Recently our partner Keith R. McMurdy posted an entry on the Fox Rothschild Employee Benefits Legal Blog entitled “HIPAA Medical Privacy Matters: Court Permits ADA Claim to Proceed.” While the full text of the excellent blog posting can be found here, I thought that a specific HIPAA point in Keith’s posting was well worth emphasizing: individual sensitive health information (ISHI) and the communication thereof may not constitute protected health information (PHI) that is regulated by HIPAA.
As described in the blog posting, ISHI was provided by the father of a seriously sick child on behalf of and for the child in an e mail he sent to his employer’s CFO. The employer’s self-insured health plan apparently had received claims approximating $1,000,000 for treatment for the child who was covered under the plan.
Keith points out,
Arguably, Myers’ [the father’s] e-mail did not implicate HIPAA medical privacy concerns because the [i]nformation provided voluntarily by the patient himself or herself (or in this case the parent of a minor patient) is not protected health information (PHI) under HIPAA. Further, because the CFO knew about the sick child, he was able to review the plan expenses and deduce that the higher costs were associated with that particular dependent. Even that was not in and of itself a violation of HIPAA medical privacy (assuming his role with the plan was part of the plan’s operation). So there is no indication that there was an improper use of PHI so as to create a privacy violation under HIPAA.
Among other things, the blog entry highlights the fact that the source of ISHI (in this case the parent of the child who sent the e mail to the CFO), and the circumstances under which the ISHI is shared (in this case by the father to the CFO of the plan sponsor), may materially impact whether the ISHI is PHI that is subject to regulation under HIPAA.