Commissioner Michael F. Hogan, PhD
Governor Andrew M. Cuomo

New York State Office of Mental Health HIPAA Preemption Analysis

NYS Statute | HIPAA Regulation (45 CFR Parts 160, 164) | Preemption Analysis
Civil Practice Law and Rules Section 2302: Subpoenas
CPLR 2302(a): Subpoenas may be issued without a court order by the clerk of the court, a judge where there is no clerk, the attorney general, an attorney of record for a party to an action, an administrative proceeding or an arbitrator … provided, however, that a subpoena to compel production of a patient's clinical record maintained pursuant to the provisions of section 33.13 of the MHL shall be accompanied by a court order…

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No Preemption: State law applies, since it is more stringent: it prevents disclosure without an accompanying court order, which can only be made after specific findings have been made.
Penal Law Section 400: Firearms
Penal Law §400(4) Investigation. Before a license (to possess or deal in firearms) is issued or renewed, there shall be an investigation of all statements required in the application by the duly constituted police authorities of the locality where such application is made. For that purpose, the records of the appropriate office of the department of mental hygiene concerning previous or present mental illness of the applicant shall be available for inspection by the investigating officer of the police authority… Upon completion of the investigation, the police authority shall report the results to the licensing officer without unnecessary delay.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(f) Disclosures for law enforcement purposes. A covered entity may disclose PHI: (i) as required by law including laws that require the reporting of certain types of wounds… (ii) In compliance with and as limited by the relevant requirements of … (C) an administrative request…, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.

Preamble: "The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety." (P. 82678:3)

No Preemption: Because of the nexus between the need for the disclosure by law enforcement and public safety, State law and the HIPAA Privacy regulation are consistent and State law applies. Additionally, though not legally necessary, it is possible that through the application process the individual is authorizing this disclosure.
Labor Law Sections 458, 459: Explosives
Labor Law §458(5): Before a license or certificate (to deal in explosives) is issued, the Commissioner of Labor shall have the authority to request and receive from any department, division, board, bureau, commission or agency of the state or local government thereof such assistance and information as will enable him properly and effectively to carry out his powers and duties under this article.

Labor Law §459(1): A license or certificate (to deal in explosives) may be denied where the Commissioner of Labor has probable reason to believe … after due investigation … that the applicant … has been confined as a patient or inmate in a public or private institution for the treatment of mental diseases…

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(f) Disclosures for law enforcement purposes. A covered entity may disclose PHI: (i) as required by law including laws that require the reporting of certain types of wounds… (ii) In compliance with and as limited by the relevant requirements of … (C) an administrative request…, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.

Preamble: "The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety." (P. 82678:3)

No Preemption: Because of the nexus between the need for the disclosure by law enforcement and public safety, State law and the HIPAA Privacy regulation are consistent and State law applies. Additionally, though not legally necessary, it is possible that through the application process the individual is authorizing this disclosure.

Comments or questions about the information on this page can be directed to the Office of the Counsel.