The opinion of the court was delivered by: Smith, J.:
This opinion is uncorrected and subject to revision before publication in the New York Reports.
We hold that the Privacy Rule adopted by the federal government pursuant to the Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of a patient's medical records to a State agency that requests them for use in a proceeding to compel the patient to accept mental health treatment, where the patient has neither authorized the disclosure nor received notice of the agency's request for the records.
Dr. Charles Barron, as designee of the New York City Department of Health and Mental Hygiene, applied for an order under Mental Hygiene Law § 9.60 requiring "assisted outpatient treatment" (AOT) for Miguel M. The petition alleged that Miguel was suffering from a mental illness; that he was unlikely to survive safely in the community without supervision; that he had a history of failing to comply with treatment; that he was unlikely to participate in necessary treatment voluntarily; and that he needed, and would benefit from, AOT to prevent a relapse or deterioration of his mental status, which would be likely to result in serious harm to Miguel or to others.
At the hearing on the petition, Barron offered in evidence records from two hospitals relating to three occasions on which Miguel was hospitalized. A witness called by Barron testified that the hospitals had furnished the records in response to a request -- a request made, it is clear from the record, without notice to Miguel. The witness acknowledged that Miguel had not authorized the release of the records, and that no court order for their disclosure had been sought or obtained.
The records were received in evidence over Miguel's objection, and Barron's witness described their contents. After the hearing, Supreme Court directed that Miguel "receive and accept assisted outpatient treatment" for a period of six months. The Appellate Division affirmed. We granted leave to appeal, and now reverse.
The six-month duration of Supreme Court's order expired before the Appellate Division decided this case, and the immediate controversy is therefore moot. Neither party challenges, however, the Appellate Division's conclusion that the case presents a novel and substantial issue that is likely to recur and likely to evade review, and that therefore the exception to the rule against deciding moot disputes applies here (see Matter of Hearst Corp. v Clyne, 50 NY2d 707, 714-715 ). We agree, and proceed to the merits.
Mental Hygiene Law § 9.60, known as "Kendra's Law," was enacted in 1999. It is named for Kendra Webdale, who was killed by a mentally ill man who pushed her off a subway platform. It says that, on a proper showing, a mentally ill person whose lack of compliance with treatment has, twice within the last 36 months, caused him or her to be hospitalized may be the subject of AOT pursuant to a plan stated in a court order (see Mental Hygiene Law § 9.60 [c], [j] ). Public officials identified as "directors of community services" are given the duty of enforcing Kendra's Law (Mental Hygiene Law § 9.47 [b]), and a petition to require AOT may be filed by a director of community services or his or her designee (Mental Hygiene Law § 9.60 [e]  [vii]).
Mental Hygiene Law § 33.13 (c) (12) permits disclosure of medical records to a director of community services who requests it in the exercise of his or her duties. Thus, the disclosure of a patient's medical records for purposes of an AOT proceeding is permitted by State law, unless the applicable State law is preempted. Miguel argues that it is.
Miguel says that preemption is found in HIPAA (Pub L No 104-191, 110 US Stat 1936, codified in various titles of the United States Code) and the Privacy Rule (45 CFR Titles 160 and 164) promulgated by the United States Department of Health and Human Services under authority granted by HIPAA § 264 (c) (1) (see note to 42 USC § 1320d-2). The Privacy Rule prohibits disclosure of an identifiable patient's health information without the patient's authorization, subject to certain exceptions (45 CFR § 164.508 [a] ). HIPAA § 264 (c) (2) (see note to 42 USC § 1320d-2) and the Privacy Rule (45 CFR § 160.203 [b]) say that contrary state laws are preempted unless they offer privacy protections that are "more stringent" than those of the federal law; New York does not offer any more stringent protection that is relevant here. The preemption issue thus comes down to whether the disclosure of Miguel's medical records was permitted by one of the exceptions to the Privacy Rule.
Barron relies on two exceptions, those permitting disclosure for purposes of "public health" and "treatment." It is possible to read the language of both exceptions as covering the disclosure now at issue, but in both cases the reading is strained. Considering the apparent purposes of these two exceptions, we conclude that neither fits these facts.
The public health exception permits disclosure of protected information to:
"A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health ...