July 23, 2020

QUESTION:        Our hospital recently addressed a HIPAA breach by a hospital employee.  Do we have any obligation to conduct a comprehensive review of that employee’s activities to see if there are any other HIPAA breaches?

ANSWER:            HIPAA doesn’t specifically require a hospital to conduct an audit or other type of review to determine if a person who committed one HIPAA breach may have committed other similar (or different) breaches.  However, a hospital’s efforts are important in two ways:

  1. The HIPAA breach notification rule says patients must be notified of a breach within 60 days of when the hospital knows of a breach, or within 60 days of when the hospital would have known of the breach if it had exercised “reasonable diligence.”
  2. HIPAA penalties are based on the action a hospital takes. If a hospital knows of a breach that may be part of a pattern but chooses not to look for other similar breaches, the hospital could be charged with “willful neglect” and penalized more severely.

The federal government has never said whether “reasonable diligence” means that a hospital must go back a certain amount of time or engage in certain types of activities.  Instead, the government has offered the following general guidance:

With respect to those commenters asking for guidance on what it means for a covered entity to be exercising reasonable diligence, we note that the term reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.  The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances.  Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances.  Covered entities and business associates may wish to look to how other covered entities and business associates operating under similar circumstances conduct themselves for a standard of practice.

78 Fed. Reg. 5566, 5647 (January 25, 2013).

January 30, 2020

QUESTION:        I heard that the Department of Health and Human Services released a new rule on partial fills of opioid prescriptions.  Can you give me a brief overview of the change?

ANSWER:          Yes.  The Department of Health and Human Services (“HHS”) has issued a final rule designed to improve tracking of transactions involving Schedule II drugs.  Briefly stated, this change requires certain covered entities to report “quantity prescribed” data for transactions involving Schedule II drugs.  The data will track whether the prescription was partially filled (which is legal under some circumstances) or refilled (which can potentially be a violation of the Controlled Substances Act).

If your organization is covered by HIPAA and has a retail pharmacy that dispenses Schedule II drugs, you should check to see whether this law may have an impact on your workflows and recordkeeping.  The final rule is available here.

April 25, 2019

QUESTION:        One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient.  The physician believes that this information will assist the patient in making choices about the direction of her treatment.  Can he do that?

ANSWER:            The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition.  Thus, the deceased patient’s cancer history meets this definition.  However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule?  The answer to this question is “yes.”  The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual.  Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks.  Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters.  He has a few options.  The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities.  According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.”  If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options.  First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer.  If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information.  If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA.  For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

November 8, 2018

QUESTION:        Is a subpoena from a state board of medicine treated just like any other subpoena for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”)?  In other words, is it true that the hospital can’t release a patient’s Protected Health Information to a state board of medicine unless it first takes certain steps, such as getting a qualified protective order from a court, or informing the patient?  Thanks.

ANSWER:            No, a subpoena from a state board of medicine is not treated like any other subpoena for HIPAA purposes.  Protected Health Information (“PHI”) which is the subject of such a subpoena can be released to a state board of medicine without a qualified protective order or notice to the patient.  HIPAA provides that PHI may be disclosed to a “health oversight agency” for “licensure or disciplinary actions” necessary for oversight of the health care system.  (45 C.F.R. §164.512(d).)  HIPAA also states that a state board of medicine is a “health oversight agency.”  (45 C.F.R. §164.501.)  That said, if certain categories of particularly sensitive information are involved (such as mental health, drug/alcohol, or HIV/AIDS), state law should be consulted to see if it offers greater protections to the information.

August 9, 2018

QUESTION:        We recently received a complaint that one of our Medical Staff members was “surfing” the EMR, looking for patients with a certain diagnosis and then contacting them to offer his services.  Should we refer this matter to our HIPAA Privacy Officer, review it under our Medical Staff Professionalism Policy, or take some other approach?

ANSWER:            There are good reasons for involving the hospital’s Privacy Officer in the review of HIPAA violations by Medical Staff members.  The Privacy Officer is responsible for implementing the hospital’s HIPAA policies, so that individual should be aware of potential privacy violations by Medical Staff members.  Also, Privacy Officers have significant experience investigating and responding to privacy violations.  They will be familiar with HIPAA’s dense regulatory requirements and know how to find information that shows if health information was improperly accessed.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
  • The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
  • Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

To get the best of both worlds, we recommend that the Medical Staff Professionalism Policy include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility.  The Policy should also describe how efforts will be made to coordinate the efforts of the Medical Staff leadership and the individual responsible for the other policy (e.g., through attendance at meetings and the sharing of information).

For additional information about dealing with physician behavior concerns, please join us in San Francisco for:

The Peer Review Clinic

March 8, 2018

QUESTION:        We received a subpoena from an attorney requesting the medical records of a patient.  The attorney represents the plaintiff in the case, and the patient is the defendant.  We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either.  Help!

ANSWER:            The regulations implementing HIPAA (the “HIPAA Privacy Rule”) require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena.  Basically, these regulations require that a hospital receive “satisfactory assurances” that the patient has been notified of the subpoena and that any objections to the subpoena by the patient have been resolved.  Until the hospital receives these “satisfactory assurances,” it is prohibited by federal law from disclosing the medical records.

State law may also help here.  For example, the Pennsylvania Rules of Civil Procedure require a party in a lawsuit to serve a copy of a proposed subpoena on all other parties prior to issuing that subpoena to a third party (the hospital).  Also, the Rules state that a party that intends to serve a subpoena on a third party (the hospital) must file a certificate showing that it has notified other parties in the lawsuit of the subpoena.

So, as required by the HIPAA Privacy Rule, a hospital, or its attorney, should request that the individual who requested the medical records provide the hospital with documentation that indicates that the patient has received notice of the subpoena, has had an opportunity to object to it, and either no objections were filed or all objections have been resolved.  Once the hospital receives that documentation, it will be able to comply with the subpoena.

August 11, 2016

QUESTION:          Does the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule protect individually identifiable health information of deceased individuals?

ANSWER:              Yes, for a certain period of time.  The Privacy Rule protects a deceased’s individually identifiable health information for 50 years following the date of death of the individual.  It does this by specifically excluding from the definition of “protected health information” individually identifiable health information of an individual who has been deceased for over 50 years (45 C.F.R. §160.103).

As the U.S. Department of Health & Human Services (“HHS”) explains on its website: “This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.”

April 21, 2016

QUESTION:        We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes.  There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred.  Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?

ANSWER:           Yes.  The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen.  Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically.  In our experience, most states recognize electronic signatures as valid equivalents to signatures, for most purposes.  But, you should check with counsel and have them research the applicable state law, to be sure.

Note the following FAQ from the Department of Health and Human Services Office of Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:

How do HIPAA authorizations apply to an electronic health information exchange environment?

The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule.  For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions.  Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange.  However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required.  In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization.  Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
Created 12/15/08

November 12, 2015

QUESTION:         Our hospital recently received a discovery request (a request for production of documents) in a malpractice suit brought against one of the physicians practicing at our hospital. The request seeks documents which contain protected health information (“PHI”), as that term is defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Should we respond by producing the documents?

ANSWER:           This is a question that can best be answered by your attorneys and should be referred to them for an answer because the answer may depend on a number of variables, such as whether the information is protected by your state’s peer review privilege or some other evidentiary privilege. Nonetheless, assuming no privilege applies and that the information is otherwise discoverable, PHI under HIPAA may only be disclosed under certain circumstances. In litigation, disclosures of PHI are often made pursuant to a “qualified protective order.” A covered entity may disclose PHI if it “receives satisfactory assurance…from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order….” At a minimum, the qualified protective order must prohibit the parties from using or disclosing the PHI for any purpose other than the litigation and require the return to the covered entity or destruction of the PHI, and any copies made, at the end of the litigation. If a qualified protective order that meets HIPAA requirements is in place and the documents are not otherwise privileged or protected, it may be appropriate to provide the documents.  Of course, your hospital may also provide PHI that is sought in discovery after it is de-identified according to the requirements of HIPAA. Disclosure of de-identified health information may be appropriate if the discovery request does not seek health information that is tied to a particular individual and does not cover a large number of documents.

October 22, 2015

QUESTION:        Our health system is comprised of multiple entities, including several hospitals and a large physician group practice. We wanted to know how we can promote consistency and economies of scale by coordinating our efforts to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). We also wanted to know whether we could share protected health information amongst and between the multiple entities.

ANSWER:           Yes, you can. The easiest way to do this is under the HIPAA regulations, at 45 C.F.R. §164.105(b)(1), governing affiliated covered entities. Per this section, “legally separate entities that are affiliated” may designate themselves as a single covered entity for purposes of the security and privacy requirements of the HIPAA regulations. However, all of the covered entities in the system must be under common ownership and control and the designation must be documented. The designation documentation must be maintained in written or electronic form and for a period of six years from the date of its creation or the date when it last was in effect, whichever is greater. Often, this designation can be accomplished with a brief board resolution. The practical effect of the affiliated covered entities designation is that all of the covered entities in your system which are under common ownership and control are treated as one covered entity for HIPAA privacy and security purposes. Thus, they can share a single set of privacy policies and can freely share protected health information as if they were a single entity. This may result in significant efficiencies when navigating the regulatory complexity of the HIPAA rules.