New Developments in Health Privacy and Security Law

July 23, 2008

Some health care providers and others dealing with health care records may have grown complacent about health privacy and security issues after the initial scramble to become HIPAA-compliant following the implementation of the HIPAA privacy and security rules several years ago.  However, two recent developments in the area of health information privacy should serve notice that it is now more important than ever to be vigilant about the proper use and disclosure of health information. 

On July 9, 2008, the Supreme Court of Ohio recognized an independent tort for an attorney’s unauthorized disclosure of an opposing party’s medical records obtained through litigation.  In Hageman v. Southwest Gen. Health Ctr., Slip Opinion No. 2008-Ohio-3343, the court considered the question of whether an attorney (representing the wife in a divorce case) may disclose medical information regarding the opposing party (i.e., the husband) where the medical information was lawfully obtained in connection with a divorce case but where the disclosure was made to a prosecuting attorney in connection with a separate but related criminal case against the husband defendant.  The court held that although the husband had waived the confidentiality of the medical records by seeking custody of his daughter in the divorce proceedings, this waiver should be limited only to the divorce case.  Thus, the disclosure of the medical information to the criminal prosecutor outside of the divorce case was improper, and the court recognized the husband’s right to seek damages against the wife’s attorney for such improper disclosure.  The Hageman case extends the earlier holding of the Supreme Court of Ohio in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d. 395 (1999), in which the court recognized both a cause of action by individuals against health care providers for unauthorized disclosure of health information to third parties and a cause of action by individuals against third parties who induce health care providers to wrongfully disclose health information.  Both Biddle and Hageman also show that Ohio law (and, indeed, other applicable state law) must be considered even if in a given situation the HIPAA laws may either be inapplicable or not violated.

And while the principal impact of the Hageman decision may be limited to Ohio, another recent action by the United States Department of Health and Human Services (“DHHS”) reminds us that compliance with the federal HIPAA laws is not simply a matter of having some policies and procedures on the shelf and that the consequences for non-compliance are very real.  On July 16, 2008, the DHHS entered into a Resolution Agreement with Seattle-based Providence Health & Services to settle potential violations of the HIPAA privacy and security rules.  The incidents giving rise to the agreement involved backup tapes, optical disks, and laptops – containing unencrypted protected health information of over 386,000 patients – left unattended and subsequently lost or stolen.  The DHHS Office of Civil Rights and the Centers for Medicare & Medicaid Services (“CMS”) investigated numerous complaints about the thefts and losses and found that Providence had failed to appropriately implement policies and procedures to safeguard the information.  In the settlement agreement, Providence agreed to pay a $100,000 fine and to implement a detailed corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.  In a press release announcing the settlement, the acting administrator of CMS commented, “This resolution confirms that effective compliance means more than just having written policies and procedures.  To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features.” 

The Providence settlement agreement reminds us that complaints about HIPAA violations are being actively investigated by the government and that serious violations may be met with significant penalties and other sanctions.  And the Hageman decision shows that the duty to protect and safeguard health information is not always limited to HIPAA and/or health care providers.  Feel free to contact us if you have questions about how these two developments might impact you or your business or if you would like help in reviewing your organization’s privacy and security safeguards.