What do you do when your hospital discloses confidential information?
By Martin I. Kalish, M.D., and Jennifer Christianson
The health care industry knows that patient information generally must remain confidential, and most health care providers have spent a substantial amount of time educating themselves and putting proper procedures in place to prevent disclosures of confidential information. However, health care providers do not spend as much time educating themselves about what steps are appropriate when there has been a breach and confidentiality is not maintained. We intend to clarify these issues and make recommendations to protect the patient and minimize the health care provider’s liability.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), commonly referred to as the Privacy Rule, requires the security and confidentiality of personal health care information. It covers many actors in the health care industry, including health care providers as well as health plans and health care clearinghouses.
HIPAA protects a patient’s health care information that is maintained or transmitted by a health care provider or its business associate, whether that information is electronic, on paper or spoken. This information is referred to as “protected health information” (PHI) under the Privacy Rule, and includes any information relating to the patient’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual. A health care provider may not use or disclose PHI except either as the Privacy Rule permits or requires, or as the individual who is the subject of the information authorizes in writing.
Penalties for Violations of HIPAA
The penalties for disclosing PHI under HIPAA are severe. The United States Department of Health & Human Services (HHS) may impose civil monetary penalties on a health care provider of $100 per failure to comply with a Privacy Rule requirement; that penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year.
However, HHS may not impose a civil monetary penalty if (1) HHS concludes that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that he or she violated the provision or (2) the failure to comply with HIPAA was due to reasonable cause, not willful neglect, and the health care provider corrected the violation within 30 days of when he or she knew or should have known of the violation.
Thus, when a provider learns of a HIPAA violation, it is important to act quickly to identify how the breach occurred and implement appropriate corrective measures in order to meet the 30-day deadline (although, under extenuating circumstances, a health care provider may be able to obtain an extension of the 30-day deadline from HHS).
HIPAA regulations also include criminal penalties for violations of the Privacy Rule. Anyone who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a fine of $50,000 and up to one year imprisonment. This penalty may increase to $100,000 to $250,000 and up to five to 10 years of imprisonment if the disclosure involved false pretenses or the intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm. These criminal sanctions are enforced by the Department of Justice (DOJ).
In 2005, the DOJ issued an opinion in which it extended liability for prosecutions for HIPAA violations to health care providers; directors, officers and employers of health care providers who may be directly criminally liable; and third parties who cause, aid or abet, counsel, command, induce, procure, or conspire with a health care provider to act in violation of HIPAA.
Handling a Breach of the Privacy Rule
When there has been a breach of the patient’s privacy, depending on the circumstances of the breach, a health care provider may be required under HIPAA regulations to notify the patient and/or HHS or its Office for Civil Rights (OCR), the government entity responsible for HIPAA enforcement. It should also be noted that patients are entitled to request an accounting of disclosures of PHI from health care providers.
In addition, certain state laws have notification requirements when there has been a breach of security and confidentiality. These laws vary from state to state, and contain specific procedures and timeframes for such disclosures as well as special exemptions. In addition, a health care provider may be required under applicable state laws to maintain a record of all disclosures of information contained in the medical record to a third party, including the purpose of the disclosure request. This disclosure accounting may be maintained in the medical record, in which case it would be accessible to a patient who requests it. Therefore, it is important for the health care provider to be familiar with its state’s disclosure requirements as well as HIPAA requirements in the event there has been a breach of security or confidentiality.
HIPAA regulations also require a health care provider to “mitigate” the damage caused by a breach of the Privacy Rule. This duty means that the entity should take any and all necessary steps to mitigate the harmful effect of any disclosure and ensure that a breach does not happen in the future, which may include:
The duty to mitigate extends to breaches by a business associate of the health care provider. Accordingly, OCR has suggested that if a health care provider becomes aware of a breach by a business associate, the provider must take reasonable steps to cure the breach or stop the violation and, ultimately, must terminate the contract or relationship if these remedial steps are not successful. When termination is not feasible, OCR has suggested that the health care provider must report the problem to OCR.
In certain situations, health care providers may find that a complaint of a HIPAA violation has been filed against them with HHS. Upon receipt of a HIPAA complaint, HHS will notify the health care provider in writing and request a response, including any mitigating factors. The health care provider is entitled to a hearing and appellate rights prior to the imposition of any civil penalties by HHS.
Covering the Bases
Health care providers need to ensure that policies and procedures are in place for HIPAA compliance should there be a breach of the Privacy Rule. Once a breach is identified, health care providers should conduct a thorough investigation to determine what information was disclosed and if it was disclosed to an unauthorized person or persons. It is wise to have an independent third party, such as an attorney, perform this investigation because an independent party can be more impartial and an independent investigation may be received as more credible if it is necessary to report any information to a federal or state agency.
The health care provider must also determine whether it is required to inform the patient and the appropriate government agencies. Even when it is not necessary to disclose a breach to the patient under the federal and state laws, the provider must mitigate any damages caused by the disclosure and take the necessary actions against those persons who violated its privacy policies. Prompt action is essential when a breach has been identified to protect patients, minimize the risk of civil and criminal penalties, and ensure that the health care provider complies with the requirements of HIPAA.
Martin Kalish, M.D., J.D., and Jennifer Christianson, J.D., are attorneys in the Miami office of Zuckerman Spaeder LLP, where they focus their practices on health care regulatory, operational and litigation issues.
Hospitals & Health Networks welcomes your comment on this article. E-mail your comments to firstname.lastname@example.org, fax them to H&HN Editor at (312) 422-4500, or mail them to Editor, Hospitals & Health Networks, Health Forum, One North Franklin, Chicago, IL 60606.
This article first appeared on March 25, 2008, on the HHN Magazine online site.