Application of Nevadas Medical Information Confidentiality Law under the HIPAA Privacy Standards

In contrast, most of Nevada’s confidentiality laws were drafted at a time when medical confidentiality laws were viewed as applying only to “external disclosures”; that is, the transmission or disclosure of medical information outside of the provider’s internal operation to third parties. Few ever viewed Nevada’s law as applying to disclosures made among a provider’s employees in the conduct of their jobs, or to disclosures made by hospital employees to treating physicians on the hospital’s medical staff.

Because the Privacy Standards regulate “internal disclosures”, broad and important exceptions are provided to allow disclosures to be easily made for the purposes of treating the patient, seeking payment, and conducting the provider’s operations. These are the so-called “treatment, payment, and operations” exceptions, (hereinafter, “TPO exceptions”). Nevada’s laws do not contain explicit TPO exceptions, presumably because those laws were not seen by the persons who drafted them as even applying to “internal disclosures”. Thus to determine whether Nevada state laws are “more stringent” regarding TPO disclosures, we must first determine whether Nevada state laws are likely to be construed by Nevada courts as containing implicit TPO exceptions and then, what the limits of those exceptions are. Only then can we decide whether the Nevada laws are “more stringent” than the Privacy Standards, and which “more stringent” elements will continue to apply in a post-Privacy Standards environment. Unfortunately, the generality of the language of Nevada’s laws, combined with the lack of reported interpretational authority, makes such a determination problematic and the results uncertain.

The Privacy Standards also set out detailed rules regarding how and when providers may use and disclose medical information for research, for marketing or fund-raising purposes and to law enforcement or legal proceedings. Nevada’s laws are largely silent regarding such uses of medical information. Thus, to determine whether the Nevada laws are “more stringent” we must first determine whether there are implicit exceptions for research, marketing and fund-raising and disclosures to law enforcement and legal proceedings, and then determine the scope of those exceptions. In many cases, this is a subjective process and the results are necessarily uncertain.

E. Guide is Not Legal Advice.

The author of this Guide is not rendering legal advice to the reader. This Guide is for information purposes only, and is not a substitute for professional legal advice. Due to the complexity of the subject matter and the legal uncertainties discussed above, providers are advised to seek knowledgeable legal counsel for the resolution of use and disclosure questions in any particular circumstance or situation.

F. Citations. Nevada laws cited in this outline may be found online at http://www.leg.state.nv.us/law1.cfm.

II. Medical information in general.

A. Statutes.

Two statutes, NRS 449.720 and NRS 629.061, govern the confidentiality of most patient information held by hospitals, physicians and other providers. They provide that all medical records and records concerning a patient “are confidential” and they set out a limited list of exceptions to that confidentiality where disclosure is authorized. The listed exceptions do not include the release of patient information for TPO purposes, research purposes, marketing or fund raising purposes; or to law enforcement, or in response to a private attorney’s subpoena.

B. TPO Purposes.

While the statutes do not authorize disclosures for TPO purposes, we believe that common sense requires such exceptions be implied. If an implicit treatment exception does not exist, many disclosures that are commonly made in the medical community and that are essential to the efficient provision of care and the operation of the state’s health care providers could not be made. As a result, the provision of health care in Nevada would come to a halt. Since this seems a nonsensical result, we believe that a Nevada court should find an unstated authority to disclose information among providers as necessary to treat the patient.

Whenever a patient is transferred between medical facilities, NRS 449.705 requires that a copy of a patient’s medical record be forwarded to the recipient facility. This statute reflects a clear legislative recognition of the need for disclosure of medical information between treating providers. Further, we believe that support for an “treatment exception” to disclose information among providers as necessary to treat the patient can be found in certain language in NRS 449.720.4 which provides:

“Discussions of a patient’s care, consultations with other persons concerning the patient, examinations or treatments, and all communications and records concerning the patient…are confidential. The patient must consent to the presence of any person who is not directly involved with his care during any examination, consultation or treatment.” [Emphasis added.]

We believe that the italicized language clearly recognizes the occurrence of and need for consultations with others persons regarding the patient, which should be interpreted to mean that disclosing medical information to others directly involved in treating the patient is viewed as permissible under the statute. The fact that the statute recognizes that other persons can be directly involved in a patient’s care and must be allowed to be present during exams, seems to signal legislative recognition of the fact that health care is delivered by teams of persons and entities who are often only indirectly related. Given that recognition, the implicit authorization of “consultations” found in the statute, and the nonsensical result that would follow if an implied treatment exception were not found, we do not think it is improper to conclude that the Nevada statutes contain an implied “treatment” exception.

We believe it is also reasonable to conclude that the Nevada statutes are subject to implied exceptions for “payment” and “operations”; - that is, that medical information about a patient may be disclosed to others in the provider’s operation for the purpose of allowing the provider to seek payment for services rendered, or to operate the practice or treatment facility. One argument for such implicit exceptions is, again, that health care operations in Nevada could not be conducted without such exceptions. Further, when the patient consents to treatment by a provider, the patient should logically know that as a consequence of treating him, the provider will also need to access his medical information to seek payment and operate its business. Therefore, the patient’s consent to “payment” and “operations” disclosures may reasonably be implied from his or her consent to treatment.

The limits of an implied TPO exception to the Nevada statutes are not clear. Since the Privacy Standards provide clear direction as to the scope and limits of the federal TPO exceptions, a provider that applies the Privacy Standards, including the “minimum necessary” rule, should be able to reasonably argue that those standards are persuasive authority. Thus, a provider that complies with the TPO exceptions set out in the Privacy Rule should be able to argue in good faith that it has not violated the Nevada statutes.

We are aware that many Nevada providers require another provider to obtain and furnish a signed authorization from the patient before a request for the transfer of patient medical information is honored. While that may not be necessary, we believe it is good practice. The Privacy Standards place a “duty of verification” upon covered entities, requiring that they “verify the identity of a person requesting” health information and “the authority of the person to access” that information under the Standards. Securing a patient authorization for release of information, where possible, would satisfy that duty, and we recommend the practice.

C. Research.

The Nevada statutes do not specifically authorize disclosures for research purposes. A provider should be able to make a strong, good faith argument that the confidentiality of a patient’s information would not be breached, and the statutes would not be violated, if information were released to researchers without patient identifiers.

Where research requires patient-identifiable information, the Privacy Standards are fairly permissive. An argument can be made that since the Nevada statutes are completely silent as to research disclosures, and the Privacy Standards have well developed rules on the subject, the Privacy Standards alone should control. This argument is not without merit, as the well-developed rules in the Privacy Standards should be regarded by Nevada courts as persuasive.

However, the logic used above in finding implied exceptions to the statutes for treatment, payment and operations purposes does not extend to finding an implied exception for disclosures for research purposes. An implied exception for TPO disclosures is conceptually rooted in the patient’s consent to care by the involved provider(s). Researchers are not involved in a patient’s care, and the patient does not consent to their involvement; so consent for a researcher to access the patient’s medical information should not be implied from the patient’s consent to treatment. While it is difficult to contemplate a Nevada judge holding a provider in violation of Nevada’s statutes for releasing patient data to a well-regarded and responsible academic institution for an IRB-approved research project, another Nevada statute that grants health providers immunity for disclosures of information to the persons or agencies named in the statute, has been very narrowly interpreted in the two reported cases that exist. Therefore, a narrow, literal interpretation of Nevada’s confidentiality statutes by a court with respect to the research disclosures of patient-identifiable information is also possible.

Under the Nevada statutes, an authorization by the patient, even a blanket authorization given at the time of admission or acceptance into a medical practice, that allowed the use and disclosure of his information for research purposes, should be adequate to permit the disclosure of general medical information without violating the statutes. Therefore, a provider wishing to make disclosures of patient-identifiable information to researchers should modify its admission/intake consent forms to incorporate such permission, so that releases for research purposes could be made without uncertainty.

D. Marketing and Fund-Raising.

The Nevada statutes are silent as to using or disclosing a patient’s medical information for internal marketing or fund-raising purposes. We would be hesitant to rely upon an “implied” exception for marketing or fund-raising purposes, since it cannot be directly implied from the patient’s consent to care, as can a TPO exception.

The Privacy Standards have well developed rules for disclosure and use in these areas, and a provider that complies with those rules should have a reasonable argument that Nevada’s statutes (which are silent on marketing and fund-raising uses and disclosures) should not be considered violated by conduct that complies with the Privacy Standards.

Under Nevada’s statutes, an authorization by the patient, even a blanket authorization given at the time of admission or intake, that allowed the use and disclosure of his information for internal marketing and fund-raising purposes, should be adequate to permit the use and disclosure of general medical information for these purposes without violating the statutes. Therefore, the safest course would be for providers to modify their admission/intake consent forms to incorporate such permission.

E. Law Enforcement.

NRS 629.061 requires providers to make a patient’s health care records available to certain law enforcement activities. Specifically, the statute requires that investigators for the attorney general be allowed to inspect records when they are investigating criminal neglect of patients, elder abuse, welfare fraud or worker’s compensation fraud. Investigators of state licensing agencies are also allowed to inspect patient records. The statute provides health providers with immunity for making disclosures to these agencies. That immunity has been strictly construed by the Supreme Court of Nevada, and only applies to disclosures to the specified investigators when making the specified investigations. Jones v. Wilkin, (Nev. 1995) 905 P.2D 166, 111 Nev. 1335.

It could be argued that NRS 629.061 and the Jones case limit the permissible disclosures of medical information to law enforcement in Nevada to disclosures to the named agencies for the named purposes only. The gist of that argument would be that the legislature provided an exception in NRS 629.061 for disclosures to law enforcement in the specific circumstances listed, because the legislature thought that disclosure would and should be otherwise prohibited. Therefore, disclosures in non-listed circumstances should not be allowed. This argument is not without merit.

However, we think such an argument would probably not prevail; if only because a Nevada court should recognize that other law enforcement agencies will require access to medical information in different circumstances for the effective performance of their duties. Thus, we think it is reasonable for a provider to conclude that there is an implied exception to these statutes allowing disclosures to other law enforcement agencies in other circumstances.

The Privacy Standards have well-defined rules for disclosures to law enforcement. A provider that complies with those rules should have a reasonable argument that Nevada’s statutes (which are silent on the issue) should not be considered violated by conduct that complies with the Privacy Standards. Therefore, disclosures of general medical information to law enforcement may probably be made in accordance with the Privacy Standards.

F. Legal Proceedings.

Under Nevada law, a patient has no doctor-patient privilege that extends to written hospital or medical records in a proceeding where a patient’s condition is at issue. N.R.S. 49.245.3. However, even in such a case, Nevada law clearly suggests that proper compliance with a subpoena for medical records requires delivery of a sealed copy of the record to the court, to be opened only upon direction or order of the court. NRS 52.335. Thus, as a general rule in Nevada, medical records or other types of medical information should not be disclosed to an attorney in response to a subpoena, except where the attorney provides a signed authorization from the patient.

This makes Nevada law “more stringent” than the Privacy Standards. The Privacy Standards would allow release of medical information under certain conditions to an attorney who provides a subpoena, along with additional statements.

Therefore, Nevada law should be followed after April 14, 2003. With respect to medical information or medical records in general, they should not be disclosed to an attorney in response to a subpoena, except where the attorney provides a signed authorization from the patient. (Authorization forms should always be HIPAA-compliant.)

III. Specific types of medical information. Nevada has specific statutes relating to certain, more sensitive types of medical information. The discussion below indicates where a provider may wish to deviate from the approaches suggested above for TPO, research, marketing, fund-raising and law enforcement disclosures when dealing with the types of information covered by one of these specific statutes.

A. Blood, Breath or Urine Test Results.

NRS 629.065 specifically governs the release of health care records, or that portion thereof, relating to blood, breath or urine test results. The statute requires disclosure of these records to “a law enforcement agent” or “a district attorney”, if the patient is suspected of driving a motor vehicle or water-borne vessel while under the influence. The statute provides immunity for such disclosures.

This type of information and/or any information gathered from a patient on the occasion of such a test should not be used for marketing or fund-raising purposes or disclosed for research, even with an approving admission/intake consent form, since an intoxicated person’s capacity to give consent is questionable. Disclosures of blood, breath or urine test results to law enforcement, outside of the circumstances specifically mentioned in the statute, can probably be made in accordance with the Privacy Standards. These tests results should not be disclosed to an attorney in response to a subpoena, except where the attorney provides a signed authorization from the patient.

B. Genetic Information.

Genetic information is defined by NRS 629.111 and 121 as any information derived from a test:

“including a laboratory test, that uses deoxyribonucleic acid extracted from the cells of a person, or a diagnostic test to determine the presence of abnormalities or deficiencies, including carrier status, that (1) are linked to physical or mental disorders or impairments; or (2) indicate a susceptibility to illness, disease, impairment or any other disorder, whether physical or mental.”

The statute’s language is imprecise, and it can be argued that “genetic information” is not limited to studies of DNA. However, logic dictates that what the legislature intended the statute to say, and the way the statute should be interpreted by the courts, is that “genetic information” is limited to information resulting from an examination of DNA or otherwise relating to abnormalities in a person’s genetic structure.

It is a misdemeanor to disclose “genetic information” without the informed consent of the patient or the patient’s legal guardian, except as authorized by the statute. The statute, NRS 629.171, authorizes disclosure for the following purposes:

1. to conduct a criminal investigation, an investigation concerning the death of a person, or a criminal or juvenile proceeding,

2. to determine the parentage or identity of a person in a criminal or civil action,

3. to determine the paternity of a person in a court-ordered paternity test, or in proceedings before a master to determine paternity for child support purposes,

4. pursuant to a court order,

5. where the disclosure is made by a physician and the genetic information relates to a deceased person, disclosure is permitted to assist in the medical diagnosis of the deceased person’s relatives,

6. to a federal, state, county or city law enforcement agency to establish the identity of a person or a dead body,

7. to determine the presence of certain preventable or inheritable disorders in an infant,

8. to carry out the provisions of the state’s birth defect and adverse birth outcome reporting system, or

9. to an agency of criminal justice for the state’s central repository of records of criminal history.

Uses and disclosures of genetic information for TPO purposes should probably be limited to the purposes of the provider, and disclosures should not be made to other providers, even where it would be allowed by the Privacy Standards. Marketing, fund-raising and research uses and disclosures should not be made. Disclosures to law enforcement should only be made as specifically allowed by the statute above. Medical information containing genetic information should not be disclosed to an attorney in response to a subpoena, except where the attorney provides a signed authorization and a signed “informed consent” form from the patient.

When making a disclosure of genetic information pursuant to a patient authorization, remember that a patient’s “informed consent” is required, using a procedure and a form established by the board of health. Both a HIPAA-compliant authorization and the state-mandated “informed consent” form will be required.

C. Communicable Diseases.

Nevada’s Communicable and Sexually Transmitted Disease Act (“the Act”) is set out in NRS 441A. NRS 441A.220 governs the disclosure of “all information of a personal nature” about or provided by any person who has one of 66 listed communicable diseases. It authorizes only certain disclosures of that information. Disclosure is allowed:

1. for statistical purposes, provided that the identity of the person is not discernible from the information disclosed,

2. in a prosecution for violation of a provision of the Act,

3. in a proceeding for an injunction pursuant to the Act,

4. in reporting the actual or suspected abuse or neglect of a child or elderly person,

5. to any person who has a medical need to know the information for his own protection or the well-being of a patient or dependent person, as determined by the county health authority in accordance with regulations,

6. if the patient consents in writing to the disclosure,

7. by the health authority, to the victim and the arrested, suspected perpetrator of a sexual offense; or to their parents or guardians where they are minors,

8. by a provider to a law enforcement officer or agent, correctional officer, emergency medical attendant or fireman pursuant to a court petition,

9. to the state department of human resources, where a patient diagnosed as having AIDS/HIV is a Medicaid recipient,

10. to firemen, police officers and emergency medical service personnel, where the state board of health has determined the information to be disclosed relates to a communicable disease significantly related to that occupation, or

11. where authorized or required by a specific statute.

The statute makes it very clear that disclosure for any purpose not specifically listed is forbidden, even pursuant to a subpoena, search warrant or discovery order. Uses and disclosures of information relating to patients with communicable diseases for TPO purposes should probably be limited to the TPO purposes of the provider, and disclosures should not be made to other providers, even where allowed by the Privacy Standards, except pursuant to a specific written patient authorization. Marketing, fund-raising and research uses and disclosures should not be made, unless very specific authority to release the information is obtained from the patient (e.g., “you agree that any and all information, including information about any communicable disease, including HIV, AIDS or other sexually transmitted diseases you may have, may be used and disclosed for fund-raising, marketing or research purposes, so long as such information will not be made public”). Disclosures to law enforcement should only be made as specifically allowed by the statute above. Medical information containing information about a patient’s communicable disease should not be disclosed to an attorney in response to a subpoena, except where the attorney provides a signed authorization from the patient.

D. Mental Health Information.

NRS 433A.360 governs the release of clinical records for “clients”. The term “clients” is defined to include persons who seek treatment or training in a private institution offering mental health services. Private institutions which provide mental health services to “clients” must keep “clinical records”. “Clinical records” are records including “information pertaining to the client’s admission, legal status, treatment and individualized plan for habilitation.”

NRS 433A.360 provides that no part of the clinical record may be released except in certain specified circumstances. Release is authorized:

1. to physicians, attorneys and social agencies as specifically authorized in writing by the client, his parents or guardians,

2. as ordered by a court,

3. to a qualified member of the staff of a facility run by the division of mental health and developmental services of the department of human resources, or to a division employee, or a member of the staff of an Nevada agency established pursuant to the federal Developmental Disabilities Assistance and Bill of Rights Act or the Protection and Advocacy for Mentally Ill Individuals Act of 1986.

4. for statistical and evaluative purposes, if the information disclosed is abstracted in such a way as to protect the identity of individual clients, or

5. to the extent necessary to make, or allow the client to make a claim for aid, insurance or medical assistance.

Uses and disclosures of information relating to clients for TPO purposes should probably be limited to the purposes of the provider, and disclosures should not be made to other providers without client consent, even where allowed by the Privacy Standards. Marketing or fund-raising uses and disclosures should not be made, unless very specific authority to release such information is obtained from the patient. Research disclosures should only be made pursuant to 4 above. Disclosures to law enforcement should not be made without a court order. Disclosures to an attorney in response to a subpoena should not be made, except where the attorney provides a signed authorization from the patient.

E. Medical Laboratory Reporting of Test Results.

NRS 652.190 and 652.193 govern the release of test results by medical laboratories. Where a licensed laboratory performs a test on the patient of a rural, county-owned or district hospital (a “rural hospital patient”), NRS 652.193 provides that test results may only be released to the patient, the physician who ordered the tests and “a provider of health care who is currently treating or providing assistance in the treatment of the patient”. In all other cases, the laboratory may report the test results only to the patient and “the person requesting the test or procedure”, and reporting of results by the lab to other persons involved in treatment is not allowed.

NRS 652.190 does not address whether a lab can honor the request of a patient who is not a rural hospital patient to send lab results to another provider who is treating him, in addition to the person who ordered the test. While a patient does not have the authority to waive the requirements of a state licensing law, we presume that the sole purpose of the statute’s limitation on test reporting is to grant the patient a right of privacy. A patient can waive his right to privacy. Therefore, we think that a licensed lab should be permitted to report test results to other providers involved in treating the patient, or another person designated by the patient, if the patient so directs the lab in a HIPAA-compliant authorization.

The statutes govern only the reporting of test results. The internal use and disclosure of test results and all other patient information held by the lab, as well as the external disclosure of all patient information other than test results, will be governed by HIPAA and the relevant state law as provided elsewhere in this article.

IV. Federal Regulations Governing the Release of Substance Abuse Information.

Where a provider operates a drug or alcohol abuse “program” within the meaning of the federal regulations restricting the release of information about drug and alcohol abuse patients, those regulations control the use and disclosure of patient medical information. Under the regulations, set out at 42 CFR Part 2, (‘the Regulations”) a provider operates a “program” if it does either of the following:

1. has an identified unit which holds itself out to the public as providing, and provides alcohol or drug abuse diagnosis, treatment or referral for treatment; or

2. has medical personnel or other staff whose primary function is the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment, and who are identified as such providers.

HIPAA does not address how the Privacy Standards relate to existing federal law. However, since the Regulations are more specific than the Privacy Standards in that they deal with a specific type of information, we suspect a provider should regard the Regulations as controlling their conduct with this type of information over the provisions of HIPAA. Therefore, the Privacy Standard’s use and disclosure rules should not be applied to information covered by the Regulations.

The information covered by the Regulations (“Covered Information”) is any information “which would identify a patient as an alcohol or drug abuser” and which was obtained during the time the program was operated “for the purpose of treating alcohol or drug abuse, or for making a diagnosis or referral for such treatment.” This information may only be disclosed with patient consent, or as follows:

1. to medical personnel to the extent necessary to meet a bona fide medical emergency,

2. to qualified personnel for the purposes of conducting scientific research, management audits, financial audits or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit or evaluation or otherwise disclose patient identities in any manner,

3. to a qualified service organization where information is needed by that organization to provide services to the program,

4. pursuant to a court order,

5. to report child abuse or neglect under state law,

6. among personnel in the program or personnel working for an entity having direct administrative control over the program, in connection with their duties that arise out of the provision of diagnosis, treatment or referral for treatment so long as the communications are within the program or between the program and the entity,

7. to law enforcement officers, where the disclosure and use is (i) directly related to a patient’s commission of a crime on the program’s premises or a threat to commit such a crime, and (ii) limited to the circumstances of the incident, including the patient status of the perpetrator, his name and address and last known whereabouts.

V. Psychotherapy Notes. One exception to all of the above does need to be noted. Under the Privacy Standards, “psychotherapy notes” may only be disclosed under very limited circumstances. Under the Privacy Standards, psychotherapy notes are defined as below:

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual’s medical record.

Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

A provider should use and disclose “psychotherapy notes” only as permitted by the Regulations and the Privacy Standards.

Tabular Summary of Use and Disclosure

Type of Information	T.P.O. Purposes*	Research**	Marketing and Fundraising	Law Enforcement (including prosecutors.)
*General medical information*	Follow Privacy Standard’s rules for provider’s own purposes, require authorization for TPO disclosures to another provider or plan for its TPO purposes.	Obtain authorization, “blanket form” OK.	Obtain authorization, “blanket form” OK.	Follow Privacy Standard’