Health Law Blog - Healthcare Legal Issues

Archive for February, 2018

Medical Alerts – HIPAA Implications of Flagging Patient Records

Tuesday, February 27th, 2018

Identification of AIDS Status Through Medical Alert System

Dentist Revises Process to Safeguard Medical Alert PHI

AIDS identification external alert HIPAAA recent OCR investigation of a dental practice’s flagging of patients records highlights a potential HIPAA violation.  The OCR investigation confirmed allegations that the dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover.   Records were handled so that other patients and staff without need to know could read the sticker.  A patient complaint commenced an OCR investigation into whether the practice potentially identified the AIDS status of patients within the office.

When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

The lesson here is not to place special medical alerts on the outside of physical patient records.  This is a particularly bad practice in a dental office where the typical office setup can result in visual identification by other patients.  If a patient is being escorted by staff and is seen by other patients, the identification on the outside of the patient’s chart can easily be connected to the patient.  This creates a very sensitive potential violation of HIPAA and other laws protecting against disclosure of the AIDS status of individuals.

Providing Protected Health Information in Response to Subpoena

Thursday, February 22nd, 2018

OCR Citation for Improper Disclosure of PHI in Response to a Subpoena

unauthorized release phi subpoenaA health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal.  this does not mean that a provider can simply release everything it has in a patient record when it receives a court order.  Some records, such as mental health or substance abuse records might have special protections or limitations that apply.  Additionally a provider should closely review the relevant order and only disclose the information that is specifically required by the order.

The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules.  Patient information can only be provided under subpoena if certain notification requirements of the Privacy Rule are met. The notification requirements require the provider who received the subpoena to obtain evidence that there were reasonable efforts to notify the person who is the subject of the information about the request.  This is intended to give the individual an opportunity to object to the disclosure, or obtain a protective order from the court.

The application of these rules are illustrated by a relatively recent OCR settlement involving a hospital that was accused of improperly disclosing PHI in response to a subpoena.  The hospital apparently failed to determine that reasonable efforts had been made to notify that individual whose PHI was being sought under the subpoena.  This had the effect of denying the individual the right to object or seek a protective order.

As part of the settlement with the Hospital, OCR required the hospital to revise its subpoena processing procedures. The new policies adopted by the offending hospital hold a lesson for all covered entities.  If a subpoena does not meet the requirements of the Privacy Rule, policy should require the covered entity to reach out to the party who issued the subpoena to explain the notification requirements.  Until those requirements are complied with, the information cannot be released.

Court Orders and Subpoenas – Release of Protected Health Information

Mental Health Center Settlement for Failure to Provide Patient Record Copies

Tuesday, February 20th, 2018

OCR Sanction for Failing to Provide Patient Access to Protected Health Information

OCR Settlements Illustrate Area of HIPAA Risk

Access to Medical RecordsIn this case that was settled with the Office of Civil rights, the provider was a mental health center that was accused of refusing to provide a patient with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist.  However, the provider failed to provide the patient with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement if they are separately maintained by the covered entity. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals’ identifiable health information and establish an array of individual rights with respect to health information, have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.  Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

In addition, two categories of information are expressly excluded from the right of access:

  1. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
  2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

Applying Section 1557 Discrimination Rules to Employer Sponsored Health Plans

Sunday, February 11th, 2018

Section 1557 Covered Entities and Employer Sponsored Health Plans

Health Plan 1557 ComplianceSection 1557 of the Affordable Care Act (ACA) prohibits “covered entities” discrimination in health programs that receive federal financial assistance from the Department of Human and Health Services.  Regulations were issued in 2016 that define the details of compliance with Section 1557 which prohibits discrimination based on race, color, national origin, age, disability and sex.  (including discrimination based on pregnancy, gender identity and sex stereotyping).  The stated purpose for the rules is to expand access and eliminate barriers to the ability to obtain health care coverage.

The definition of “covered entities” to which Section 1557 apply is extremely broad.  Through the broad definition, the requirements of Section 1557 apply to any health program or activity that received federal financial assistance through the Department of Health and Human Service.  This definition includes most health care providers, such as hospitals, nursing homes, and physician, who receive Medicare or Medicaid reimbursement, insurance marketplace and exchanges and participating health plans.

The Section 1557 rules extend to some (but not all) employers that are group health plan sponsors.  Determining whether Section 1557 applies to a specific employer can be quite complicated and is based on several factors such as the sponsor’s primary business function, the nature and extent of federal financial assistance, whether the employer plan is self-funded or insured, and variety of other factors.

Failing to comply with Section 1557, where necessary, can expose an employer to significant risk.  Significant compliance exposure, coupled with complicated rules defining application of Section 1557, make this an extremely important area for employers. Employers should carefully assess whether they are subject to the requirements of Section 1557 and take steps to assure compliance where necessary.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.