- HIPAA regulations are designed to keep healthcare organizations compliant, ensuring that sensitive data - such as patient PHI - stays secure. Should a healthcare data breach occur, covered entities or their business associates will be held accountable, and will likely need to make adjustments to their data security approach to prevent the same type of incident from happening again.
However, there are often questions and concerns in how HIPAA regulations tie into certain judicial or administrative proceedings. For example, if there is a subpoena or search warrant issued to a hospital, is that organization obligated to supply the information? What if the information being sought qualifies as PHI? Can covered entities be held accountable if they release certain information, and then that data falls into unauthorized individuals’ control?
This week, HealthITSecurity.com will break down how judicial proceedings, and other types of legal action, could potentially be impacted by HIPAA regulations. We will discuss how PHI could possibly be disclosed, and review cases where search warrants and similar issues were affected by HIPAA.
What does HIPAA say about searches and legal inquiries?
The HIPAA Privacy Rule states that there are several permitted uses and disclosures of PHI. This does not mean that covered entities are required to disclose PHI without an individual’s permission, but healthcare organizations are permitted to do so under certain circumstances.
“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” the Privacy Rule explains.
The six examples of permitted uses and disclosures are the following:
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for the purposes of research, public health or health care operations.
Under the public interest and benefit activities, the Privacy Rule dictates that there are “important uses made of health information outside of the healthcare context.” Moreover, a balance must be found between individual privacy and the interest of the public.
There are several examples that relate to disclosing PHI due to types of legal action:
- Required by law
- Judicial and administrative proceedings
- Law enforcement purposes
Covered entities and their business associates are permitted to disclose PHI as required by statute, regulation or court orders.
“Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided,” according to the HHS website.
For “law enforcement purposes” HIPAA regulations state that PHI can also be disclosed to help identify or locate a suspect, fugitive, material witness, or missing person. Law enforcement can also make requests for information if they are trying to learn more information about a victim - or suspected victim. Another important aspect to understand is that a covered entity can can disclose sensitive information if it believes that PHI is evidence of a crime that took place on the premises. Even if the organization does not think that a crime took place on its property, HIPAA regulations state that PHI can disclosed “when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.”
Essentially, covered entities and business associates must use their own judgement when determining if it is an appropriate situation to release PHI without an individual’s knowledge. For example, if local law enforcement want more information from a hospital about a former patient whom they believe is dangerous, it is up to the hospital to weigh the options of releasing the information.
How have HIPAA regulations affected court rulings?
There have been several court rulings in the last year discussing HIPAA regulations and how covered entities are allowed to release PHI.
Connecticut: The Connecticut Supreme Court ruled in November 2014 that patients can sue a medical office for HIPAA negligence if it violates regulations that dictate how healthcare organizations must maintain patient confidentiality. In that case, a patient found out that she was pregnant in 2004 and asked her medical facility to not release the medical information to the child’s father. However, the organization released the patient’s information when it received a subpoena. The case claimed that the medical office was negligent in releasing the information, and that the child’s father used the information for “a campaign of harm, ridicule, embarrassment and extortion” against the patient.
Florida: Just one month earlier, a Florida federal appeals court ruled that it is not a HIPAA violation for physician defendants to have equal access to plaintiffs’ health information. In this case, a patient sued his doctor for medical negligence. Florida law states that the plaintiff must provide a health history, including copies of all medical records the plaintiff’s experts relied upon in forming their opinions and an “executed authorization form” permitting the release of medical information. However, the plaintiff claimed the move would violate his privacy. The appeals court ruled that two instances applied in this case where HIPAA regulations state that covered entities are permitted to release PHI.
As demonstrated in these two court cases, it is not always easy for covered entities to necessarily determine on their own when they are compromising patient privacy and when they are adhering to a court order. However, by seeking appropriate counsel, healthcare organizations can work on finding a solution that meets the needs of all parties involved.