Don’t Forget About State Law: Michigan Decision Reminds Health Care Providers of HIPAA Preemption Issue
Phillip C. Ross is a summer associate at Robinson, Bradshaw & Hinson, P.A. and a rising third-year student at Wake Forest University School of Law.
Many health care providers and other individuals and entities who deal with sensitive patient information may assume that if they comply with the Health Insurance Portability and Accountability Act (“HIPAA”), they need not worry further about the proper use or disclosure of patient data. However, a recent Michigan Court of Appeals decision served as a reminder to those individuals and entities that they must not only ensure compliance with HIPAA, but also any state laws that are more demanding than HIPAA.
HIPAA establishes regulations for the use and disclosure of Protected Health Information (“PHI”) held by “covered entities” (pdf) and “business associates.” PHI is any information held by a covered entity related to health status, provision of health care, or payment for health care that can be linked to an individual.
In Isidore Steiner, DPM, PC v. Marc Bonanni, No. 294016 (Mich. Ct. App. Apr. 7, 2011), the Michigan Court of Appeals held that HIPAA acts as a federal “floor” in establishing standards for the privacy of patients’ PHI. Although Bonanni was decided under Michigan law—and thus is not binding on other states—the decision is likely to be consistent among courts in other states.
