Health Plans May Unwittingly Waive ERISA Preemption Under the HIPAA Privacy Rule
The Employee Retirement Income Security Act ("ERISA") reflects the intent of Congress to simplify the regulation of employee benefit plans. In keeping with that goal, ERISA provides that covered plans are generally not subject to the wide variety of differing and sometimes conflicting state laws that relate to employee benefit plans. However, new federal regulations regarding the confidentiality of individuals’ health information may pose a hidden threat to the protection of employee benefit plans from state laws.
The April 14 compliance deadline is drawing near for health plans subject to the new regulations on the privacy of protected health information promulgated under the Health Insurance Portability and Accountability Act ("HIPAA") by the U.S. Department of Health and Human Services ("HHS") (the "Privacy Rule"). These health plans must soon have in place plan amendments, policies and procedures, and other administrative, technical and physical safeguards that ensure the confidentiality of participants’ protected health information.
The Privacy Rule provides that entities covered by the regulation need not comply with certain conflicting state privacy laws. Such laws are said to be "preempted" by the Federal regulations. However, sponsors of health plans need to be aware that in some cases the Privacy Rule leaves in place state law relating to the confidentiality of health information. While complying with the Privacy Rule, sponsors of ERISA health plans must be careful to avoid the inadvertent waiver of otherwise applicable preemption of state privacy laws with respect to their plans.
Preemption of state law is a familiar concept for health plans in the context of ERISA's relationship with state laws that relate to plan administration. The Privacy Rule, however, expressly leaves in place "more stringent" state laws that relate to the privacy of individually identifiable health information. Among other things, this exception to the Privacy Rule’s preemption of state law means that certain documents that must be created by covered entities, including health plans, must take into account any applicable state privacy law that is more stringent than the Privacy Rule. For example, the Notice of Privacy Practices that must be distributed to all participants in a health plan must incorporate state privacy law to the extent that it prohibits or materially limits uses and disclosures of protected health information otherwise permitted by the Privacy Rule. A Notice of Privacy Practices that fails to incorporate applicable state privacy law does not comply with the Privacy Rule and may expose the plan sponsor to penalties.
The analysis of state privacy laws required of an entity covered by the Privacy Rule can be time-consuming and expensive. This is especially true for covered entities that operate in more than one state and may be subject to conflicting state laws. Such analysis may not be necessary, however, in the case of health plans governed by ERISA. Specifically, state privacy laws that are not preempted by HIPAA may nonetheless be preempted by ERISA. If so, more stringent state privacy laws would not apply to ERISA plans, and the plan's Notice of Privacy Practices need not incorporate them.
In its preamble to the proposed Privacy Rule in November 1999, HHS stated that nothing in the Privacy Rule is intended to change the rules regarding preemption of state law under ERISA. In its preamble to the final rule in December 2000, HHS reiterated this view. Thus, it is the continuing position of HHS that nothing in the Privacy Rule subjects ERISA plans to state law regulation that would otherwise be preempted by ERISA. While HHS does not have the final word on the issue, the department’s interpretation of its own regulations should govern the department's enforcement of the Privacy Rule.
Generally speaking, state law that implicates the administration of an ERISA plan is preempted by ERISA. State laws protecting an individual’s health information could implicate plan administration and as such could be subject to ERISA preemption. Sponsors of ERISA plans should be aware that a plan whose Notice of Privacy Practices does not incorporate state privacy law effectively takes the position that ERISA preempts that law. Conversely, a notice that is not carefully drafted to avoid incorporating state privacy law may inadvertently subject the plan to such laws and may require the plan to conduct an otherwise unnecessary and costly analysis of the privacy laws of every relevant state.
Sponsors of ERISA health plans should review all documentation required by the HIPAA Privacy Rule to confirm that available preemption defenses have not been adversely affected. In particular, a Notice of Privacy Practices relating to an ERISA health plan that refers simply to "other applicable state law" may inadvertently expose the plan to state law that would be otherwise preempted by ERISA.