March 14, 2024

QUESTION:
Do you have any tips for virtual meetings?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY NICHOLAS CALABRESE:
Yes, invest in Zoom!  The pandemic changed a lot of things, one of which was that many meetings became virtual.  While in-person meetings are back, virtual meetings still may be held from time-to-time, so we’ve compiled the following tips:

  • Virtual participants should be required to maintain compliance with all policies relating to confidentiality, data privacy, electronic communications and security. We recommend that all meetings begin with a reminder about confidentiality, privacy and security, and that this be reflected in the minutes.  Quorum and voting requirements apply as if at an in-person meeting.
  • The best practice is to prepare for calls by testing new cameras and microphones before the meeting. Also, minimize outside distractions, such as the dog coming in and out of the picture, hearing the neighbors fighting, or the kid next door testing out the new exhaust on his Dodge Challenger.  You can’t soundproof the walls, but do try to find a secluded, quiet space.
  • Remember that you’re in a professional setting. We’ve all heard the stories about people making dinner, brushing their teeth, etc., while on Zoom.  Avoid that and give the meeting the attention it deserves.
  • Remember that mute is your friend. Keep microphones on mute unless speaking, and always assume that the mic is hot.  Pre-pandemic, there’s the famous story about President Ronald Reagan forgetting that he had a hot mic, and saying “My fellow Americans, I’m pleased to tell you today that I’ve signed legislation that will outlaw Russia forever. We begin bombing in five minutes.”  Then there are the pandemic stories – all members of a San Francisco area school board resigned after they were heard making disparaging comments about parents at a virtual board meeting.  Always assume the mic is hot and the camera is on.
  • Set forth a process for sharing documents, taking into account: How do you control access? (passwords, secure email, etc.); Do you send emails to Gmail accounts or only to hospital accounts? Are you going to blind the records?  Prohibit copies?  Which videoconferencing platform is secure for HIPAA and other privacy laws?  Create a list of approved software programs.

Finally, take everything and turn it into a policy to be used whenever a virtual meeting is held.

If you have a quick question about this, e-mail Nick at ncalabrese@hortyspringer.com.

February 15, 2024

QUESTION:
We recently received a complaint that a Medical Staff member may have been inappropriately accessing medical records.  Do we handle this as a Medical Staff matter or should we refer this to our HIPAA Privacy Officer?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY IAN DONALDSON:
Given the Privacy Officer is responsible for implementing the hospital’s HIPAA policies, they should be made aware of any potential violations by a Medical Staff member.  In addition, Privacy Officers have significant experience investigating and responding to privacy violations and they will understand the law’s regulatory requirements, including if breach notifications are required.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
  • The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
  • Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

This is why we recommend that the Medical Staff’s professionalism policy or code of conduct include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility.  This allows for coordination between the Medical Staff leadership and the individual responsible for the other policy.

If you have a quick question about this, e-mail Ian Donaldson at idonaldson@hortyspringer.com.

January 25, 2024

QUESTION:
Our hospital wants to require employees to submit documentation to Human Resources of their COVID-19 and flu vaccination status.  One employee complained that this is a HIPAA violation.  Is it?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY PHIL ZARONE:
No.  A hospital is acting in its role as an employer (not a covered entity/health care provider) when it asks employees to answer questions or provide documentation about their vaccination status.  Hospitals store such information in the employee’s employment record, not in the employee’s medical record.

HIPAA specifically excludes employment records from the definition of “Protected Health Information.”  The relevant definition states:  “Protected health information excludes individually identifiable health information…[i]n employment records held by a covered entity in its role as employer.”  45 C.F.R. § 160.103.

Thus, information that a hospital obtains when it asks an employee about vaccination status isn’t covered by HIPAA.  It follows that HIPAA isn’t violated if the hospital then discloses that information to managers and supervisors so they can enforce the hospital’s policies.

Although HIPAA doesn’t apply, the Americans with Disabilities Act (“ADA”) does govern information that a hospital holds in its role as an employer.  The regulations implementing the ADA state that information “regarding the medical condition or history of any employee shall be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record, except that:  (A) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations.”  29 C.F.R. § 1630.14.

It’s important to recognize that in some cases a hospital could hold information about vaccination status in its role as a covered entity/health care provider under HIPAA.  For example, a hospital might conduct a clinic by which it gives flu shots to members of the community.  HIPAA would apply to that information, because it was created by the hospital in its role as a provider of health care services.  Thus, the hospital could not disclose those vaccination records to a local third-party employer unless the individual signs a HIPAA authorization.

If you have a question about this issue, please e-mail Phil Zarone at pzarone@hortyspringer.com.

August 10, 2023

QUESTION:
One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient.  The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY CHARLES CHULACK:
The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition.  Thus, the deceased patient’s cancer history meets this definition.  However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule?  The answer to this question is “yes.”  The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual.  Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

It is certainly important that a patient understand their family history, including risks for certain diseases and disorders so that they can proactively address those risks.  Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters.  He has a few options.  The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities.  According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.”  If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options.  First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer.  If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information.  If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA.  For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

If you have a quick question about this, e-mail Charlie Chulack at cchulack@hortyspringer.com.

August 26, 2021

QUESTION:
“One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient.  The physician believes that this information will assist the patient in making choices about the direction of her treatment.  Can he do that?”

ANSWER:
The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition.  Thus, the deceased patient’s cancer history meets this definition.  However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule?  The answer to this question is “yes.”  The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual.  Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks.  Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters.  He has a few options.  The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities.  According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.”  If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options.  First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer.  If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information.  If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA.  For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

July 23, 2020

QUESTION:
Our hospital recently addressed a HIPAA breach by a hospital employee.  Do we have any obligation to conduct a comprehensive review of that employee’s activities to see if there are any other HIPAA breaches?

ANSWER:
HIPAA doesn’t specifically require a hospital to conduct an audit or other type of review to determine if a person who committed one HIPAA breach may have committed other similar (or different) breaches.  However, a hospital’s efforts are important in two ways:

  1. The HIPAA breach notification rule says patients must be notified of a breach within 60 days of when the hospital knows of a breach, or within 60 days of when the hospital would have known of the breach if it had exercised “reasonable diligence.”
  2. HIPAA penalties are based on the action a hospital takes. If a hospital knows of a breach that may be part of a pattern but chooses not to look for other similar breaches, the hospital could be charged with “willful neglect” and penalized more severely.

The federal government has never said whether “reasonable diligence” means that a hospital must go back a certain amount of time or engage in certain types of activities.  Instead, the government has offered the following general guidance:

With respect to those commenters asking for guidance on what it means for a covered entity to be exercising reasonable diligence, we note that the term reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.  The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances.  Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances.  Covered entities and business associates may wish to look to how other covered entities and business associates operating under similar circumstances conduct themselves for a standard of practice.

78 Fed. Reg. 5566, 5647 (January 25, 2013).

January 30, 2020

QUESTION:
I heard that the Department of Health and Human Services released a new rule on partial fills of opioid prescriptions.  Can you give me a brief overview of the change?

ANSWER:
Yes.  The Department of Health and Human Services (“HHS”) has issued a final rule designed to improve tracking of transactions involving Schedule II drugs.  Briefly stated, this change requires certain covered entities to report “quantity prescribed” data for transactions involving Schedule II drugs.  The data will track whether the prescription was partially filled (which is legal under some circumstances) or refilled (which can potentially be a violation of the Controlled Substances Act).

If your organization is covered by HIPAA and has a retail pharmacy that dispenses Schedule II drugs, you should check to see whether this law may have an impact on your workflows and recordkeeping.  The final rule is available here.

April 25, 2019

QUESTION:
One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient.  The physician believes that this information will assist the patient in making choices about the direction of her treatment.  Can he do that?

ANSWER:
The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition.  Thus, the deceased patient’s cancer history meets this definition.  However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule?  The answer to this question is “yes.”  The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual.  Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks.  Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters.  He has a few options.  The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities.  According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.”  If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options.  First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer.  If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information.  If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA.  For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

November 8, 2018

QUESTION:
Is a subpoena from a state board of medicine treated just like any other subpoena for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”)?  In other words, is it true that the hospital can’t release a patient’s Protected Health Information to a state board of medicine unless it first takes certain steps, such as getting a qualified protective order from a court, or informing the patient?  Thanks.

ANSWER:
No, a subpoena from a state board of medicine is not treated like any other subpoena for HIPAA purposes.  Protected Health Information (“PHI”) which is the subject of such a subpoena can be released to a state board of medicine without a qualified protective order or notice to the patient.  HIPAA provides that PHI may be disclosed to a “health oversight agency” for “licensure or disciplinary actions” necessary for oversight of the health care system.  (45 C.F.R. §164.512(d).)  HIPAA also states that a state board of medicine is a “health oversight agency.”  (45 C.F.R. §164.501.)  That said, if certain categories of particularly sensitive information are involved (such as mental health, drug/alcohol, or HIV/AIDS), state law should be consulted to see if it offers greater protections to the information.

August 9, 2018

QUESTION:
We recently received a complaint that one of our Medical Staff members was “surfing” the EMR, looking for patients with a certain diagnosis and then contacting them to offer his services.  Should we refer this matter to our HIPAA Privacy Officer, review it under our Medical Staff Professionalism Policy, or take some other approach?

ANSWER:
There are good reasons for involving the hospital’s Privacy Officer in the review of HIPAA violations by Medical Staff members.  The Privacy Officer is responsible for implementing the hospital’s HIPAA policies, so that individual should be aware of potential privacy violations by Medical Staff members.  Also, Privacy Officers have significant experience investigating and responding to privacy violations.  They will be familiar with HIPAA’s dense regulatory requirements and know how to find information that shows if health information was improperly accessed.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
  • The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
  • Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

To get the best of both worlds, we recommend that the Medical Staff Professionalism Policy include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility.  The Policy should also describe how efforts will be made to coordinate the efforts of the Medical Staff leadership and the individual responsible for the other policy (e.g., through attendance at meetings and the sharing of information).

For additional information about dealing with physician behavior concerns, please join us in San Francisco for:

The Peer Review Clinic