October 1, 2020

QUESTION: We unintentionally sent an unencrypted email containing Protected Health Information (“PHI”) to the wrong person, who is a business associate. Is sending an unencrypted email a HIPAA breach?

ANSWER: No. The HIPAA Rules that come into play here are the Privacy Rule and the Security Rule. HIPAA defines “breach” to mean the acquisition, access, use or disclosure of PHI “in a manner not permitted under [the Privacy Rule]….” So, a “breach” can occur only if the Privacy Rule is violated – Security Rule violations are not “breaches” – and merely sending an unencrypted email containing PHI, without more, does not violate the Privacy Rule (however, sending an unencrypted email could possibly violate the Security Rule, since it has standards that discuss encryption).

Alright, since a “breach” did not occur by sending an unencrypted email, did a HIPAA “breach” occur when the email was sent to the business associate?  The answer is “no” since the HIPAA definition of “breach” has an exception that states as follows:

“Breach excludes…any unintentional acquisition, access, or use of PHI by a workforce member…of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under [the HIPAA Privacy Rule.]”

In this case, the business associate “acquired” the PHI by opening the e-mail, which was unintentional.  In other words, the business associate did not mean to acquire the PHI (as opposed to actively trying to gain access to information), and was acting within the scope of his/her employment, in good faith, and did not further disclose the PHI.  Thus, there was no HIPAA breach.

April 23, 2020

QUESTION: Any tips for virtual board meetings?

ANSWER: My wife, Pauline, was sworn in as mayor of our municipality in January. There was a council meeting in February, but the meeting in March was cancelled due to COVID-19. However, the municipality’s business still had to be conducted, so the April meeting had to be held, and it was conducted as a “virtual” meeting.

The first tip is to have two or three “dry runs” to work out any glitches.  During the dry runs, some council members were having trouble getting into the meeting, or would get into the meeting but couldn’t be heard, or couldn’t be seen.  Those problems were all solved.  So, work with the IT department to identify and solve issues.

Another tip is to realize that the normal procedure may have to be altered for practical reasons.  Usually at council meetings, the public is permitted to speak after each agenda item is on the floor.  So, in a normal meeting, if there are five agenda items, a resident may get up to speak five times.  However, because that would have been technically difficult, burdensome and not very practical in a virtual meeting, the procedure was changed so that a resident could speak regarding any or all of the agenda items all at once.

An additional tip is to start the board meeting with a “confidentiality reminder.”  These aren’t necessary at council meetings since our municipality has to adhere to the state “sunshine” act which means that the meetings are open to the public, except for some very specific issues, such as personnel matters.  So, start the meeting with a reminder and document it in the minutes.  The reminder could include practical matters, such as stating the board members should try to avoid being in a place in the house where the members can be overheard, or the audio from the meeting can be heard.  Also, a reminder to not download emails with peer review, Protected Health Information, or confidential attachments to their home computers which everyone in the house has access to.

Finally, when COVID-19 has hopefully passed, take everything that has been learned to develop a policy on virtual meetings.  Hopefully, it will never have to be used again, but you will be ready for the next big snowstorm!

November 8, 2018

QUESTION: Is a subpoena from a state board of medicine treated just like any other subpoena for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”)? In other words, is it true that the hospital can’t release a patient’s Protected Health Information to a state board of medicine unless it first takes certain steps, such as getting a qualified protective order from a court, or informing the patient? Thanks.

ANSWER: No, a subpoena from a state board of medicine is not treated like any other subpoena for HIPAA purposes. Protected Health Information (“PHI”) which is the subject of such a subpoena can be released to a state board of medicine without a qualified protective order or notice to the patient. HIPAA provides that PHI may be disclosed to a “health oversight agency” for “licensure or disciplinary actions” necessary for oversight of the health care system. (45 C.F.R. §164.512(d).) HIPAA also states that a state board of medicine is a “health oversight agency.” (45 C.F.R. §164.501.) That said, if certain categories of particularly sensitive information are involved (such as mental health, drug/alcohol, or HIV/AIDS), state law should be consulted to see if it offers greater protections to the information.

November 12, 2015

QUESTION: Our hospital recently received a discovery request (a request for production of documents) in a malpractice suit brought against one of the physicians practicing at our hospital. The request seeks documents which contain protected health information (“PHI”), as that term is defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Should we respond by producing the documents?

ANSWER: This is a question that can best be answered by your attorneys and should be referred to them for an answer because the answer may depend on a number of variables, such as whether the information is protected by your state’s peer review privilege or some other evidentiary privilege. Nonetheless, assuming no privilege applies and that the information is otherwise discoverable, PHI under HIPAA may only be disclosed under certain circumstances. In litigation, disclosures of PHI are often made pursuant to a “qualified protective order.” A covered entity may disclose PHI if it “receives satisfactory assurance…from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order….” At a minimum, the qualified protective order must prohibit the parties from using or disclosing the PHI for any purpose other than the litigation and require the return to the covered entity or destruction of the PHI, and any copies made, at the end of the litigation. If a qualified protective order that meets HIPAA requirements is in place and the documents are not otherwise privileged or protected, it may be appropriate to provide the documents. Of course, your hospital may also provide PHI that is sought in discovery after it is de-identified according to the requirements of HIPAA. Disclosure of de-identified health information may be appropriate if the discovery request does not seek health information that is tied to a particular individual and does not cover a large number of documents.

October 22, 2015

QUESTION: Our health system is comprised of multiple entities, including several hospitals and a large physician group practice. We wanted to know how we can promote consistency and economies of scale by coordinating our efforts to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). We also wanted to know whether we could share protected health information amongst and between the multiple entities.

ANSWER: Yes, you can. The easiest way to do this is under the HIPAA regulations, at 45 C.F.R. §164.105(b)(1), governing affiliated covered entities. Per this section, “legally separate entities that are affiliated” may designate themselves as a single covered entity for purposes of the security and privacy requirements of the HIPAA regulations. However, all of the covered entities in the system must be under common ownership and control and the designation must be documented. The designation documentation must be maintained in written or electronic form and for a period of six years from the date of its creation or the date when it last was in effect, whichever is greater. Often, this designation can be accomplished with a brief board resolution. The practical effect of the affiliated covered entities designation is that all of the covered entities in your system which are under common ownership and control are treated as one covered entity for HIPAA privacy and security purposes. Thus, they can share a single set of privacy policies and can freely share protected health information as if they were a single entity. This may result in significant efficiencies when navigating the regulatory complexity of the HIPAA rules.

April 2, 2015

QUESTION: May physicians text or e-mail patient information to one another if such texts or e-mails are directly related to patient care? If so, does HIPAA require that such transmissions be encrypted?

ANSWER: Any discussion of sending Protected Health Information (“PHI”) via text or e-mail should distinguish between: (1) the HIPAA Privacy Rule and (2) the HIPAA Security Rule:

(1) The Privacy Rule is concerned with WHY information is being used or disclosed. Is there a permissible purpose? There is no violation of the Privacy Rule if a text or e-mail is for a treatment purpose.

(2) The Security Rule is concerned with HOW information is transmitted and stored. Thus, while it may be appropriate for one physician to disclose PHI to another physician for treatment purposes, the Security Rule could be violated if the method used to transmit that information is improper.

The Security Rule has three categories of requirements:

(i) Standards.

(ii) Required Implementation Specifications.

(iii) Addressable Implementation Specifications.

Covered entities must comply with all “Standards” and “Required Implementation Specifications.” As the name implies, “Addressable Implementation Specifications” do not always have to be implemented. Instead, each covered entity must evaluate whether an Addressable Implementation Specification is a “reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting” PHI. If so, the Addressable Implementation Specification must be implemented. If not, the covered entity must consider whether an alternative measure to protect security is feasible and must document its conclusions.

Encryption is an Addressable Implementation Specification. Thus, covered entities are expected to encrypt texts and e-mails if doing so is a “reasonable and appropriate safeguard in its environment.” In evaluating this question, covered entities should consider whether encryption would interfere with patient care (e.g., undue delays in transmission, retention of encrypted transmissions, etc.).