Michigan Court of Appeals Rules State Law on Patient Privacy Trumps HIPAA in Certain Circumstances

A new published health law opinion from the Michigan Court of Appeals could have some far-reaching effects on HIPAA litigation.

In the case of Isidore Steiner, DPM, PC v Marc Bonanni, Dr. Bonanni was employed by Isidore Steiner, DPM, PC and his contract included a non-competition and non-solicitation provision. After Dr. Bonanni left his employment with them, Isidore Steiner, DPM, PC sued him for allegedly violating the non-solicitation provision of the contract and stealing their patients. In order to prove their allegations, Isidore Steiner, DPM, PC sought Dr. Bonanni's patient list during the discovery portion of the case.

The Michigan Court of Appeals found that the patient list was not discoverable because it was privileged under Michigan law. The Court held on April 7, 2011 that Michigan law protects the very fact of the physician-patient relationship from disclosure, absent patient consent; this means that the patient's name, address, and contact information are protected from disclosure in litigation. The Court found that HIPAA (which would have allowed the disclosure) does not preempt state law on this matter because state law is more stringent.

Generally, HIPAA requires patient consent for the disclosure of protected health information, just as Michigan state law does. In litigation, however, HIPAA has special provisions that allow for the disclosure of protected health information in response to a subpoena or court order if the provider receives adequate assurances that notice was provided to the patient or that reasonable efforts were made to secure a qualified protective order (QPO). Michigan law has no such exception and requires the patient's consent to reveal private patient information. Thus, it would seem that non-solicitation provisions in employment contracts may lose some of their weight unless a violation can be proven without reference to patient information. Under this latest Michigan Court of Appeals ruling, if an ex-employee violates such a contractual provision, the employer cannot obtain the ex-employee's patient list to prove its allegations that the employment contract was violated.


OCR Contemplates Electronic Medical Record Networks

In case you missed it, on December 15, 2008, the Office for Civil Rights (OCR) published information that suggests it is thinking about how HIPAA applies to the electronic exchange of health information in a networked environment.

In summary, so long as the primary purpose for and function of an electronic network is treatment oriented, HIPAA should not be a barrier to the development of an effective network. OCR's focus in its comments was on setting up electronic exchange networks so as to create a level of trust between patients and the covered entities participating in these networks. OCR recommends that patients be advised, either in the Notice of Privacy Practices or in some other document, that their health information will be used and disclosed for treatment purposes through an electronic network.

Some of the other points made by OCR in this guidance include the following:

  • While covered entities are not required to agree to allow patients to restrict otherwise permissible uses and disclosures of their information, a covered entity must have policies in place to deal with the issue and if a covered entity does agree to allow certain restrictions, the covered entity must abide by that agreement, except in an emergency situation;
  • OCR acknowledges that HIPAA does not require a covered entity to allow patients to "opt-in" or "opt-out" of an electronic network but suggests that the ability to afford patients that kind of choice will help build trust between patients and providers who use electronic networks;
  • Minimum necessary concepts apply to the electronic networks and the access of health information for payment and health care operations purposes through such networks;
  • Regardless of the scope or purpose of an electronic health information exchange network, any disclosures of health information by a covered entity through the network must comply with the Privacy Rule and, in addition, must also comply with any more stringent State law requirements;
  • Even in an electronic exchange environment, the HIPAA Privacy Rule requirement that patients consent to the disclosure of psychotherapy notes still applies;
  • Covered entities that set up electronic health information exchange networks must implement appropriate administrative, technical and physical safeguards to protect the privacy of the protected health information; and
  • Covered entities that participate in an electronic network need to be aware that whatever information they import into their electronic records via a network becomes a part of their legal medical record. However, network participation alone does not make all of the information about a patient that is accessible through the network a part of their legal medical record.

Overall, given the clients that I have worked with who are setting up, trying to set up, or thinking about setting up these kinds of electronic exchange networks, the OCR guidance is not overly enlightening but still helpful in that it confirms that there is a right way and a wrong way to set up such a network and that if you have the right goal -- facilitating better access to information for treatment purposes -- you should be able to get where you are trying to go.

Where HIPAA and FERPA Meet: Student Health Records and Disclosure Requirements

The Departments of Education and Health and Human Services have issued joint guidance on how the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.

FERPA is a federal law that generally prohibits an institution from disclosing the education records or personally identifiable information from education records, without a parent or eligible student’s written consent. An eligible student is one who is over 18 years of age or who attends a post-secondary institution at any age. FERPA applies to institutions that receive funds pursuant to any program administered by the U.S. Department of Education, including medical and other professional schools. Please note that if an institution receives funds in this manner, FERPA applies to the recipient as a whole, including all its components, such as a department within a university.

“Education records” are broadly defined to include records that are directly related to a student and that are maintained by an educational institution or by a party acting for the institution. At the elementary and secondary levels, this can include student health records. In post-secondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. If the disclosure is for purposes other than treatment, the records are then subject to FERPA’s requirements and can only be disclosed with the student’s written consent or under one of several enumerated exceptions to written consent.

HIPAA requires covered entities (health plans, health care clearinghouses and health care providers) to implement appropriate safeguards to protect the privacy of patients’ identifiable health information and to set limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Whether FERPA or HIPAA applies to a particular set of records first depends on the record holder’s status as a FERPA or HIPAA covered entity. In some situations, an entity may be both. For example, when a school provides health care to students in the normal course of business, such as through its health clinic, it is both a “health care provider” under HIPAA and subject to FERPA’s requirements. The analysis then hinges on whether the records meet FERPA’s “education” or “treatment” records definitions. If the records are education or treatment records under FERPA, HIPAA does not apply because HIPAA specifically excludes these records from coverage. For example, if a school is a HIPAA covered entity, and the only health records maintained by the school are education or treatment records under FERPA, the school does not have to comply with the HIPAA Privacy or Security Rules because these records are specifically excluded from coverage.

Other examples of arrangements where either HIPAA or FERPA applies:

  • If a person such as a school nurse acts on behalf of a school subject to FERPA, and maintains student health records, these records are education records under FERPA, just as if the school maintained them directly, even if the health care is provided to students off-site. HIPAA would not apply to these records.
  • FERPA applies to most post-secondary institutions. Student records at post-secondary campus health clinics are either education records or treatment records under FERPA, even if the school is a HIPAA covered entity. If the student health clinic is open to the public or school staff or both, the protected health information of the clinic’s non-student patients is still subject to HIPAA Privacy and Security Rules.
  • Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically education records or treatment records under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. If the hospital runs the student health clinic, clinic records of students would be subject to FERPA as education records or treatment records and not HIPAA.

There is a never-ending array of possible situations that may arise when considering the interplay between FERPA and HIPAA. Consult legal counsel when presented with a request for disclosure of student health information to avoid inappropriate disclosures of, or denials of access to, information.

FTC Red Flag Rules - Regulation From A New Direction

It never ceases to amaze me the number of varying directions from which hospitals and health care providers get regulated!

The most recent federal agency to jump on the health care regulation bandwagon appears to be the Federal Trade Commission (FTC). On November 9, 2007, the FTC, in conjunction with federal bank regulators, issued a set of regulations intended to combat identity theft. These regulations are commonly referred to as the "Red Flag Rules." The Red Flag Rules require financial institutions and other "creditors" to implement a program designed to detect, prevent and mitigate identity theft in connection with the creation and maintenance of "covered accounts."

Many hospitals and health care providers began to pay attention to these regulations a few months ago when word started to leak out that the Red Flag Rules might apply to hospitals and other health care providers. While the application of these rules to any specific transaction will depend upon the specifics of the transaction at issue, what does seem pretty clear at this point is that if you are affiliated with a health care provider that periodically allows patients to pay for their medical services through a series of payments over time, that health care provider is likely a "creditor" and needs to comply with the Red Flag Rules. Health care providers should, with very limited exception, expect to comply with the Red Flag Rules as of November 1, 2008.

Compliance with the Red Flag Rules is, in many ways, tied to your HIPAA compliance program and the policies and procedures health care providers already have in place. Similar to the HIPAA Security and Privacy Regulations, the Red Flag Rules deal with access to information in patient medical records and billing account records and the extent to which those records may be accessed and used to commit identity fraud.

To begin your compliance efforts, look to identify points of access or entry into patient records or accounts that might lend themselves to identity theft. Form a committee or task force made up of representatives from HIM, HIPAA privacy and security, patient accounts, patient registration, pharmacy and the emergency department. Ask this group to brainstorm the points of access to relevant patient information and to analyze specific examples and experiences with patient identity theft to begin to develop a sense of where your identity theft risk lies.

Next, look at your existing privacy and security policies developed as part of your HIPAA compliance efforts and then evaluate what changes or additions need to be made to those policies in order to minimize your identity theft risk. In addition, you may need to revise policies or add new policies that will alert you to identity theft when it occurs and guide your response to patient identity theft.

Other things you will need to do over time as you build your Red Flag Rules compliance program will include demonstrating Board approval and oversight of your program and amending your existing business associate agreements so that your business associates are contractually obligated to be your partners in this effort.

In addition to resources being developed by the American Health Lawyers Association, the AHA and other organizations, your compliance counsel should be available to assist with the development of a Red Flag Rules compliance program.