July 9, 2010

HHS Further Defines Rules for Health Care Business Associates

The Department of Health and Human Services ("HHS") has issued proposed rules intended to strengthen the privacy and security of personally identifiable health information, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"). The proposed rule strengthens the privacy and security of health information and is an integral piece of the administration's efforts to broaden the use of health information technology in health care today.

As previously discussed on the Health Care Lawyer Blog, HITECH requires business associates of HIPAA-covered entities to fully comply with the HIPAA privacy rule. Business associates must also now comply with certain portions of the HIPAA Security Rule and report breaches of unsecured PHI to HHS. As described in the notice of proposed rulemaking, HHS intends to require business associates to enter into written agreements requiring subcontractors who create or receive personally identifiable health information to safeguard the privacy and security of such information. Importantly, the requirements applicable to business associates with respect to subcontractors mirror the requirements imposed on covered entities with respect to business associates.

As an example, if a home health care agency (covered entity) hires an attorney to perform a reimbursement audit, the attorney would be a business associate. If the attorney retains a copy center to help with photocopying voluminous patient files, the copy center would be a subcontractor of the business associate. Therefore, the attorney must enter into a written agreement with the copy center requiring the copy center to safeguard the privacy and security of the information, in the same way that the attorney must protect the information.

In addition, the proposed regulations set forth the conditions under which the sale of protected health information without patient authorization is prohibited, as well as limitations on the use and disclosure of protected health information for marketing and fundraising.

HHS has also launched a website at www.hhs.gov/healthprivacy/index.html that will keep consumers informed about what HHS is doing to protect the privacy of their health information.


June 24, 2010

Surgeon Sentenced to Jail Following HIPAA Violation

While warnings about heightened penalties for HIPAA violations proliferated following last year’s passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), one California physician apparently failed to take notice.

Huping Zhou, a licensed cardiothoracic surgeon who was previously working at the UCLA School of Medicine as a researcher, was sentenced in late April to four months in jail after pleading guilty to improperly accessing patient medical records. Zhou’s sentence marks the first incarceration for security breaches under the heightened HITECH penalties.

In light of the enhanced penalties, health care providers should make sure that all employees understand HIPAA rules and regulations, and are aware that any unauthorized access to patient files constitutes a HIPAA violation. While “file snooping” is most prevalent when the patient is a celebrity, employees may also be tempted to peek at files for their neighbor, child’s teacher, or other acquaintances. While employees may believe they are permitted to view such records, access to protected health information must be for treatment, payment, or health care operations. Therefore, perusing a patient’s file out of curiosity is not an authorized access and can land a practice in hot water.

The American Medical Association advises practices to conduct credit checks and other background searches on potential employees prior to hiring and instatement. For example, if a practice treats many celebrities, the practice should be wary of hiring an employee who has a lot of debt or a low credit score, as the employee may be tempted to sell the information to tabloids or newspapers.


May 26, 2010

HHS Requests Public Comment on HIPAA Provision Requiring Accounting of Electronic Health Record Disclosures

Health care providers who currently use or are planning to use electronic health records should take note of a pending change to the accounting rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under current HIPAA regulations, if a patient requests an “accounting” of how their protected health information (PHI) has been used, covered entities are required to provide the patient with the details of each disclosure over the past six years. Each accounting must include:
1) The date of the disclosure;
2) The name and address of the entity/person who received the PHI;
3) A brief description of the information disclosed;
4) A brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).

The current privacy rule exempts disclosures to carry out treatment, payment, and health care operations from these accounting requirements. However, as a result of the HITECH provisions contained in last year’s Stimulus Bill, these exemptions no longer apply to disclosures through an “electronic health record.”

Starting January 1, 2011, any covered entity that uses electronic health records must comply with the new requirements and provide an accounting of such disclosures made during the three years prior to the request. For example, if a patient requests an accounting under the new statute, the covered entity must account for every transmission of the patient’s information, whether it is for billing purposes, sending lab results to another covered entity for analysis, etc. Obviously, the number of transactions to be accounted for will significantly increase.

The Department of Health and Human Services (HHS) recently issued a Request for Information (RFI) to providers seeking information on the interest of individuals with respect to learning of such disclosures, and the administrative burdens on accounting for the same. The specific information sought from providers includes answers to such questions as “Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?” and “What are the benefits to the individual of an accounting of disclosures?”

The full Request for Information is available here.


March 1, 2010

Health Care Providers Should Check State Law Before Disclosing Patient Information

A recent case from the federal Court for the Northern District of Ohio has held that the Health Insurance Portability and Accountability Act's (HIPAA) exception permitting disclosure of medical records in response to a grand jury subpoena does not authorize covered entities to disclose a patient’s protected health information (PHI) when a more restrictive state statute prohibits such a disclosure.

Specifically, in Turk v. Oiler, Dkt. No. 09-CV-381 (ND Ohio, Feb. 2010), Ohio’s Cleveland Clinic received a subpoena that ordered it to appear as a witness before a grand jury and produce certain documents relating to the medical treatment of a patient. The Clinic produced the documents pursuant to 45 C.F.R. §164.512(f)(1)(ii)(B). The patient thereafter sued, claiming that Ohio’s physician-patient privilege statute does not contain an exception permitting disclosure of PHI in response to a grand jury subpoena. The Ohio statute provides that a physician cannot testify as to “a communication made to the physician… by a patient in that relation or in the physician’s advice to a patient” except under limited circumstances.

Because Ohio state courts have in the past specifically declined to create an exception to the privilege statute for grand jury proceedings, the court held that the disclosure was improper. The court also rejected the Clinic’s argument that, since grand jury proceedings are confidential, it did not “publicly” disclose the patient’s medical records. Therefore, the Cleveland Clinic may be held liable – either by the Office for Civil Rights or the state Attorney General’s office – for providing the patient’s mental health and substance abuse records to the grand jury.

The Turk case makes clear that when responding to a grand jury subpoena or any other request for patient PHI, it is important to first check state law and make sure such disclosures are permitted – even if the HIPAA regulations permit the disclosure. In Michigan, for example, the physician-patient privilege statute states that “Except as otherwise provided by law [i.e., by HIPAA], a person duly authorized to practice medicine or surgery shall not disclose any information that the person has acquired in attending a patient in a professional character…” (see M.C.L. §600.2157). Because HIPAA is a law that “otherwise provides,” a disclosure of PHI to a grand jury would be permitted in Michigan.

Covered entities should use special care when contemplating disclosure of mental health records, since mental health/psychiatric notes are often afforded special privileges.


February 12, 2010

Major Changes to HIPAA Laws Take Effect Feb. 18

Next week marks the deadline for health care covered entities and business associates to comply with several privacy law requirements implemented by the 2009 Health Information Technology for Economic and Clinical Health Act (a.k.a. HITECH Act). Specifically, under the language of the Act, the following must be satisfied by February 18, 2010:

- Business Associate Agreements. Previously, business associates were required to comply with HIPAA-related privacy laws through a contract with a covered entity, but were not directly responsible for HIPAA compliance. Now, business associates are bound by the HIPAA laws, and must have policies and procedures documenting the same. Specifically, any business associate who performs work on behalf of a covered entity with respect to the entity’s “covered functions” must amend their business associate agreements to add language that the business associate must comply with the HIPAA rules (including breach notification requirements) and include details on how the business associate will store and safeguard PHI.
- Minimum necessary rule. Covered entities are now required to use or disclose only the “minimum necessary” amount of PHI required to complete a covered function. While HHS has yet to issue guidance on the definition of “minimum necessary” (such details are expected to be released August of 2010), effective February 18 covered entities are to use a “limited data set” or the least amount of PHI necessary to accomplish the intended purpose.
- Request for restrictions. Currently, covered entities must allow individuals to request restrictions on how their PHI may be disclosed, but are not required to honor such requests. For example, a patient who pays out-of-pocket can request that his health care provider not disclose information about his medical condition or treatment to his employer/insurer. Under the old privacy laws, a covered entity was required to accept the patient’s request but did not have to act upon it. Effective February 18, however, covered entities must honor requests not to disclose PHI (for purposes of payment or health care operations only) if the patient pays the entire cost of treatment out-of-pocket.

After the jump - HITECH amends access, marketing policies



January 13, 2010

Health Care Fraud - The New Organized Crime?

If corrupt physicians and other health care providers themselves submitting false claims to Medicare and Medicaid weren't bad enough, there's a new twist to the health care fraud scheme. According to a CNN.com article today, a new fraud trick in which hospital administrators or physicians' assistants actually sell patient data to organized crime groups has become increasingly common.

The crime groups then use patients' medical insurance data and social security numbers to bill Medicare (and private insurers too) for drugs, equipment and treatment that were never actually prescribed. To collect the money, the fraudsters set up "shell" companies that can disappear easily at the hint of a government investigation. Some criminals even sell patient insurance information to uninsured individuals who are desperate for medical care.

If there are no unscrupulous providers around to sell the information, many crime groups hack into digital medical records in order to siphon patient information. Unfortunately, such crime trends may be on the rise as the use of electronic health records increases.

Bottom line - we not only have to worry about health care fraud, but identity theft too. Here's hoping that the increased HIPAA penalties will encourage health care providers to keep patient information safe.
