Access to Patient Medical Records During COVID-19

By Health Care Law Practice Group

Issues relating to a patient’s right of access to medical records have never been more important than now, in the midst of the COVID-19 pandemic.  Healthcare providers, big and small (from a large New York City non-profit providing health care and other services to the homeless population to small psychiatric services providers in Virginia and Colorado), are facing monetary penalties and having to comply with Corrective Action Plans (CAP) imposed by the Office for Civil Rights (OCR) with strict requirements and short deadlines.

One of these psychiatry services providers must distribute new policies and procedures concerning patient requests for records to all members of its workforce and relevant business associates within 30 days and to new employees upon hiring. Recipients are required to execute a certification that they have read, understood, and promised to abide by these policies and procedures. Training and individual certifications must be completed within 60 days. Going forward, the practice must implement annual training. Any reportable events must be fully investigated and described in a report as part of the full-scale written “Implementation Report.” The practice must submit the report to the U.S. Department of Health and Human Services (HHS) within 120 days. The CAP concludes with a “Final Report,” again containing specific terms and obligations of the psychiatry practice.

Warning to Employers and Medical Providers Alike Regarding Releasing COVID-19 Test Results!

By Employment Law Practice Group

So, your furloughed employee[i] is returning to work – Hooray!? Not so fast. Employers and the medical providers who are treating and perhaps testing these employees/patients for COVID-19 need to be wary about who is able to disclose and use testing information and to whom.  Both sides must tread carefully and follow strict guidelines in such situations.

For over two decades, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has governed disclosure of an individual’s protected health information and has prevented a medical provider from unilaterally disclosing sensitive health information to employers.  Even faced with a previously unimaginable global pandemic, from its implementation in 2003, the HIPAA Privacy Rule has had procedures in place that address this thorny legal issue.

Take the following hypothetical example: An employer furloughs an employee as a reduction in work force for financial reasons. While on furlough, the rumor mill is active and the employer “hears” that this employee may have been experiencing COVID-19 symptoms while on furlough.  May the employer reach out to the employee’s medical provider to obtain medical information specifically related to COVID-19 testing? May the provider release such information if the employer contacts the provider to inquire? Work-arounds exist under the HIPAA Privacy Rule or may exist when the employer pays for COVID-19 testing.

Option 1: Consent Upfront.

Troubling Practices by Hospitals for Patients’ Access to Medical Records Uncovered

By Health Care Law Practice Group

A new study published in JAMA Network Open and conducted by Yale University School of Medicine found troubling practices at U.S. hospitals relating to patients’ access to and provision of patients’ own medical records.  HIPAA’s Privacy Rule absolutely requires access to a medical record when properly requested under two circumstances:  (1) to the patient; and (2) to the Secretary of the Department of Health and Human Services.  Further, the patient must be provided records in his or her preferred format and for a reasonable processing fee.  Shockingly, only 53 percent of the hospitals surveyed provide patients an option to obtain their own medical records.  (Eighty-three top-ranked U.S. hospitals in 29 states were surveyed.)

Modernizing Healthcare Legislation in the Face of the Opioid Crisis

By Health Care Law Practice Group

In 2016, opioid overdoses accounted for more than 42,000 deaths in America. It was estimated that 11.5 million people misused opioid prescriptions and 2.1 million people suffered from an opioid use disorder that same year.[1] From July 2016 to September 2017, the Centers for Disease Control and Prevention found that opioid overdoses increased 30% in 45 states; however, the Midwest region alone saw a 70% increase.[2] On October 26, 2017, President Trump declared the opioid crisis a national Public Health Emergency under federal law.

While the federal government has responded by allotting six billion dollars to assist in the treatment and prevention of opioid overdoses, hospitals and medical providers still face barriers when it comes to the disclosure of medical information related to these overdoses due to conflicts between HIPAA and other federal law. Congress is working to resolve this conflict.

In 2017, the Department of Health and Human Services Office for Civil Rights (OCR) released a new HIPAA Guidance on when and how healthcare providers may share a patient’s health information with his or her family members, friends, and legal representative if the patient is in crisis. Current HIPAA regulations permit (but do not require) healthcare professionals to disclose health information without a patient’s consent if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment of care. This allows a provider to talk to the parents of someone incapacitated by an opioid overdose about the overdose, but generally does not allow disclosure of medical information unrelated to the overdose without the patient’s permission.

The Intersection of HIPAA and Cloud Storage

By Katherine M. Flett

Our ever-evolving technological society is raising new questions about how to reconcile complex health data protection laws with cloud storage.  Storage of data in the “cloud” allows users to store, maintain, and manage data remotely on the internet.  Its advantages include accessibility of the cloud-stored data from any location via the internet, emergency back-up capacity, and even cost savings.  An online search for HIPAA-compliant cloud storage companies reveals that there is no shortage of companies that advertise their “HIPAA-compliant cloud services.”  It is important to remember that working with a company that claims its cloud storage “is HIPAA compliant” does not excuse you from meeting HIPAA requirements.  Due diligence is required both when selecting such a company and when entering into appropriate contractual arrangements with it.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) is responsible for overseeing protection of sensitive health data under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). OCR issued guidance on October 6, 2016, explaining how to safeguard electronic health information protected by HIPAA in today’s widespread cloud networking environment.

HIPAA applies to “covered entities,” and this article will focus on one such covered entity, the health care provider.  Most health care providers do not perform all of their health care functions by themselves and instead often use a range of services offered by others, called “business associates” under HIPAA.  Health care providers are permitted to disclose protected health information (“PHI”) to these business associates (“BA”) as long as they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the health care provider, will safeguard the information from misuse, and will help the health care provider comply with some of the health care provider’s duties under HIPAA, through the execution of business associate agreements.

HIPAA Non-Compliance Results in Largest Single-Entity Settlement to Date

By Katherine M. Flett

On August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into a settlement agreement with Advocate Health Care Center (Advocate) in which Advocate agreed to pay $5.5 million to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  This is the largest HIPAA settlement against a single entity to date, and according to OCR, is due to the severity of the violations and the length of time that those violations continued.

According to OCR’s press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate instances of breach of unsecured electronic protected health information (ePHI).  The combined breaches resulted in unsecured access to over four million patients’ information.

Mizzou Story Highlights Tension Between Doctor-Patient Privilege and Protecting the Patient

By Health Care Law Practice Group

A story concerning the death of a female athlete by suicide, her alleged rape, and the role played by the university she attended in the tragic facts has placed the issue of patient confidentiality squarely in the headlines.  The story highlights the care that must be taken to protect a patient’s ability to speak candidly and honestly to his or her medical provider without fear that such information will be divulged to anyone else without the patient’s permission.

The female student athlete had committed suicide in 2011, approximately 16 months after her alleged rape in 2010 by another student athlete at the school.  According to an email posted to Mizzou’s website on January 24, 2014, an ESPN producer of “Outside the Lines” wanted to know if University of Missouri officials planned to investigate or notify law enforcement about the alleged rape.  Just hours before publishing the story, the ESPN producer asked university officials:

A Long Road to HIPAA Compliance: Privacy and Security Audits

By Health Care Law Practice Group

Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was implemented in 2003, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has not conducted a formalized plan for auditing health care providers, insurance plans and other covered entities … until now.

OCR recently announced its pilot program to audit covered entities for privacy and security compliance and says that in 2012 it will conduct up to 150 audits in its effort to ensure that covered entities and their business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification Standards. The OCR website provides useful information about this program and its objectives.

Previously, there was no mandated auditing process as a part of HIPAA, but rather reviews of covered entities typically would occur as complaints were raised by patients or consumers. With the American Recovery and Reinvestment Act of 2009, Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH) amended portions of HIPAA and requires HHS to develop procedures for auditing covered entities to verify compliance with the Privacy Rules and breach notification.

Covered entities need to ensure that their policies and procedures are updated for privacy and security compliance efforts. The entity must be prepared to provide documentation of its procedures, including with regard to breach notification, and documentation that its key personnel have been trained. Training does not include simply having a notebook containing policies and procedures that no one knows how to use.

According to the OCR website, the timeline is fairly quick, so individuals within the covered entity should be prepared to know what to do upon receiving a written notification that an audit is coming. If a “serious compliance issue” is found, OCR may initiate a compliance review to address the problem.

Of course, OCR will continue to accept complaints from individuals, and covered entities, through their privacy officers, must continue to accept complaints from individuals as well. The goal of the pilot audit program appears to be to identify best practices and discover risks and vulnerabilities that otherwise have not come to light through the complaint process.

Covered entities that are prepared will shine, while those that are not prepared will have some explaining to do.

Electronic Health Records: Could Your Practice Be at Risk?

By Health Care Law Practice Group

The federal government’s efforts at incentivizing medical providers to use electronic health records (EHRs) may be putting some practices at risk.

In “Electronic Records May Increase Malpractice Lawsuit Risk,” Neil Versel with Information Week refers to a white paper published by the AC Group, a Montgomery, Texas, health IT research and consulting firm. The white paper describes the kinds of risks that medical practices may face if they try to implement EHRs too quickly without the appropriate vendors.

Even vendors who have been certified by the Office of the National Coordinator for Health Information Technology (ONC) have been found lacking in the area of “medico-legal training.” For example, according to Versel, it has been discovered that ONC certification may not require providers “to check drug orders against laboratory results or take into account social and family medical history in creating alerts,” such as the need for more frequent mammograms for a female patient with a mother who has had breast cancer.

Here are just a few other issues that have arisen:

  • Critical safety alerts are being missed due to incomplete medication lists;
  • Problems with time synchronization of records between electronic charting systems; and
  • A high percentage of EHRs do not run drug interaction checks when filling prescriptions.

So to the medical practice community: buyer beware.

The Security Breach Notification Rule

By Health Care Law Practice Group

A security breach notification only applies to “unsecured PHI.” HHS considers PHI “unsecured” unless it is encrypted or completely destroyed; generally, those are the only two ways HHS has said PHI can be considered “secured.” If a practice’s PHI is secured in one of those ways, the covered entity does not need to develop internal procedures for notification of security breaches. In any event, those practices should review their existing Notice of Privacy Practices to update it with respect to the new notification rule.

HHS has defined “breach” to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. As we learned when the Privacy Rule was implemented, PHI generally cannot be used or disclosed without the individual’s prior, written authorization. However, the Privacy Rule also contains a laundry list of exceptions to the general rule. Consequently, covered entities may often have to scrutinize the Privacy Rule to determine whether a breach, indeed, even occurred. Hence, a breach will only occur if the following requirements are met: