Ready or not, Roe v. Wade leak or not, health app developers are on notice. Those that collect sensitive personal information, such as reproductive data, must carefully navigate both federal and state laws. These laws are continually in flux and warrant ongoing monitoring.

Last September, I wrote about the FTC’s Policy Statement on enforcing the Health Breach Notification Rule. This followed a blog I posted about Flo Health’s breach and failure to promptly notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

Businesswoman with smartphone
A businesswoman uses a smartphone.

Yesterday, the California Attorney General Rob Bonta issued a press release stating:

“The Confidentiality of Medical Information Act (CMIA) applies to mobile apps that are designed to store medical information, including some fertility trackers, and establishes privacy protections that go beyond federal law. In today’s alert, Attorney General Bonta urges health apps to adopt robust security and privacy measures to protect reproductive health information. At a minimum, these apps should assess the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.”

Consumer-facing health apps that are not subject to HIPAA as business associates must comply with CMIA if they collect information of California consumers, and apps that are subject to HIPAA must comply with any contrary and more stringent CMIA privacy and security requirements.

Finally, Attorney General Bonta pointed out that even if CMIA does not apply to certain apps, other California laws (such as the California Consumer Privacy Act) may apply and offer data rights and protections.

Health app developers must understand not only which data privacy and security laws apply, but how the nature and sensitivity of the data must dictate privacy and security design. If they do not, they risk scrutiny in what likely will be a closely watched area of data privacy for years to come. 

If you have any questions about how best to handle the reproductive data you receive and/or create as a vendor, or the applicability of HIPAA or state data and privacy laws to your company, please contact me at elitten@foxrothschild.com.

According to this article, 2021 has been a “particularly dire year” for health care data breaches.   So, it may not seem shocking that a hacker gained access to the protected health information of approximately 400,000 Planned Parenthood Los Angeles patients in October.  What is unusual about this particular hacking incident is its timing.  Planned Parenthood Los Angeles published Notice of the incident on Wednesday, December 1, 2021, the same day the U.S. Supreme Court heard oral argument on the controversial issue in the highly publicized case of Dobbs v. Jackson Women’s Health.

As described in the Notice, Planned Parenthood Los Angeles acted quickly, completed an initial forensic review of affected data in less than 3 weeks, and published the Notice less than 45 days after discovery.  Yet, Planned Parenthood Los Angeles now faces a class action lawsuit over the breach.

Although HIPAA does not provide a private right of action, the lawsuit alleges negligence, invasion of privacy, and violations of three California state laws: (1) the California Confidentiality of Medical Information Act, (2) the California Consumer Records Act, and (3) California’s Unfair Competition Law.

California claims aside, Planned Parenthood Los Angeles appears to have taken its HIPAA breach notification obligations very seriously, perhaps in recognition of the need to alert women as quickly as possible of an incident involving uniquely sensitive health information.

Unfortunately, not all entities entrusted with maintaining health information, even uniquely sensitive information about women’s sexual and reproductive health, take their federal breach notification obligations as seriously. Flo Health, Inc., an app used by more than 100 million women to track personal menstruation and fertility information didn’t provide notice until reaching a settlement with the Federal Trade Commission in January 2021.  Its breach came to light as a result of an investigation by the Wall Street Journal published in February 2019.  (For more about the Flo Health breach and settlement, you can read our blog here.)

The timing of the Planned Parenthood Los Angeles incident and the legal and political spotlight on Roe v. Wade is most likely coincidental.  It serves as a stark reminder, though, that personally (and politically) sensitive information may be targeted by hackers despite the provider’s best efforts to avoid data breaches.

The Federal Trade Commission seems to be getting serious about unauthorized disclosures of data collected by health apps.  In a Policy Statement issued on September 15, 2021, the FTC says it will enforce its Health Breach Notification Rule, 16 C.F.R. Part 318 (the “Rule”):

This Policy Statement serves to clarify the scope of the Rule, and place entities on notice of their ongoing obligation to come clean about breaches.

This past January, I wrote about the FTC’s failure to require Flo Health to provide individuals with notice as required by the Rule:

Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

The FTC’s Policy Statement clarifies that health app developers are subject to the Rule if they are capable of drawing information from various sources, such as consumer inputs and application programming interfaces (APIs), even if the health information only comes from one source.  By way of example, if a consumer inputs her glucose levels or other health-related information into an app that combines that information with non-health-related information retrieved from another source, the Rule applies.

The bottom line is that app developers that collect any health-related data need to be alert to the likely applicability of the Rule and the FTC’s recent enforcement stance.

The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently settled four more investigations under the HIPAA Right of Access Initiative, which totals 11 settlements thus far.  In September, the OCR released a press release detailing its settlement of five additional actions under the HIPAA Right of Access Initiative. In the latest settlements, the OCR came down harder on  providers that failed to provide timely access to a patient’s protected health information by imposing six-figure fines (in two instances) and two year Corrective Action Plans on all four occasions.  In addition, the OCR Director delivered some stern remarks regarding the provider’s obligations with respect to the HIPAA Privacy Rule.

I.         Dignity Health

On October 7th, the OCR announced the settlement of its eighth HIPAA Right of Access Initiative investigation involving Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“Dignity Health”), which is a large, acute care hospital with various clinics based in Phoenix, Arizona. The OCR received a complaint from a mother stating that she made multiple requests for her son’s medical record in acting as her son’s personal representative, to no avail. Dignity Health provided some documents, but failed to properly respond to the mother’s request.

The OCR  determined that Dignity Health failed to provide the personal representative timely access to her son’s protected health information, which ultimately led to the OCR delivering a $160,000 “Resolution Amount” (as defined in the Corrective Action Plan)  and mandating Dignity Health to enter into a two year Corrective Action Plan.  For the record, this Resolution Amount was higher than all five of the previous settlement amounts announced by the OCR combined. The Corrective Action Plan orders the implementation of additional HIPAA policies and procedures, reporting requirements, training, and the submission of annual reports to HHS.  You can find the entire OCR announcement regarding Dignity Health here.

II.        NY Spine Medicine

Shortly following the OCR’s announcement regarding its settlement with Dignity Health, the OCR released yet another announcement regarding the settlement of its ninth investigation under the HIPAA Right of Access Initiative involving NY Spine Medicine, which is a private medical practice specializing in neurology and pain management with locations in New York, NY and Miami Beach, Florida. Last year, the OCR received a complaint from a woman stating that she made a request to NY Spine Medicine for her medical records, and again, the provider failed to the deliver the requested medical records after the woman made several inquiries.

The OCR determined that NY Spine Medicine failed to provide the patient access to her protected health information in a designated record set.  In fact, as of the settlement date, NY Spine Medicine still had not provided the patient with her requested medical records. Similar to the Dignity Health settlement, the OCR handed down a $100,000 Resolution Amount to NY Spine Medicine along with a two year Corrective Action Plan, which included similar mandated provisions as the Dignity Health Corrective Action Plan.  Most notably, the OCR Director, Roger Severino, provide some colorful commentary in the press release by stating: “No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” You can find the entire OCR announcement regarding NY Spine Medicine here.

III.      Riverside Psychiatric Medical Group

The OCR announced its tenth enforcement action under the Right of Access Initiative involving Riverside Psychiatric Medical Group, which is a group practice focused in mental health and substance abuse located in Riverside, California.  Last year, the OCR received two complaints from an individual stating that Riverside Psychiatric Medical Group failed to provide her requested medical records. After the initial complaint, the OCR even provided technical assistance to Riverside Psychiatric Medical Group.  However, even after the OCR assistance, the patient still did not receive her medical records and filed a second complaint. As such, the OCR issued a $25,000 Resolution Amount and mandated a two year Corrective Action Plan similar to the mandatory Corrective Action Plans in the Dignity Health and NY Spine settlements. You can find the entire OCR announcement regarding Riverside Psychiatric Medical Group here.

IV.      Dr. Bhayani

Within the past few days, the OCR announced its eleventh enforcement action, which was also the first enforcement against a private practitioner. Dr. Rajendra Bhayani specializes in ear, nose and throat medical services with an office located in New York.  Over two years ago, a patient sent a complaint to the OCR stating that she had failed to receive access to her medical records.  Yet again, the OCR responded by providing Dr. Bhayani with technical assistance.  In the summer of last year, the OCR received a second complaint from the same patient, which stated she still had not received her medical records despite the OCR’s efforts to assist the doctor. The OCR responded by issuing $15,000 Resolution Amount and implementing a two year Corrective Action Plan, which includes a six  year document retention requirement. In other words, the OCR will have a close eye on the doctor until October 2026. You can find the entire OCR announcement regarding Dr. Bhayani here.

V.       Moving Forward

The message is loud and clear, Director Severino. The OCR plans to continue its strict enforcement of the Privacy Rule under the HIPAA Right of Access Initiative.  Based on the latest wave of settlements, it seems that all it takes is the denial or inadequate response to a single patient or personal representative’s request to access their medical records and the provider could be on the hook for a six-figure fine. In addition to the Resolution Amounts, the provider could incur additional expenses relating to the compliance with a Corrective Action Plan, whether it is hiring additional staff, drafting new policies, or revamping its entire recordkeeping processes. Moving forward, all providers should diligently respond to all requests for patient records and ensure its policies and procedures comply with the Privacy Rule.

**** Update: University of Cincinnati Medical Center

Following the initial posting of this blog, the OCR subsequently announced the settlement of its twelfth investigation under the HIPAA Right of Access Initiative, which involved the University of Cincinnati Medical Center, LLC (“UCMC”). UCMC is an affiliate of the University of Cincinnati and offers a wide range of medical services within the Greater Cincinnati metropolitan area.  In 2019, the OCR received a complaint from a patient stating that UCMC failed to deliver an electronic copy of her health records to her lawyers.  Upon further investigation, the OCR determined that UCMC failed to timely respond to the patient’s request to deliver her medical records to a third-party, which is an permissible action under the Privacy Rule.  As a result, the OCR issued a $65,000 Resolution Amount and mandated a two year Corrective Action Plan.  You can find the entire OCR announcement regarding UCMC here.

If you have any questions regarding the Right of Access Initiative and how it affects your practice or healthcare business, please do not hesitate to contact us.

Mental Health/substance abuse providers and providers treating HIV/AIDS patients are held to a higher standard when it comes to protecting medical records, requiring additional levels of consent and analysis prior to productions. However, recent settlements published by the Office of Civil Rights of the Department of Health and Human Services (OCR) on September 15, 2020 remind all providers that patients and their authorized representatives have a right to access their records.

Right to Access Initiative:

In 2019 OCR launched the Right to Access Initiative based on concerns that had arisen that health care providers were not responding to request for records in a timely manner. In 2019, OCR’s Right to Access Initiative resulted in financial penalties and corrective action plans for two providers who had failed to provide patients with timely access to their records as required under HIPAA. Bayfront Health St. Petersburg, a Florida hospital, paid $85,000 and adopted a corrective action plan requiring one year of monitoring after a patient’s complaint to OCR led to the release of records nine months after the initial request. Korunda Medical, LLC., a primary care and pain management provider, also in Florida, paid the same amount and agreed to a similar one-year compliance monitoring arrangement as a result of its delays in forwarding records to a third party, failure to provide records in an electronic format, and overcharging for the records.

The Right to Access Initiative suffered a setback on January 23, 2020 when a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.” Additionally, the court ruled that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020). OCR has posted a notice that its previous third party directive guidance is restricted by the Ciox order but also reaffirmed that the right of individuals to access their own records and the fee limitations that apply when exercising this right has not changed.

Five New Settlements:

On September 15, 2020, OCR issued a press release announcing five additional settlements pursuant to its HIPAA Right to Access Initiative. All the settlements involved failure to produce records to just one individual. Three of the five settlements involved providers of mental health/psychiatric services, one provider treated HIV/AIDS patients and one provider helped with pain management. Additionally, three of the five settlement involved continued complaints from the same individual after “technical assistance” had been provided by OCR to the providers. The penalties ranged from $3,500 to $80,000. All providers also agreed to sign corrective action plans requiring government oversight for either one or two years.

These five additional settlements demonstrate that OCR continues to take the issue of right to access seriously, and that a complaint from one individual is enough to trigger monetary penalties and a correction action plan with government monitoring. Providers, including those who provide mental health and substance abuse services, should review their HIPAA policies and procedures and ensure that they are being followed and requested documents are being provided in a timely manner.

Last week, the Office for Civil Rights (OCR) announced its second enforcement action and settlement with a provider  for failing to comply with HIPAA’s patient access requirements.  Korunda Medical, LLC, a primary care and pain management practice in Florida, agreed to pay $85,000 and comply with a Corrective Action Plan (CAP) as a result of a patient’s complaint that it refused to provide the records in the requested electronic format and charged more than the reasonable, cost-based fee prescribed under HIPAA.

Korunda also apparently made the fatal mistake of ignoring OCR’s technical assistance. As I noted in connection with the $3 million resolution amount paid by a New York hospital system, when OCR offers technical assistance, the covered entity (or business associate) should follow it.

Payment of $85,000 may pale in comparison with payment of $3 million, but given the relative ease of complying with HIPAA’s patient access requirements, and added to the time and expense of responding to OCR’s investigation and negotiating the settlement agreement, it’s not an insignificant amount. In addition, compliance with the CAP will require additional expenditures of time and resources by Korunda. The CAP requires Korunda to submit the following to the U.S. Department of Health and Human Services (HHS):

* revised policies and procedures related to patient access that identify how Korunda calculates a reasonable, cost-based fee;

* training materials related to individual access rights, and then provide training to all workforce members;

* lists of requests for access (including date the request is received, the date the request is completed, the format requested, the format provided, the number of pages (if paper), the cost charged, including postage, as well as all documentation related to denials of requests)

* notification of any failure by a member of its workforce to comply with its access policies and procedures

* annual reports regarding the implementation of the CAP requirements

OCR has been focused on HIPAA’s access rights for the last few years. See here and here for posts from 2016 on this topic, and here for OCR’s first Resolution Agreement involving an access rights violation (also triggering an $85,000 settlement amount and similar CAP). Responding in a timely manner to patient access requests, providing the information in the format requested, not overcharging, and jumping on any technical assistance OCR sends your way are easy ways to avoid being the third example of, as OCR Director Severino put it,“bureaucratic inertia.”

The new Apple Watch Series 4® is one of the more recent and sophisticated consumer health engagement tools. It includes a sensor that lets wearers take an electrocardiogram (ECG) reading and detect irregular heart rhythms. The U.S. Food & Drug Administration (FDA) recently approved these functions as Class II medical devices, which generally means that they have a high to moderate risk to the user. The FDA approval letters describe the Apple Watch Series 4 functions as intended for over-the-counter use and not to replace traditional methods of diagnosis or treatment.

Tech developers and HIPAA lawyers often mean different things when describing a health app or medical device as HIPAA compliant. For example, a health app developer will likely focus on infrastructure, whereas the lawyer will likely focus on implementation. When asked about HIPAA, the app developer might rely on International Organization for Standardization (ISO) certification to demonstrate its data privacy and security controls and highlight how the infrastructure supports HIPAA compliance. The HIPAA lawyer, on the other hand, will likely focus on how (and by whom) data is created, received, maintained and transmitted and must look to the HIPAA regulations and guidance documents issued by the U.S. Department of Health and Human Services (HHS) to determine when and whether the data is subject to HIPAA protection. ISO certification does not equate to HIPAA certification; in fact, there is no HIPAA compliance certification process, and it is often difficult from the outset to determine if and when HIPAA applies.

As discussed in this prior blog post, HHS’s guidance on various “Health App Scenarios” underscores that fact that health data collected by an app may be HIPAA-protected in some circumstances and not in others, depending on the relationship between an app developer and a covered entity or business associate. The consumer (or app user) is unlikely to understand exactly when or whether HIPAA applies, particularly if the consumer has no idea whether such a relationship exists.

Back to the Apple Watch Series 4, and the many other consumer-facing medical devices or health apps in already on the market or in development. When do the nuances of HIPAA applicability begin to impede the potential health benefits of the device or app? If I connect my Apple Watch to Bluetooth and create a pdf file to share my ECG data with my physician, it becomes protected heath information (PHI) upon my physician’s receipt of the data. It likely was not PHI before then (unless my health care provider told me to buy the watch and has process in place to collect the data from me).

Yet the value of getting real-time ECG data lies not in immediate user access, but in immediate physician/provider access. If my device can immediately communicate with my provider, without my having to take the interim step of moving the data into a separate file or otherwise capturing it, my physician can let me know if something is of medical concern. I may not want my health plan or doctor getting detailed information from my Fitbit® or knowing whether I ate dessert every night last week, but if I’m at risk of experiencing a medical emergency or if my plan or provider gives me an incentive to engage in healthy behavior, I may be willing to allow real-time or ongoing access to my information.

The problem, particularly when it comes to health apps and consumer health devices, is that HIPAA is tricky when it comes to non-linear information flow or information that changes over time. It can be confusing when information shifts from being HIPAA-protected or not, depending on who has received it. As consumers become more engaged and active in managing health conditions, it is important that they realize when or whether HIPAA applies and how their personal data could be used (or misused) by recipients. Findings from Deloitte’s 2018 consumer health care survey suggest that many consumers are interested in using apps to help diagnose and treat their conditions. For example, 29% were interested in using voice recognition software to identify depression or anxiety, but perhaps not all of the 29% would be interested in using the software if they were told their information would not be protected by HIPAA (unless and until received by their provider, or if the app developer was acting as a business associate at the time of collection).

Perhaps certain HIPAA definitions or provisions can be tweaked to better fit today’s health data world, but, in the meantime, health app users beware.

In a recent New York Times op-ed piece entitled “How a Bad Law and a Big Mistake Drove My Mentally Ill Son Away,” the father of a young man involuntarily hospitalized under Florida’s Baker Act decries “privacy laws” for limiting his access to information about his son’s whereabouts and care.   If this account is accurate, it highlights the widespread confusion that surrounds  health care providers’ communication with family members.

The article’s author, Norman Ornstein, describes a disturbing incident in which his son Matthew’s landlord reported that Matthew’s behavior was putting himself in danger.  Based on the landlord’s report, which Ornstein later describes as a pretext for removing Matthew from the property, Ornstein and his wife agreed to authorize a 72-hour involuntary commitment under the Florida statute.  They later learned that Matthew had been seized by police and taken to the county mental health facility, where he was held for three days and released.  He reported:

But the staff members wouldn’t let us in. In fact, they said privacy rules meant that they could not even confirm that he was there. … The Baker Act allows 72 hours of involuntary observation to see whether someone is in fact an imminent danger to himself or others. Matthew was not, and after three awful days, he was put in a taxi and sent home. We were not informed when he was released.

Matthew had begun to struggle with mental illness at age 24, but his age at the time is not specified.  Since he was no longer a minor, his parents would not be “personal representatives” with access to all his health information absent a guardianship appointment, power of attorney, or similar process recognized under applicable law.  However, the facility would have been permitted to confirm his admission and general condition under the HIPAA “directory exception,” which states:

(a) Standard: Use and disclosure for facility directories

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

HIPAA also allows family members to be given information in order to locate an individual, and allows the sharing of protected health information directly relevant to the family members’ involvement with the individual’s health care or payment for such care.

(b) Standard: Uses and disclosures for involvement in the individual’s care and notification purposes

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Finally, the facility could have simply asked Matthew if he agreed to allow the facility to notify his parents that he was being treated there. The Times account does not indicate whether the facility attempted to seek his consent, and it is possible that he was asked and refused.

The Office of Civil Rights (OCR) of the Department of Health and Human Services has addressed these concerns in a bulletin entitled HIPAA Helps Caregiving Connections –  HIPAA helps family and friends stay connected with loved ones who have a substance use disorder, including opioid abuse, or a mental or behavioral health condition:

If a family member, friend, or person you are caring for, has a mental health condition, substance use disorder (including opioid abuse), or other health problem, it can be difficult to stay connected if their condition worsens and they enter a health care facility for observation or treatment. HIPAA helps by allowing the health and mental health providers who treat your loved one to make decisions about communicating with his or her family and friends based on their professional judgment about what is best for the patient.

For Notification Purposes: HIPAA helps you stay connected with your loved one by permitting health professionals to contact you with information related to your family member, friend, or the person you are caring for, that is necessary and relevant to your involvement with the patient’s health care or payment for care. For example, if your loved one becomes disoriented, delirious, or unaware of their surroundings, due, for example, to opioid abuse or a mental health crisis, and arrives at a hospital emergency room for treatment, the doctors, nurses, and social workers may notify you of the patient’s location  and general condition. First, the staff will determine whether the patient agrees to share this information with you or if you are the patient’s personal representative.

If the patient is not able to make decisions (for example, due to being unconscious, sedated, severely intoxicated, or disoriented), then the doctors, nurses, and social workers may contact you without the patient’s permission when they determine that doing so is in the patient’s best interests.

To Help the Patient: HIPAA helps you to assist your loved one by permitting doctors, nurses, and social workers to share protected health information that is related to the care and assistance you are providing to your loved one. For example, if your adult son has been prescribed medication to treat anxiety, and you are helping him by providing supervision or housing, the discharge nurse may inform you what medication he will be taking, if he doesn’t object to sharing this information with you–as well as the side effects to watch for, or symptoms that indicate the medication isn’t working or isn’t being taken properly. If your son is unable to make health decisions independently, the nurse may decide to share this information with you if the nurse determines, using professional judgment, that it is in your son’s best interests.

See also Elizabeth Litten’s post following the Florida nightclub shootings in 2016:  Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

Some facilities tend to err on the side of caution when they are uncertain whether they are permitted to release information.  In addition, to the extent a state law affords greater privacy protections than those afforded under HIPAA, the state law protections will control.  However, erring on the side of caution when no HIPAA restriction applies and no other law affords greater privacy protections may actually exacerbate problems for the individual, particularly in the context of mental health.

 

 

Heading into its 22nd year, HIPAA continues to be misunderstood and misapplied by many, including health care industry professionals who strive for (or at least claim the mantle of) HIPAA compliance. Here is my “top 5” list of the most frequent, and most frustrating, HIPAA misperceptions seen during 2017:

  1. “If I’m using or disclosing protected health information (PHI) for health care operations purposes, I don’t need a Business Associate Agreement.”

Yes, HIPAA allows PHI to be used or disclosed for treatment, payment and health care operations purposes, but the term “health care operations” is defined to include specific activities of the covered entity performing them. In addition, the general provision permitting use or disclosure for health care operations purposes (45 C.F.R. 164.506(c)) allows such use or disclosure for the covered entity’s “own” health care operations. So if the covered entity (or business associate) is looking to a third party to perform these activities (and the activities involve the use or disclosure of PHI), a Business Associate Agreement is needed.

  1. “I don’t need to worry about HIPAA if I’m only disclosing a patient’s/member’s telephone number, since that’s not PHI.”

If the data disclosed was ever PHI, it’s still PHI (unless it has been de-identified in accordance with 45 C.F.R. 164.514). For example, if data is received by a health care provider and relates to the provision of care to patient (e.g., as a phone number listed on a patient intake form), it’s PHI – even though, as a stand-alone data element, it doesn’t appear to have anything to do with the patient’s health. Unless the patient has signed a HIPAA authorization allowing the disclosure of the phone number to a third party vendor, the vendor receiving the phone number from the provider to perform patient outreach on behalf of the provider is a Business Associate.

  1. “When a doctor leaves a practice, she can take her patients’ medical records with her.”

This is not automatic, particularly if the practice is the covered entity responsible for maintaining the records and the patient has not expressly allowed the disclosure of his or her records to the departing doctor. In most cases, the practice entity transmits health information in electronic form in connection with a HIPAA transaction and acts as the covered entity health care provider responsible for HIPAA compliance. The patient can access his or her records and direct that they be sent to the departing physician (see guidance issued by the U.S. Department of Health and Human Services (HHS) on individual’s access rights), and if the patient shows up in the departing doctor’s new office, the practice can share the patient’s PHI under the “treatment” exception. If the practice wants the departing doctor to maintain the records of patients she treated while part of the practice, it can enter a records custodian agreement and Business Associate Agreement with the departing doctor.

  1. “I can disclose PHI under the “sales exception” to anyone involved in due diligence related to the sale of my health care practice/facility without getting a Business Associate Agreement.”

HIPAA prohibits the sale of PHI, but excluded from this prohibition is “the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence” as described in the definition of health care operations. The definition of health care operations, in turn, includes the “sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.”  This “sales exception” is a bit vague and the cross-referencing of other regulations adds to the confusion, but the fact that disclosing PHI in connection with due diligence related to a possible sale of a covered entity is not prohibited as a “sale” does not mean it’s permitted without regard to other HIPAA requirements and protections. Attorneys, consultants, banks, brokers and even potential buyers should consider whether they are acting as business associates, and careful buyers and sellers may want to require Business Associate Agreements with those accessing PHI.

  1. “If I’m treating an overdose victim [or other unconscious or incapacitated person], I can’t share his/her PHI with family members or caregivers.”

The HHS Office for Civil Rights recently published guidance to clarify that HIPAA does not prohibit health care professionals from sharing information with family members and others in crisis situations, such as those involving overdose victims. I blogged on a related topic, involving the nightclub shooting tragedy in Orlando, Florida, back in 2016. The bottom line is that HIPAA allows the disclosure of PHI in two circumstances that are often forgotten: (1) where the patient is unconscious or incapacitated and the provider believes sharing information with family and close friends involved in the patient’s care is in the best interests of the patient; and (2) where the provider believes that sharing information will prevent or lessen a serious and imminent threat to the patient’s health or safety.  More stringent laws may apply, such as those governing substance use disorder treatment records created or maintained by certain federally-assisted substance use disorder treatment providers or state laws, but HIPAA permits providers to exercise discretion in crisis situations.

U.S. Representative Tim Murphy (R-PA) has been a vocal advocate for mental health reform for a number of years.  Part of his crusade is driven by his concern that the HIPAA privacy rule “routinely interferes with the timely and continuous flow of health information between health care providers, patients, and families, thereby impeding patient care, and in some cases, public safety.”  Congressman Murphy’s efforts have resulted in the inclusion in the recently-passed 21st Century Cures Act of a provision entitled “Compassionate Communications on HIPAA” targeted at improving understanding of what mental health information can be shared with family members and caregivers.

The 21st Century Cures Act streamlines the drug approval process, authorizes $4.8 billion in new health research funding, including $1.8 billion for Vice President Joe Biden’s “cancer moonshot” and $1.6 billion for brain diseases such as Alzheimer’s, and provides grants to combat the opioid epidemic.

Of most interest to readers of this blog, the Act also calls for the Department of Health and Human Services (HHS) to clarify the situations in which HIPAA permits health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.  By December 13, 2017, the Secretary of HHS is required to issue guidance  regarding when such disclosures would require the patient’s consent; when the patient must be given an opportunity to object; when disclosures may be made based on the exercise of professional judgment regarding whether the patient would object when consent may not be obtained due to incapacity or emergency; and when disclosures may be made in the best interest of the patient when the patient is not present or is incapacitated.   HHS is directed to address communications to family members or other individuals involved in the care of the patient, including facilitating treatment and medication adherence.  Guidance is also required regarding communications when a patient presents a serious and imminent threat of harm to self or others.  HHS is directed to develop model training materials for healthcare providers, patients and their families.

The law incorporates the Substance Abuse and Mental Health Administration’s definition of the term “serious mental illness” as “a diagnosable mental, behavioral, or emotional disorder that results in serious functional impairment and substantially interferes with or limits one or more major life activities.”

Importantly, the law neither changes existing regulatory exceptions under HIPAA nor directs HHS to modify them.  Instead, it calls for further explanation of existing rules that are often poorly understood by providers, patients and caregivers alike or may actually be used inappropriately to thwart the flow of meaningful and helpful information leading to barriers to effective communication that would benefit patients and improve mental health outcomes.

An existing public safety exception permits a covered entity to use or disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

The existing exception for caregivers permits disclosures to a family member, other relatives, or a close personal friend of the individual, or any other person identified by the individual, but only regarding PHI that is directly relevant to such person’s involvement with the individual’s health care or payment for care.

PHI may also be disclosed when the patient is present and provides consent, does not object to a disclosure of PHI to another individual accompanying them when given the opportunity to object, or where the covered entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

Other existing exceptions address emergency situations as well as cases where the patient is incapacitated, and permit disclosure of only the PHI that is directly relevant to the other person’s involvement with the patient’s care or payment.

The new law falls short of Rep. Murphy’s previous legislative proposals.  In 2015, Murphy introduced a bill entitled the Helping Families In Mental Health Crisis Act. which he said would “allow the doctor or mental health professional to provide the diagnosis, treatment plans, appointment scheduling, and prescription information to the family member and known caregiver for a patient with a serious mental illness. This change would apply for those who can benefit from care yet are unable to follow through on their own self-directed care.”   This bill was passed by the House by a wide margin but was not enacted.

While the new law does not expand HIPAA exceptions, it does make it more likely that those exceptions already on the books will be more clearly understood and implemented in cases involving serious mental illness.