Lawmakers in Tennessee are alleging that Governor Bill Haslam violated the Health Insurance Portability and Accountability Act (HIPAA) of 1996 by releasing information about government officials who are currently enrolled in Tennessee's health insurance program.
Earlier this year, Governor Haslam released the names, premium amounts, and other information about various government officials. Under Tennessee's Public Records Act, it's perfectly acceptable and legal to obtain this information. However, HIPAA's Privacy Rule states that Protected Health Information (PHI) may only be disclosed to individuals and entities that have the authority to receive it. Assuming Governor Haslam released PHI without the officials' consent, he could find himself in hot water with the Department of Health and Human Services (HHS).
So, did Tennessee Governor Bill Haslam violate HIPAA by releasing information about government officials' healthcare? While some people may argue otherwise, the general belief is that he did not violate HIPAA. There are two key pieces of information that Haslam is using in his defense. First and foremost, the information wasn't classified as Protected Health Information. Yes, it contained the names and healthcare premiums for government officials, but it didn't contain enough personally identifiable information for it to be classified as PHI. Secondly, there's no indication that the information was released by a covered entity – an element that's necessary for a HIPAA violation in this circumstance.
Andree Sophia Blumstein further explained that there's no violation here since the HIPAA Privacy Rule contains an exception that allows the disclosure of PHI when the disclosure is required by law.
“Even assuming that the information was disclosed by a covered entity and even assuming that the information is PHI, there is no violation of the HIPAA Privacy Rule. The Privacy Rule contains exceptions. As specifically applicable here, the Privacy Rule includes an exception that allows the disclosure of PHI when disclosure is ‘required by law,’” said Andree Sophia Blumstein, Slattery and Solicitor General.
In any case, this story raises some questions about when it's acceptable to disclose medical/healthcare-related information and when it's not. As stated by Blumstein, the HIPAA Privacy Rule contains several exceptions which allow the disclosure of Protected Health Information, and one of those exceptions is when it's required by law. When in doubt, though, it's generally best to err on the side of caution and not release the information.