As she has done in January for several years, our good friend Marla Durben Hirsch quoted my partner Elizabeth Litten and me in Medical Practice Compliance Alert in her article entitled “MIPS, OSHA, other compliance trends likely to affect you in 2017.” For her article, Marla asked various health law professionals to make predictions on diverse healthcare matters including HIPAA and enforcement activities. Full text can be found in the January 2017 issue, but excerpts are included below.

Marla also wrote a companion article in the January 2017 issue evaluating the results of predictions she published for 2016. The 2016 predictions appeared to be quite accurate in most respects. However, with the new Trump Administration, we are now embarking on very uncertain territory in multiple aspects of healthcare regulation and enforcement. Nevertheless, with some trepidation, below are some predictions for 2017 by Elizabeth and me taken from Marla’s article.

  1. The Federal Trade Commission’s encroachment into privacy and security will come into question. Litten said, “The new administration, intent on reducing the federal government’s size and interference with businesses, may want to curb this expansion of authority and activity. Other agencies’ wings may be clipped.” Kline added, “However, the other agencies may try to push back because they have bulked up to handle this increased enforcement.”
  2. Telemedicine will run into compliance issues. As telemedicine becomes more common, more legal problems will occur. “For instance, the privacy and the security of the information stored and transmitted will be questioned,” says Litten. “There will also be heightened concern of how clinicians who engage in telemedicine are being regulated,” adds Kline.
  3. The risks relating to the Internet of things will increase. “The proliferation of cyberattacks from hacking, ransomware and denial of service schemes will not abate in 2017, especially with the increase of devices that access the Internet, known as the ‘Internet of things,’” warns Kline. “More devices than ever will be networked, but providers may not protect them as well as they do other electronics and may not even realize that some of them — such as newer HVAC systems, ‘smart’ televisions or security cameras that can be controlled remotely — are also on the Internet and thus vulnerable,” adds Litten. “Those more vulnerable items will then be used to infiltrate providers’ other systems,” Kline observes.
  4. More free enterprise may create opportunities for providers. “For example, there may not be as much of a commitment to examine mergers,” says Kline. “The government may allow more gathering and selling of data in favor of business interests over privacy and security concerns,” says Litten.

The ambitious and multi-faceted foray by the Trump Administration into the world of healthcare among its many initiatives will make 2017 an interesting and controversial year. Predictions are always uncertain, but 2017 brings new and daunting risks to the prognosticators.  Nonetheless, when we look back at 2017, perhaps we may be saying, “The more things change, the more they stay the same.”

U.S. Representative Tim Murphy (R-PA) has been a vocal advocate for mental health reform for a number of years.  Part of his crusade is driven by his concern that the HIPAA privacy rule “routinely interferes with the timely and continuous flow of health information between health care providers, patients, and families, thereby impeding patient care, and in some cases, public safety.”  Congressman Murphy’s efforts have resulted in the inclusion in the recently-passed 21st Century Cures Act of a provision entitled “Compassionate Communications on HIPAA” targeted at improving understanding of what mental health information can be shared with family members and caregivers.

The 21st Century Cures Act streamlines the drug approval process, authorizes $4.8 billion in new health research funding, including $1.8 billion for Vice President Joe Biden’s “cancer moonshot” and $1.6 billion for brain diseases such as Alzheimer’s, and provides grants to combat the opioid epidemic.

Of most interest to readers of this blog, the Act also calls for the Department of Health and Human Services (HHS) to clarify the situations in which HIPAA permits health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment. By December 13, 2017, the Secretary of HHS is required to issue guidance regarding when such disclosures would require the patient’s consent; when the patient must be given an opportunity to object; when disclosures may be made based on the exercise of professional judgment regarding whether the patient would object when consent may not be obtained due to incapacity or emergency; and when disclosures may be made in the best interest of the patient when the patient is not present or is incapacitated. HHS is directed to address communications to family members or other individuals involved in the care of the patient, including facilitating treatment and medication adherence. Guidance is also required regarding communications when a patient presents a serious and imminent threat of harm to self or others. HHS is directed to develop model training materials for healthcare providers, patients and their families.

The law incorporates the Substance Abuse and Mental Health Administration’s definition of the term “serious mental illness” as “a diagnosable mental, behavioral, or emotional disorder that results in serious functional impairment and substantially interferes with or limits one or more major life activities.”

Importantly, the law neither changes existing regulatory exceptions under HIPAA nor directs HHS to modify them.  Instead, it calls for further explanation of existing rules that are often poorly understood by providers, patients and caregivers alike or may actually be used inappropriately to thwart the flow of meaningful and helpful information leading to barriers to effective communication that would benefit patients and improve mental health outcomes.

An existing public safety exception permits a covered entity to use or disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

The existing exception for caregivers permits disclosures to a family member, other relatives, or a close personal friend of the individual, or any other person identified by the individual, but only regarding PHI that is directly relevant to such person’s involvement with the individual’s health care or payment for care.

PHI may also be disclosed when the patient is present and provides consent, does not object to a disclosure of PHI to another individual accompanying them when given the opportunity to object, or where the covered entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

Other existing exceptions address emergency situations as well as cases where the patient is incapacitated, and permit disclosure of only the PHI that is directly relevant to the other person’s involvement with the patient’s care or payment.

The new law falls short of Rep. Murphy’s previous legislative proposals. In 2015, Murphy introduced a bill entitled the Helping Families In Mental Health Crisis Act, which he said would “allow the doctor or mental health professional to provide the diagnosis, treatment plans, appointment scheduling, and prescription information to the family member and known caregiver for a patient with a serious mental illness. This change would apply for those who can benefit from care yet are unable to follow through on their own self-directed care.” This bill was passed by the House by a wide margin but was not enacted.

While the new law does not expand HIPAA exceptions, it does make it more likely that those exceptions already on the books will be more clearly understood and implemented in cases involving serious mental illness.

Federal enforcement agencies are increasingly focusing on HIPAA breaches which involve mishandling of PHI by telecommuters.  Two recent cases illustrate the liability exposure resulting from inadequate oversight of staff working remotely.

Medical equipment supplier Lincare was fined $239,800 as a result of a breach which occurred when an employee left unprotected PHI in a car in the possession of her estranged husband.  An Administrative Law Judge upheld the penalty, noting that Lincare did not have policies in place requiring employees to safeguard medical information off-site.

In a second case, Cancer Care Group, an Indianapolis radiation oncology practice (CCG), entered into a $750,000 settlement with OCR after unencrypted backup tapes containing the PHI of more than 50,000 patients were stolen from a telecommuting employee’s vehicle.  OCR required the group to enter into a Corrective Action Plan that included conducting a risk analysis and developing and implementing policies and procedures to prevent similar occurrences.

My partners Michael Kline and Elizabeth Litten were quoted in the November issue of Medical Practice Compliance Alert by Marla Durben Hirsch in her article entitled “Call it telecommuting or working remotely, it needs a HIPAA policy.”

It is increasingly common for employers, including health care providers, to allow staff to work off site on a full- or part-time basis. While it’s most commonly seen as working from home, it includes anywhere but the office, including on a train, in a coffee shop, while traveling from patient to patient or elsewhere, points out attorney Michael Kline with Fox Rothschild in Princeton, N.J.

But it increases the risk of HIPAA violations because the practice is no longer in control of some of the technical and physical safeguards required by HIPAA’s security rule to protect the PHI, points out attorney Elizabeth Litten, also with Fox Rothschild.

“There are more opportunities for things to go wrong,” Litten warns.

Among the tips suggested in the article are the following:

  1. Have clear policies about what practices are accepted and how workers will protect the data;
  2. Determine what hardware and software will be allowed and how it must be configured;
  3. Make sure that the PHI can be password-protected, encrypted or otherwise segregated if the employee does not have a dedicated computer, so that family members who have access to the computer can’t view the PHI. “You don’t want it accessed by little children who want to look at Bubble Guppies,” says Kline.
  4. Double check that your insurance policies allow telecommuting;
  5. Include PHI off the premises as part of your practice’s overall risk assessments and management;
  6. Incorporate protection of PHI into your practice’s telecommuting policy;
  7. Get the promise to protect PHI in writing; and
  8. Monitor how telecommuters handle PHI.

Failure to design and implement effective telecommuting policies and procedures contributed to the breaches at Lincare and CCG and may have substantially increased the magnitude of the financial penalties.  Ideally, covered entities and business associates should anticipate issues with telecommuters and roll out appropriate rules before any PHI leaves the office, but if you already have team members working remotely, it is better to address these risks late than never.


Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now).

The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may represent PokéStops where players may find and capture Pokémon (“pocket monster” characters) that appear on the player’s phone superimposed over images of the real-world location when in augmented reality (AR) mode, and “Gyms” where they can virtually battle other players. Niantic, Inc., a Google spinoff, developed the game and based its PokéStops and Gyms on user-contributed locations (“portals”) from its previous augmented reality game, Ingress. These sites include businesses, parks, public buildings, museums, churches, private homes, and yes, even hospitals.

When players encounter Pokémon, they can take screen shots using their phone’s camera, which in AR mode will also capture whatever is in the background at the time. Naturally, this is giving hospitals and other healthcare facilities some concerns about safety, privacy, and maintaining a peaceful healing environment. Indeed, in extreme cases of “invasion by Pokémon GO players,” the law of tort or criminal trespass could possibly be invoked by a health care facility in many jurisdictions. Simply stated, the action of trespass can be maintained against anyone who interferes with the right of ownership or possession of land, whether the invasion is by a person or by something that a person has set in motion. However, such an action would undoubtedly create a media sensation and must be carefully considered before undertaking it.

The game has already made headlines for contributing to incidents where deeply-absorbed players have been injured by following their phones into the path of danger. The Advisory Board reports that the game has directed players near a hospital’s helipad (“Amid ‘Pokémon Go’ craze, hospitals say game players could jeopardize patient safety”). Healthcare Business and Technology reports that “The sheer amount of unauthorized visitors has raised safety concerns about everything from security issues to increased germ exposure that heightens patients’ risk of infections” (“Pokemon Go causes problems for hospitals: How to respond”).

Ban it? Embrace it?

Accordingly, some hospitals have asked players to avoid their campuses or banned the game outright. Others have forbidden their staffs from playing the game while on site, according to Healthcare IT News. The game appeals to a surprisingly wide age group since many adults have fond memories of playing the original Nintendo game in the mid-1990’s.

For HIPAA purposes, the use of smartphone cameras in the game can be problematic. At a recent meeting of the Healthcare Council of Western Pennsylvania, compliance officers reported that they had discovered PokéStops in their facility near patient care areas where records were potentially visible. Hospitals certainly do not want to encourage or permit individuals to wander their halls who are not there to obtain care or visit patients they know.

Many hospitals have policies on use of cameras or camera phones on campus, and those policies should be reviewed and recirculated to staff as well as communicated to patients and visitors in light of the popularity of the game.

Some children’s hospitals, however, are big fans of the game and its ability to motivate hospitalized kids to be more physically active and socially interactive. USA Today reports:

In the past, young patients at C.S. Mott Children’s Hospital in Ann Arbor, Mich., shuffled down the hallways without speaking to each other, but now it’s not uncommon to see them stop and talk near a Pokémon Go hotspot.

Advocate Children’s Hospital in Oak Lawn/Park Ridge, IL tweeted a photo of a young patient playing the game with the caption “Luke’s mom says @Pokemon Go has been a lifesaver to get him out of his hospital room and moving around!” We hope they had Luke’s mom’s permission for the tweet. Toronto’s Sunnybrook Hospital tweeted: “We love that #PokemonGO encourages exercise! Remember: stay alert & safe. Can’t catch ’em all from a hospital bed.” Of course HIPAA is not an issue in Canada, but there is Ontario’s Personal Health Information Protection Act (PHIPA). And a meme is circulating featuring an anime-style nurse which reads:

“Hey Pokémon Go players. Have extra lures? Then drive to your nearest Children’s Hospital and drop the lure there. There are plenty of kids who would love to go out and collect Pokémon, but they are stuck in bed, so this will help them.”

(Lures are markers players can collect and distribute within the game that help attract Pokémon).

Wipe yourself off the map?

Hospitals are not the only unwilling hosts of PokéStops and Gyms. The Holocaust Museum and Arlington National Cemetery are among locations that are included in the game’s map. As a result of objections, Niantic has set up a link to a form on its web site through which you can request removal of a PokéStop or Gym. It is not clear how long it will take for the company to remove an unwelcome site.

It’s common these days for technology to outpace policy, but it’s a good idea to understand this sudden craze and decide how to approach it in your organization.

Our partner Elizabeth Litten and I were featured again by our good friend Marla Durben Hirsch in her article in the April 2016 issue of Medical Practice Compliance Alert entitled “5 safeguards to take with patient-employee health records.” Full text can be found in the April, 2016 issue, but a synopsis is below.

For her article, Marla asked us to comment about physician medical practices that provide medical treatment to their own employees and other staff or affiliates (collectively, “Patient-Employees”). She observed that “These medical records [of Patient-Employees] are not fair game for colleagues to view unless there’s a job-related reason for them to do so.”

Marla quoted Kline as saying that “It’s human nature to talk about others [that you know]. You also have rogue employees who are ‘frenemies’ [Or simply curious about a co-worker’s treatment].” Nonetheless, as Marla observed, events of improper access are not just potential HIPAA violations; they can also have a negative impact on the workplace.

Our five tips for reducing the risks of improper breaches of Patient-Employees’ health information that were developed with Marla follow:

Litten: Include employee privacy in your HIPAA education. “This is a topic for specific training.” For example, make sure that everyone in the office knows the practice’s HIPAA policies and procedures, and that all patients, even those who are employees, are entitled to their privacy rights. Emphasize the fact that employees should only review records when it is necessary to do their job.

Kline: Limit access to the records. “For instance, not all employees need unfettered access to electronic medical records, so different staff members can have different levels of access. Human resources shouldn’t be able to find out that an employee came in for [medical] help.”

Litten and Kline: Take consistent disciplinary action when warranted. An employee may need to be retrained, disciplined or even fired, and treat all workforce members the same, whether licensed professionals or other staff.

Litten: Require staff to report these kinds of breaches. “At the least the practice can argue that the employee had an obligation to report, and by not doing so the fault lay with the employee, not the employer.”

Litten and Kline: Don’t let Patient-Employees take shortcuts to access their records. All patients are entitled to access their records; Patient-Employees should be required to go through the same procedures to access their records as any non-Patient-Employee.

In this ever more-challenging environment of compliance with the privacy and security requirements of HIPAA (and other applicable federal and state laws), a health care provider should limit the risks appurtenant to providing treatment to its own employees as patients, especially since it may be an economical and efficient alternative. There are enough external risks lurking about. Through establishing discrete policies and procedures, a provider can do much to control its internal risks involving Patient-Employees.

President Obama announced a series of Executive Orders on January 4, 2016 to address gun-related violence in America. Among those orders was an initiative to increase mental health reporting to the background check system. But this does not mean that mental health records will be widely released or that anyone who has sought treatment for mental illness will be banned from gun ownership.  It only means that information about individuals who are already prevented from owning guns under current law will be made available for background checks.

A fact sheet released by the administration includes this summary:

Remove unnecessary legal barriers preventing States from reporting relevant information to the background check system. Although States generally report criminal history information to [the National Instant Criminal Background Check System, (NICS)], many continue to report little information about individuals who are prohibited by Federal law from possessing or receiving a gun for specific mental health reasons. Some State officials raised concerns about whether such reporting would be precluded by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Today, the Department of Health and Human Services issued a final rule expressly permitting certain HIPAA covered entities to provide to the NICS limited demographic and other necessary information about these individuals.

A Final Rule was posted by the Office of Civil Rights of the Department of Health and Human Services (OCR) at https://federalregister.gov/a/2015-33181. In an announcement posted by OCR, the agency emphasized that this rule is narrowly drawn and applies only to a limited category of covered entities:

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having firearms or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS.

The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information. [emphasis added]

OCR emphasizes that individuals who seek help for mental health conditions and/or receive mental health services are not automatically legally prohibited from having a firearm, and that nothing in the final rule changes that.

The rule only applies to state agencies or other agencies that are designated by the state to report, or which collect information for purposes of reporting, on behalf of the state, to the NICS; or a court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to lose the right to possess firearms under existing federal law. It authorizes such agencies to disclose the information only to NICS or an entity designated by the state to report, or which collects information for purposes of reporting, on behalf of the state, to NICS, and permits disclosure of only such limited demographic and certain other information needed for purposes of NICS reporting. It expressly prohibits disclosure of diagnostic or clinical information for such purposes.

In light of the heightened emotions surrounding any government action relating to firearms, especially as it may involve mental health and HIPAA, it is likely that misunderstandings, exaggerations, misinformation (or even intentional disinformation) about this limited change will circulate through social media and similar channels. Healthcare providers and other covered entities should be aware that the rule changes nothing except for certain state agencies and their agents.


A thoughtful reader responded to our last post, Debunking a Viral “Medical Hack” Meme, which advised health plan subscribers to cite certain HIPAA compliance issues in efforts to overturn unfavorable insurance coverage decisions.

Jeff Knapp wrote:

This meme just popped up in my Facebook news feed this morning, and I was happy to see you addressed it so quickly. I too immediately noticed several flaws. In addition to the ones you noted here, there is certainly no right under HIPAA for an individual to speak with a covered entity’s privacy officer. While it’s true that a covered entity must designate a contact person or office, in my experience the contact person/office and the privacy officer are not the same. Typically, a privacy officer is dealing with higher-level issues than responding to requests for documents. I always enjoy reading your blog posts.

Mr. Knapp accurately notes that there is no right to contact a privacy officer, and in fact, HIPAA provides no private right of action for an individual whose protected health information was improperly accessed. See “Why Can’t I Sue Under HIPAA for a Breach of my Protected Health Information? What Can I Do?”

Moreover, if the individual disputing a coverage decision is covered by a self-insured plan sponsored by his or her employer, the strategy advocated by the meme could easily backfire, notwithstanding any separation of insurance administration and human resources functions within an employer’s management structure, whether nominal or reasonable.

Since the early days of HIPAA, a steady trickle of misinterpretations, misunderstandings and half-truths have circulated informally both within the medical community and among the general public.  The prevalence of social media only amplifies the effect. For example, a meme currently making the rounds on Facebook suggests using HIPAA as a strategy for convincing a health insurer to reverse a coverage denial decision.  The post, entitled “Medical Hack,” began appearing this month.  While containing some accurate information, the post contains a number of flaws.


It reads as follows:

So, your doctor ordered a medical test or treatment and your insurance company denied it. That is a typical cost saving method.

OK, here is what you do:

1. Call the insurance company and tell them you want to speak with the “HIPAA Compliance/Privacy Officer” (By federal law, they have to have one)

2. Then ask them for the NAMES and CREDENTIALS of every person accessing your record to make that decision of denial. By law you have a right to that information.

3. They will almost always reverse the decision very shortly rather than admit that the committee is made of low paid HS graduates, looking at “criteria words,” making the medical decision to deny your care. Even in the rare case it is made by medical personnel, it is unlikely it is made by a board certified doctor in that specialty and they DO NOT WANT YOU TO KNOW THIS!

4. Any refusal should be reported to the US Office of Civil Rights (OCR.gov) as a HIPAA violation.

As with any viral post, it is prudent to fact-check this advice with reliable sources such as Snopes.com.  Sure enough, Snopes has addressed the “hack” and classified it a mixture of true, false and undetermined information.   See http://www.snopes.com/hipaa-medical-hack-insurance-claim-denials/

To their credit, the fact-checkers at Snopes picked up on several flaws in the strategy suggested in the hack, particularly the fact that neither HIPAA nor the Affordable Care Act require insurers to base decisions to deny coverage of services or medications on the decision of a doctor, let alone a doctor that is board certified in the specialty under which that treatment fell.  (In fact, these issues are primarily regulated by state insurance laws.)   To that effect, Snopes notes:

… if insurance companies are entitled to deny coverage on a discretionary basis without the say-so of a doctor, there’s no reason a non-mandated process would be outlined through any plan resource or HHS guideline. Asking for such documentation would make as much sense as someone demanding a receipt for a donut you didn’t buy.

However, the most critical flaw in the suggested strategy is the fact that insurers and other covered entities are not required to account for all internal disclosures (and even many external disclosures for that matter), and disclosures for payment or health care operations purposes are specifically carved out of the accounting requirement in 45 C.F.R. 164.528(a).  Insurance clerks, regardless of their level of education, are likely to be utilizing patient records for payment and operations purposes when processing claims denials.

With regard to the requirement to designate a “HIPAA Compliance/Privacy Officer,” the Snopes report stated “We were unable to locate any relevant portion of the act that specifically mandated what the meme claimed.” In fact, 45 C.F.R. § 164.530 states:

(a)(1) Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

A better approach for health insurance subscribers facing denial of a treatment ordered by their physician is to follow the appeal mechanisms specified in their plans, and check their rights under applicable state law. For instance, Pennsylvania’s Act 68 includes certain standards for managed care plans and offers complaint and grievance procedures for individuals.

Lesson: Viral memes are often an unreliable source of legal advice.  I’m a major fan of Snopes.com, but sometimes even Snopes doesn’t get all the details.

Our partners Elizabeth Litten and William H. Maruca and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “Watch for HIPAA Pitfalls When Involving Police in ID Checks.” Full text can be found in the October 26, 2015, issue, but a synopsis is below. Marla’s article was also featured in Part B News.

Houston area OB/GYN clinic Northeast Women’s Healthcare has received attention due to a situation involving the verification of a patient’s identification by contacting law enforcement.  The clinic believed that a patient was attempting to use false identification in order to receive treatment at the facility, which prompted them to contact law enforcement. When local authorities were given the license number, it was determined that the information provided was false which led to the arrest of the individual seeking treatment.

Although the individual was alleged to have tampered with government records and has been noted as an undocumented immigrant, some questions have surfaced whether the clinic’s procedure violated HIPAA regulations by disclosing protected health information.

Some of the considerations identified in Marla’s article for providers concerned about possible false identification submitted by a patient include the following:

  1. “Providers appear to be under no obligation under HIPAA to report suspicious documents,” points out Maruca.
  2. “It’s not up to a doctor’s office to be a cop. You need to balance quality and safety issues versus the veneer of not wanting to treat the undocumented,” Litten says.
  3. “The controversy also is fueled by its occurrence in Texas, with not only a large demographic of immigrants but also where immigration status is a hot button issue and has garnered significant publicity,” Kline says.
  4. Kline continues by stating, “Emotions on this are high in Texas. It heightens the sexiness of the case.”

The obligations of providers to report to authorities that an individual has submitted suspected false identification to secure healthcare services can be complex and fact-specific.  Depending on the fact pattern, the matter can even become a media event.  In light of heightened sensitivities to immigration status, this issue can be expected to be a developing area of HIPAA and State law on identity theft, which may differ from HIPAA.

A Houston-area woman was arrested at her gynecologist’s office by sheriff’s deputies because she presented a false ID and now may face deportation, according to a September 11, 2015 report in the Houston Press. The woman, Blanca Borrego, was reportedly visiting Northeast Women’s Healthcare for an annual check-up and to follow up on a painful abdominal cyst that had been identified a year earlier. The Houston Press goes on to say that after filling out paperwork and waiting two hours, she was called into an exam room and met by law enforcement officers, who led her out in handcuffs in front of her young daughters.

“We’re going to take her downtown, she presented a form of false identification,” Borrego’s daughter recalled the deputy saying. He said their mother’s bond would probably be around $20,000, and added, “She’s going to get deported.”

Ms. Borrego had reportedly remained in the U.S. for 12 years on an expired visa. It was her first visit to this clinic, although she had been treated previously by the same physician. However, one commentator suggests she may have been eligible for protection from deportation under current law:

In fact, Borrego would have qualified for President Obama’s Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA) administrative reform program, which was announced last year. For the estimated 4.1 million undocumented individuals like Borrego—who have been in the United States since January 1, 2001 and have a son or daughter who is a U.S. citizen or lawful permanent resident—DAPA allows work permit applications and protection from deportation.  – Ana DeFrates, Texas Latina Advocacy Network, National Latina Institute for Reproductive Health

When can a physician practice, clinic, hospital or other healthcare provider reveal protected health information to law enforcement? Section 164.512(j) of the HIPAA rule permits such disclosures to avert a serious threat to health or safety, and only in limited situations:

(j) A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:

(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or

(ii) Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in §164.501.

Covered entities may also disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. It is not clear at this time whether Northeast will rely on that provision to justify its call to the police. There are no allegations of identity theft, and in fact Ms. Borrego reportedly was covered by her husband’s health insurance policy.

Ironically, the Houston Press reports that when it asked Memorial Hermann about its policies regarding informing authorities about suspected undocumented aliens, spokeswoman Alex Loessin replied, “As you know, because of patient privacy, I am unable to provide comment.”

The HIPAA implications of this emerging story have yet to fully play out. Covered entities and their business associates should use caution before voluntarily disclosing PHI to law enforcement agencies, particularly when there is no indication of violent crime or serious threats to health or safety.