QUESTION: One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient. The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?
ANSWER: The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition. Thus, the deceased patient’s cancer history meets this definition. However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule? The answer to this question is “yes.” The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual. Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.
That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks. Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters. He has a few options. The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities. According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.” If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options. First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer. If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information. If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA. For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.
QUESTION: Is a subpoena from a state board of medicine treated just like any other subpoena for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”)? In other words, is it true that the hospital can’t release a patient’s Protected Health Information to a state board of medicine unless it first takes certain steps, such as getting a qualified protective order from a court, or informing the patient? Thanks.
ANSWER: No, a subpoena from a state board of medicine is not treated like any other subpoena for HIPAA purposes. Protected Health Information (“PHI”) which is the subject of such a subpoena can be released to a state board of medicine without a qualified protective order or notice to the patient. HIPAA provides that PHI may be disclosed to a “health oversight agency” for “licensure or disciplinary actions” necessary for oversight of the health care system. (45 C.F.R. §164.512(d).) HIPAA also states that a state board of medicine is a “health oversight agency.” (45 C.F.R. §164.501.) That said, if certain categories of particularly sensitive information are involved (such as mental health, drug/alcohol, or HIV/AIDS), state law should be consulted to see if it offers greater protections to the information.
QUESTION: We recently received a complaint that one of our Medical Staff members was “surfing” the EMR, looking for patients with a certain diagnosis and then contacting them to offer his services. Should we refer this matter to our HIPAA Privacy Officer, review it under our Medical Staff Professionalism Policy, or take some other approach?
ANSWER: There are good reasons for involving the hospital’s Privacy Officer in the review of HIPAA violations by Medical Staff members. The Privacy Officer is responsible for implementing the hospital’s HIPAA policies, so that individual should be aware of potential privacy violations by Medical Staff members. Also, Privacy Officers have significant experience investigating and responding to privacy violations. They will be familiar with HIPAA’s dense regulatory requirements and know how to find information that shows if health information was improperly accessed.
At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:
- Physicians may be more likely to listen to other physicians.
- Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
- The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
- Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.
To get the best of both worlds, we recommend that the Medical Staff Professionalism Policy include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility. The Policy should also describe how efforts will be made to coordinate the efforts of the Medical Staff leadership and the individual responsible for the other policy (e.g., through attendance at meetings and the sharing of information).
QUESTION: We received a subpoena from an attorney requesting the medical records of a patient. The attorney represents the plaintiff in the case, and the patient is the defendant. We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either. Help!
ANSWER: The regulations implementing HIPAA (the “HIPAA Privacy Rule”) require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena. Basically, these regulations require that a hospital receive “satisfactory assurances” that the patient has been notified of the subpoena and that any objections to the subpoena by the patient have been resolved. Until the hospital receives these “satisfactory assurances,” it is prohibited by federal law from disclosing the medical records.
State law may also help here. For example, the Pennsylvania Rules of Civil Procedure require a party in a lawsuit to serve a copy of a proposed subpoena on all other parties prior to issuing that subpoena to a third party (the hospital). Also, the Rules state that a party that intends to serve a subpoena on a third party (the hospital) must file a certificate showing that it has notified other parties in the lawsuit of the subpoena.
So, as required by the HIPAA Privacy Rule, a hospital, or its attorney, should request that the individual who requested the medical records provide the hospital with documentation that indicates that the patient has received notice of the subpoena, has had an opportunity to object to it, and either no objections were filed or all objections have been resolved. Once the hospital receives that documentation, it will be able to comply with the subpoena.
QUESTION: Does the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule protect individually identifiable health information of deceased individuals?
ANSWER: Yes, for a certain period of time. The Privacy Rule protects a deceased individual’s individually identifiable health information for 50 years following the date of death of the individual. It does this by specifically excluding from the definition of “protected health information” individually identifiable health information of an individual who has been deceased for over 50 years (45 C.F.R. §160.103).
As the U.S. Department of Health & Human Services (“HHS”) explains on its website, “This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.”
QUESTION: We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes. There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred. Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?
ANSWER: Yes. The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen. Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically. In our experience, most states recognize electronic signatures as valid equivalents to signatures, for most purposes. But, you should check with counsel and have them research the applicable state law, to be sure.
Note the following FAQ from the Department of Health and Human Services Office of Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:
How do HIPAA authorizations apply to an electronic health information exchange environment?
The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule. For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions. Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange. However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required. In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization. Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
QUESTION: Our hospital recently received a discovery request (a request for production of documents) in a malpractice suit brought against one of the physicians practicing at our hospital. The request seeks documents which contain protected health information (“PHI”), as that term is defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Should we respond by producing the documents?
ANSWER: This is a question that can best be answered by your attorneys and should be referred to them for an answer because the answer may depend on a number of variables, such as whether the information is protected by your state’s peer review privilege or some other evidentiary privilege. Nonetheless, assuming no privilege applies and that the information is otherwise discoverable, PHI under HIPAA may only be disclosed under certain circumstances. In litigation, disclosures of PHI are often made pursuant to a “qualified protective order.” A covered entity may disclose PHI if it “receives satisfactory assurance…from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order….” At a minimum, the qualified protective order must prohibit the parties from using or disclosing the PHI for any purpose other than the litigation and require the return to the covered entity or destruction of the PHI, and any copies made, at the end of the litigation. If a qualified protective order that meets HIPAA requirements is in place and the documents are not otherwise privileged or protected, it may be appropriate to provide the documents. Of course, your hospital may also provide PHI that is sought in discovery after it is de-identified according to the requirements of HIPAA. Disclosure of de-identified health information may be appropriate if the discovery request does not seek health information that is tied to a particular individual and does not cover a large number of documents.
QUESTION: Our health system is comprised of multiple entities, including several hospitals and a large physician group practice. We wanted to know how we can promote consistency and economies of scale by coordinating our efforts to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). We also wanted to know whether we could share protected health information amongst and between the multiple entities.
ANSWER: Yes, you can. The easiest way to do this is under the HIPAA regulations, at 45 C.F.R. §164.105(b)(1), governing affiliated covered entities. Per this section, “legally separate entities that are affiliated” may designate themselves as a single covered entity for purposes of the security and privacy requirements of the HIPAA regulations. However, all of the covered entities in the system must be under common ownership and control and the designation must be documented. The designation documentation must be maintained in written or electronic form and for a period of six years from the date of its creation or the date when it last was in effect, whichever is greater. Often, this designation can be accomplished with a brief board resolution. The practical effect of the affiliated covered entities designation is that all of the covered entities in your system which are under common ownership and control are treated as one covered entity for HIPAA privacy and security purposes. Thus, they can share a single set of privacy policies and can freely share protected health information as if they were a single entity. This may result in significant efficiencies when navigating the regulatory complexity of the HIPAA rules.
QUESTION: Our hospital is doing a HIPAA security risk assessment and was told we have to follow guidance issued by the National Institute of Standards and Technology (“NIST”). Is that something we have to do?
ANSWER: No. You can use the NIST publications as a guide, but you don’t have to. The HIPAA Security Rule itself does not reference the NIST guide at all, although some NIST documents are mentioned in the Preamble to that rule. The HHS Office of Civil Rights has published several papers providing useful guidance on complying with the security rule, which can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. In one of them, OCR says:
Although only federal agencies are required to follow federal guidelines like the NIST 800 series, non-federal covered entities may find their content valuable when performing compliance activities. As stated in the CMS frequently asked questions (FAQs) on the HIPAA Security Rule,
“Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities. While NIST documents were referenced in the preamble to the Security Rule, this does not make them required. In fact, some of the documents may not be relevant to small organizations, as they were intended more for large, governmental organizations.”
The Security Rule does not prescribe a specific risk analysis or risk management methodology. This paper is not intended to be the definitive guidance on risk analysis and risk management. Rather, the goal of this paper is to present the main concepts of the risk analysis and risk management processes in an easy-to-understand manner. Performing risk analysis and risk management can be difficult due to the levels of detail and variations that are possible within different covered entities. Covered entities should focus on the overall concepts and steps presented in this paper to tailor an approach to the specific circumstances of their organization.
Therefore, while the NIST publications might help you in doing the risk assessment, they are not binding on you.
QUESTION: Our hospital would like to develop a “VIP” program by which certain individuals would receive special recognition when they are hospitalized. For example, current or past members of the Board of Directors or other individuals who have served the community might receive a card, flowers or a personal visit. Is such a program acceptable under HIPAA?
ANSWER: HHS has issued no guidance on this topic. However, we believe a VIP program poses little risk under the HIPAA Privacy Rule.
The Privacy Rule permits a hospital to use or disclose protected health information for its own “health care operations.” “Health care operations” is defined broadly to include “general administrative activities,” which could reasonably be interpreted to include efforts to build and maintain relationships with individuals who are involved in the affairs of the community.
Of course, some hospitalized individuals who are particularly concerned with privacy may complain that the VIP program does not actually involve health care operations. One way to limit the possibility of such complaints is to ensure that any individual who has opted out of the facility directory, as permitted by the Privacy Rule, does not receive special recognition. More broadly, any dissemination of information within the hospital should be limited to those with a “need to know” for purposes of the VIP program.
Another way to limit complaints is to ensure that the health information of a patient is not disclosed outside of the hospital. For example, if flowers or other small gifts are ordered, they should be sent to an administrator’s office and then re-directed to the patient. Patients may expect hospital personnel to know they are hospitalized, but they may object to that information being shared with the local florist or other merchants.
We are unaware of any enforcement actions involving VIP programs, which might suggest that they are not viewed as a HIPAA violation by HHS. However, hospitals that choose to implement them should do so in a way that protects patient privacy and limits the disclosure of patient information.