Wearables, Wellness and Privacy

Bloomberg BNA recently reported that this fall the Center for Democracy & Technology (CDT) will be issuing a report on Fitbit Inc.’s privacy practices. Avid runners, walkers or those up on the latest gadgets likely know about Fitbit, and its line of wearable fitness devices. Others may know about Fitbit due to the need to measure progress in their employers’ wellness programs, or even whether they qualify for an incentive. When participating in those programs, employees frequently raise questions about the privacy and security of data collected under such programs, a compliance issue for employers. Earlier this month, FitBit reported that its wellness platform is HIPAA compliant.

FitBit’s Charge HR (the one I use) tracks some interesting data in addition to the number of steps: heart rate, calories burned, sleep activity, and caller ID. This and other data can be synched with a mobile app allowing users to, among other things: create a profile with more information about themselves, to track progress daily and weekly, and to find and communicate with friends also using a similar device.

Pretty cool stuff, and reasons why FitBit is the most popular manufacturer of wearables with nearly 25 percent of the market, as noted by Bloomberg BNA. But, of course, FitBit is not the only player in the market, and the same issues have to be considered with the use of wearables regardless of the manufacturer.

According to Bloomberg BNA’s article, one of the concerns raised by CDT about FitBit and other wearables is that the consumer data collected by the devices may not be protected by federal health privacy laws. However, CDT’s deputy director of the Consumer Privacy Project stated to Bloomberg BNA that she has “a real sense that privacy matters” to FitBit. This is a good sign, but the laws that apply to the use of these kinds of devices depend on how they are used.

When it comes to employer-sponsored wellness programs and health plans, a range of laws may apply raising questions about what data can be collected, how it can be used and disclosed, and what security safeguards should be in place. At the federal level, the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA) should be on every employer’s list. State laws, such as California’s Confidentiality of Medical Information Act, also have to be taken into account when using these devices in an employment context.

Recently issued EEOC proposed regulations concerning wellness programs and the ADA address medical information confidentiality. If finalized in their current form, among other safeguards, the regulations would require employers to provide a notice informing employees about:

  • what medical information will be obtained,

  • who will receive the medical information,

  • how the medical information will be used,

  • the restrictions on its disclosure, and

  • the methods that will be used to prevent improper disclosure.

Preparing these notices for programs using wearables will require knowing more about the capabilities of the devices and how data is accessed, managed, disclosed and safeguarded.

But is all information collected from a wearable “medical information”? Probably not. The number of steps a person takes on a given day, in and of itself, seems unlikely to be medical information. However, data such as heart rate and other biometrics might be considered medical information subject to the confidentiality rule. Big data analytics and IoT may begin to play a greater role here, enabling more detailed pictures to be developed about employees and their activities and health through the many devices they use.

Increasingly wellness programs seek to incentivize the household, or at least employees and their spouses. Collecting data from wearables of both employee and spouse may raise issues under GINA which prohibits employers from providing incentives to obtain genetic information from employees. Genetic information includes the manifestation of disease in family members (yes, spouses are considered family members under GINA). The EEOC is currently working on proposed regulations under GINA that we are hoping will provide helpful insight into this and other issues related to GINA.

HIPAA too may apply to wearables and their collection of health-related data when related to the operation of a group health plan. Employers will need to consider the implications of this popular set of privacy and security standards including whether (i) changes are needed in the plan’s Notice of Privacy Practices, (ii) business associate agreements are needed with certain vendors, and (iii) the plan’s risk assessment and policies and procedures adequately address the security of PHI in connection with these devices.

Working through plans for the design and implementation of a typical wellness program certainly must involve privacy and security; more so for programs that incorporate wearables. FitBits and other devices likely raise employees’ interest and desire to get involved, and can ease administration of the program, such as in regard to tracking achievement of program goals. But they raise additional privacy and security issues in an area where the law continues to develop. So, employers need to consider this carefully with their vendors and counselors, and keep a watchful eye for more regulation likely to be coming.

Until then, I need to get a few more steps in…

Article By Joseph J. Lazzarotti of Jackson Lewis P.C.

HIPAA: Disclosing Exam Results to Employers

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92).

An employee who receives an unfavorable test or exam result may attempt to block disclosure by revoking their authorization. Although patients are generally entitled to revoke their authorization by submitting a written revocation, HIPAA contains an exception that limits revocation if and to the extent that the provider has taken action in reliance on the authorization. (45 CFR 164.508(b)(5)). That exception should apply when the provider has conditioned and provided the test or exam in reliance on the patient’s authorization.

There are very limited exceptions to the authorization requirement. As in other situations, a provider may disclose protected health information to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (45 CFR 164.512(j)), or if the disclosure is otherwise required by law. (Id. at 164.512(a)). HIPAA contains a specific exception that allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. (Id. at 164.512(b)(v)). Finally, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers compensation laws. (Id. at 164.512(l)).

The bottom line: if you are a physician or other provider who conducts employment physicals, tests, or exams, be sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing test or exam results to the employer.

Copyright Holland & Hart LLP 1995-2015.

Moving to the Cloud: Some Key Considerations for Healthcare Entities

Covington & Burling LLP

Healthcare providers, health plans, and other entities are increasingly utilizing cloud services to collect, aggregate, store and process data.  A recent report by IDC Health Insights suggests that 80 percent of healthcare data is expected to pass through the cloud by 2020.  As a substantial amount of healthcare data comprises “personal information” or “protected health information” (PHI), federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, raise significant questions for healthcare providers and health plans utilizing the cloud in connection with such data.  Such questions include whether HIPAA requirements extend to cloud providers, how and if entities storing health data on the cloud will be notified in case of a breach, and whether storage of data overseas by cloud providers triggers any additional obligations or concerns.

Given the complex legal issues at play, any contract between a healthcare provider or health plan and a cloud service provider that involves using the cloud in connection with PHI should therefore address the regulatory restrictions and requirements applicable to PHI.  By way of example, recent guidance from the HHS Office for Civil Rights suggests that health care providers must likely have a business associate agreement in place with their cloud service provider.  Moreover, although cloud providers might not regularly access the data they store and may never “use” or “disclose” that data as those terms are defined under HIPAA, cloud providers probably need to adhere to HIPAA breach notification requirements.  There have also been indications of late that HHS may consider it advisable, if not required, that entities subject to the HIPAA Security Rule encrypt PHI data even when that data is at rest and not being transmitted electronically.  The recent data breaches involving health plans Anthem and Premera highlight the vulnerability of health care data and may lead to additional pressure for providers to implement additional encryption measures.

Even if HIPAA rules do not apply to cloud service provider contracts, healthcare providers and health plans storing data on the cloud should be aware that many states now have privacy and breach notification laws which could come into play.

Finally, in addition to addressing the regulatory requirements and data privacy and security, a healthcare provider or health plan should negotiate appropriate service level terms with the cloud provider that address such issues as the performance requirements for the cloud network and the process and procedures for addressing problems with the cloud network.  The healthcare provider or health plan should also include appropriate back-up and disaster recovery provisions in the contract with the cloud provider, as well as appropriate remedies in the event it suffers losses as a result of the contract.

ARTICLE BY

Covington E-Health

Still Waiting for ADA and GINA Guidance on Wellness Incentives

Jackson Lewis P.C.

March is here. The EEOC’s perspective on wellness program incentives is not. Yet again.

In its Fall 2014 regulatory agenda, the EEOC stated it would be issuing in February 2015 amended regulations concerning the size of incentives an employer may offer, yet still have a “voluntary” wellness program under the ADA and GINA.  The EEOC listed these same amendments on its Spring 2014 regulatory agenda. The regulatory agenda is a preliminary statement of priorities under consideration and is not a binding commitment to issue the regulations on the stated date.

The EEOC noted on its agenda that these amendments were needed to address whether an employer’s compliance with HIPAA rules concerning wellness program incentives, as amended by the Affordable Care Act (ACA), also complies with the ADA. The EEOC added that an amendment would also address the size of inducements allowed under GINA “to employees’ spouses or other family members who respond to questions about their current or past medical conditions on health risk assessments.”

The allowed size of wellness incentives matters to the growing number of employers with wellness programs. The ACA has a clear compliance standard for such incentives.  Until 2014, the EEOC had stayed on the sidelines of the wellness incentive debate, not offering any guidance beyond its general view that if the incentive was too large, the program was not “voluntary.”

In 2014, the EEOC sued three employers, claiming the size of their wellness incentives (or penalties, depending on your perspective) transformed otherwise voluntary wellness programs into involuntary programs. In the third case, the EEOC sought to enjoin the company from continuing the incentives in its wellness plan. There was no claim that the incentives violated the ACA standard. Our report on that case is here.

At the oral argument on the injunction hearing, the court asked the EEOC numerous times to define the line between a lawful and unlawful incentive under the ADA and GINA. The EEOC declined to define a specific line. The court denied the EEOC’s injunction request.

More than a year ago, we posted that waiting for the EEOC’s guidance on incentives under wellness programs is like waiting for Beckett’s Godot, where Estragon and Vladimir lament daily that Godot did not come today, he might come tomorrow. The waiting continues.


Bring Your Own Device To Work Programs: Regulatory and Legal Risks and How To Minimize Them

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm

If you’ve ever left your mobile phone on an airplane, in a restaurant, or somewhere other than in your possession, you know it’s frightening enough to think of losing the device itself, which costs a premium, as well as your personal photos or information stored on the device. Now imagine if you lost your mobile phone, but it also had protected health information (PHI) associated with your health care work stored on it.  The lost device suddenly presents the potential for reputational damage and legal or regulatory obligations, in addition to the inconvenience and cost of replacement.

Mobile phones are lightweight, palm sized, and cordless, which makes them convenient and easily portable. These same features make mobile phones highly susceptible to theft or loss. As such, there are serious compliance risks to consider and mitigate when allowing personal mobile device use for work purposes, or a bring your own device (BYOD) program, especially in a healthcare setting. Despite the known risks, current research shows that in some industries, up to 90% of employees are using their personal devices for work purposes whether “allowed” or not.  For example, an assisted living nurse using a personal device for work purposes might send a text message to a patient’s primary care physician (PCP) to obtain guidance or to provide an update.  That communication includes PHI, raising compliance obligations, such as state laws or HIPAA security requirements. In the long term care setting, it’s also a clear violation of applicable privacy laws, and the Centers for Medicare and Medicaid Services has been citing such infractions on surveys and will continue to do so.  We suspect the Division of Health Service Regulation would do likewise under state law if this occurred in an adult care home.

There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices. However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients. One such step is implementing a mobile device management (MDM) solution. An MDM solution allows a secure connection for employees to access work networks and information resources remotely, using an application installed on their personal device. That solution keeps “work applications” such as the employer’s email program technically separated from “personal applications” like social media apps. In addition, an MDM solution allows the employer to force technical controls on the device, such as password requirements, encryption or the ability to remotely wipe all data from the device.

Recognizing that employers must relinquish ownership and technical control to make a BYOD program work, employers also must implement robust policies and procedural controls. For example:

  • Permissible Uses. Document the permissible uses of personal devices for work purposes, including whether employees are ever permitted to transfer PHI or other types of sensitive personal information on a personal device and the employment terms associated with such uses.

  • Device Security Controls. Document the policies that govern device controls (such as requiring employees to use passwords, up-to-date malware protection, device time-out, authentication or encryption on the device).

  • Training and Sanctions. Enforce training requirements and frequency as part of the terms of use and implement clear sanctions policies for unauthorized access or use.  Employers may also consider whether the same training and policies/procedures will apply to vendors or contractors.

  • HR Policies.  Review other important employment law considerations such as employee privacy rights, social media policies, and policies for removing applicable data from the devices of terminated or exiting employees.

There are many compliance considerations to keep in mind when deciding whether to implement a BYOD program. A comprehensive security framework, including technical controls, policies, procedures, and training, can reduce the high risks associated with the use of personal mobile devices for work purposes.
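The device-posture check below is an added illustration of what an MDM solution does before a personal device reaches work applications: it evaluates the device against the controls named above (passcode, encryption, idle time-out, current malware protection, a supported OS) and maps the result to an action, including wiping only the work container of a lost device. It is not code from any MDM product, and the policy thresholds and device inventory are constructed for the example.

```python
"""Device-posture evaluation of the kind an MDM performs before a personal
device is allowed to reach work applications.  Added illustration, not code
from any MDM product; policy thresholds and device records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_passcode_len: int = 6          # "password requirements"
    require_encryption: bool = True    # "encryption"
    max_idle_timeout_s: int = 300      # "device time-out"
    max_malware_sig_age_days: int = 7  # "up-to-date malware protection"
    min_os_version: tuple = (14, 0)    # builds older than this lack security fixes (assumed)


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    passcode_len: int          # 0 means no passcode set
    encrypted: bool
    idle_timeout_s: int        # 0 means the device never auto-locks
    malware_sig_age_days: int
    os_version: tuple
    reported_lost: bool = False


def violations(device, policy):
    """List every policy requirement the device fails; an empty list means compliant."""
    out = []
    if device.passcode_len < policy.min_passcode_len:
        out.append("passcode missing or shorter than %d" % policy.min_passcode_len)
    if policy.require_encryption and not device.encrypted:
        out.append("storage not encrypted")
    if device.idle_timeout_s == 0 or device.idle_timeout_s > policy.max_idle_timeout_s:
        out.append("idle lock disabled or longer than %ds" % policy.max_idle_timeout_s)
    if device.malware_sig_age_days > policy.max_malware_sig_age_days:
        out.append("malware protection signatures stale")
    if device.os_version < policy.min_os_version:
        out.append("OS version below minimum")
    return out


def decide(device, policy):
    """Map posture to the action the MDM takes.  A lost device gets its work
    container wiped (personal data is untouched because work apps are kept
    separate); a non-compliant device is blocked until remediated; otherwise allow."""
    if device.reported_lost:
        return "wipe_work_container", ["device reported lost or stolen"]
    v = violations(device, policy)
    return ("block" if v else "allow"), v


POLICY = Policy()
DEVICES = {  # constructed sample inventory
    "nurse-phone": Device("nurse-phone", "nurse-a", 6, True, 120, 1, (15, 2)),
    "old-tablet": Device("old-tablet", "aide-b", 0, False, 0, 30, (12, 5)),
    "lost-phone": Device("lost-phone", "rn-c", 8, True, 60, 0, (15, 0), reported_lost=True),
}


def enforce_all(devices=DEVICES, policy=POLICY):
    """Decision for every enrolled device, keyed by device id."""
    return {d.device_id: decide(d, policy) for d in devices.values()}


if __name__ == "__main__":
    for device_id, (action, reasons) in enforce_all().items():
        print(device_id, action, reasons)
```

The decision is deliberately all-or-nothing: a device with any failing control is blocked rather than scored, because a single missing control (no passcode on an unencrypted phone) is enough to expose every message it holds.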


Employer Liability for Employees’ Privacy Violations: What Your Organization Should Learn from Walgreens’ Expensive Lesson (Hint: It Has Little To Do with HIPAA)

Poyner Spruill Law firm

You may already have read the scintillating facts surrounding a jury award of $1.44 million (recently challenged unsuccessfully on appeal) against Walgreen Co. following its pharmacist’s alleged inappropriate review and disclosure of patient records. What caught our attention was not so much the lurid details (the pharmacist was alleged to have looked up her boyfriend’s ex in Walgreens’ patient records, apparently to determine whether the ex might have passed an STD to her boyfriend). The more notable development was an employer footing the bill for a large jury verdict even though the employee violated the company’s policies as well as the law. This alert describes how Walgreens was put on the hook for its employees’ misdeeds, and examines whether a similar rationale could be applied in other privacy contexts (not just HIPAA) to create a new trend in employer liability for employee privacy violations. The implications are significant given the relative lack of success plaintiffs have encountered to date when attempting to prosecute perceived privacy violations in court.

Employer Liability

Against the pharmacist, the patient pursued state-law claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. She sought to hold Walgreens liable through respondeat superior (vicarious liability), and also included direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice. While the trial judge dismissed the negligent training claim against Walgreens and the invasion of privacy by intrusion claim against the pharmacist, he allowed the other claims to proceed. The jury returned a general verdict for the patient, finding the pharmacist and Walgreens jointly liable for $1.44 million in damages.

The linchpin of respondeat superior is that an employer can only be held vicariously liable for damage caused by an employee if the employee was acting “within the scope of employment” when the injury occurred. When it appealed the jury verdict, Walgreens seized on this factor and argued that the pharmacist’s actions were outside the scope of employment because she clearly violated Walgreens policy. The appellate court disagreed, citing case law holding an employee’s actions are within the scope of employment if those actions are of the same “general nature” as the actions authorized by the employer, even when the employee’s specific actions are against company policy. The court reasoned that the pharmacist’s improper access of the patient’s records was of the same “general nature” as the actions authorized by Walgreens because the pharmacist took the same steps to access the patient’s records as she would have in properly accessing records of other patients. The pharmacist was authorized to use the Walgreens computer system and printer, handle prescriptions for Walgreens customers, look up customer information on the Walgreens computer system, review patient prescription histories, and make prescription-related printouts. The court found that the pharmacist’s conduct in accessing this patient’s records for personal reasons, while against company policy, was of the same “general nature” as the conduct authorized by Walgreens, and therefore at least some of her actions were within the scope of her employment. Since the pharmacist was acting within the scope of employment, the court affirmed that Walgreens could be held liable under respondeat superior.

Acknowledging Walgreens could not be held vicariously liable unless the pharmacist was also liable, the court turned next to the issue of the jury’s verdict concerning the pharmacist. As the jury returned only a general verdict (which does not indicate the specific grounds on which it made its decision), the court speculated on the theory of liability for the pharmacist, and held that the jury could have properly found the pharmacist liable under a general negligence theory. The key factors in a negligence claim are a duty owed to the plaintiff by the defendant, a breach of that duty by the defendant, causation, and damages. To establish the pharmacist owed a duty to the patient, the court looked to a state law requiring pharmacists to hold patient records and information in the strictest of confidences. Finding this statute to clearly establish that the pharmacist owed a duty of confidentiality to the patient, the court found it unquestionable that the pharmacist’s actions breached that duty, and that the patient sustained at least some damages as a result. Therefore, the court concluded the jury could properly have found the pharmacist directly liable for the breach of confidentiality, and Walgreens vicariously liable for the breach.

Potential Impact

Commentary on this case has largely focused on HIPAA implications, and sometimes the more specific prospect of employer liability for employee HIPAA violations. Importantly, HIPAA was not a factor in the appellate court’s reasoning. Rather, the court looked primarily to state law for privacy expectations and a duty of confidentiality. That distinction creates broader implications for employer liability beyond HIPAA or health care generally.

A multitude of state laws now impose confidentiality, privacy and security obligations. Some are limited to certain professional occupations (e.g., pharmacists, physicians, even <<gasp>> lawyers), but many are more general. For example, many states have enacted requirements to maintain general or specific security measures without regard to industry. In fact, states increasingly read privacy and security obligations into their application of unfair and deceptive trade practices statutes, imposing a duty to maintain privacy and security across sectors and without regard to types of personal information affected.

The Indiana appellate court’s reasoning in the Walgreens’ case clearly suggests that employees owing a statutory duty of confidentiality under state law could be liable for a breach of such duties, and their employers may be vicariously liable for the reasons noted. While some state laws specifically enumerate such duties at the employee level (particularly where a license is held by the individual), it is not clear that distinction made a difference to the court’s rationale, meaning courts applying general privacy or security laws may consider following suit, even if the law does not create duties specifically aimed at employees.

Further, the Indiana appellate court’s broad characterization of what constitutes actions “within the scope of employment” could leave many employers on the hook for large damage awards, even if the underlying employee violation is indisputably against company policy.

While the Walgreens outcome alone may not establish a trend toward more frequent employer liability, it is important to recognize the case may be novel only in the size of the verdict awarded. For example, in 2006, the North Carolina Court of Appeals used similar reasoning to overturn the dismissal of a plaintiff’s negligent infliction of emotional distress claim against a doctor who allegedly allowed his office manager to improperly access the plaintiff’s medical records (Acosta v. Byrum).

What Should You Do?

The Walgreens outcome makes clear that policies, training and other compliance efforts may not indemnify employers against an employee’s breach of confidentiality or privacy. In addition to keeping an eye on further developments that either support or erode this potential liability trend, employers should consider whether broad technical access to systems is necessary and justified. Flat access rights can be necessary, particularly in health care settings where care often trumps privacy as a consideration. However, technical access limitations are the most effective way to demonstrate that employee misdeeds, when orchestrated in violation of systems-based (rather than merely policy-based) access controls, should not be held against the employer because they are clearly outside the scope of employment. Interestingly, the same approach can strengthen employers’ Computer Fraud and Abuse Act claims and can reduce the risk of HIPAA enforcement that may arise from similar facts.
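The contrast drawn above, between a lookup that is merely against policy and one the system itself refuses, is illustrated by the added example below. It is not Walgreens’ code or any vendor’s: a record lookup succeeds only when the user has an active dispensing relationship with the patient, every decision (allowed or refused) is written to an audit log, and the “care trumps privacy” case is handled with a break-glass override that is permitted but flagged for a privacy officer’s review. The patients, relationships and user ids are constructed.

```python
"""Systems-based access control for patient records: a lookup outside an
active care or dispensing relationship is refused by the system and logged,
rather than merely forbidden by policy.  Added illustration; all data is
constructed and this is not Walgreens' or any vendor's code."""
from datetime import datetime, timezone

# Constructed sample records.
RECORDS = {
    "pt-100": {"name": "Patient A", "rx": ["metformin"]},
    "pt-101": {"name": "Patient B", "rx": ["doxycycline"]},
    "pt-200": {"name": "Patient C", "rx": ["valacyclovir"]},
}
# (user, patient) pairs with an active dispensing relationship, e.g. an open
# prescription assigned to that pharmacist.  In a real system this would be
# derived from the prescription queue, not hand-maintained.
ACTIVE_RELATIONSHIPS = {("rph-01", "pt-100"), ("rph-01", "pt-101")}
AUDIT_LOG = []  # every decision, allowed or refused, lands here


class AccessDenied(PermissionError):
    pass


def _log(user, patient_id, purpose, allowed, flagged, reason):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "patient": patient_id, "purpose": purpose,
        "allowed": allowed, "flagged_for_review": flagged, "reason": reason,
    })


def access_record(user, patient_id, purpose, break_glass_reason=None):
    """Return the record if the user has an active relationship with the patient.

    Without one, access is refused unless an emergency override reason is given;
    the override is allowed but flagged so a privacy officer reviews it afterwards.
    `purpose` is recorded for the audit trail."""
    if patient_id not in RECORDS:
        _log(user, patient_id, purpose, False, False, "no such patient")
        raise AccessDenied("no such patient")
    if (user, patient_id) in ACTIVE_RELATIONSHIPS:
        _log(user, patient_id, purpose, True, False, "active relationship")
        return RECORDS[patient_id]
    if break_glass_reason:
        _log(user, patient_id, purpose, True, True, "break-glass: " + break_glass_reason)
        return RECORDS[patient_id]
    _log(user, patient_id, purpose, False, False, "no active relationship")
    raise AccessDenied(f"{user} has no active relationship with {patient_id}")


def review_queue(log=AUDIT_LOG):
    """Entries a privacy officer should look at: overrides and refused lookups."""
    return [e for e in log if e["flagged_for_review"] or not e["allowed"]]


def users_with_denials(log=AUDIT_LOG, threshold=2):
    """Users whose refused lookups reach the threshold: repeated attempts at
    records outside one's relationships are the pattern worth investigating."""
    counts = {}
    for e in log:
        if not e["allowed"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(access_record("rph-01", "pt-100", "dispense")["rx"])
    try:
        access_record("rph-01", "pt-200", "dispense")
    except AccessDenied as e:
        print("refused:", e)
    print(len(review_queue()), "entries queued for review")
```

The design choice worth noting is that the refusal is recorded, not just the success: a policy-only regime leaves no trace of a lookup that should not have happened, whereas here the attempt itself is the evidence that the employee acted outside what the system authorized.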


Just in Time for the Holidays: Another HIPAA Settlement

Mcdermott Will Emery Law Firm

On December 2, 2014, the Office for Civil Rights (OCR) and Anchorage Community Mental Health Services, Inc., (ACMHS) entered into a Resolution Agreement and Corrective Action Plan (CAP) to settle alleged violations of the HIPAA Security Rule, which governs the safeguarding of electronic protected health information (ePHI).  OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012 notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals.  The breach resulted from malware that compromised ACMHS’s information technology resources.

OCR’s investigation found that ACMHS (1) had never performed an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS; (2) had never implemented Security Rule policies and procedures; and (3) since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically, by failing to ensure that appropriate firewalls were in place and regularly updated with available patches.

ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations.  The CAP has a two-year term and obligates ACMHS to take the following actions:

  • Revise, adopt and distribute to its workforce updated Security Rule policies and procedures that have been approved by OCR

  • Develop and provide updated security awareness training (based on training materials approved by OCR) to applicable workforce members, and update and repeat the training annually

  • Conduct annual risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS, and document the security measures implemented to reduce the risks and vulnerabilities to a reasonable and appropriate level

  • Investigate and report to OCR any violations of its Security Rule policies and procedures by workforce members

  • Submit annual reports to OCR describing ACMHS’s compliance with the CAP

In announcing the settlement, OCR Director Jocelyn Samuels said, “[s]uccessful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”  A copy of the Resolution Agreement and CAP can be found here.

The settlement is another reminder that covered entities and business associates should ensure that they have taken steps necessary and appropriate to safeguard the ePHI in their possession.  Conducting regular ePHI risk assessments, addressing any identified security vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to ePHI are all steps that covered entities and business associates must take to comply with HIPAA and protect ePHI.

HIPAA Considerations In The Event Of Employee Death or Incapacitation

McBrayer

The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, acts in part to provide federal protection for identifiable health information retained by covered entities, which includes most businesses that offer company health plans. While many employers have policies and procedures in place to ensure HIPAA compliance in routine, every day matters relating to the management of employee health data, few employers have developed policies or even considered how to manage protected health information in the unfortunate event of employee death or incapacitation.


Importantly, HIPAA’s protection of identifiable health information does not expire in the event of incapacitation or even the death of an employee. In fact, HIPAA continues to protect identifiable health information for 50 years after death. Consequently, it is important for employers to know to whom protected health information may be disseminated during this time period in order to continue to ensure compliance and avoid the assessment of steep penalties and fines.

Covered health information for the deceased or incapacitated employee during this time may be released to their legal representative under state law. In most instances involving a deceased employee, this would be the appointed administrator of the deceased’s estate. It is permissible to release protected health information to non-representative family members, including but not limited to spouses, domestic partners, parents, children, or siblings, unless doing so is inconsistent with any prior expressed preference that is known to the covered entity. However, the information released to a non-representative family member must be limited to that information which is relevant to that person’s involvement in the decedent’s or incapacitated employee’s care or payment for care. The regulations leave the determination of this relevancy up to the entity’s “professional judgment.” 45 CFR 164.510(b)(5).

The Department of Health and Human Services gives the following example of what could be released: “For example, a covered health care provider could describe the circumstances that led to an individual’s death with the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.” (Click here to be directed to the Department of Health and Human Services website.)

Consequently, unless protected information is requested by the legal representative of the deceased’s estate, or the information requested is directly related to the requestor’s involvement in the deceased’s care prior to death or payment for the deceased’s care prior to death, a signed HIPAA release by the legal representative is required prior to release of the protected information. Other exceptions allowing the release of protected health information covering special situations are also available, including the allowance of release to law enforcement to assist in a criminal investigation.


It is important that employers understand their responsibilities to protect identifiable health information covered by HIPAA and develop policies to ensure compliance.


Managing Ebola Concerns in the Workplace [PODCAST]

Jackson Lewis Law firm

Many employers are struggling to understand the potential workplace implications of Ebola hemorrhagic fever (EHF). We invite you to listen to a complimentary 48-minute podcast during which three Jackson Lewis practice group leaders discuss some of the legal and practical issues relating to the virus. Among the issues discussed are:

  • Steps employers should consider taking to ensure OSHA and state workplace health and safety laws are satisfied;

  • ADA, GINA and FMLA compliance challenges that may arise as employers attempt to lawfully identify and manage employees who are or may have been exposed to Ebola; and

  • HIPAA and other sources of privacy and medical confidentiality obligations that should be considered as employers respond to workplace Ebola concerns.

You can access the podcast here.


Ex Parte Communications between Treating Physician and Attorneys in Tennessee


Under HIPAA, physicians are permitted to disclose “protected health information” to their attorneys for purposes of their own healthcare operations. This allows physicians sued by patients for malpractice to provide their attorneys with the information needed to prepare and present a defense. Ordinarily, subpoenas or orders are part of a court-ordered deposition or trial at which the patients or their attorneys are present, so the need to protect health information is lessened.

HIPAA does not allow treating physicians in one practice to disclose “protected health information” to attorneys for a treating physician in another practice unless a subpoena or an order of a court permits that disclosure. Instead, HIPAA allows members of a group practice to transmit protected health information concerning a patient to business associates of that practice. This means that attorneys representing the other physicians in the group practice can receive information related to the practice’s healthcare operations, including information relating to representing the practice in malpractice lawsuits. A subpoena or court order is not required for this disclosure. Thus, when a physician is being sued for malpractice, HIPAA permits the practice’s attorney to meet with other physicians in that same practice and obtain protected health information related to the plaintiff.

While HIPAA may permit the disclosure of protected health information in this circumstance, state law is another matter altogether. For example, the Tennessee Supreme Court found that an implied covenant of confidentiality exists between the treating physician and his or her patient. Like HIPAA, this implied covenant of confidentiality absolutely prohibits an attorney for a treating physician from meeting with another treating physician unless the patient or the patient’s attorney is present. Like HIPAA, the court assumes that the patient’s interests are protected when the patient is present.

This in turn raises the question: does the implied covenant of confidentiality prohibit a physician employed in a group practice from meeting with the attorneys representing another employee of the practice who has been sued for malpractice without the patient being present? In Tennessee, this issue was recently addressed in Hall v. Crenshaw, W2013-00662-COA-R9-CV (Tenn. Ct. App. July 18, 2014). The court of appeals in Hall held that the implied covenant of confidentiality does not prohibit a physician in a group practice from meeting with attorneys representing another employee physician of the practice. The court of appeals reasoned that a corporation can only function through its agents and employees. Under state law, all knowledge of the corporation’s employees is imputed to the corporation. As a result, the court held that the corporation already possessed this information, meaning the corporation, through its employees, is able to discuss a patient’s medical record and history with the attorneys representing the corporation and its employees.

© Copyright 2014 Dickinson Wright PLLC