Healthcare Information Security

HIPAA and Compliance News

Judge Says HIPAA Regulations Do Not Apply in Organ Donor Case

A New York judge ruled that HIPAA regulations are not applicable in a case that tried to keep organ donor patients’ records protected.

HIPAA regulations not applicable in recent New York Supreme Court case.

Source: Thinkstock

By Elizabeth Snell

- Patient records from the New York Organ Donor Network are not liable to HIPAA regulations, according to a recent New York Supreme Court ruling.

A former network official claimed that four patients had not yet been declared legally dead before their organs were harvested, and had argued that the records in question were protected under HIPAA.

Plaintiff Patrick McMahon also claimed that he had been fired for being a whistleblower and stating that organs were being taken prematurely.

“Plaintiff alleges that he was fired after making complaints that defendant's employees were procuring organs from individuals without performing legally required tests,” the court documents explain. “Plaintiff further claims that in some instances, organs were taken from individuals who were still showing clear signs of life. Plaintiff claims that he was fired in violation of New York Labor Law.”

McMahon argued that the network was not a HIPAA covered entity and the four patients’ medical records should be turned over. The records “are material and necessary because plaintiff insists that each person showed signs of brain activity when their organs were harvested.”

The network reportedly acknowledged that it is not a HIPAA covered entity, but said it still must maintain patient confidentiality.

“Defendant also points out that it has entered into memorandums of understanding (MOUs) with hospitals in which defendant gains access to confidential patient information in order to facilitate the organ donor process,” the case stated. “Defendant maintains that it would defeat the purpose of HIP AA if it were required to comply with plaintiffs requests.”

Manhattan Supreme Court Justice Arlene Bluth ruled that the network is not a covered entity under HIPAA regulations, and must turn over the requested documents. The defendant “failed to identify a federal regulation or case law that would prevent this Court from requiring disclosure,” Bluth wrote.

Bluth added that the defense team did not cite a case or federal law that would prevent the disclosure. The network claimed that Liew v New York Univ. Med. Ctr was an example to follow.

In that case, the defendant was a hospital and wanted third-party defendant St. Luke's Hospital to produce medical records of a nonparty organ donor.

“The Supreme Court's opinion in Liew, which the Second Department affirmed without modification, noted that the ‘HIP AA Privacy Rule protects the confidentiality of these records,’” the decision explained. “This suggests that, although not-mentioned in the Appellate Division's decision, St. Luke's Hospital was a covered entity HIPAA. Because defendant is not a covered entity, this case is not binding based on the facts of this case.”

Furthermore, Bluth noted that HIPAA rules do not prevent document disclosure. HIPAA allows for organ procurement organizations (OPOs) to receive PHI from covered entities

HHS could have promulgated a rule stating that any protected health information received by an OPO from a covered entity must remain subject to HIPAA's privacy protections as if the OPO were a covered entity; HHS did not. Or HHS could have included OPOs in its definition of a covered entity; HHS did not.

Bluth stressed the importance of confidentiality. While OPOs are not covered by HIPAA, “these MOUs seek to assure the covered entities who provide information to defendant that protected health information will be kept confidential.”

“Providing this information might negatively impact these MOUs,” the decision stated. “But that possibility merely underscores the need for additional federal regulations addressing OPOs and their relationship with HIPAA.”

McMahon is prohibited from using the medical records in question for any purpose other than in the litigation, Bluth said.

“These provisions would satisfy the criteria for a qualified protective order required for disclosures in judicial proceedings even if defendant were a covered entity under HIPAA,” she wrote. “Plaintiffs motion is granted and defendant must produce the requested medical records of the four individuals in accordance with the parties' confidentiality order on or before April 26, 2017.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...