March 6, 2025

Posted on March 6, 2025 by Courtney Patterson

QUESTION:
Our hospital received a threatening letter from a lawyer, claiming that our website uses Google Analytics and, in doing so, has violated wiretapping laws. Is this legitimate or a scam? What should we do?

ANSWER FROM HORTYSPRINGER ATTORNEY RACHEL REMALEY:
Some might believe the letter you received is both legitimate and a scam, wrapped up in the same package. Specifically, as you likely know, the U.S. legal system acknowledges/permits class action lawsuits – essentially, lawsuits filed by one or more “class representatives” who litigate the claim on behalf of all similarly situated class members (the aggrieved individuals). In concept, class actions permit litigation of claims where the damage to any one litigant may be too small to warrant a single individual shouldering the expenditure of fees/costs on complex litigation. By grouping the claims of the entire class together, the lawyers who manage class action lawsuits make their money (since they collect their legal fees/costs first, out of any settlement or award), making it possible for these claims – that may otherwise go unaddressed – to be brought.

With that said, many of the class action lawsuits threatened/brought in recent years seem to originate with lawyers looking for a hook to justify a claim. Often these firms run advertisements looking for individuals willing to serve as a “class representative” plaintiff, giving assurances that those volunteers won’t have to pay any upfront fees and, for their time, will be awarded a greater share of any settlement/award that results from the suit. One begins to wonder if, for many of these suits, anyone was ever “aggrieved” to begin with. Some of these firms even sell an interest in the lawsuits to private equity investors. If the suit eventually results in a settlement or award, the firms/investors win big. Class members usually receive paltry payouts. Sometimes, they are a few cents or dollars. Sometimes, there is no payout for the class members, just promises by a company to do better in the future. Either way, the law firm walks away with its fees/costs recouped.

So, the letter you received is probably a legitimate letter from a lawyer or law firm. If it alleges that some class of individuals is aggrieved, it remains to be seen whether any individual actually believed they were aggrieved or knew anything about the alleged wiretapping violation described in the letter. A quick search of the internet will reveal for you that these types of letters/claims are rampant, and not just with respect to health care organizations. They are just one of the many ways that firms/plaintiffs have been pursuing class action claims in recent years. Remember several years ago, when a spate of lawsuits alleged that health care entities were violating HIPAA and state healthcare privacy laws through tracking that occurred on their websites? We have also seen some firms/plaintiffs taking a new angle, alleging that websites that show videos and track users are violating the federal Video Privacy Protection Act (VPPA).

The good news for you is that (1) you are not alone in being targeted in this way, and (2) a number of courts around the country have already rejected these types of claims under various state’s wiretapping laws. But, that doesn’t mean that you should simply throw the letter in the trash and ignore it. Any time you receive any correspondence alleging a legal violation or threatening to sue, you should notify risk management and legal counsel, so that they can help the organization decide the most appropriate response. In most cases, the next step will be to promptly notify your insurance carrier (who may decide whether to appoint specific counsel to manage the response, put a litigation hold in place, etc.).

Finally, receipt of a letter like this can be a good time for the organization to review its current practices to ensure that there are not gaps in compliance/areas of risk. The Department of Health and Human Services put out a guidance document, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” that may be helpful to review, if website tracking concerns are new to you. As the HHS website makes clear, some of the guidance has been limited by court action. But, if you are looking for more information about why website tracking is of concern and some steps that might be taken to address privacy concerns, it is a good place to get started.

If you have a quick question about this, e-mail Rachel Remaley at rremaley@hortyspringer.com.

January 16, 2025

Posted on January 16, 2025 by Courtney Patterson

QUESTION:
How should we handle distributing peer review materials prior to a meeting?

ANSWER FROM HORTYSPRINGER ATTORNEY NICHOLAS CALABRESE:
In general, we recommend that documents not be distributed before meetings. You always take a risk when you distribute peer review materials prior to a meeting, because if the materials are lost, misplaced, or treated carelessly, peer review protections could be lost. Confidential materials should not end up in the hands of someone who is not part of a legally protected peer review committee.

But, we also realize that sometimes confidential materials have to be reviewed prior to a meeting, because it may be a huge pile of documents. So, here are a couple ideas:

You could keep all of the peer review materials in a central location, like the medical staff office. Committee members can have access to the materials, but won’t be able to take them out of the office. Also, here, don’t allow any copies to be made, unless the VPMA, CMO or CEO allows it.

Another idea is to put the committee member’s name and phone number on the materials, along with a number, like 1 of 12. The committee members should be told that no copies may be made, and that the documents should be returned after the meeting. Then, after the meeting, the materials should be collected, all of the numbers accounted for, and the copies destroyed – only keep the originals as official records.

One final idea that can be used with the first two ideas is to stamp all of the confidential materials with a stamp that states “Protected and Confidential Pursuant to the State Peer Review Statute.” Again, a red flag goes up if the stamp is seen outside the meeting room.

During the pandemic, everything became virtual, which raised a whole host of issues. Everyone is now more comfortable sharing peer review documents electronically through protected portals and the like, but there is still a need to be cautious. So, sit down and think everything through on how to tackle this. For example, think about:

How do you control access? (passwords, secure email, etc.)
Do you send emails to gmail accounts or only to hospital accounts?
Are you going to blind the records? Prohibit copies?

We advise pulling in your facility’s tech experts to work with you as a part of this process. Which videoconferencing platform is secure for HIPAA and other privacy laws? Create a list of approved software programs.

We’ve developed a policy on virtual meetings. The highlights of the policy are:

Virtual participants should be required to maintain compliance with all policies relating to confidentiality, data privacy, electronic communications and security. We recommend that all meetings begin with a reminder about confidentiality, privacy and security, and that this be reflected in the minutes. Quorum and voting requirements apply as if at an in‑person meeting.
The best practice is to prepare for calls by testing new cameras and microphones before the meeting. Also, minimize outside distractions, such as the dog coming in and out of the picture, hearing the neighbors fighting, or the kid next door testing out the new exhaust on his Dodge Challenger. You can’t soundproof the walls, but do try to find a secluded, quiet space.

Some practical tips for virtual meetings…

Remember that you’re in a professional setting. During the pandemic, there were stories about people making dinner, brushing their teeth, etc., while on Zoom. Avoid that and give the meeting the attention it deserves.
Remember that mute is your friend. Keep microphones on mute unless speaking, and always assume that the mic is hot. Pre‑pandemic, there’s the famous story about President Ronald Reagan forgetting that he had a hot mic, and saying “My fellow Americans, I’m pleased to tell you today that I’ve signed legislation that will outlaw Russia forever. We begin bombing in five minutes.” Then there are the pandemic stories – all members of a San Francisco area school board resigned after they were heard making disparaging comments about parents at a virtual board meeting. Always assume the mic is hot and the camera is on.

If you have a quick question about this, e‑mail Nick at ncalabrese@hortyspringer.com.

March 14, 2024

Posted on March 14, 2024 by Courtney Patterson

QUESTION:
Do you have any tips for virtual meetings?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY NICHOLAS CALABRESE:
Yes, invest in Zoom! The pandemic changed a lot of things, one of which was that many meetings became virtual. While in-person meetings are back, virtual meetings still may be held from time-to-time, so we’ve compiled the following tips:

Virtual participants should be required to maintain compliance with all policies relating to confidentiality, data privacy, electronic communications and security. We recommend that all meetings begin with a reminder about confidentiality, privacy and security, and that this be reflected in the minutes. Quorum and voting requirements apply as if at an in-person meeting.

The best practice is to prepare for calls by testing new cameras and microphones before the meeting. Also, minimize outside distractions, such as the dog coming in and out of the picture, hearing the neighbors fighting, or the kid next door testing out the new exhaust on his Dodge Challenger. You can’t soundproof the walls, but do try to find a secluded, quiet space.

Remember that you’re in a professional setting. We’ve all heard the stories about people making dinner, brushing their teeth, etc., while on Zoom. Avoid that and give the meeting the attention it deserves.

Remember that mute is your friend. Keep microphones on mute unless speaking, and always assume that the mic is hot. Pre-pandemic, there’s the famous story about President Ronald Reagan forgetting that he had a hot mic, and saying “My fellow Americans, I’m pleased to tell you today that I’ve signed legislation that will outlaw Russia forever. We begin bombing in five minutes.” Then there are the pandemic stories – all members of a San Francisco area school board resigned after they were heard making disparaging comments about parents at a virtual board meeting. Always assume the mic is hot and the camera is on.

Set forth a process for sharing documents, taking into account: How do you control access? (passwords, secure email, etc.); Do you send emails to gmail accounts or only to hospital accounts? Are you going to blind the records? Prohibit copies? Which videoconferencing platform is secure for HIPAA and other privacy laws? Create a list of approved software programs.

Finally, take everything and turn it into a policy to be used whenever a virtual meeting is held.

If you have a quick question about this, e-mail Nick at ncalabrese@hortyspringer.com.

February 15, 2024

Posted on February 15, 2024 by Courtney Patterson

QUESTION:
We recently received a complaint that a Medical Staff member may have been inappropriately accessing medical records. Do we handle this as a Medical Staff matter or should we refer this to our HIPAA Privacy Officer?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY IAN DONALDSON:
Given the Privacy Officer is responsible for implementing the hospital’s HIPAA policies, they should be made aware of any potential violations by a Medical Staff member. In addition, Privacy Officers have significant experience investigating and responding to privacy violations and they will understand the law’s regulatory requirements, including if breach notifications are required.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

Physicians may be more likely to listen to other physicians.

Hospital licensing regulations generally require the Medical Staff to review the actions of its members.

The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.

Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

This is why we recommend that the Medical Staff’s professionalism policy or code of conduct include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility. This allows for coordination between the Medical Staff leadership and the individual responsible for the other policy.

If you have a quick question about this, e-mail Ian Donaldson at idonaldson@hortyspringer.com.

January 25, 2024

Posted on January 25, 2024 by Courtney Patterson

QUESTION:
Our hospital wants to require employees to submit documentation to Human Resources of their COVID-19 and flu vaccination status. One employee complained that this is a HIPAA violation. Is it?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY PHIL ZARONE:
No. A hospital is acting in its role as an employer (not a covered entity/health care provider) when it asks employees to answer questions or provide documentation about their vaccination status. Hospitals store such information in the employee’s employment record, not in the employee’s medical record.

HIPAA specifically excludes employment records from the definition of “Protected Health Information.” The relevant definition states: “Protected health information excludes individually identifiable health information…[i]n employment records held by a covered entity in its role as employer.” 45 C.F.R. § 160.103.

Thus, information that a hospital obtains when it asks an employee about vaccination status isn’t covered by HIPAA. It follows that HIPAA isn’t violated if the hospital then discloses that information to managers and supervisors so they can enforce the hospital’s policies.

Although HIPAA doesn’t apply, the Americans with Disabilities Act (“ADA”) does govern information that a hospital holds in its role as an employer. The regulations implementing the ADA state that information “regarding the medical condition or history of any employee shall be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record, except that: (A) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations.” 29 C.F.R. § 1630.14.

It’s important to recognize that in some cases a hospital could hold information about vaccination status in its role as a covered entity/health care provider under HIPAA. For example, a hospital might conduct a clinic by which it gives flu shots to members of the community. HIPAA would apply to that information, because it was created by the hospital in its role as a provider of health care services. Thus, the hospital could not disclose those vaccination records to a local third-party employer unless the individual signs a HIPAA authorization.

If you have a question about this issue, please e-mail Phil Zarone at pzarone@hortyspringer.com.

August 10, 2023

Posted on August 10, 2023 by Courtney Patterson

QUESTION:
One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient. The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY CHARLES CHULACK:
The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition. Thus, the deceased patient’s cancer history meets this definition. However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule? The answer to this question is “yes.” The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual. Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

It is certainly important that a patient understand their family history, including risks for certain diseases and disorders so that they can proactively address those risks. Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters. He has a few options. The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities. According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.” If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options. First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer. If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information. If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA. For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

If you have a quick question about this, e-mail Charlie Chulack at cchulack@hortyspringer.com.

August 26, 2021

Posted on August 26, 2021 by Courtney Patterson

QUESTION:
“One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient. The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?”

ANSWER:
The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition. Thus, the deceased patient’s cancer history meets this definition. However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule? The answer to this question is “yes.” The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual. Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks. Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters. He has a few options. The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities. According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.” If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options. First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer. If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information. If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA. For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

July 23, 2020

Posted on July 23, 2020July 23, 2020 by hortyspringer

***
QUESTION: Our hospital recently addressed a HIPAA breach by a hospital employee. Do we have any obligation to conduct a comprehensive review of that employee’s activities to see if there are any other HIPAA breaches?

ANSWER: HIPAA doesn’t specifically require a hospital to conduct an audit or other type of review to determine if a person who committed one HIPAA breach may have committed other similar (or different) breaches. However, a hospital’s efforts are important in two ways:

The HIPAA breach notification rule says patients must be notified of a breach within 60 days of when the hospital knows of a breach, or within 60 days of when the hospital would have known of the breach if it had exercised “reasonable diligence.”
HIPAA penalties are based on the action a hospital takes. If a hospital knows of a breach that may be part of a pattern but chooses not to look for other similar breaches, the hospital could be charged with “willful neglect” and penalized more severely.

The federal government has never said whether “reasonable diligence” means that a hospital must go back a certain amount of time or engage in certain types of activities. Instead, the government has offered the following general guidance:

With respect to those commenters asking for guidance on what it means for a covered entity to be exercising reasonable diligence, we note that the term reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances. Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances. Covered entities and business associates may wish to look to how other covered entities and business associates operating under similar circumstances conduct themselves for a standard of practice.

78 Fed. Reg. 5566, 5647 (January 25, 2013).

January 30, 2020

Posted on January 30, 2020January 30, 2020 by hortyspringer

QUESTION: I heard that the Department of Health and Human Services released a new rule on partial fills of opioid prescriptions. Can you give me a brief overview of the change?

ANSWER: Yes. The Department of Health and Human Services (“HHS”) has issued a final rule designed to improve tracking of transactions involving Schedule II drugs. Briefly stated, this change requires certain covered entities to report “quantity prescribed” data for transactions involving Schedule II drugs. The data will track whether the prescription was partially filled (which is legal under some circumstances) or refilled (which can potentially be a violation of the Controlled Substances Act).

If your organization is covered by HIPAA and has a retail pharmacy that dispenses Schedule II drugs, you should check to see whether this law may have an impact on your workflows and recordkeeping. The final rule is available here.

April 25, 2019

Posted on April 25, 2019 by hortyspringer

QUESTION: One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient. The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?

ANSWER: The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition. Thus, the deceased patient’s cancer history meets this definition. However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule? The answer to this question is “yes.” The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual. Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.