Header graphic for print

HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Health Information Technology in NJ – Where Are We Now?

Posted in Health IT, RHIO & HIE

Part 2

Money talks.

In other words, offering financial incentives is one way to effect behavior change.  It seems to have worked in getting providers to adopt and use health IT in everyday practice, both in New Jersey and nationally.

HITECH and Meaningful Use Incentive Payments

As explained by ONC in its October 2014 “Report to Congress”:

“Prior to the HITECH Act, adoption of EHRs among physicians and hospitals was quite low. In 2009, roughly one-half (48 percent) of office-based physicians had any type of EHR system. When examining the adoption of EHRs containing functionalities, such as the ability to generate a comprehensive list of patients’ medications and allergies and the ability to view laboratory or imaging results electronically, only 22 percent of office-based physicians had a basic EHR system. U.S. hospitals had similar adoption rates. In 2009, only 12 percent of hospitals had adopted a basic EHR system.”

According to ONC, as of June of 2014, more than 75% of the nation’s eligible physicians had received incentive payments, while 92% of eligible hospitals (including critical access hospitals) had received incentive payments. The areas evaluated by CSHP covered key meaningful use criteria eligible physicians must meet in order to receive these payments.

For the NJ evaluation, CSHP conducted and analyzed a physician mail survey, clinical laboratory and pharmacy mail surveys with telephone follow-up, and physician follow-up telephone interviews with fax and mail follow-up.  In addition, Health Information Organization (HIO) use metrics from each of New Jersey’s six regional HIOs were collected from the New Jersey Department of Health and analyzed by CSHP researchers.

New Jersey Health IT Adoption

The CSHP Report findings identified several key themes.  Among physicians responding, older physicians, those in smaller practices, and specialists were less likely to adopt health IT and more likely to report barriers to adoption (particularly start-up and maintenance costs) and were also more likely to report implementation of health IT as having had a negative impact on their practices.

Most physicians who reported use of health IT felt that use of health IT had a positive impact.  However, they frequently cited start-up and maintenance costs cited as barriers to health IT use.  For labs and pharmacies, those not using health IT reported more perceived barriers to health IT use and anticipated a more negative impact on their workflow and productivity.  Among physicians, labs, and pharmacies, the lack of uniform standards within the industry was cited as resulting in poor system compatibility and was a major issue across all types of health IT.

CSHP weighted the physician mail survey data by specialty to be representative of New Jersey’s office-based physicians. Key findings regarding specific health IT use among the state’s physicians responding to the physician mail survey included the following:

  • Nearly three-fourths (72.5%) of physicians reported use of health IT to transmit prescriptions to pharmacies electronically.
  • Nearly two-thirds (62.6%) of physicians reported use of health IT to view test results from clinical labs electronically. However, only 37.1% reported use of health IT to send lab test requests electronically.
  • Nearly half (48.9%) of physicians reported that they maintained 100% of patient records in their EHR systems.
  • More than half of physicians (57.3%) provided a clinical visit summary to at least 50% of their patients. Less than half of physicians (42.9%) provided electronic patient care summaries to other providers. About one-quarter of physicians (23.0%) accessed electronic patient care summaries created by other providers.

In (very general) comparison, the ONC Report found that in 2013, 57% of prescriptions sent by physicians were sent electronically.  ONC also reported that more than two-thirds (69%) of physicians reported having the capability to order lab tests electronically, while more than three-quarters (77%) reported having the ability to view the lab results electronically.

Perhaps statewide health IT interoperability through expansion of and connection among regional NJ HIOs can be achieved in the next decade, but it will require creation of the necessary health IT infrastructure, awareness of its existence by the providers who will use it, and, perhaps, financial or other incentives to effect its adoption and use.

 

Health Information Technology in NJ – Where Are We Now?

Posted in Health IT, RHIO & HIE

When I need to travel from the southern part of NJ to northern NJ, I often rely on my car or phone GPS and the relative ease and simplicity of the NJ Turnpike.  If I needed my southern NJ physician to share information with my northern NJ physician, I might be surprised to learn that it’s not as easy to get my health data from point A to point B.  My physicians might be using electronic health records (EHR) and health IT, but the communications infrastructure in NJ needs to be further developed.  We need greater awareness and adoption of regional health information organizations (HIOs), a way to fund their maintenance (an EZ Pass system for the transmission of health data?), and development of a connected, statewide system.

In January of 2011, the Office of the National Coordinator for Health Information Technology (ONC) awarded New Jersey $11.4 million to be used for developing a strategic and operational plan for health information exchange, and required the state to conduct an independent evaluation of the state’s health IT program.  The Rutgers University Center for State Health Policy (CSHP) conducted the evaluation and published a Report (Brownlee, et al) last year showing where New Jersey physicians stand (or stood, during a survey period that ran from late 2013 to early 2014) in terms of adoption and use of health IT.

NJ Physician Engagement with Regional HIOs - Pie ChartWhen I read the Report, I was surprised to see that while physician use of health IT is increasing, the road to regional health data sharing (let alone statewide sharing) seems to be a long way off.  The Report found that awareness of the existence of a regional HIO by physicians was low (12.5%), and physician participation in a regional HIO was even lower (6.8%). The New Jersey Turnpike is gloriously accessible and functional as compared with this glimpse of the New Jersey health IT highway.

Where Are We Now? to be continued…

Doctor is Arrested for Allegedly Stealing Thousands of Patient Records

Posted in Privacy & Security

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Doctor is Arrested for Stealing Thousands of Patient Records.”  While the full text can be found in the February 16, 2015 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.

A theft of patient protected health information (“PHI”) may invoke more than federal and state privacy laws.  It can also mean criminal charges under state penal laws. Radiologist James Kessler learned the hard way when he was arrested for allegedly stealing the PHI of nearly 100,000 patients.

Elizabeth was quoted as observing, “There is no indication that it was difficult for Kessler to do this.  He didn’t treat all 100,000 patients, so why did he have the ability to copy all of those files?  There are technical safety mechanisms and audit controls to limit that access.”

The article pointed out that in some multi-physician situations, ownership of records may need to be negotiated, and the contract may need to specify who gets which records in the event of a separation.  For example, if a physician brings patients to a practice, the employee may be entitled to own and take those patients’ records.

I was quoted by Marla: “Implement safeguards to reduce the risk that an employee can access records outside of his or her job responsibilities.  Also ensure that the practice provides HIPAA training, so that if an employee does violate HIPAA the action is less likely to be attributed to the employer.”

In the article Elizabeth explained that it is important to have an action plan to handle data breaches.  “Be prepared to investigate an incident that may be a security breach using the four steps required by HIPAA’s breach-notification requirements to see whether the breach needs to be reported,” she noted.  “Also be prepared to report a breach not only to the HHS and the state under HIPAA and state-notification laws but also to law enforcement when dealing with criminal activity such as theft and hacking.”

Elizabeth also advises in the article to make sure that the employment agreement complies with state law.  “Many states have laws regarding the reach of an employment agreement with physicians, such as reasonable non-competes and continuity of care provisions,” she says. “For instance, it varies whether an individual doctor or the practice itself is seen as having the relationship with the patients; there may even be state laws on the rights of patients in the event of a physician’s separation from a practice.”

The article points out that there are many complexities involved in the ownership, custody, creation, access, use, maintenance, transmission and retention of PHI. It may not be possible to prevent hacking or theft of PHI, even with reasonable security and privacy policies and procedures in place that are being followed.  However, if a breach or other adverse event occurs, the covered entity or business associate will be well-served by being able to demonstrate that it had and followed such policies and procedures if and when a regulatory authority or court is reviewing a HIPAA violation and determining potential responsibility and liability.

When HIPAA Applies to Patient Assistance Programs (and When it Doesn’t), Part 2

Posted in Privacy & Security

I posed a question in Part 1 of this post which I will summarize here:  is personal health information provided to a Patient Assistance Program (PAP) in order to help with covering the cost of prescription drugs protected as “protected health information” (PHI) under HIPAA?

Let’s use two examples.  Say Patient A, who knows he can’t afford the out-of-pocket costs for a branded drug prescribed by his doctor, goes to the pharmaceutical manufacturer’s website where he sees that the company has a PAP and on-line application form into which he enters his personal information to see if he qualifies for assistance.  Patient B is also concerned about the cost of a non-formulary drug prescribed for her, but the hospital where Patient B’s physician works has an arrangement with the PAP whereby the PAP will work with a patient’s insurance carrier to get coverage for drugs not included on the carrier’s formulary.  What happens if the PAP’s system is hacked and the personal health information of both Patient A and Patient B is compromised?  Does HIPAA apply and will the PAP notify Patient A and Patient B of the breach?

The answer is a qualified “yes”, because HIPAA would be applicable only if the PAP is functioning as a covered entity or business associate as those terms are defined under HIPAA when it receives and maintains the personal health information.  It’s the role the PAP plays with respect to the patient (and his or her information) that matters when trying to figure out whether the patient’s information is HIPAA-protected as PHI, rather than just the type of information the PAP receives and maintains.

Generally speaking, a pharmaceutical manufacturer (and its PAP) will be a “covered entity” under the HIPAA regulations if it is a “health care provider who transmits any health information in electronic form in connection with a transaction . . . .” (italics added).  The term “health care provider” is defined very broadly under the HIPAA regulations, and a “transaction” is defined (in relevant part) as “the transmission of information … to carry out financial or administrative activities related to health care.”  The manufacturer (and its PAP) is a “business associate” if it performs functions on behalf of a covered entity that require it to create, receive, maintain or transmit PHI.

The same mini-analysis can be applied to other business entities that “create, receive, maintain or transmit” PHI as a useful first step to understanding whether and how the personal health information may be protected.

Hacked Health Records Prized for their Black Market Value

Posted in Articles, Health IT, Medical Identity Theft, Privacy & Security, Sensitive Health Information

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.

MINNESOTA BLUES GET HEALTH RECORDS SNOOPING BLUES

Posted in Articles, HIPAA Enforcement, Security Breach Notification

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy.

The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under the insurer’s contract with the state Department of Health to monitor prescription drug use in state-run medical programs. In that capacity, he was given access to the Minnesota Prescription Monitoring Program (MNPMP), which is generally limited to licensed prescribers and pharmacists, and their delegated staff. The MNPMP was established to detect diversion, abuse and misuse of prescriptions for controlled substances.

For a period of eight months after Johnson had been reassigned to other duties, he apparently had not been removed from the list of authorized users despite BC/BS having notified the state of the change. WCCO reports that during that time Johnson had accessed 56 individuals’ records, and had viewed a number of records multiple times. Investigations also revealed that Johnson had accessed some of these same individuals’ social media profiles. There reportedly is no indication at this time that Johnson disclosed any of the information he obtained or that he misused that information to obtain narcotics.

State Nursing Board disciplinary records indicate that Johnson had been fired by two previous employers because of narcotic violations. He reportedly admitted to stealing drugs from Children’s Hospital in St. Paul in 2000 and was fired by Unity Hospital after admitting to stealing morphine. He had not been charged criminally but had been fined and subjected to additional supervision. BC/BS was apparently unaware of Johnson’s disciplinary history when he was hired.

There is plenty of blame in this situation to go around. Although the MNPMP apparently had a process in place for credentialing legitimate users, it failed to revoke those credentials when they were notified that Johnson’s job no longer required him to access the database. BC/BS may have failed to monitor its employees’ access to such a highly-confidential trove of information, and may have exercised poor judgment in not thoroughly vetting an employee before assigning him to such a sensitive role.

Employee “snooping” has led to serious consequences in a number of high profile cases, including a Vermont ultrasound technologist who peeked at her ex-husband’s family’s records, a UCLA researcher who was sentenced to prison for looking at celebrity charts, California and New York hospital workers who accessed celebrity records and 16 Houston hospital employees fired for accessing a resident’s medical records after she was injured in a shooting incident.

A surprising footnote to WCCO’s story is the fact that the state Department of Health reportedly misstated HIPAA’s breach reporting requirements and claimed that only breaches involving 500 or more individuals were reportable. Such large-scale breaches require notice within 60 days of discovery, but, as indicated in the WCCO report, breaches involving fewer than 500 individuals must still be reported within 60 days of the close of the calendar year.

This is not BC/BS’s first brush with medical privacy violations. According to the Star Tribune, in 2010, a subscriber sued the insurer for violating the Minnesota Health Records Act and breaching her privacy by disclosing her name and providing confidential information about her medical treatment. Amazingly, the patient’s information was reproduced in illustrations that appeared in handbooks and marketing pamphlets instead of “dummy” information. Her ID and claims information appeared in 400 copies of a pamphlet and in 95,000 copies of a member handbook. Previously, the State Department of Commerce suspended the license of a BC/BS agent after a life insurance customer complained that the agent had improperly disclosed the customer’s personal information.

Once again the temptation to rummage around in an inadequately-secured repository of information has proven too hard for an employee to resist. Few covered entities and business associates have implemented safeguards to protect data from curious (or dishonest) employees’ eyes. Heightened employee training about prohibition of snooping with emphasis on discipline up to and including discharge is one step. However, the time may have come when relying on the honor system and training may be insufficient to meet HIPAA’s poorly-defined “minimum necessary” standard and more robust technical solutions may be called for. Even when, as in this case, only certain individuals are given access to PHI on a need-to-know basis, there is room for improvement of monitoring and oversight of those individuals’ actual behavior.

When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)

Posted in Privacy & Security

Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly-prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies.  Still, drug costs remain unaffordable to many patients, particularly those with high-cost, chronic conditions, even when patients have insurance coverage.  An article published recently in the New England Journal of Medicine suggests that the ACA has increased insurance coverage for an estimated 10 million previously uninsured individuals in 2014, some insurers are structuring drug formularies in a manner that discriminates against (and discourages enrollment of) patients suffering from particular high-cost conditions.

Regardless of the cause, the need for and utilization of PAPs raises interesting questions related to privacy and security of protected health information (PHI).  I had the opportunity to co-present a workshop session on HIPAA at CBI’s 16th Annual Patient Assistance and Access Programs Conference in Baltimore, MD this week with Paula Stannard, Esq. of Alston & Bird.  The conference was well-attended, and Paula and I were asked a number of questions during and after our workshop that showed interest in HIPAA compliance by PAP entities, as well as confusion regarding it.

Paula and I crafted a scenario in which a PAP’s data system is hacked, and the hacker gains access to individually identifiable health information stored on the system.  Both Patient A and Patient B have insurance, but suffer from a condition requiring a medication not on their carriers’ formularies.  Patient A put his own information into the PAP system after learning about the PAP from TV ad.  Patient B let his physician put her information into the PAP system, after the physician explained that the hospital at which the physician works has an arrangement with the PAP whereby the PAP will help with getting insurance coverage.

We asked the audience whether the hacker’s access to Patient A’s and Patient B’s information in the PAP was a HIPAA breach.  A follow up to this blog will discuss the factors relevant to deciding when HIPAA applies to PAPs (and individually identifiable information they maintain) and when it doesn’t.

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part III

Posted in Privacy & Security, Sensitive Health Information

(Part III continues Part I and Part II of this series on privacy of health information in the domestic relations context, which may be found here and here. Capitalized words not defined in this Part III shall have the meanings assigned in Part I or Part II.)

6. The situation can be further complicated by the fact that the Affordable Care Act requires Insurers that offer dependent coverage to make the coverage available until the adult child reaches the age of 26 to avoid loss of health insurance for students after they graduate from college. Most Insurers permit adult children of 18 or over (e.g., those emancipated under state law) to block access to claims information by their parents, regardless of the fact the parent is paying for the coverage. Such an adult child is typically not a party to divorce settlements or decrees. In some states even minor children below the age of 18 may be permitted to block access to claims information by their parents.

7. HIPAA permits an individual to require a Provider to agree to the request of such individual to restrict disclosure of protected health information (“PHI, as defined in HIPAA) about such individual to an Insurer if:

a. The disclosure is for the purpose of carrying out payment or health care operations (but not treatment) and is not otherwise required by law; and

b. The PHI pertains solely to a health care item or service for which the individual, or person other than the Insurer on behalf of the individual, has paid the Provider in full.

Adopting this payment approach may allow an individual to prevent his/her spouse from learning about specific events of diagnosis and treatment relating to such individual or his/her custodial children that would otherwise be available by access to claims information through an Insurer.

8. HIPAA provides that individuals have the right to request restrictions on how a Provider will use and disclose PHI about them for treatment, payment, and health care operations. A Provider is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. This type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

9. HIPAA also provides that individuals may request receiving confidential communications from a Provider, either at alternative locations or by alternative means. For example, an individual may request that her Provider call her at her office, rather than her home. A Provider must accommodate an individual’s reasonable request for such confidential communications. An Insurer must accommodate an individual’s reasonable request for confidential communications, if the individual clearly states that not doing so could endanger him or her. Again, as in item 8, this type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

10. A wide range of changes in circumstances, such as a change in employment and/or Insurer, obtaining services from a new Provider, relocation to a different state, changes in state law, reaching of majority age by children and/or life event changes that relate to provisions in a divorce or separation agreement or decree warrants revisiting these tips from time to time. HIPAA rights and responsibilities must be re-evaluated regularly in the context of the facts and circumstances involved at any given time.

Conclusion

The foregoing discussion refers to only a few of the many permutations of issues that may arise regarding IHI in the domestic relations context. It is intended to indicate the wide diversity of challenges and opportunities that spouses and domestic partners may encounter regarding access and blocking access to IHI. Individuals who need advice regarding legal aspects of their domestic relationships and/or disputes should seek counsel of professionals who have familiarity with the ramifications, complexities and continuous changes involving HIPAA, state privacy laws and IHI.

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part II

Posted in Privacy & Security, Sensitive Health Information

(Part I of this series on privacy of health information in the domestic relations context may be found here. Capitalized words not defined in this Part II shall have the meanings assigned in Part I.)

Tips on dealing with IHI Issues in the Domestic Relations Context

1. Whether an individual is in a stable domestic relations environment or involved in the breakdown of a relationship, careful attention should be given the Notice of Privacy Practices (“NPP”) of the healthcare provider (“Provider”) or health insurer or health plan (collectively, “Insurer”) as to (i) who is entitled to access IHI in the possession of such Provider or Insurer and (ii) the extent to which a patient or subscriber has the right to block such access. For example, an employee subscriber of an employer health plan typically has access not only to all of his/her claims information, but also to all of the claims information of a covered estranged spouse and of dependents, even if such subscriber is not the custodial parent.

2. To the extent that an NPP of a Provider or Insurer does not answer a question about IHI access and blocking in the domestic context, an individual should direct the question to the Provider or Insurer, as applicable. However, there may not be a clear answer forthcoming.

3. Most Insurers permit a covered spouse to block access to his/her claims information from the other spouse, even if such other spouse is the employee subscriber or person responsible for paying for health care coverage. This is a matter that should be addressed in a domestic relations agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and limits of coverage affected by the claims of the other spouse. The desire to block access to IHI by the other spouse may be heightened in the case of diagnosis and treatment for sensitive health matters, such as mental illness, substance abuse, infectious diseases, etc. (This last consideration can be present even in a stable domestic relationship where a spouse wants to avoid disclosure regarding such potential ailments, even perhaps to prevent undue anxiety by the other spouse.)

4. Similarly, many Insurers will permit a spouse who has custody of children to block access to the claims information of such children from the other spouse, even if such other spouse is the employee subscriber or person who is paying for the health care coverage for the children. Again, consideration should be given to addressing this matter in a domestic relations agreement or divorce order or agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and coverage limits affected by unknown claims of children with respect to whom he/she lacks custody. Moreover, the custodial parent may wish to prevent access by the other parent to prevent what the custodial parent deems to be potential interference with the custodial parent’s discretion as to the appropriate course of treatment and provision of health care services to the children. The HIPAA Privacy Rule generally allows a parent to have access to the child’s medical records and claims information as the child’s personal representative, as long as such access is not inconsistent with state or other applicable law.  Regardless, however, of whether a parent is the personal representative of a minor child, the HIPAA Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child.

5. Where there is shared custody of children, the issue can become even murkier. Without an agreement, there can be a new and unexpected domestic battlefield regarding access, control and blocking of IHI. While HIPAA requires a covered entity Insurer or Provider to treat a person that has authority (under applicable law) to act on behalf of another individual as the individual’s personal representative (thereby treating the personal representative as the individual), a Provider may choose not to treat a parent as a personal representative in certain circumstances, including where the Provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

(Part III of this series on privacy of health information in the domestic relations context will be posted shortly.)

 

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part I

Posted in Privacy & Security, Sensitive Health Information

The November 2014 ruling in the Connecticut Supreme Court in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014, WL 5507439 (2014) (the “Byrne case”) has been discussed in a number of posts on this blog, including those here and here. The main focus of such posts has been the Byrne case’s recognition of potential use of HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit, even though an individual cannot sue under HIPAA itself. In those earlier blog entries, we observed that the Connecticut case may spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

This blog entry will focus more on facts of the Byrne case and some of their implications for individual health information (“IHI”) privacy in the context of domestic relations – both in the divorce or legal separation context and even in a less confrontational domestic environment. In the divorce or breakup context, consideration should be given to privacy issues of IHI in settlement agreements and divorce decrees. While settlement agreements and divorce decrees often address healthcare and health insurance issues, especially where there are custodial children involved, addressing IHI issues is much less common.

The Byrne Case

We recently co-authored an article entitled “Utilizing HIPAA as a Basis for State Negligence Actions” that was first published in Volume 11 Issue 12 of Data Protection Law & Policy (December 2014). The article, which may be found here, focused more on the facts of the Byrne case than our earlier blog posts and illustrates how IHI issues may infiltrate the break-up of domestic relationships. Among other things, the plaintiff in the Byrne case complained that, upon the end of her five month relationship with an individual (the “Individual”), she instructed the defendant physician practice group (the “Group”), as permitted under the Notice of Privacy Practices (“NPP”) of the Group, not to release her medical records to the Individual. Thereafter, the Group was allegedly served with a subpoena requesting its presence, together with the plaintiff’s medical records, at a court proceeding. The Group apparently did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court, but rather mailed a copy of the plaintiff’s medical file to the court. The Individual later allegedly informed the plaintiff by telephone that he had reviewed the plaintiff’s medical file in the court file.

(Part II of this series on privacy of health information in the domestic relations context will be posted shortly.)