February 15, 2024

QUESTION:
We recently received a complaint that a Medical Staff member may have been inappropriately accessing medical records.  Do we handle this as a Medical Staff matter or should we refer this to our HIPAA Privacy Officer?

OUR ANSWER FROM HORTYSPRINGER ATTORNEY IAN DONALDSON:
Given the Privacy Officer is responsible for implementing the hospital’s HIPAA policies, they should be made aware of any potential violations by a Medical Staff member.  In addition, Privacy Officers have significant experience investigating and responding to privacy violations and they will understand the law’s regulatory requirements, including if breach notifications are required.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
  • The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
  • Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

This is why we recommend that the Medical Staff’s professionalism policy or code of conduct include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility.  This allows for coordination between the Medical Staff leadership and the individual responsible for the other policy.

If you have a quick question about this, e-mail Ian Donaldson at idonaldson@hortyspringer.com.

August 26, 2021

QUESTION:
“One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient.  The physician believes that this information will assist the patient in making choices about the direction of her treatment.  Can he do that?”

ANSWER:
The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition.  Thus, the deceased patient’s cancer history meets this definition.  However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule?  The answer to this question is “yes.”  The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual.  Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.

That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks.  Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters.  He has a few options.  The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities.  According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.”  If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options.  First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer.  If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information.  If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA.  For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.

October 1, 2020

QUESTION:        We unintentionally sent an unencrypted email containing Protected Health Information (“PHI”) to the wrong person, who is a business associate.  Is sending an unencrypted email a HIPAA breach?

ANSWER:          No.  The HIPAA Rules that come into play here are the Privacy Rule and the Security Rule.  HIPAA defines “breach” to mean the acquisition, access, use or disclosure of PHI “in a manner not permitted under [the Privacy Rule]….”  So, a “breach” can occur only if the Privacy Rule is violated – Security Rules violations are not “breaches” – and merely sending an unencrypted email containing PHI, without more, does not violate the Privacy Rule (however, sending an unencrypted email could possibly violate the Security Rule, since it has standards that discuss encryption).

Alright, since a “breach” did not occur by sending an unencrypted email, did a HIPAA “breach” occur when the email was sent to the business associate?  The answer is “no” since the HIPAA definition of “breach” has an exception that states as follows:

“Breach excludes…any unintentional acquisition, access, or use of PHI by a workforce member…of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under [the HIPAA Privacy Rule.]”

In this case, the business associate “acquired” the PHI by opening the e-mail, which was unintentional.  In other words, the business associate did not mean to acquire the PHI (as opposed to actively trying to gain access to information), and was acting within the scope of his/her employment, in good faith, and did not further disclose the PHI.  Thus, there was no HIPAA breach.