In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.

A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”

Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?

Facebook founder Mark Zuckerberg has told CNN that Cambridge Analytica provided them with a formal certification from the firm that it had deleted all user data acquired through improper means. Unfortunately, even if that is accurate, it cannot address whether the data had been copied or further disclosed prior to such deletion. According to Slate:

Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”

The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.

Many employers who have had it drilled into them that HIPAA applies to protected health information (PHI) of employees are often surprised to learn that the applicability of HIPAA to employee health information (EHI) is actually quite narrow.  HIPAA only applies to EHI related to the employer’s group health plans (such as medical, dental, employee assistance program (EAP) and health flexible spending arrangement (FSA)).  Employer-sponsored group health plans are HIPAA covered entities. Further, although this is true regardless of whether the group health plan is insured by an insurance company or self-insured by the employer, the employer will not generally have HIPAA compliance responsibilities for an insured group health plan if it does not receive any EHI other than for the limited purpose of enrollment activities, or summary health information for amending or terminating the plan or obtaining premium bids. Instead, for a fully-insured group health plan, HIPAA compliance will generally be handled by the insurance company, which is also subject to HIPAA as a covered entity.

HIPAA doesn’t apply to EHI that the employer obtains from a source other than its group health plans, such as medical information related to employment (including pre-employment physicals, drug testing results, medical leave or workers’ compensation) and information from other employment-related benefits that are not group health plans (such as life or disability insurance). This result does not change merely because the employee’s health information is PHI when held by a HIPAA-covered entity health care provider who tested or treated the employee before the information was transferred to the employer via a HIPAA-compliant authorization.

Even though EHI obtained by an employer for employment-related reasons or relating to non-group health plan benefits isn’t subject to HIPAA, this doesn’t mean the employer can throw caution to the wind.  Other federal and state laws (such as the Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA) and state workers’ compensation laws) impose restrictions on the employer’s access to and use and disclosure of this EHI and impose obligations to maintain confidentiality of the EHI. These restrictions and obligations apply regardless of how the employer obtains the EHI (for example, even if obtained pursuant to an authorization signed by the employee or directly from the employee).

Because other laws protect EHI even when HIPAA does not, it’s often helpful for the employer to apply the same or similar safeguards to all EHI, even if HIPAA does not apply.  Applying HIPAA-like safeguards to EHI that isn’t subject to HIPAA not only will often bring the employer a long way towards complying with other federal and state laws that may apply; it may also avoid the necessity of categorizing types of EHI to determine what level of safeguards should be imposed.

The New York City skyline, including the Empire State BuildingIn a post on February 28, Fox associate Kristen Marotta discussed the privacy and security issues arising from the growing use of telemedicine, particularly for mental health treatment. Now on the firm’s Physician Law blog, Kristen continues her discussion of telepsychiatry by diving into recent developments in New York State surrounding the innovative practice model. Kristen notes new funding from the New York Office of Mental Health to expand its use, and breaks down the OMH regulations that psychiatrists and physicians will need to consider before offering telepsychiatry services.

We invite you to read Kristen’s piece.

In a recent New York Times op-ed piece entitled “How a Bad Law and a Big Mistake Drove My Mentally Ill Son Away,” the father of a young man involuntarily hospitalized under Florida’s Baker Act decries “privacy laws” for limiting his access to information about his son’s whereabouts and care.   If this account is accurate, it highlights the widespread confusion that surrounds  health care providers’ communication with family members.

The article’s author, Norman Ornstein, describes a disturbing incident in which his son Matthew’s landlord reported that Matthew’s behavior was putting himself in danger.  Based on the landlord’s report, which Ornstein later describes as a pretext for removing Matthew from the property, Ornstein and his wife agreed to authorize a 72-hour involuntary commitment under the Florida statute.  They later learned that Matthew had been seized by police and taken to the county mental health facility, where he was held for three days and released.  He reported:

But the staff members wouldn’t let us in. In fact, they said privacy rules meant that they could not even confirm that he was there. … The Baker Act allows 72 hours of involuntary observation to see whether someone is in fact an imminent danger to himself or others. Matthew was not, and after three awful days, he was put in a taxi and sent home. We were not informed when he was released.

Matthew had begun to struggle with mental illness at age 24, but his age at the time is not specified.  Since he was no longer a minor, his parents would not be “personal representatives” with access to all his health information absent a guardianship appointment, power of attorney, or similar process recognized under applicable law.  However, the facility would have been permitted to confirm his admission and general condition under the HIPAA “directory exception,” which states:

(a) Standard: Use and disclosure for facility directories

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

HIPAA also allows family members to be given information in order to locate an individual, and allows the sharing of protected health information directly relevant to the family members’ involvement with the individual’s health care or payment for such care.

(b) Standard: Uses and disclosures for involvement in the individual’s care and notification purposes

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Finally, the facility could have simply asked Matthew if he agreed to allow the facility to notify his parents that he was being treated there. The Times account does not indicate whether the facility attempted to seek his consent, and it is possible that he was asked and refused.

The Office of Civil Rights (OCR) of the Department of Health and Human Services has addressed these concerns in a bulletin entitled HIPAA Helps Caregiving Connections –  HIPAA helps family and friends stay connected with loved ones who have a substance use disorder, including opioid abuse, or a mental or behavioral health condition:

If a family member, friend, or person you are caring for, has a mental health condition, substance use disorder (including opioid abuse), or other health problem, it can be difficult to stay connected if their condition worsens and they enter a health care facility for observation or treatment. HIPAA helps by allowing the health and mental health providers who treat your loved one to make decisions about communicating with his or her family and friends based on their professional judgment about what is best for the patient.

For Notification Purposes: HIPAA helps you stay connected with your loved one by permitting health professionals to contact you with information related to your family member, friend, or the person you are caring for, that is necessary and relevant to your involvement with the patient’s health care or payment for care. For example, if your loved one becomes disoriented, delirious, or unaware of their surroundings, due, for example, to opioid abuse or a mental health crisis, and arrives at a hospital emergency room for treatment, the doctors, nurses, and social workers may notify you of the patient’s location  and general condition. First, the staff will determine whether the patient agrees to share this information with you or if you are the patient’s personal representative.

If the patient is not able to make decisions (for example, due to being unconscious, sedated, severely intoxicated, or disoriented), then the doctors, nurses, and social workers may contact you without the patient’s permission when they determine that doing so is in the patient’s best interests.

To Help the Patient: HIPAA helps you to assist your loved one by permitting doctors, nurses, and social workers to share protected health information that is related to the care and assistance you are providing to your loved one. For example, if your adult son has been prescribed medication to treat anxiety, and you are helping him by providing supervision or housing, the discharge nurse may inform you what medication he will be taking, if he doesn’t object to sharing this information with you–as well as the side effects to watch for, or symptoms that indicate the medication isn’t working or isn’t being taken properly. If your son is unable to make health decisions independently, the nurse may decide to share this information with you if the nurse determines, using professional judgment, that it is in your son’s best interests.

See also Elizabeth Litten’s post following the Florida nightclub shootings in 2016:  Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

Some facilities tend to err on the side of caution when they are uncertain whether they are permitted to release information.  In addition, to the extent a state law affords greater privacy protections than those afforded under HIPAA, the state law protections will control.  However, erring on the side of caution when no HIPAA restriction applies and no other law affords greater privacy protections may actually exacerbate problems for the individual, particularly in the context of mental health.

 

 

Kristen Marotta writes:

Many believe that educated millennials are choosing to work in urban, rather than rural areas, during their early career due to societal milestones being steadily pushed back and the professional opportunities and preferences of a young professional. Recent medical school graduates are a good example of this dichotomy. The shortage of physicians in rural areas is a well-known phenomenon. Over the years, locum tenens staffing has helped to soften the impact and, recently, so has telemedicine.

Illustration of stethoscope and mobile phone, symbolizing telemedicineThe growing prevalence of telemedicine around the country is an important consideration for new physicians as they decide where to settle down and establish their careers.  In New York, medical graduates should be aware that a $500,000 federal grant was given to New York State’s Office of Mental Health this month, February 2018 by the U.S. Department of Agriculture Rural Development Distance Learning and Telemedicine program.  Using telemedicine to provide mental health services may be a productive and efficient way to deliver healthcare, not only because many mental health examinations would not have to be conducted in-person, but also because of the general shortage of psychiatrists and mental health providers to meet these patient needs. Now, medical graduates who would like to establish their lifestyle in a city can simultaneously care for patients living miles apart from them.

It is essential that health care providers engaging in telemedicine understand the implications of this practice model with respect to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Providers rendering health care services via telemedicine should update and adjust their security risk assessments and HIPAA privacy and security policies and procedures, because protected health information is likely to be created in two separate locations (i.e., the location of the provider and the location of the patient).  Providers should also make sure that their (or their practice’s) Notice of Privacy Practices has been updated to reflect the provision of services via telemedicine, so that the patient has the opportunity to make an informed decision about engaging in this type of health care. Additionally, new business associate agreements may be required with telehealth vendors that do not meet the narrow “mere conduit” exception and any new parties who will have access to the individual’s protected health information as a result of the provision of services via telemedicine. In connection with these efforts, Providers should research and conduct due diligence on vendors to confirm that they understand the services model and are HIPAA-compliant.

As telemedicine emerges and gains more traction in health care, state laws and regulations will also be created and/or updated, and physicians will need to keep abreast of these changes. A good example of this is the State of New York, which has an entire section of mental health regulations dedicated to telepsychiatry. Stay tuned to Fox Rothschild’s Physician Law Blog for further updates on these specific New York regulations, as well as the developments in telemedicine.

Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

Many employers who offer wellness programs to their employees may not have considered compliance with HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”), since they don’t think of their wellness programs as a group health plan. Part 1 of this post covered why most employee assistance programs (“EAPs”) are subject to the HIPAA Rules. This part discusses wellness programs. As with EAPs, wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

A wellness program may be considered a group health plan in at least two common ways. First, if an employer offers a wellness program as part of another group health plan (e.g., a major medical plan), any individually identifiable health information collected from participants in the wellness program is protected health information (“PHI”) under the HIPAA Rules. In other words, if the wellness program is part of another group health plan, such as a major medical plan—for example, by offering incentives like premium reductions or lower cost-sharing amounts for major medical coverage based on participation in the wellness program—the wellness program will be subject to the HIPAA Rules.

Second, a wellness program will be a group health plan subject to the HIPAA Rules if it provides medical care to employees. Some benefits commonly provided by wellness programs are not medical benefits—a health risk assessment (“HRA”), for example, is typically a questionnaire intended to identify an employee’s possible health risks and to motivate the employee to make positive behavior changes to reduce those risks. HRAs are not medical care if they are not administered by medical professionals and are not intended to diagnose illness or prescribe treatment. Other non-medical benefits offered by wellness programs include exercise, nutrition, or weight loss programs, as long as they are not connected with or recommended in response to a medical practitioner’s diagnosis. A wellness program may also provide general health-related information, or referrals (if made by people without any special medical training), without providing medical care (and without triggering compliance obligations under the HIPAA Rules).

Other common wellness program benefits, however, may provide medical care. A biometric screening (often conducted in conjunction with an HRA) is typically medical care because it often involves a blood draw, labs and a clinical assessment of an employee’s health and is intended to diagnose, or indicate an increased risk of, certain health conditions (heart disease, diabetes, etc.). Wellness programs also often include disease management and smoking cessation services, which are considered medical care because they are designed to assist with specific health conditions. Even something as simple as an employee flu shot is medical care, whether or not it is part of another group health plan. Individualized health coaching by trained nurses or counseling provided by trained counselors also would be considered medical care. Providing any of this medical care through a wellness program may lead to unexpected compliance obligations under the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured wellness program that provides medical care will need to enter into a the HIPAA Rules business associate agreement with the wellness program vendor, amend the plan document for the wellness program to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures in place under the HIPAA Rules for another self-insured group health plan (such as a major medical plan) to make them apply to the wellness program as well. If the wellness program is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance under the HIPAA Rules.

 

 

 

 

 

 

 

 

You may be surprised to learn that those “extra” benefits your company offers to its employees such as your employee assistance program (“EAP”) and wellness program likely are subject to the HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”). Part 1 covers why most EAPs are subject to the HIPAA Rules. Part 2 will discuss wellness programs. In both cases, EAPs and wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

As background, the HIPAA Rules apply to “covered entities” and their “business associates.” Health plans and most healthcare providers are “covered entities.” Employers, in their capacity as employers, are not subject to the HIPAA Rules. However, the HIPAA Rules do apply to any “protected health information” (“PHI”) an employer/plan administrator holds on a health plan’s behalf when the employer designs or administers the plan.

Plan administrators and some EAP vendors may not consider EAPs to be group health plans because they do not think of EAPs as providing medical care. Most EAPs, however, do provide medical care. They are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition, including substance abuse and mental health issues. In contrast, an EAP that provides only referrals on the basis of generally available public information, and that is not staffed by health care providers, such as counselors, does not provide medical care and is not subject to the HIPAA Rules.

A self-insured EAP that provides medical care is subject to the HIPAA Rules, and the employer that sponsors and administers the EAP remains responsible for compliance with the HIPAA Rules because it acts on behalf of the plan.   On the other hand, for an EAP that is fully-insured or embedded in a fully-insured policy, such as long-term disability coverage, the insurer will have the primary obligations for compliance with the HIPAA Rules for the EAP. The employer will not be responsible for overall compliance with the HIPAA Rules for an insured EAP even though it provides medical care, but only if the employer does not receive PHI from the insurer or only receives summary health information or enrollment/disenrollment information. Even then, the employer needs to ensure it doesn’t retaliate against a participant for exercising their rights under the HIPAA Rules or require waiver of rights under the HIPAA Rules with respect to the EAP.

An EAP that qualifies as an “excepted benefit” for purposes of HIPAA portability and the Affordable Care Act (as is most often the case because the EAP is offered at no cost, eligibility is not conditioned on participation in another plan (such as a major medical plan), benefits aren’t coordinated with another plan, and the EAP does not provide “significant benefits in the nature of medical care”) can be subject to the HIPAA Rules. In other words, just because you’ve determined that your EAP is a HIPAA excepted benefit doesn’t mean the EAP avoids the HIPAA Rules. Most EAPs are HIPAA excepted benefits, yet subject to full compliance with the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured EAP that provides medical care will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures under the HIPAA Rules for another self-insured group health plan to make them apply to the EAP as well. If the EAP is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance with the HIPAA Rules.

Text messaging is a convenient way for busy doctors to communicate, but for years, the question has remained: are doctors allowed to convey sensitive health information with other members of their provider team over SMS? The answer is now “yes,” thanks to a memo published last week by the U.S. Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).   The memo clarifies that “texting patient information among members of the health care team is permissible if accomplished through a secure platform.”

However, texting patient orders is prohibited “regardless of the platform utilized” under the CMS hospital Conditions of Participation or Conditions of Coverage, and providers should enter orders into an electronic health record (EHR) by Computerized Provider Order Entry (CPOE).

According to the memo, CMS expects providers and organizations to implement policies and procedures that “routinely assess the security and integrity of the texting systems/platforms that are being utilized” to avoid negatively affecting patient care.

What’s interesting about the CMS memo is that texting on a cell phone has become as routine (if not more routine) as speaking into a cell phone – and HHS published guidance way back in 2013 explaining that the HIPAA Privacy Rule permits doctors and other health care providers to share protected health information over the phone. Telling a 21st century doctor not to communicate by text message (within the proper HIPAA parameters, of course) is like telling the President he can’t communicate on Twitter.

CMS’s restriction on texting patient orders appears to relate to concerns about medical record accuracy, not privacy and security. “CMS has held to the long standing practice that a physician … should enter orders into the medical record via a hand written order” or by CPOE, “with an immediate download into the … [EHR, which] would be dated, timed, authenticated, and promptly placed in the medical record.”

I asked a couple of IT security experts here at Fox how a provider or organization would go about “routinely assessing the security and integrity of the texting systems/platforms” being used by doctors. According Fox partner and Chief Privacy Officer Mark McCreary, CIPP/US, the provider or organization might want to start by:

“… receiv[ing] and review[ing] their third party audits and certifications.  Most platform providers would make those available to customers (if not the public).  They like to tout their security.”

Matthew Bruce, Fox’s Information Security Officer, agreed:

“That is really the only practical way to routinely assess. SMS, which is standard text messaging, isn’t secure so it would likely require the potential use of third party app like Signal.  iMessages are encrypted and secure but only between iPhone users. Both companies should publish their security practices.”

So, providers or organizations participating in Medicare can (continue to) allow doctors to communicate (but not enter treatment orders) by text, but should periodically review the security of the texting systems or platforms the doctors are using. They may also want to remind doctors to make sure they know when and how to preserve text messages, whether by taking screen shots, using an SMS backup app, or some other method.

In our most recent post, the Top 5 Common HIPAA Mistakes to Avoid in 2018, we noted that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has recently published guidance on disclosing protected health information (PHI) related to overdose victims. OCR published this and other guidance within the last two months in response to the Opioid Crisis gripping the nation and confusion regarding when and to whom PHI of patient’s suffering from addiction or mental illness may be disclosed.

Pills and capsules on white backgroundTo make the guidance easily accessible to patients and health care professionals, OCR published two webpages, one dedicated to patients and their family members and the other dedicated to professionals.

  • Patients and their family members can find easy-to-read commentary addressing the disclosure of PHI in situations of overdose, incapacity or other mental health issues here.
  • Physicians and other health care professionals can find similar fact sheets tailored to their roles as covered entities here.
  • OCR also recently issued a two-page document summarizing its guidance on when health care professionals may disclose PHI related to opioid abuse and incapacity [accessible here].

The main points from this guidance include:

  1. If a patient has the capacity to make decisions regarding his or her health care, a health care professional may not generally share any PHI with family, friends or others involved in the patient’s care (or payment for care), unless the patient consents to such disclosure.  However, a health care professional may disclose PHI if there is a serious and imminent threat of harm to the patient’s health and the provider in good faith believes that the individual to whom the information is disclosed would be reasonably able (or in a position) to prevent or lessen such threat. According to OCR, in the context of opioid abuse, this rule allows a physician to disclose information about the patient’s opioid abuse to any individual to whom the physician in good faith believes could reasonably prevent or lessen the harm that could be caused by the patient’s continued opioid abuse following discharge.
  2. If the patient is incapacitated or unconscious, HIPAA allows health care professionals to disclose certain PHI to family and close friends without a patient’s permission where (i) the individuals are involved in the care of the patient, (ii) the health care professional determines that disclosing the information is in the best interests of the patient, and (iii) the PHI shared is directly related to the family or friend’s involvement in the patient’s health care (or payment for such health care). As an example, OCR clarified that a physician may, in his or her professional judgment, share PHI regarding an opioid overdose and related medical information with the parents of someone who is incapacitated due to an overdose.
  3. OCR also addressed the difficult situation where a patient is severely intoxicated or unconscious, but may regain sufficient capacity to make health care decisions several hours after arriving in the emergency room.   In such situations, HIPAA would allow a physician or nurse to share PHI related to the patient’s overdose and medical condition with the patient’s family or close personal friends while the patient is incapacitated, so long as the nurse or doctor believes that it is in the patient’s best interest to do so and the information shared with the family member or friend is related to the individual’s involvement in the patient’s health care.

OCR published similar guidance, available at the above websites, regarding the disclosure of PHI related to the mental health of a patient.  Included in that guidance is clarification that HIPAA does not prohibit treating physicians from sharing PHI of a patient with a mental illness or substance use disorder for treatment purposes, except in the case of psychotherapy notes.

However, it is important to understand that OCR’s guidance on these issues does not supersede state laws or other federal laws or rules of medical ethics that would apply to disclosure of a patient’s PHI, including the federal confidentiality regulations [located at 42 CFR Part 2] pertaining to patient records maintained in connection with certain federally-assisted substance use disorder treatment programs.  The “Part 2” regulations (as well as state patient confidentiality laws that are more restrictive than HIPAA) could prohibit some or all of the disclosures which OCR has now clarified are permitted under HIPAA.

If you have a question regarding how this new guidance may affect your practice, please contact a knowledgeable attorney.

Heading into its 22nd year, HIPAA continues to be misunderstood and misapplied by many, including health care industry professionals who strive for (or at least claim the mantle of) HIPAA compliance. Here is my “top 5” list of the most frequent, and most frustrating, HIPAA misperceptions seen during 2017:

  1. “If I’m using or disclosing protected health information (PHI) for health care operations purposes, I don’t need a Business Associate Agreement.”

Yes, HIPAA allows PHI to be used or disclosed for treatment, payment and health care operations purposes, but the term “health care operations” is defined to include specific activities of the covered entity performing them. In addition, the general provision permitting use or disclosure for health care operations purposes (45 C.F.R. 164.506(c)) allows such use or disclosure for the covered entity’s “own” health care operations. So if the covered entity (or business associate) is looking to a third party to perform these activities (and the activities involve the use or disclosure of PHI), a Business Associate Agreement is needed.

  1. “I don’t need to worry about HIPAA if I’m only disclosing a patient’s/member’s telephone number, since that’s not PHI.”

If the data disclosed was ever PHI, it’s still PHI (unless it has been de-identified in accordance with 45 C.F.R. 164.514). For example, if data is received by a health care provider and relates to the provision of care to patient (e.g., as a phone number listed on a patient intake form), it’s PHI – even though, as a stand-alone data element, it doesn’t appear to have anything to do with the patient’s health. Unless the patient has signed a HIPAA authorization allowing the disclosure of the phone number to a third party vendor, the vendor receiving the phone number from the provider to perform patient outreach on behalf of the provider is a Business Associate.

  1. “When a doctor leaves a practice, she can take her patients’ medical records with her.”

This is not automatic, particularly if the practice is the covered entity responsible for maintaining the records and the patient has not expressly allowed the disclosure of his or her records to the departing doctor. In most cases, the practice entity transmits health information in electronic form in connection with a HIPAA transaction and acts as the covered entity health care provider responsible for HIPAA compliance. The patient can access his or her records and direct that they be sent to the departing physician (see guidance issued by the U.S. Department of Health and Human Services (HHS) on individual’s access rights), and if the patient shows up in the departing doctor’s new office, the practice can share the patient’s PHI under the “treatment” exception. If the practice wants the departing doctor to maintain the records of patients she treated while part of the practice, it can enter a records custodian agreement and Business Associate Agreement with the departing doctor.

  1. “I can disclose PHI under the “sales exception” to anyone involved in due diligence related to the sale of my health care practice/facility without getting a Business Associate Agreement.”

HIPAA prohibits the sale of PHI, but excluded from this prohibition is “the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence” as described in the definition of health care operations. The definition of health care operations, in turn, includes the “sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.”  This “sales exception” is a bit vague and the cross-referencing of other regulations adds to the confusion, but the fact that disclosing PHI in connection with due diligence related to a possible sale of a covered entity is not prohibited as a “sale” does not mean it’s permitted without regard to other HIPAA requirements and protections. Attorneys, consultants, banks, brokers and even potential buyers should consider whether they are acting as business associates, and careful buyers and sellers may want to require Business Associate Agreements with those accessing PHI.

  1. “If I’m treating an overdose victim [or other unconscious or incapacitated person], I can’t share his/her PHI with family members or caregivers.”

The HHS Office for Civil Rights recently published guidance to clarify that HIPAA does not prohibit health care professionals from sharing information with family members and others in crisis situations, such as those involving overdose victims. I blogged on a related topic, involving the nightclub shooting tragedy in Orlando, Florida, back in 2016. The bottom line is that HIPAA allows the disclosure of PHI in two circumstances that are often forgotten: (1) where the patient is unconscious or incapacitated and the provider believes sharing information with family and close friends involved in the patient’s care is in the best interests of the patient; and (2) where the provider believes that sharing information will prevent or lessen a serious and imminent threat to the patient’s health or safety.  More stringent laws may apply, such as those governing substance use disorder treatment records created or maintained by certain federally-assisted substance use disorder treatment providers or state laws, but HIPAA permits providers to exercise discretion in crisis situations.