14.27 Coordination with Other Laws
14.27.1 POLICY STATEMENT
In addition to being subject to HIPAA, the Health Plan may also be subject to other state and federal laws regarding medical information and privacy. The Health Plan intends to comply with all applicable state and federal laws. However if there is a conflict between the laws, the Health Plan will resolve the conflict according to this Coordination with Other Laws policy.
14.27.2 POLICY INTERPRETATION AND IMPLEMENTATION
| Floor | The HIPAA regulations are the floor above which other laws may create more narrow restrictions. No law, whether federal or state, may allow less restriction than HIPAA. |
| Apply Both Laws | If a potential conflict exists, the Health Plan shall attempt to find a way to comply with both laws. For example, if one law permits disclosure, but HIPAA does not, the Health Plan could obtain an individual authorization and succeed in complying with both laws. |
| Follow the Law that Requires Use or Disclosure | If another federal law requires disclosure or use of PHI that HIPAA prohibits, the Health Plan may use or disclose the PHI in accordance with the other federal law. This is not a violation of HIPAA. HIPAA’s privacy rules allow the Health Plan to use or disclose PHI as required by other federal laws. |
| Follow the More Specific Law | If there is a very specific law regarding use or disclosure of PHI that is in conflict with HIPAA, the more specific law should be followed. For example, if HIPAA allows an individual a right to access test results, but a specific federal law prohibits that type of disclosure, the specific law should be followed. |
| State Law Preemption | HIPAA provides for preemption of state laws that are less restrictive than HIPAA. However, HIPAA does not preempt state laws that are more restrictive. If the Health Plan encounters a conflict between HIPAA and a state law, the Health Plan should follow the more restrictive law. |
| Record Retention | A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both. |
| Privacy Officer | The Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (651) 696-6280. |
| Violations | Violations of this policy will be subject to discipline. |