If a state agency is not a “covered entity”, as that term is defined at 45 CFR 160.103, it is not required to comply with the HIPAA Privacy Rule and, thus, any disclosure of information by the state agency pursuant to its state public records law would not be subject to the Privacy Rule.
If a state agency is a covered entity, however, the Privacy Rule applies to its disclosures of protected health information. The Privacy Rule permits a covered entity to use and disclose protected health information as required by other law, including state law. See 45 CFR 164.512(a). Thus, where a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law.
However, where a state public records law only permits, and does not mandate, the disclosure of protected health information, or where exceptions or other qualifications apply to exempt the protected health information from the state law’s disclosure requirement, such disclosures are not “required by law” and thus, would not fall within § 164.512(a) of the Privacy Rule. For example, if a state public records law includes an exemption that affords a state agency discretion not to disclose medical or other information where such disclosure would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law, and therefore is not permissible under § 164.512(a). In such cases, a covered entity only would be able to make the disclosure if permitted by another provision of the Privacy Rule.
As an example of how the Privacy Rule would apply in the case where an exemption exists in a freedom of information law, see the December 2000 Privacy Rule preamble discussion regarding the relationship of the Privacy Rule with the federal Freedom of Information Act (64 FR 82482).