Sensitive Health Information

The November 2014 ruling in the Connecticut Supreme Court in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —, 2014 WL 5507439 (2014) (the “Byrne case”) has been discussed in a number of posts on this blog, including those here and here. The main focus of such posts has been the Byrne case’s recognition of potential use of HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit, even though an individual cannot sue under HIPAA itself. In those earlier blog entries, we observed that the Connecticut case may spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

This blog entry will focus more on facts of the Byrne case and some of their implications for individual health information (“IHI”) privacy in the context of domestic relations – both in the divorce or legal separation context and even in a less confrontational domestic environment. In the divorce or breakup context, consideration should be given to privacy issues of IHI in settlement agreements and divorce decrees. While settlement agreements and divorce decrees often address healthcare and health insurance issues, especially where there are custodial children involved, addressing IHI issues is much less common.

The Byrne Case

We recently co-authored an article entitled “Utilizing HIPAA as a Basis for State Negligence Actions” that was first published in Volume 11 Issue 12 of Data Protection Law & Policy (December 2014). The article, which may be found here, focused more on the facts of the Byrne case than our earlier blog posts and illustrates how IHI issues may infiltrate the break-up of domestic relationships. Among other things, the plaintiff in the Byrne case complained that, upon the end of her five month relationship with an individual (the “Individual”), she instructed the defendant physician practice group (the “Group”), as permitted under the Notice of Privacy Practices (“NPP”) of the Group, not to release her medical records to the Individual. Thereafter, the Group was allegedly served with a subpoena requesting its presence, together with the plaintiff’s medical records, at a court proceeding. The Group apparently did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court, but rather mailed a copy of the plaintiff’s medical file to the court. The Individual later allegedly informed the plaintiff by telephone that he had reviewed the plaintiff’s medical file in the court file.

(Part II of this series on privacy of health information in the domestic relations context will be posted shortly.)


This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.

Fraud is on the rise in every industry, and the lengths that some people will go to make money by “gaming” the system are both fascinating and alarming. Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches à la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs? In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice? Consider the following:

1. Perform a “Check-up.” Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete. Have your patients completed intake forms? Is there proper documentation of an accident or injury? How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information. Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.

Recently our partner Keith R. McMurdy posted an entry on the Fox Rothschild Employee Benefits Legal Blog entitled “HIPAA Medical Privacy Matters: Court Permits ADA Claim to Proceed.” While the full text of the excellent blog posting can be found here, I thought that a specific HIPAA point in Keith’s posting was well worth emphasizing: individual sensitive health information (ISHI) and the communication thereof may not constitute protected health information (PHI) that is regulated by HIPAA.

As described in the blog posting, ISHI was provided by the father of a seriously sick child, on behalf of and for the child, in an e-mail he sent to his employer’s CFO. The employer’s self-insured health plan apparently had received claims approximating $1,000,000 for treatment for the child, who was covered under the plan.

Keith points out,

Arguably, Myers’ [the father’s] e-mail did not implicate HIPAA medical privacy concerns because the [i]nformation provided voluntarily by the patient himself or herself (or in this case the parent of a minor patient) is not protected health information (PHI) under HIPAA. Further, because the CFO knew about the sick child, he was able to review the plan expenses and deduce that the higher costs were associated with that particular dependent. Even that was not in and of itself a violation of HIPAA medical privacy (assuming his role with the plan was part of the plan’s operation). So there is no indication that there was an improper use of PHI so as to create a privacy violation under HIPAA.

Among other things, the blog entry highlights the fact that the source of ISHI (in this case the parent of the child who sent the e-mail to the CFO), and the circumstances under which the ISHI is shared (in this case by the father to the CFO of the plan sponsor), may materially affect whether the ISHI is PHI that is subject to regulation under HIPAA.

Fox Rothschild partner Scott Vernick recently appeared as a guest on the Willis Report to discuss the fallout of the hacking of Sony Pictures Entertainment. Click here to view the segment. Celebrities’ individually identifiable health information, some of which appears to be protected health information (“PHI”) under HIPAA, was among the sensitive personal data hacked into. According to one report, a file was accessed that contains a list of the highest-cost patients covered by Sony Pictures’ health plan.

As a covered entity, a health plan (and/or its business associate) that suffers a breach of plan members’ PHI may find itself subject to civil monetary penalties imposed by the Secretary of the Department of Health and Human Services (“HHS”) that can be substantial, particularly if HHS determines the HIPAA violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the health plan (or its business associate, if the business associate is liable) knew or, by exercising reasonable diligence, would have known that the violation occurred.

Penalties under these circumstances are to be at least $50,000 for each violation, up to $1,500,000 for identical violations in a single calendar year. Penalties of up to $50,000 for each violation and up to $1,500,000 for identical violations in a year can even be imposed when the health plan (or business associate) did not know, and by exercising reasonable diligence would not have known, that it had violated HIPAA. 45 CFR 160.404.

The Secretary of HHS will consider aggravating factors in determining the amount of the penalty, including whether the HIPAA violation resulted in harm to an individual’s reputation. 45 CFR 160.408.

Although HIPAA may seem the least of Sony Pictures’ concerns right now, as discussed in previous posts (here and here) regarding the recent Byrne v. Avery Center for Obstetrics and Gynecology, P.C. case, HIPAA “may well inform the applicable standard of care” in negligence actions brought under state law.

On November 1, 2009, the "Statistical Reporting of Abortion Law" was scheduled to go into effect in Oklahoma. A temporary restraining order issued on October 20, 2009, however, has blocked enforcement of the law until at least December 4, 2009.* (Davis v. Edmondson, Okla. Dist. Ct. No. CJ-2009-9154). The Statistical Reporting of Abortion Law is just one aspect of a broad and controversial abortion law, which also bans abortions on the basis of "sex of the unborn child." The Statistical Reporting of Abortion Law requires doctors to obtain detailed information from patients seeking abortions that will then be posted publicly through the Oklahoma Department of Health’s web site. Some of the required information includes:

  • Date of abortion
  • County in which abortion performed
  • Age of mother
  • Marital status of mother (married, divorced, separated, widowed, or never married)
  • Race of mother
  • Years of education of mother (specify highest year completed)
  • State or foreign country of residence of mother
  • Total number of previous pregnancies of the mother
  • Total number of live births, miscarriages, induced abortions
  • Whether the woman is employed by the State of Oklahoma

The ostensible purpose of the Statistical Reporting of Abortion Law is to collect data about abortions to inform lawmakers about abortion practices in the State. The Davis lawsuit alleges the law violates Oklahoma’s constitution (for reasons unrelated to privacy concerns), but others have expressed concerns that the law violates the spirit, and perhaps the actual provisions, of HIPAA. Some commentators have noted that the information could be used to identify women who have obtained abortions, particularly when they live in small towns. Under HIPAA, "de-identified" protected health information ("PHI") may be used or disclosed for various purposes, including research. De-identified PHI (that is, information that is stripped of details that would identify the patient, such as name, street address, city, county, etc.) can be used or disclosed without restriction. HIPAA requires, however, that the entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual. Opponents of the law’s reporting provisions believe that under certain circumstances women can be identified based on the information requested, resulting in a violation of HIPAA. More to come as the lawsuit continues.

* Correction: An earlier version of the blog post stated that the law went into effect on November 1, 2009.
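To make the re-identification concern concrete, the following is an added example, not part of the original post, showing the check a data steward would run before publishing a table like the one the Oklahoma law requires: count how many records share the same combination of reported fields (the "k" of k-anonymity), list the records that are unique, and see whether coarsening the fields raises k. The records, county names and field names are constructed for illustration; the date and pregnancy-count fields from the list above are omitted for brevity.

```python
from collections import Counter

# Quasi-identifier fields taken from the Oklahoma reporting list above
# (date of abortion and pregnancy counts omitted for brevity).
QUASI_IDENTIFIERS = ("county", "age", "marital_status", "race",
                     "education_years", "residence", "state_employee")

def rec(county, age, marital, race, edu, state_emp, residence="OK"):
    """Build one constructed record (sample data, not real patients)."""
    return {"county": county, "age": age, "marital_status": marital, "race": race,
            "education_years": edu, "residence": residence, "state_employee": state_emp}

# Constructed sample: three look-alike records in a populous county and two
# records from sparsely populated counties.
SAMPLE_RECORDS = [
    rec("Tulsa", 27, "never married", "white", 14, False),
    rec("Tulsa", 27, "never married", "white", 14, False),
    rec("Tulsa", 27, "never married", "white", 14, False),
    rec("Harmon", 34, "divorced", "white", 16, True),
    rec("Cimarron", 31, "divorced", "white", 16, False),
]

def equivalence_classes(records, fields):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence-class size; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0

def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, fields)
    return [r for r in records if classes[tuple(r[f] for f in fields)] == 1]

GENERALIZED_FIELDS = ("age", "marital_status", "race", "education_years", "residence")

def generalize(record):
    """Coarsen a record before release: bucket age and education, and drop
    county and state employment, the fields that single out small populations."""
    g = {f: record[f] for f in GENERALIZED_FIELDS}
    g["age"] = f"{record['age'] // 10 * 10}s"          # 34 -> "30s"
    g["education_years"] = "12 or fewer" if record["education_years"] <= 12 else "more than 12"
    return g

if __name__ == "__main__":
    print("k before:", k_anonymity(SAMPLE_RECORDS))               # 1
    print("unique before:", len(unique_records(SAMPLE_RECORDS)))  # 2
    coarse = [generalize(r) for r in SAMPLE_RECORDS]
    print("k after:", k_anonymity(coarse, GENERALIZED_FIELDS))    # 2
```

With the full field list every small-county record is unique (k = 1); after bucketing and dropping the most discriminating fields the two small-county records become indistinguishable (k = 2), which is the kind of evidence a publisher needs to show it had no reason to believe the remaining data identifies anyone.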

Yesterday, the White House Office of the Press Secretary announced that President Bush signed the Genetic Information Nondiscrimination Act of 2008 ("GINA"). The intent of GINA is to protect individuals from employers and insurance companies denying employment, promotions or health coverage to people when genetic tests show they have a predisposition to cancer, heart disease, or other ailments. But critics of the law are concerned that certain provisions are vague and may expose employers and insurers to frivolous lawsuits.

The Genetic Information Nondiscrimination in Employment ("GINE") Coalition lobbied and prepared numerous letters to Congress to have certain provisions of GINA revised prior to enactment in order to protect employers’ nondiscriminatory practices and legitimate collection and uses of genetic information. According to Michael Eastman, executive director of labor law policy at the US Chamber of Commerce and a member of the GINE Coalition, the group remains concerned that GINA (1) will not preempt inconsistent state laws, (2) will award “excessive” punitive and compensatory damages that will likely encourage “unmeritorious litigation," and (3) lacks exceptions to provisions barring the collection of genetic information.

For a good review of the pros and cons of GINA, see an article published by GenomeWeb Daily News. For a quick and dirty summary of the legal provisions of GINA, click and read on . . .

Continue Reading GINA (the new federal law, not a girl) May Spur Lawsuits

ScienceDaily reports today that the U.S. Senate approved, by unanimous consent, an amended version of H.R. 493, the Genetic Information Nondiscrimination Act of 2008 (GINA), yesterday, April 24, 2008; the bill had passed the House on April 25, 2007 by a vote of 420-3. The House is expected to take up the measure again quickly before sending it to President Bush to sign into law. A copy of amended H.R. 493 can be viewed on the Library of Congress’ Thomas website.

Among other things, GINA directs the Secretary of DHSS to revise the HIPAA privacy regulation, within 60 days after the date of the enactment of GINA, to include the following:

(a)(1) Genetic information shall be treated as health information described in [HIPAA].

    (2) The use or disclosure by a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare supplemental policy of protected health information that is genetic information about an individual for underwriting purposes under the group health plan, health insurance coverage, or medicare supplemental policy shall not be a permitted use or disclosure. . . . .

    (d) Enforcement – In addition to any other sanctions or remedies that may be available under law, a covered entity that is a group health plan, health insurance issuer, or issuer of a medicare supplemental policy and that violates the HIPAA privacy regulation (as revised under subsection (a) or otherwise) with respect to the use or disclosure of genetic information shall be subject to the penalties described in [the HIPAA Statute] in the same manner and to the same extent that such penalties apply to violations of this part. (Emphasis was added).

GINA aims to protect the privacy of all Americans’ genetic information and to establish a national and uniform basic standard necessary to fully protect the public from discrimination based on genetic information. Until yesterday, genetic information had been protected specifically only by a handful of states. In New Jersey, the New Jersey Genetic Privacy Act (N.J.S.A. §§10:5-43 et seq.) already provides that no person may disclose or be compelled to disclose the identity of an individual upon whom a genetic test has been performed, or individually identifiable genetic information, except pursuant to a few very limited exceptions. See N.J.S.A. §10:5-47. However, any entity or individual that uses or handles DNA in New Jersey should reevaluate its disclosure and consent procedures in light of GINA’s new standards.