By Charles I. Artz, Esq.
The HIPAA Privacy regulation’s compliance date arrived on April 14, 2003. Panic, overreaction, paranoia and misinformation have flooded the HIPAA Privacy marketplace of ideas. Consultants and businesses attempting to sell their wares to physicians have all too often started a sentence with the phrase “HIPAA says …”, which frequently ends with a serious misunderstanding of the law or, in other cases, blatant falsehoods. This includes advice that sign-in sheets are illegal, all medical records must be stored in files in locked rooms, and the Get Smart cone of silence must descend upon a physician and patient before the physician may utter a word of medical advice that someone else may hear.
This is article is designed to provide physicians with practical tools to deal with some of the more frequent problems the author has resolved as a result of this regulatory morass.
The HIPAA Privacy Rules apply only to “covered entities.” To be a covered entity, a physician must transmit health information in electronic form in connection with a HIPAA Transaction. The Administrative Simplification Act (perhaps the greatest oxymoron of all time), of which the Privacy Rule is one part, defines “Transaction” to include health care claims or encounter information, health care payment, health care claim status, referral certification and authorization, and so on.
Three elements are necessary for a health care provider to be a “covered entity”: (1) satisfying the definition of health care provider; (2) engaging in one or more HIPAA Transactions; and (3) engaging in a HIPAA Transaction electronically, or having someone do so electronically on behalf of the physician. The Preamble to the Privacy Rule contains several illustrations confirming that not every health care provider is automatically a “covered entity.” In fact, unless a physician also conducts at least one of the ten HIPAA Transactions and does so electronically or someone else does so on behalf of the physician electronically, the physician is not a covered entity and need not comply with the HIPAA Privacy regulations.
Privacy Stakes High Even For Non-Covered Entity
Even if a physician is not a covered entity, the physician still must comply with state law confidentiality requirements. In addition to a potential licensure disciplinary action for improperly disclosing protected health information obtained within the confines of the physician-patient relationship, which could form the basis of licensure disciplinary action, Superior Court recently created a new private right of action against physicians for breach of confidentiality. In Haddad v. Gopal (2001), Superior Court held that a physician may be sued for breach of physician-patient confidentiality if the physician obtains confidential diagnostic and treatment information:
• In the context of the physician-patient relationship, and
• Discloses any of that information to a third person other than the patient.
• Without the patient’s express written consent, and
• Where the disclosure occurs outside of any litigation or judicial proceedings.
To that extent, even if a physician is not a covered entity, the physician still cannot release protected health information without the patient signing a document very similar in scope to a HIPAA-compliant Authorization for release of protected health information form.
Some attorneys and medical record firms are taking the position that “HIPAA Privacy explicitly authorizes disclosures made pursuant to a valid subpoena.” Were they to have actually read the HIPAA Privacy Rules, it would be clear that no regulatory text exists at the typical reference cited. On the contrary, the HIPAA Privacy regulations describe in substantial detail the very limited circumstances under which PHI may be disclosed pursuant to a subpoena.
We take the position that physicians are not legally permitted to disclose their patient’s PHI absent the execution of a HIPAA-compliant Authorization or an order of court following a motion to compel discovery.
Letters from personal injury attorneys often fail to address the satisfactory assurance obligations imposed on physicians and other covered entities under the Privacy Rule regarding subpoenas. Disclosure of PHI pursuant to a subpoena absent a court order is permissible only if the physician receives satisfactory assurance that the party seeking the information has made reasonable efforts to either (1) comply with the detailed Notification rule or (2) secure a qualified protective order (QPO).
The party seeking the patient’s PHI must send the physician a written statement and accompanying documentation demonstrating that:
• The party requesting the PHI has made a good faith attempt to provide written notice to the patient,
• The notice includes sufficient information about the litigation proceeding in which the PHI is requested,
• The notice describes how the patient may raise an objection to the court about all or part of the PHI that the patient may not want to have disclosed pursuant to the subpoena, and
• The time for the individual to raise objections to the court has elapsed, and either no objections were filed by the patient or all objections filed by the patient have been resolved by the court and the disclosures being sought are consistent with such resolution.
The Rule 4009.21 legal procedure is insufficient since it does not satisfy each and every one of the mandatory elements outlined above.
The physician’s second option is to receive satisfactory assurances from the party seeking PHI, via a written statement and accompanying documentation, demonstrating that (1) the parties to the litigation have agreed to a qualified protective order and have presented it to the court, or (2) the party seeking the PHI has requested a qualified protective order from the court. The QPO must contain extensive requirements, which are typical of federal and state court protective orders.
The physician, as the covered entity, maintains the freedom to choose the method by which he will receive his satisfactory assurance from the party seeking disclosure of PHI. The foregoing analysis demonstrates that the conclusory statement used by many attorneys and medical records companies is incorrect.
The HIPAA Privacy Rules defer to state law that is more stringent than any HIPAA Privacy standard, requirement, or implementation specification. A state law is more stringent if it restricts a disclosure in circumstances under which such a disclosure otherwise would be permitted under the HIPAA Privacy Rule. As will be described in detail below, Pennsylvania law with respect to physician confidentiality in the context of a subpoena is more stringent than the HIPAA Privacy standards.
The State Board of Medicine’s regulations preclude disclosure of PHI obtained through the physician-patient relationship without prior consent. The only exception applies to any statutory obligation to disclose without patient consent. No Pennsylvania statute authorizes disclosure of medical records pursuant to a subpoena. On the contrary, case law has held that a physician’s disclosure of PHI absent consent pursuant to a subpoena violates the Medical Board’s confidentiality provision.
In Rost v. State Board of Psychology (1995), Commonwealth Court upheld licensure disciplinary action imposed against Dr. Rost because she released her patient’s records to defendant’s counsel in litigation pursuant to a subpoena, but did not seek the consent of her patient. Because the subpoena in that case did not have the imprimatur of a Judge, but was simply a subpoena obtained and distributed by counsel, Commonwealth Court determined Dr. Rost violated patient confidentiality and was subject to licensure discipline. The Court rejected out of hand Dr. Rost’s excuse that she was unfamiliar with legal process and that the attorneys intimidated her to release the confidential information. The Court ultimately held that Dr. Rost’s duty of confidentiality would be illusory if it could be overridden anytime a conflicting duty arose which was thought to be more important, i.e. a subpoena. The holding is equally applicable to physicians’ confidentiality obligations.
The Rost decision stands for the proposition that a licensed health care professional who discloses PHI without a valid patient Authorization – in response to a subpoena issued by an attorney – violates statutorily imposed confidentiality restrictions. The State Board of Medicine’s confidentiality provision is virtually identical to the statute at issue in Rost. The Haddad v. Gopal decision exposes the physician to a monetary damages claim for breach of confidentiality. Therefore, state law on this point is more stringent than the HIPAA Privacy Rule Notification Rule. It may also be more stringent than an agreed-to QPO; however, were the court to sign off on the QPO, Commonwealth Court’s analytical obligation described in Rost would be satisfied. Accordingly, absent the patient’s fully executed HIPAA-compliant Authorization, the presentation of a court-sanctioned QPO to the physician, or a court order directing disclosure of PHI, physicians should not disclose PHI requested via subpoena.
Debunking Hospital Paranoia and Overreaching
A surprising number of hospital administrators take the position that a physician must produce a signed HIPAA-compliant Authorization in order for the hospital to produce laboratory test results for a patient either awaiting treatment in the physician’s office, or who is about to come into the office for care. Physicians routinely take the position that the information must be produced timely in order to deliver high quality medical care.
There is no dispute that medical test results constitute PHI, or that utilization of the PHI at issue is applicable to the Treatment of both the hospital and the physician. The HIPAA Privacy regulations, as revised in August 2002, unequivocally contemplate a permissible disclosure of PHI under these precise circumstances, as follows: “A covered entity may disclose protected health information for treatment activities or a health care provider.”
Hospitals are covered entities. Physicians are health care providers. The physician’s analysis of the PHI contained in the diagnostic test result satisfies the definitions of both “Treatment” and “Health Care” under the HIPAA Privacy regulations. Because the disclosure is for Treatment purposes, an Authorization is not required. (Authorization required for use or disclosure of PHI for other than Treatment, Payment or Health Care Operations).
The Preamble to the August 2002 regulatory changes supports this analysis. For physicians who have access to the actual regulatory text and the Preamble, see 67 Federal Register 53209, 53210, 53212 and 53214 (August 14, 2002). Several illustrations exist at those citations confirming that the modified regulations clearly facilitate the flow of PHI from hospitals to physicians because HHS “does not want to compromise timely access to quality health care.”
Physicians should not stand for the imposition of additional paperwork hassles where the federal government unequivocally intended to eliminate any impediments to the flow of PHI for Treatment and Health Care purposes between hospitals and physicians who have provided service to the same patient.
Charles I. Artz, Esq. is the founder of Charles I. Artz & Associates, a Harrisburg-based law firm.