There are no published California cases discussing the intersection of the CPRA and the Health Insurance Portability and Accounting Act of 1996 (HIPAA) (42 U.S.C. § 1320(d)). Generally, Section 7927.705 of the CPRA authorizes an agency to withhold “[r]ecords, the disclosure of which is exempted or prohibited pursuant to federal or state law, including, but not limited to, provisions of the Evidence Code relating to privilege.” Cal. Gov’t Code § 7927.705.
HIPAA’s protections extend to “health information,” and “individually identifiable health information,” as those terms are defined under Section 1320(d). Even when records implicate such information, however, HIPAA authorizes disclosure or protected health information to the extent such disclosure is “required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” CFR §164.512(a)(1). Interpreting this provision, other courts have held that the disclosure mandates of a state’s public records act allows disclosure of protected health information under HIPAA even absent require authorizations. See, e.g., Adams Cty. Historical Soc’y v. Kinyoun, 765 N.W. 2d 212 (2009); Cincinnati Enquirer v. Daniels, 844 N.E. 2d 1181, 1187-88 (Ohio 2006); Abbott v. Texas Dep’t. of Mental Health, 212 S.W. 3d 648 (Tex. App. 2006). This is so even if the open records laws do not specifically require disclosure of public records generally absent specific exemptions. See Abbott, 212 S.W. 3d at 663 n. 10, 664. Thus, courts have ruled that in considering exemptions under a state’s open records act, the public agency may not rely on HIPAA’s privacy rule to thwart disclosure. Id. (citing 65 Fed. Reg. at 82482 and discussing federal Freedom of Information Act disclosure laws as qualifying under Section 164.512(a)). California courts likely would follow suit.