service. Moreover, state and local government agencies may contract with a transit agency to serve as a broker to provide coordinated transportation services. Coordinated transportation services typically provide service to ADA-patrons, Medicaid-recipients, and beneficiaries of other federal and state programs. A patron or his or her agent may provide health information directly to a transit agency or authorize a covered entity (e.g., a health care provider) to disclose health information to a transit agency. Of primary concern for this digest is whether the privacy and security rules established by HIPAA apply to transit agencies possessing health information on their patrons.

In brief, this digest concludes that a transit agency is not subject to HIPAA’s privacy and security rules because of the need to have health information provided by patrons (or an entity covered by HIPAA that patrons authorize to provide to the agency) to qualify for paratransit services. A transit agency is subject to HIPAA only if the transit agency meets HIPAA’s definition of a business associate (or is a subcontractor of a business associate subject to HIPAA) under 45 C.F.R. § 160.103 of the HIPAA rules. A person or entity meeting HIPAA’s definition of a business associate of a person or entity covered by HIPAA (e.g., a health care provider) must have a business associate agreement in accordance with 45 C.F.R. § 164.504(e)(2) of the HIPAA rules. Even though some transit agencies have business associate and subcontractor agreements that state that HIPAA applies to the agreements, it does not appear that transit agencies meet HIPAA’s definitions of a business associate or subcontractor of one. There are many persons and entities in the United States that receive or have individuals’ health information, but are not subject to HIPAA.

Even if HIPAA does not apply to a person or entity that receives health information, some state statutes impose an obligation on a person or entity not to disclose health information without an individual’s reauthorization of its disclosure. Even in the absence of a state statute, persons or entities that disclose an individual’s health information may be subject to civil claims under state constitutional or statutory provisions or at common law for invasions of privacy and other claims in tort or for breach of contract.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information (PHI) as defined by HIPAA. Part II of this digest discusses HIPAA and the most recent amendments to the Act by the Health Information Technology for Economic and Clinical Health Care (HITECH) Act of 2009[6] that was included in the American Recovery and Reinvestment Act of 2009 (ARRA).[7] This digest discusses the most recent final rule (January 2013) issued by the United States Department of Health and Human Services (HHS) on HIPAA in response to HITECH.

This digest explains HIPAA’s application to covered entities, business associates of covered entities, subcontractors of business associates, and hybrid entities (Sections III to VI). This digest analyzes how PHI is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by HHS in its most recent final rule (Sections VII and VIII). This digest discusses whether a transit agency is subject to HIPAA either by receiving health information from patrons or by receiving PHI from a covered entity (Section IX).
This digest discusses other important aspects of HIPAA including whether PHI must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law (Section X). Other sections of this digest explain when HIPAA preempts state law (Section XI); the administrative enforcement of HIPAA by HHS (Section XII); and whether judicial claims under the United States Constitution or a federal statute may be brought for a wrongful use or disclosure of PHI (Section XIII). This digest concludes the discussion of HIPAA with a brief literature review of HIPAA (Section IX).

[6] Pub. L. No. 111-5, tit. XIII, 123 Stat. (2009), 115, 42 U.S.C. § 17921.
[7] Pub. L. No. 111-5, 123 Stat. 115 (2009).

Because the law on the privacy of health information is “highly fragmented,”[8] the remainder of the digest discusses the privacy of health information under other federal and state laws. This digest analyzes the ADA and regulations (Section XV) and other federal laws’ applicability to the privacy of health information (Section XV and Appendix A).

This digest highlights state laws that prohibit the disclosure of health information without an individual’s reauthorization of disclosure (Sections XVI and XVII) and discusses civil actions that may be brought under state law for the wrongful use or disclosure of one’s health information (Section XVII).

This digest also discusses whether HIPAA applies to registries or databases that transit agencies may want to create on patrons and their health requirements for use during emergency operations (Section XVIII).

Finally, to the extent not discussed elsewhere herein, this digest discusses the industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information (Section XIX).
A survey was used to determine if transit agencies receive health information from patrons or receive PHI from covered entities or a business associate of a covered entity. The survey was not conducted for the purpose of an empirical study or analysis. Rather, the survey sought to determine if transit agencies have health information on patrons and how they acquire and protect the information. The transit agencies’ responses to the survey are discussed throughout this digest and in Section XIX.

Of 48 transit agencies that responded to the survey, 17 agencies reported having health information on individuals for whom the agencies provide transportation to doctors, hospitals, clinics, or other health care providers and locations.[9] As

[8] Eric S. Pasternack, HIPAA in the Age of Electronic Health Records, 41 RUTGERS L. J. 817, 830 (2010), hereinafter referred to as “Pasternack.”
[9] East Bay Paratransit Consortium (EBPC) on behalf of AC Transit, Oakland, CA; Greater Attleboro-Taunton Regional Transit Authority (GATRA), Taunton, MA; Greater New Haven Transit District (New Haven Transit), Hamden, CT; Hillsborough Area Regional Transit Authority (HART), Tampa, FL; Kitsap Transit (Kitsap), Bremerton, WA; Knoxville Area Transit (KAT), Knox-