On October 19, 2017, the Oregon Supreme Court denied a public records request by The Oregonian Publishing Company, LLC (The Oregonian), a newspaper, to Oregon Health and Sciences University (OHSU), a public health and research university. The Oregonian’s request sought information in tort claim notices involving OHSU patients and students. The Court concluded that for the patient notices, the requested information contained protected health information (PHI), the disclosure of which is prohibited by the federal Health and Insurance Portability and Accountability Act of 1996 (HIPAA) and, specifically, the HIPAA Privacy Rule, which regulates the confidentiality of PHI. The Court remanded the issue of whether tort claims filed by students were exempt from disclosure under the federal Family Educational Rights and Privacy Act (FERPA). This alert explains the Court’s decision and provides recommendations to HIPAA-covered entities, including institutions of higher education.
The Court’s Decision
The case arose when, pursuant to Oregon’s public records law, The Oregonian requested a list of tort claims filed against OSHU, including claim number, claimant full name, attorney full name, date of alleged tort, date of tort claim notice and whether it is closed or open. The request applied to a number of types of tort claims. OSHU objected to certain of the disclosures, citing prohibitions under HIPAA, FERPA and Oregon state law.
The Court determined that, with respect to the patient claims, the information requested fell within the scope of the definition of PHI under HIPAA. HIPAA defines PHI to include individually identifiable information that is transmitted or maintained in any form or medium. The Court reasoned the requested information contained identifiers that, in combination, qualify as PHI. Further, the Court noted that in order for PHI to be considered de-identified and thus not subject to the Privacy Rule protections, 19 separate identifiers must all be removed, “including the very information requested by The Oregonian here.” Consequently, OSHU could not disclose the PHI without patient authorization unless an exception under HIPAA applied.
While The Oregonian argued that the disclosure was permissible because there is a HIPAA exception for disclosures “required by law,” the Court explained that the applicability of that exception is dependent upon state law. Here, the Court reasoned that Oregon’s public record request law exempts from disclosure certain confidential information. Since Oregon law designates PHI as confidential, Oregon law prohibits disclosure of the PHI without a patient’s written authorization.
The Court declined to analyze whether FERPA, which protects student education records, prohibited the disclosure of tort claims brought by students against OHSU because the parties had not sufficiently developed their arguments on the issue. Accordingly, the Court remanded this issue to the circuit court for further review.
Takeaways for HIPAA-Covered Entities
In light of this decision, HIPAA-covered entities, including higher education institutions that are HIPAA-covered entities, should:
- Understand what constitutes PHI and the requirements to protect PHI under the HIPAA Privacy Rule;
- Ensure there are appropriate policies and procedures in place to protect the confidentiality of PHI;
- Train employees in the handling of PHI; and
- Consult an attorney when a non-routine request for information is received.