Court Holds Florida Statute Preempted by HIPAA

December 19, 2011 by Mercedes Varasteh Dordeski

A federal court in Florida recently held that a state statute requiring nursing homes to furnish patient information to an individual’s “representative” was overly broad and pre-empted by the federal Health Insurance Portability and Accountability Act (“HIPAA”). The case is notable because it demonstrates the importance of strict compliance with HIPAA wherever patient information is concerned – even if a state law provides otherwise.

In Opis Management Resources, LLC, et al. v. Dudek, Plaintiff operated several nursing home facilities. Under Florida state statute, nursing homes are required to “furnish to the spouse, guardian, surrogate, proxy, or attorney in fact… for a former resident… a copy of that resident’s records which are in possession of the facility.” Fla. Stat. §400.145. After Plaintiff refused to provide healthcare records of deceased residents, the Florida Agency for Health Care Administration cited Plaintiff for violation of the statute. In response, Plaintiff claimed that the statute was preempted by HIPAA and that it therefore could not comply without violating the federal law, and sought declaratory judgment in the U.S. District Court for the Northern District of Florida.

On review, the Court noted that HIPAA provides that a “covered entity” (such as the nursing home in this case) may not disclose patient information except to the patient, or to the patient’s “personal representative.” Pursuant to HIPAA, a “personal representative” includes an executor, administrator, or other person who has authority under state law to act on behalf of a deceased individual or of the individual’s estate.

After a detailed analysis of the variations between “personal representative” as defined in the HIPAA statute and Florida state law, the Court concluded that the Florida state statute requiring the nursing home to turn over records was overly broad and therefore preempted by HIPAA. Cases like Opis Management highlight the need for health care providers to be well-acquainted with HIPAA and be able to recognize when a seemingly innocuous state or municipal law may run afoul of the federal Act. Providers with questions about HIPAA should contact Mercedes Varasteh Dordeski at (248) 952-0400.

The case is Opis Management Resources, LLC v. Dudek, Case No. 4:11-cv-00400 (N.D. Fla. December 2, 2011).

HIPAA Settlement Highlights Dangers of Employee Snooping

Today's installment of "health care entity fined for having nosy employees" hails from Los Angeles, California, where the UCLA Health System has agreed to pay the U.S. Department of Health and Human Services $865,000 to resolve privacy breach allegations. The settlement agreement stems from complaints filed by two celebrity patients, who alleged that from 2005-2008, unauthorized employees improperly accessed the patients' protected health information in violation of HIPAA.

Providers should heed an important lesson from this and other similar settlements - although the employees did the snooping, at the end of the day the providers were the ones footing the bill for the privacy violations. Therefore, every health care provider should, at a minimum, take the following steps:

1) Educate ALL employees on how protected health information (PHI) may be properly used - i.e., PHI may ONLY be accessed for treatment, payment, or health care operations. Employees should understand that working for a health care provider does not grant them unfettered access to peruse all patient records.
2) Privacy policies should be clearly outlined in an employee handbook or manual, along with guidelines for how employees should report suspected privacy breaches.
3) Providers should carefully screen all potential employees, from licensed medical personnel to receptionists. Specifically, hiring employees with questionable or unknown backgrounds increases the risk that employees may use PHI for personal gain - for example, selling information about a local celebrity to a tabloid or even maliciously disseminating the information on Facebook, Twitter, etc. to gain popularity.

Providers with questions about how to best protect themselves from privacy breaches should contact an experienced health care attorney. At a minimum, every provider should have a comprehensive employee handbook, copies of which should be given to ALL employees.

HHS Imposes $4.3M Penalty Against Cignet for HIPAA Violations

February 22, 2011 by Mercedes Varasteh Dordeski

While the increased penalties for HIPAA privacy violations have made headlines over the past two years, no one knew if the U.S. Department of Health and Human Services was serious - until now.

Today HHS announced a $4.3 million civil monetary penalty imposed against Cignet Health of Prince George's County, Md., stemming from violations of the HIPAA privacy laws. According to the Notice of Final Determination, HHS's Office of Civil Rights, which enforces HIPAA's provisions, found that Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October of 2009. The $4.3 million civil monetary penalty (CMP) marks the first issued by HHS for a covered entity's violation of the HIPAA Privacy Rule. The CMP is based on the violation categories and heightened penalties authorized by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.

Specifically, HIPAA provides that a covered entity must provide a patient with a copy of his/her medical records within 30 to 60 days of the patient's request. After Cignet failed to abide by this provision, the affected patients filed individual complaints with OCR. During OCR's investigation, Cignet initially refused to respond to OCR's demands to produce the records, and then failed to produce the records in response to an OCR subpoena.

Notably, the CMP for failing to provide patients with requested medical records pursuant to HIPAA is $1.3 million; the remaining $3 million resulted from Cignet's failure to cooperate with OCR's investigation, which it is required to do under federal law.

The Notice of Final Determination is significant because many covered entities wrongly assume they are insulated from CMPs absent mass privacy breaches or particularly damaging disclosures of protected health information (PHI). However, as the Cignet case proves, even "administrative" violations of HIPAA can result in fines and penalties.

HIPAA Helper: What Every Patient Needs To Know About Privacy Rights

December 28, 2010 by Mercedes Varasteh Dordeski

As a health care attorney, I frequently receive calls from potential clients involving violations of the Health Insurance Portability and Accountability Act (HIPAA). Many times, either through neglect or oversight, a client’s protected health information (PHI) is improperly disclosed – a pharmacist may dispense a client’s medication to another individual, a billing statement may go to the wrong address, or a physician may disclose a patient’s health information under the mistaken belief that a patient authorized the same.

Many times the violations can be particularly upsetting, especially if the information disclosed reveals that a patient has a sexually transmitted disease, if adoption records are involved, or if the information was disclosed to an undesirable third party like an employer or an estranged family member.

Regardless of the nature of the violation, clients who feel their medical privacy has been jeopardized usually have one question – what can I do?

What can I do?

First, it is important to understand that HIPAA does not currently include a private right of action for privacy violations. This means that an individual does not have a right to file a lawsuit against an offending party simply because his/her PHI was improperly disclosed.

Depending on the nature of the violation and resulting harm, a client may be able to bring a tort-based cause of action against an offending party under the common law for a privacy violation. However, such cases are generally not viable unless a party is able to demonstrate legitimate emotional and/or financial harm. One common example is where a health care provider discloses sensitive health information, such as details about a sexually transmitted disease or HIV/AIDS, to a patient’s employer or family, thereby causing the patient to be terminated or ostracized.

After the jump - other remedies


Clueless About the Proposed HIPAA Rules for Business Associates? Look No Further.

August 5, 2010 by Mercedes Varasteh Dordeski

FHWN attorney Suzanne D. Nolan has published an article detailing the new proposed rule addressing HIPAA security compliance by business associates and subcontractors. The article, which appears in this month's ABA Health Law Section eSource, discusses the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act that require business associates - not just covered entities - to directly comply with the security rule.

One important change to the security rule is that now business associate-subcontractor relationships are regulated in the same manner as the covered entity-business associate relationship. This means that business associates of covered entities such as CPAs, attorneys, information technology consultants, etc. who choose to subcontract certain tasks must make sure that the subcontractor will also implement appropriate measures to safeguard protected health information.

For a full summary of the new proposed rules, see Nolan's article available here. For more information pertaining to HIPAA or other health law issues, please contact Sue Nolan or Mercedes Varasteh Dordeski.

HHS Delays Review of Final HIPAA Breach Notification Rule

August 2, 2010 by Mercedes Varasteh Dordeski

The Department of Health and Human Services (“HHS”) has delayed release of the breach notification regulations that covered entities and business associates must adhere to in the event of improper disclosures of protected health information (PHI).

Pursuant to last year’s Health Information Technology for Economic and Clinical Health Act (HITECH), HHS was required to develop regulations governing how covered entities and business associates are required to respond in the event patient PHI is stolen, leaked, or otherwise improperly disclosed. HHS issued an interim final rule on August 24, 2009, which became effective on September 23, 2009. The interim final rule sets out the breach notification standards, such as how to identify if a breach has occurred; who must be notified in the event of a breach; and the manner in which notification must occur.

During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments. After review of the comments, HHS developed a final rule, which was submitted to the Office of Management and Budget (OMB) for regulatory review on May 14, 2010. However, on Friday HHS withdrew the final rule from OMB review. While the scope of the changes HHS intends to make is unclear (the final rule was not published before the retraction), it appears that the Final Rule may include even stricter breach notification guidelines.

“This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” the OCR announcement stated.

Health care providers should take note that the interim final rule, which took effect September of 2009, remains in effect while the details of the final rule are being developed.

The decision to pull the final rule from OMB review follows last week’s announcement that Rite-Aid Corporation and its 40 affiliated entities will pay $1 million to settle potential privacy disclosure allegations with HHS. The allegations arose after pharmacy videotapes surfaced showing that Rite Aid pharmacies disposed of prescriptions and bottle labels containing PHI in industrial trash containers that were accessible to the public.

HHS Further Defines Rules for Health Care Business Associates

The Department of Health and Human Services ("HHS") has issued proposed rules intended to strengthen the privacy and security of personally identifiable health information as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"). This proposed rule strengthens the privacy and security of health information, and is an integral piece of the administration's efforts to broaden the use of health information technology in health care today.

As previously discussed on the Health Care Lawyer Blog, HITECH requires business associates of HIPAA-covered entities to fully comply with the HIPAA privacy rule. Business associates must also now comply with certain portions of the HIPAA Security Rule and report breaches of unsecured PHI to HHS. As described in the notice of proposed rulemaking, HHS intends to require business associates to enter into written agreements requiring subcontractors who create or receive personally identifiable health information to safeguard the privacy and security of such information. Importantly, the requirements applicable to business associates with respect to subcontractors mirror the requirements imposed on covered entities with respect to business associates.

As an example, if a home health care agency (covered entity) hires an attorney to perform a reimbursement audit, the attorney would be a business associate. If the attorney retains a copy center to help with photocopying voluminous patient files, the copy center would be a subcontractor of the business associate. Therefore, the attorney must enter into a written agreement with the copy center requiring the copy center to safeguard the privacy and security of the information, in the same way that the attorney must protect the information.

In addition, the proposed regulations also set forth the conditions under which the sale of protected health information without patient authorization is prohibited and limitations on the use and disclosure of protected health information for marketing and fundraising.

HHS has also launched a website at www.hhs.gov/healthprivacy/index.html that will keep consumers informed about what HHS is doing to protect the privacy of their health information.

Surgeon Sentenced to Jail Following HIPAA Violation

While warnings about heightened penalties for HIPAA violations proliferated following last year’s passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), one California physician apparently failed to take notice.

Huping Zhou, a licensed cardiothoracic surgeon who was previously working at the UCLA School of Medicine as a researcher, was sentenced in late April to four months in jail after pleading guilty to improperly accessing patient medical records. Zhou’s sentence marks the first incarceration for security breaches under the heightened HITECH penalties.

In light of the enhanced penalties, health care providers should make sure that all employees understand HIPAA rules and regulations, and are aware that any unauthorized access to patient files constitutes a HIPAA violation. While “file snooping” is most prevalent when the patient is a celebrity, employees may also be tempted to peek at files for their neighbor, child’s teacher, or other acquaintances. While employees may believe they are permitted to view such records, access to protected health information must be for treatment, payment, or health care operations. Therefore, perusing a patient’s file out of curiosity is not an authorized access and can land a practice in hot water.

The American Medical Association advises practices to conduct credit checks and other background searches on potential employees prior to hiring and instatement. For example, if a practice treats many celebrities, the practice should be wary of hiring an employee who has a lot of debt or a low credit score, as the employee may be tempted to sell the information to tabloids or newspapers.

HHS Requests Public Comment on HIPAA Provision Requiring Accounting of Electronic Health Record Disclosures

Health care providers who currently use or are planning to use electronic health records should take note of a pending change to the accounting rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under current HIPAA regulations, if a patient requests an “accounting” of how their protected health information (PHI) has been used, covered entities are required to provide patients with the details of each disclosure over the past six years. Each accounting must include:
1) The date of the disclosure;
2) The name and address of the entity/person who received the PHI;
3) A brief description of the information disclosed;
4) A brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).

The current privacy rule exempts disclosures to carry out treatment, payment, and health care operations from these accounting requirements. However, as a result of the HITECH provisions contained in last year’s Stimulus Bill, these exemptions no longer apply to disclosures through an “electronic health record.”

Starting January 1, 2011, any covered entity that uses electronic health records must comply with the new requirements, and provide an accounting of such disclosures made during the three years prior to the request. For example, if a patient requests an accounting under the new statute, the covered entity must account for every transmission of the patient’s information, whether it is for billing purposes, sending lab results to another covered entity for analysis, etc. Obviously, the number of transactions to be accounted for will significantly increase.
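To make the two accounting rules concrete, here is an added Python example (not from the post) that applies the existing six-year, TPO-exempt rule and the HITECH electronic-health-record rule to a constructed disclosure log. It assumes the six-year accounting of non-TPO disclosures continues alongside the new three-year EHR accounting; the recipients, dates and purposes are fictional.

```python
# Added example (not from the blog post): which entries of a PHI disclosure
# log must appear in a patient's accounting of disclosures under the rule
# in force on the request date.
from dataclasses import dataclass
from datetime import date

# Treatment, payment and health care operations ("TPO") purposes.
TPO_PURPOSES = {"treatment", "payment", "health care operations"}


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str      # name and address of the person/entity receiving the PHI
    description: str    # brief description of the information disclosed
    purpose: str        # brief statement of the purpose of the disclosure
    via_ehr: bool       # whether the disclosure was made through an EHR


def years_before(when: date, years: int) -> date:
    """Same calendar day `years` earlier (Feb 29 rolls back to Feb 28)."""
    try:
        return when.replace(year=when.year - years)
    except ValueError:
        return when.replace(year=when.year - years, day=28)


def is_tpo(d: Disclosure) -> bool:
    return d.purpose.lower() in TPO_PURPOSES


def accountable(d: Disclosure, request_date: date, ehr_rule: bool) -> bool:
    """Must this disclosure appear in the accounting?

    Existing rule: six-year lookback, TPO disclosures exempt.
    HITECH EHR rule (from Jan 1, 2011): TPO disclosures made through an EHR
    are no longer exempt, with a three-year lookback. Assumption: the six-year
    accounting of non-TPO disclosures continues alongside the new rule.
    """
    if d.disclosed_on > request_date:
        return False
    if not is_tpo(d):
        return d.disclosed_on >= years_before(request_date, 6)
    if ehr_rule and d.via_ehr:
        return d.disclosed_on >= years_before(request_date, 3)
    return False


def accounting(log, request_date: date, ehr_rule=None):
    """Return the accounting entries (date, recipient, description, purpose)."""
    if ehr_rule is None:
        ehr_rule = request_date >= date(2011, 1, 1)
    entries = [d for d in sorted(log, key=lambda d: d.disclosed_on)
               if accountable(d, request_date, ehr_rule)]
    return [(d.disclosed_on, d.recipient, d.description, d.purpose) for d in entries]


# Constructed sample log for one patient (fictional recipients and dates).
SAMPLE_LOG = [
    Disclosure(date(2006, 3, 10), "County Health Dept, 1 Main St", "immunization record", "public health reporting", False),
    Disclosure(date(2009, 7, 2), "Acme Labs, 9 Lab Rd", "specimen order", "treatment", True),
    Disclosure(date(2010, 11, 15), "BlueCo Insurance, 5 Payer Ave", "claim for visit 2010-11-12", "payment", True),
    Disclosure(date(2010, 12, 1), "Dr. Smith (paper chart copy)", "referral summary", "treatment", False),
    Disclosure(date(2011, 2, 20), "Circuit Court (subpoena)", "visit notes", "legal process", True),
]


def sample_accounting(request_iso: str, ehr_rule=None):
    """Run the accounting over SAMPLE_LOG; return the ISO dates of the entries."""
    entries = accounting(SAMPLE_LOG, date.fromisoformat(request_iso), ehr_rule)
    return [e[0].isoformat() for e in entries]


if __name__ == "__main__":
    for when in ("2010-06-01", "2011-03-01"):
        print(when, "->", sample_accounting(when))
```

Under the old rule the two EHR-based treatment and payment disclosures never appear; once the EHR rule applies they do, while the paper referral stays exempt.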

The Department of Health and Human Services (HHS) recently issued a Request for Information (RFI) to providers seeking information on the interest of individuals with respect to learning of such disclosures, and the administrative burdens on accounting for the same. The specific information sought from providers includes answers to such questions as “Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?” and “What are the benefits to the individual of an accounting of disclosures?”

The full Request for Information is available here.

Health Care Providers Should Check State Law Before Disclosing Patient Information

A recent case from the federal Court for the Northern District of Ohio has held that the Health Insurance Portability and Accountability Act's (HIPAA) exception permitting disclosure of medical records in response to a grand jury subpoena does not authorize covered entities to disclose a patient’s protected health information (PHI) when a more restrictive state statute prohibits such a disclosure.

Specifically, in Turk v. Oiler, Dkt. No. 09-CV-381 (ND Ohio, Feb. 2010), Ohio’s Cleveland Clinic received a subpoena that ordered it to appear as a witness before a grand jury and produce certain documents relating to the medical treatment of a patient. The Clinic produced the documents pursuant to 45 C.F.R. §164.512(f)(1)(ii)(B). The patient thereafter sued, claiming that Ohio’s physician-patient privilege statute does not contain an exception permitting disclosure of PHI in response to a grand jury subpoena. Specifically, the Ohio statute states that a physician cannot testify as to “a communication made to the physician… by a patient in that relation or in the physician’s advice to a patient” except under limited circumstances.

Because Ohio state courts have in the past specifically declined to create an exception to the privilege statute for grand jury proceedings, the court held that the disclosure was improper. The court also rejected the Clinic’s argument that since the grand jury proceedings are confidential, it did not “publicly” disclose the patient’s medical records. Therefore, the Cleveland Clinic may be held liable – either by the Office of Civil Rights or the state Attorney General’s office – for providing the patient’s mental health and substance abuse records to the grand jury.

The Turk case makes clear that when responding to a grand jury subpoena or any other request for patient PHI, it is important to first check state laws and make sure such disclosures are permitted – even if the HIPAA statutes permit the disclosure. In Michigan, for example, the physician-patient privilege statute states that “Except as otherwise provided by law [i.e., by HIPAA], a person duly authorized to practice medicine or surgery shall not disclose any information that the person has acquired in attending a patient in a professional character…” (see M.C.L. §600.2157). Therefore, a disclosure of PHI to a grand jury would be permitted in Michigan.

Covered entities should use special care when contemplating disclosure of mental health records, since mental health/psychiatric notes are often afforded special privileges.

Major Changes to HIPAA Laws Take Effect Feb. 18

February 12, 2010 by Mercedes Varasteh Dordeski

Next week marks the deadline for health care covered entities and business associates to comply with several privacy law requirements implemented by the 2009 Health Information Technology for Economic and Clinical Health Act (a.k.a. HITECH Act). Specifically, under the language of the Act, the following must be satisfied by February 18, 2010:

- Business Associate Agreements. Previously, business associates were required to comply with HIPAA-related privacy laws through a contract with a covered entity, but were not directly responsible for HIPAA compliance. Now, business associates are bound by the HIPAA laws, and must have policies and procedures documenting the same. Specifically, any business associate who performs work on behalf of a covered entity with respect to the entity’s “covered functions” must amend their business associate agreements to add language that the business associate must comply with the HIPAA rules (including breach notification requirements) and include details on how the business associate will store and safeguard PHI.
- Minimum necessary rule. Covered entities are now required to use or disclose only the “minimum necessary” amount of PHI required to complete a covered function. While HHS has yet to issue guidance on the definition of “minimum necessary” (such details are expected to be released August of 2010), effective February 18 covered entities are to use a “limited data set” or the least amount of PHI necessary to accomplish the intended purpose.
- Request for restrictions. Currently, covered entities must allow individuals to request restrictions on how their PHI may be disclosed, but are not required to honor such requests. For example, a patient who pays out-of-pocket can request that his health care provider not disclose information about his medical condition or treatment to his employer/insurer. Under the old privacy laws, a covered entity was required to accept the patient’s request but did not have to act upon it. Effective February 18, however, covered entities must honor requests not to disclose PHI (for purposes of payment or health care operations only) if the patient pays the entire cost of treatment out-of-pocket.

After the jump - HITECH amends access, marketing policies


Health Care Fraud - The New Organized Crime?

January 13, 2010 by Mercedes Varasteh Dordeski

As if corrupt physicians and other health care providers submitting false claims to Medicare and Medicaid themselves weren't bad enough, there's a new twist to the health care fraud scheme. According to a CNN.com article today, a new fraud trick where hospital administrators or physicians' assistants actually sell patient data to organized crime groups has become increasingly common.

The crime groups then use patients' medical insurance data and social security numbers to bill Medicare (and private insurers too) for drugs, equipment and treatment which was never actually prescribed. To collect the money, the fraudsters set up "shell" companies which can disappear easily at the hint of a government investigation. Some criminals even sell patient insurance information to uninsured individuals who are desperate for medical care.

If there are no unscrupulous providers around to sell the information, many crime groups hack into digital medical records in order to siphon patient information. Unfortunately, such crime trends may be on the rise as the use of electronic health records increases.

Bottom line - we not only have to worry about health care fraud, but identity theft too. Here's hoping that the increased HIPAA penalties will encourage health care providers to keep patient information safe.

Health Care Providers Should Take Note of Interim Final HIPAA Breach Notification Laws

August 24, 2009 by Mercedes Varasteh Dordeski

Today the Department of Health and Human Services' interim final regulations governing the new Health Insurance Portability and Accountability Act (HIPAA) security breach notification requirements were published in the Federal Register. These regulations take effect September 23, 2009, and health care providers should take care to familiarize themselves with the requirements by then.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the 2009 Stimulus Bill, requires HIPAA-covered entities to provide notification to affected individuals and the Secretary of Health and Human Services following the discovery of a breach of unsecured protected health information (PHI). In some cases, the HITECH Act requires covered entities to provide notification to the media of the breaches. In the case of a breach of unsecured PHI by a business associate (such as an accountant or attorney) of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary of Health and Human Services to post a list of covered entities that experience a breach of the PHI of 500 or more individuals on the HHS website.

However, it is important to note that the HITECH Act does not require the reporting of every slip-up and privacy violation by a covered entity or business associate. For example, in order for a breach to occur the PHI must be “unsecured”. This means that the information must not have been rendered unusable, unreadable, or indecipherable to unauthorized individuals. For example, if a covered entity accidentally emails notes on a patient file to the wrong address, but the email is encrypted in a certain fashion delineated by the regulations, the notice requirements would not be triggered because the information is not “unsecured”.

After the jump - how to determine if a "breach" has occurred >>
