March 1, 2010

Health Care Providers Should Check State Law Before Disclosing Patient Information

A recent case from the federal Court for the Northern District of Ohio has held that the Health Insurance Portability and Accountability Act's (HIPAA) exception permitting disclosure of medical records in response to a grand jury subpoena does not authorize covered entities to disclose a patient’s protected health information (PHI) when a more-restrictive state statute prohibits such a disclosure.

Specifically, in Turk v. Oiler, Dkt. No. 09-CV-381 (ND Ohio, Feb. 2010), Ohio’s Cleveland Clinic received a subpoena that ordered it to appear as a witness before a grand jury and produce certain documents relating to the medical treatment of a patient. The Clinic produced the documents pursuant to 45 C.F.R. §164.512(f)(1)(ii)(B). The patient thereafter sued, claiming that Ohio’s physician-patient privilege statute does not contain an exception permitting disclosure of PHI in response to a grand jury subpoena. The Ohio statute states that a physician cannot testify as to “a communication made to the physician… by a patient in that relation or in the physician’s advice to a patient” except under limited circumstances.

Because Ohio state courts have in the past specifically declined to create an exception to the privilege statute for grand jury proceedings, the court held that the disclosure was improper. The court also rejected the Clinic’s argument that, since the grand jury proceedings are confidential, it did not “publically” disclose the patient’s medical records. Therefore, the Cleveland Clinic may be held liable – either by the Office of Civil Rights or state Attorney General’s office – for providing the patient’s mental health and substance abuse records to the grand jury.

The Turk case makes clear that when responding to a grand jury subpoena or any other request for patient PHI, it is important to first check state laws and make sure such disclosures are permitted – even if the HIPAA statutes permit the disclosure. In Michigan, for example, the physician-patient privilege statute states that “Except as otherwise provided by law [i.e., by HIPAA], person duly authorized to practice medicine or surgery shall not disclose any information that the person has acquired in attending a patient in a professional character…” (see M.C.L. §600.2157). Therefore, a disclosure of PHI to a grand jury would be permitted in Michigan.

Covered entities should use special care when contemplating disclosure of mental health records, since mental health/psychiatric notes are often afforded special privileges.


February 12, 2010

Major Changes to HIPAA Laws Take Effect Feb. 18

Next week marks the deadline for health care covered entities and business associates to comply with several privacy law requirements implemented by the 2009 Health Information Technology for Economic and Clinical Health Act (a.k.a. HITECH Act). Specifically, under the language of the Act, the following must be satisfied by February 18, 2010:

- Business Associate Agreements. Previously, business associates were required to comply with HIPAA-related privacy laws through a contract with a covered entity, but were not directly responsible for HIPAA compliance. Now, business associates are bound by the HIPAA laws, and must have policies and procedures documenting the same. Specifically, any business associate who performs work on behalf of a covered entity with respect to the entity’s “covered functions” must amend their business associate agreements to add language that the business associate must comply with the HIPAA rules (including breach notification requirements) and include details on how the business associate will store and safeguard PHI.
- Minimum necessary rule. Covered entities are now required to use or disclose only the “minimum necessary” amount of PHI required to complete a covered function. While HHS has yet to issue guidance on the definition of “minimum necessary” (such details are expected to be released in August of 2010), effective February 18 covered entities are to use a “limited data set” or the least amount of PHI necessary to accomplish the intended purpose.
- Request for restrictions. Currently, covered entities must allow individuals to request restrictions on how their PHI may be disclosed, but are not required to honor such requests. For example, a patient who pays out-of-pocket can request that his health care provider not disclose information about his medical condition or treatment to his employer/insurer. Under the old privacy laws, a covered entity was required to accept the patient’s request but did not have to act upon it. Effective February 18, however, covered entities must honor requests not to disclose PHI (for purposes of payment or health care operations only) if the patient pays the entire cost of treatment out-of-pocket.


January 13, 2010

Health Care Fraud - The New Organized Crime?

If corrupt physicians and other health care providers submitting false claims to Medicare and Medicaid weren't bad enough, there's a new twist to the health care fraud scheme. According to a CNN.com article today, a new fraud trick in which hospital administrators or physicians' assistants actually sell patient data to organized crime groups has become increasingly common.

The crime groups then use patients' medical insurance data and social security numbers to bill Medicare (and private insurers too) for drugs, equipment and treatment that were never actually prescribed. To collect the money, the fraudsters set up "shell" companies which can disappear easily at the hint of a government investigation. Some criminals even sell patient insurance information to uninsured individuals who are desperate for medical care.

If there are no unscrupulous providers around to sell the information, many crime groups hack into digital medical records in order to siphon patient information. Unfortunately, such crime trends may be on the rise as the use of electronic health records increases.

Bottom line - we not only have to worry about health care fraud, but identity theft too. Here's hoping that the increased HIPAA penalties will encourage health care providers to keep patient information safe.
