March 8, 2018

QUESTION:        We received a subpoena from an attorney requesting the medical records of a patient.  The attorney represents the plaintiff in the case, and the patient is the defendant.  We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either.  Help!

ANSWER:            The regulations implementing HIPAA (the “HIPAA Privacy Rule”) require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena.  Basically, these regulations require that a hospital receive “satisfactory assurances” that the patient has been notified of the subpoena and that any objections to the subpoena by the patient have been resolved.  Until the hospital receives these “satisfactory assurances,” it is prohibited by federal law from disclosing the medical records.

State law may also help here.  For example, the Pennsylvania Rules of Civil Procedure require a party in a lawsuit to serve a copy of a proposed subpoena on all other parties prior to issuing that subpoena to a third party (the hospital).  Also, the Rules state that a party that intends to serve a subpoena on a third party (the hospital) must file a certificate showing that it has notified other parties in the lawsuit of the subpoena.

So, as required by the HIPAA Privacy Rule, a hospital, or its attorney, should request that the individual who requested the medical records provide the hospital with documentation that indicates that the patient has received notice of the subpoena, has had an opportunity to object to it, and either no objections were filed or all objections have been resolved.  Once the hospital receives that documentation, it will be able to comply with the subpoena.

August 11, 2016

QUESTION:          Does the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule protect individually identifiable health information of deceased individuals?

ANSWER:              Yes, for a certain period of time.  The Privacy Rule protects a deceased’s individually identifiable health information for 50 years following the date of death of the individual.  It does this by specifically excluding from the definition of “protected health information” individually identifiable health information of an individual who has been deceased for over 50 years (45 C.F.R. §160.103).

As the U.S. Department of Health & Human Services (“HHS”) explains on its website: “This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.”

April 21, 2016

QUESTION:        We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes.  There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred.  Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?

ANSWER:           Yes.  The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen.  Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically.  In our experience, most states recognize electronic signatures as valid equivalents to signatures, for most purposes.  But, you should check with counsel and have them research the applicable state law, to be sure.

Note the following FAQ from the Department of Health and Human Services Office of Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:

How do HIPAA authorizations apply to an electronic health information exchange environment?

The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule.  For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions.  Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange.  However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required.  In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization.  Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
Created 12/15/08

November 12, 2015

QUESTION:         Our hospital recently received a discovery request (a request for production of documents) in a malpractice suit brought against one of the physicians practicing at our hospital. The request seeks documents which contain protected health information (“PHI”), as that term is defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Should we respond by producing the documents?

ANSWER:           This is a question that can best be answered by your attorneys and should be referred to them for an answer because the answer may depend on a number of variables, such as whether the information is protected by your state’s peer review privilege or some other evidentiary privilege. Nonetheless, assuming no privilege applies and that the information is otherwise discoverable, PHI under HIPAA may only be disclosed under certain circumstances. In litigation, disclosures of PHI are often made pursuant to a “qualified protective order.” A covered entity may disclose PHI if it “receives satisfactory assurance…from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order….” At a minimum, the qualified protective order must prohibit the parties from using or disclosing the PHI for any purpose other than the litigation and require the return to the covered entity or destruction of the PHI, and any copies made, at the end of the litigation. If a qualified protective order that meets HIPAA requirements is in place and the documents are not otherwise privileged or protected, it may be appropriate to provide the documents.  Of course, your hospital may also provide PHI that is sought in discovery after it is de-identified according to the requirements of HIPAA. Disclosure of de-identified health information may be appropriate if the discovery request does not seek health information that is tied to a particular individual and does not cover a large number of documents.

October 22, 2015

QUESTION:        Our health system is comprised of multiple entities, including several hospitals and a large physician group practice. We wanted to know how we can promote consistency and economies of scale by coordinating our efforts to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). We also wanted to know whether we could share protected health information amongst and between the multiple entities.

ANSWER:           Yes, you can. The easiest way to do this is under the HIPAA regulations, at 45 C.F.R. §164.105(b)(1), governing affiliated covered entities. Per this section, “legally separate entities that are affiliated” may designate themselves as a single covered entity for purposes of the security and privacy requirements of the HIPAA regulations. However, all of the covered entities in the system must be under common ownership and control and the designation must be documented. The designation documentation must be maintained in written or electronic form and for a period of six years from the date of its creation or the date when it last was in effect, whichever is greater. Often, this designation can be accomplished with a brief board resolution. The practical effect of the affiliated covered entities designation is that all of the covered entities in your system which are under common ownership and control are treated as one covered entity for HIPAA privacy and security purposes. Thus, they can share a single set of privacy policies and can freely share protected health information as if they were a single entity. This may result in significant efficiencies when navigating the regulatory complexity of the HIPAA rules.

September 10, 2015

QUESTION:        Our hospital is doing a HIPAA security risk assessment and was told we have to follow guidance issued by the National Institute of Standards and Technology (“NIST”). Is that something we have to do?

ANSWER:            No. You can use the NIST publications as a guide, but you don’t have to. The HIPAA Security Rule itself does not reference the NIST guide at all, although some NIST documents are mentioned in the Preamble to that rule. The HHS Office of Civil Rights has published several papers providing useful guidance on complying with the security rule, which can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. In one of them, OCR says:

Although only federal agencies are required to follow federal guidelines like the NIST 800 series, non-federal covered entities may find their content valuable when performing compliance activities. As stated in the CMS frequently asked questions (FAQs) on the HIPAA Security Rule,

“Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities. While NIST documents were referenced in the preamble to the Security Rule, this does not make them required. In fact, some of the documents may not be relevant to small organizations, as they were intended more for large, governmental organizations.”

The Security Rule does not prescribe a specific risk analysis or risk management methodology. This paper is not intended to be the definitive guidance on risk analysis and risk management. Rather, the goal of this paper is to present the main concepts of the risk analysis and risk management processes in an easy-to-understand manner. Performing risk analysis and risk management can be difficult due to the levels of detail and variations that are possible within different covered entities. Covered entities should focus on the overall concepts and steps presented in this paper to tailor an approach to the specific circumstances of their organization.

Therefore, while the NIST publications might help you in doing the risk assessment, they are not binding on you.

June 25, 2015

QUESTION:        Our hospital would like to develop a “VIP” program by which certain individuals would receive special recognition when they are hospitalized. For example, current or past members of the Board of Directors or other individuals who have served the community might receive a card, flowers or a personal visit. Is such a program acceptable under HIPAA?

ANSWER:          HHS has issued no guidance on this topic. However, we believe a VIP program poses little risk under the HIPAA Privacy Rule.

The Privacy Rule permits hospitals to use or disclose protected health information for its own “health care operations.” “Health care operations” is defined broadly to include “general administrative activities,” which could reasonably be interpreted to include efforts to build and maintain relationships with individuals who are involved in the affairs of the community.

Of course, some hospitalized individuals who are particularly concerned with privacy may complain that the VIP program does not actually involve health care operations. One way to limit the possibility of such complaints is to ensure that any individual who has opted out of the facility directory, as permitted by the Privacy Rule, does not receive special recognition. More broadly, any dissemination of information within the hospital should be limited to those with a “need to know” for purposes of the VIP program.

Another way to limit complaints is to ensure that the health information of a patient is not disclosed outside of the hospital. For example, if flowers or other small gifts are ordered, they should be sent to an administrator’s office and then re-directed to the patient. Patients may expect hospital personnel to know they are hospitalized, but they may object to that information being shared with the local florist or other merchants.

We are unaware of any enforcement actions involving VIP programs, which might suggest that they are not viewed as a HIPAA violation by HHS. However, hospitals that choose to implement them should do so in a way that protects patient privacy and limits the disclosure of patient information.

June 11, 2015

QUESTION:        Our professional practice evaluation committee (“PPEC”) recently obtained an external review of a neurosurgery case that involved significant complications and a poor outcome for the patient. We shared the de-identified results of that review with the surgeon and invited him to submit his written comments and meet with the committee. Instead of doing so and without notice to the PPEC, he arranged for his own external review, by a neurosurgeon picked by him and unknown to the committee. He has submitted that review – which found no deviation from the standard of care – to the committee, with a statement indicating that no further review is required. What can we do with conflicting external reviews? Should we reprimand him for violating HIPAA?

ANSWER:        It can be frustrating when the leadership is attempting to deal openly and collegially with a colleague and its efforts are rebuffed. Such is the case here, where the neurosurgeon whose case is under review has ignored your request for his personal input and his attendance at your upcoming meeting and, instead, has obtained an unauthorized review by a third party. Your knee-jerk reaction may be to reprimand him or disregard his unsolicited expert opinion out-of-turn. After all, you are trying to help this practitioner improve his performance and he is, by all observation, fighting you tooth and nail. While that perspective is understandable, we encourage you to also think about this from the neurosurgeon’s perspective before deciding on next steps.

First, to get the legal issue out of the way, please note that there does not appear to be a violation of HIPAA’s privacy regulations, since the neurosurgeon is part of an organized health care arrangement with the hospital (as are all doctors who are members of the Medical Staff) and, in any event, the disclosure of information he made to his external reviewer was limited to records of a patient that he and the hospital have both treated and was for the limited purpose of quality improvement. HIPAA permits disclosures in such situations.

While HIPAA may not have been violated, the neurosurgeon’s actions may have nevertheless violated the hospital’s policies. For example, the hospital may have policies requiring all external reviews to be arranged through a specific person (such as the CEO or CMO) or body (such as the MEC), to ensure that any contracts for such reviews include appropriate protections. Further, the hospital may require its own business associate agreement or a confidentiality policy to be signed by any reviewer prior to sending that reviewer medical records. In this case, because the review was arranged by the neurosurgeon, but involved the disclosure of the hospital’s records, the hospital lost the opportunity to protect itself through the contract with the reviewer. It would be appropriate to follow up with the neurosurgeon by requesting a copy of the business associate agreement and, consistent with any hospital or Medical Staff policy, by notifying him of the appropriate process for arranging external reviews of care provided in the hospital.

Unless there is good reason to proceed otherwise, a reprimand is probably not necessary. Unless you have additional facts pointing to the contrary, it seems likely that this physician did not realize that his actions in obtaining an independent review informally – and without the authorization of the hospital and its Medical Staff leaders – could violate policy.

Now that you have the neurosurgeon’s independent review in your hands – what should you do with it? Medical Staff leaders often struggle with how to proceed in cases where experts disagree. Admittedly, this can seem like a “damned if you do and damned if you don’t” sort of situation. The good news is: Most courts give great deference to the decisions of hospitals and their Medical Staff leaders in matters involving Medical Staff appointment and clinical privileges. So, when facing conflicting information, your hands are not tied. You should feel comfortable looking at all of the information at hand, weighing each piece against the totality of information, and then finalizing a decision. Things to keep in mind:

  • Don’t reject the neurosurgeon’s independent review out of hand, simply because the neurosurgeon obtained it without notice to the PPEC and without going through formal channels. Consider the qualifications of the independent reviewer and the quality of the report that he or she supplied. Ask follow-up questions, if necessary. In the end, you may reject the review if the reviewer is not adequately qualified, does not have current clinical experience, or has not delved into the parts of the case that the PPEC thinks are relevant. If you do reject the report, or choose to give it little weight, articulate your reasons for doing so – and record those reasons in the minutes of the meeting where the matter is decided.
  • If the independent review seems well-informed and the reviewer seems well-qualified, you may try to work out the conflict between the PPEC’s external review and the neurosurgeon’s external review via any one or more options. First, you may choose to send the report submitted by the neurosurgeon to the PPEC’s external reviewer – and ask that your reviewer comment on the contrary conclusions. Second, you may choose to send the PPEC’s external review report to the neurosurgeon’s independent reviewer – and ask that reviewer to comment on the contrary conclusions. You could send both external reviews to a third external reviewer, who may act as a “tie breaker.” As a fourth option, you could choose to simply contact the neurosurgeon’s reviewer to question him about his conclusions – and verify that he had all relevant information about the care and about the PPEC’s concerns at the time he conducted his review and wrote his report.
  • In the end, the PPEC will need to weigh all of the information it has gathered before deciding how to proceed. This will mean considering all external reviews, any input from the physician, the opinions of the physicians who serve on the committee, and the physician’s peer review history, among other things. It must decide which sources of information are most credible, informative, relevant, and persuasive. Remember that the purpose of professional practice evaluation is to identify areas where there is room for improvement. Therefore, the leadership may choose to give less weight to a case review that concludes that there was “no deviation from the standard of care” (a term usually reserved for malpractice litigation, which relates only to whether the care is considered negligent by legal standards and not to whether the care satisfies your organization’s expectations) and more weight to a review which identifies strengths and weaknesses in the care that was provided.

Finally, one last point that, though discussed last, is not of least importance. The PPEC has invited the neurosurgeon to submit written feedback and to attend its upcoming meeting. The physician has ignored these requests. It is important that you follow up on these invitations – and not get sidetracked by the fact that the physician has submitted a report from an independent reviewer. Now is the time to follow up with the neurosurgeon. Tell him that you will consider the report he submitted, but that he must provide the written feedback and attend the meeting, as previously requested. If you have language in your Medical Staff Bylaws, Credentials Policy, or Professional Practice Evaluation Policy stating that individuals must provide information upon request by the leadership, or stating that they must attend meetings when given special notice that they are required to attend and that their care will be discussed, cite that language.

Make it clear that the leadership will not be thrown off course by the submission of the independent review – or by any other antics. Performance improvement can occur only if physicians under review actively participate in the professional practice evaluation process. Accordingly, it is important that this neurosurgeon get on board and work with the PPEC, collegially, to help it get to the bottom of what happened in this case to give rise to such serious complications and such a poor outcome.

April 2, 2015

QUESTION:    May physicians text or e-mail patient information to one another if such texts or e-mails are directly related to patient care? If so, does HIPAA require that such transmissions be encrypted?

ANSWER:       Any discussion of sending Protected Health Information (“PHI”) via text or e-mail should distinguish between: (1) the HIPAA Privacy Rule and (2) the HIPAA Security Rule:

(1)       The Privacy Rule is concerned with WHY information is being used or disclosed. Is there a permissible purpose? There is no violation of the Privacy Rule if a text or e-mail is for a treatment purpose.

(2)        The Security Rule is concerned with HOW information is transmitted and stored. Thus, while it may be appropriate for one physician to disclose PHI to another physician for treatment purposes, the Security Rule could be violated if the method used to transmit that information is improper.

The Security Rule has three categories of requirements:

(i)         Standards.

(ii)        Required Implementation Specifications.

(iii)       Addressable Implementation Specifications.

Covered entities must comply with all “Standards” and “Required Implementation Specifications.” As the name implies, “Addressable Implementation Specifications” do not always have to be implemented. Instead, each covered entity must evaluate whether an Addressable Implementation Specification is a “reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting” PHI. If so, the Addressable Implementation Specification must be implemented. If not, the covered entity must consider whether an alternative measure to protect security is feasible and must document its conclusions.

Encryption is an Addressable Implementation Specification. Thus, covered entities are expected to encrypt texts and e-mails if doing so is a “reasonable and appropriate safeguard in its environment.” In evaluating this question, covered entities should consider whether encryption would interfere with patient care (e.g., undue delays in transmission, retention of encrypted transmissions, etc.).