An Ohio federal court has ruled that the confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA) do not excuse Ohio's Medicaid agency from disclosing patient information in a class action to enforce Medicaid's early and periodic screening, diagnosis and treatment (EPSDT) requirements.
The Ohio Legal Rights Service (OLRS) brought the proposed class action as the federally designated protection and advocacy agency charged with the protection of the rights of persons with mental illness, mental retardation, developmental disabilities and other disabilities. The named plaintiffs were individuals under age 21 whose disabilities made certain early childhood intervention services medically necessary.
The plaintiffs had asked for certification of a statewide class consisting of all Medicaid-eligible children up to the age of 21 who have been denied access to necessary services that should have been provided through Ohio’s EPSDT program. The Medicaid agency objected, and the court had ordered the parties to engage in discovery relevant to the class certification.
OLRS subpoenaed county agencies involved in the administration of the Medicaid and EPSDT programs to provide information on Medicaid recipients who might qualify as members of the proposed class. The counties and administrators of the Medicaid program argued that disclosure of this private health information was prohibited under Medicaid law, HIPAA and Ohio law.
Medicaid law
Soc. Sec. Act §1902(a)(7)(A) limits disclosure of protected information about Medicaid beneficiaries to purposes directly connected with the administration of the state Medicaid plan. The court found that 42 C.F.R. §431.302, which provides that establishing eligibility, determining the amount of medical assistance and providing services to recipients are directly connected with plan administration, permitted disclosure to OLRS in litigation concerning enforcement of Medicaid requirements. The court noted that OLRS was a particularly appropriate recipient of this information because of government-created role in the protection of patient's rights.
HIPAA requirements
The agencies' HIPAA argument also failed. The court noted that HIPAA, which prohibits many unconsented disclosures of private health information, permits disclosure: (1) when required by law; (2) to a health oversight agency for oversight activities authorized by law; and (3) in the course of administrative or judicial proceedings. OLRS qualified as a health oversight agency engaged in authorized oversight activities, so disclosures to it were permissible under HIPAA. Because the information was an appropriate subject of discovery in the litigation, disclosure in the litigation was not barred. The court directed the parties to negotiate the terms of an appropriate protective order to prevent unauthorized disclosure.
The Medicaid agency also argued that Ohio law contained more stringent protections of private health information than federal law and barred disclosure. However, the court ruled that the state law of privilege could not be applied in litigation in federal court to enforce rights under federal law.
SOURCE: G.D. v. Riley, S.D. Ohio, July 27, 2007.
For more information on this and related topics, consult the CCH® Medicare and Medicaid Guide.
Visit our News Library to read more news stories.
