September 27, 2007
Author: Augustine Weekley
Organization: Holland & Knight
U.S. businesses and private citizens have become increasingly knowledgeable regarding the existence of the Health Insurance Portability and Accountability Act and its general implications. The purpose of this advisory is not to rehash HIPAA requirements but, rather, to touch on newer uses and abuses of this law and its applications. No private right of action is bestowed by HIPAA; however, if the trends and case outcomes discussed below continue to gain traction, a very expensive result may await those who breach HIPAA confidentiality.
The Scope of Health Data Protection
In May 2006, veterans’ records were stolen by a Veterans Administration employee, who had taken home a computer with an external hard drive. On it were names, social security numbers, birth dates and diagnostic codes for six and a half million veterans. This incident required the setting aside of $160 million for remediation and protection of those whose information was contained on the computer drive. Fortunately, the drive was found and data had not been removed. Details of these and similar events are some times reported in major newspapers and other media before private or governmental action is taken.
The Privacy Rights Clearing House (http://www.privacyrights.org) reports that during the last three years, approximately 155 million protected health information records have been involved in security breaches. A chronology of those data breaches since January 2002 can be found on its Web site. The number and breadth of those breaches, and the list of the prestigious institutions where they have occurred, is astonishing. The full remediation costs are unknown but would likely be massive.
The Department of Veterans Affairs has recently committed $20 million to correct a data breach which could affect almost one million VA physicians and patients. This breach resulted from the loss of a hard drive at a VA medical facility in Birmingham, Alabama – requiring notice and credit-monitoring services for approximately 650,000 physicians and 254,000 veterans.
These are but a few of the recent cases of federal HIPAA violations. While virtually all states have privacy laws affecting PHI, 36 also legislatively protect additional personal or consumer information. One must therefore be familiar and compliant with local as well as federal law. Such compliance, and the ongoing attendant education, is expensive. Adding the cost of litigation to the general cost of data protection and loss remediation multiplies the losses to an uncalculated but potentially staggering figure.1
In 2006, HIPAA was invoked as the basis for privacy standards in two significant cases:
1) Sorensen, et al v. Barbuto, et al, 143 P. 3rd, 295 (Utah Ct. App. 2006) apparently went largely unnoticed by the health care community, probably because the court footnoted the plaintiff’s HIPAA reference without further discussion.
In this case, Sorensen received personal injury treatment from Dr. Barbuto, who later produced Sorensen’s medical records and engaged in ex parte communications with defense counsel in the ensuing personal injury suit. When Sorensen learned of this disclosure, he objected and the trial court excluded Barbuto’s testimony. Sorensen prevailed in the personal injury action.
Later, Sorensen filed an action against Dr. Barbuto asserting several causes of action, but Sorensen’s suit was dismissed by the trial court and the above appeal followed. The appeal court cited cases forming the basis for finding that the doctor/patient relationship contemplates a duty of confidentiality which extends beyond the termination of the patient/physician relationship, and agreed that the duty not to disclose confidential personal information rises out of trust and confidence in that relationship. The court concluded that a tortuous action may arise from the breach of that confidentiality.
The appeal court observed that, in his brief, Sorensen “ … asserts that the professional standards contribute to the proper standard of care, citing the Health Insurance Portability and Accountability Act (HIPAA), the American Medical Association’s Principles of Medical Ethics, and the Hippocratic Oath.” Id. Barbuto points out that HIPAA does not provide a private right of action, with which the court apparently agreed. However, there is no further discussion of the HIPAA basis, the court holding “ … that ex parte communication between a physician and opposing counsel constitutes a breach of the physician’s fiduciary duty of confidentiality” [citations omitted].
The appeal court found that the trial court’s dismissal of Sorensen’s claim was error because “ ... Barbuto’s tort based duty of confidentiality continued [after the patient/physician relationship ended].” The remainder of the opinion is not pertinent here.
2) Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006) did not mention the Sorensen case. However, Acosta did directly deal with HIPAA as being a basis for determination of the appropriate level of care in relation to the privacy of medical information. It is this case that has alerted and disquieted the health care community in privacy matters. Patient Acosta was treated by Dr. Faber, a psychiatrist. During the course of the treatment, hostility developed between Acosta and Dr. Faber’s assistant, Robin Byrum. Acosta sued both Faber and Byrum, alleging that Dr. Faber allowed Byrum to use his access code to view Acosta’s psychiatric records, and that Byrum disclosed this information to third parties. Acosta sued Byrum for the intentional infliction of emotional distress, and more importantly for this review, sued Farber for the negligent infliction of emotional distress. One element of the alleged negligence was Dr. Faber’s action in permitting Byrum to use his password in a way that violated the HIPAA standard of privacy. Again, the trial court dismissed Acosta’s action and appeal followed.
The appeal court reversed the trial court’s dismissal, finding, among other conclusions, that the action was not a medical malpractice claim (which would require pre-suit expert certification) but was rather based on the administrative conduct of the psychiatrist in permitting a staff member to view a patient’s record by use of the physician’s access code. Further, the court recognized that the patient’s action was not a claim under HIPAA, which does not provide a private right of action; however, HIPAA may be used to establish an appropriate standard for the protection of health care information. The court, noting that the plaintiff made no independent HIPAA claim, concluded that “ … HIPAA is inapplicable beyond providing evidence of the duty of care owed by Dr. Faber with regards to the privacy of plaintiff’s medical records.” Id. at 253. Through this mechanism, the plaintiff provided evidence of one of the necessary elements of negligence.
Thus begins what is likely to be a line of civil cases using HIPAA as a standard for the measurement of the duty to maintain health care privacy, much similar to the use by plaintiffs’ attorneys of the clinical practice guidelines developed and published by the Agency for Health Care Research and Quality.2
Reports indicate that between April 2003 and April 2007, more than 27,000 HIPAA complaints have been registered with the Department of Health and Human Services; however, to date, convictions have been few. HIPAA privacy enforcement has been assigned to the DHHS Office of Civil Rights, which has openly characterized its past enforcement efforts as being largely educational and remedial.
However, there are indications that federal enforcement is likely to increase. One such indication is an April 16, 2007, notice in the Federal Register that the secretary of the DHHS has delegated to the director of the OCR subpoena authority to obtain testimony from witnesses in ongoing violation investigations. Meanwhile, Centers for Medicare and Medicaid Services is investigating security violations. If the investigation discloses possible criminal violation, the matter is now referred to the Department of Justice for investigation.
In what appears to be the first HIPAA audit of a hospital performed by the DHHS, the Office of the Inspector General of DHHS presented Piedmont Hospital in Atlanta a list of 42 items about which the DHHS wanted information within ten days.3 Public information on this audit is otherwise presently scarce, but other hospitals are certainly taking notice, and many are upgrading their security systems or taking other data protection measures.
The first HIPAA conviction was of Richard Gibson in November 2004 and was based upon Gibson’s admission that he disclosed protected health information of a patient for the purpose of obtaining credit cards in the patient’s name, which he then used to make thousands of dollars worth of personal purchases.
The second criminal conviction was of Liz Ramirez in Texas. This defendant worked in the office of a physician who provided FBI agents with physical examinations and medical treatment. An undercover investigator posed as a drug trafficker to buy PHI on a particular FBI agent for a $500 payment to Ramirez.
More recently, a widely publicized south Florida case involved Isis Machado, a former employee of Cleveland Clinic Hospital, who printed out the PHI on over 1,100 patients and passed them to her cousin, Fernando Ferrer – who happened to own a claims company. Through that company, he filed over $2.5 million in fraudulent Medicare claims. Machado plead guilty to the conspiracy and received a reduced sentence of three years’ probation, including six months of home confinement, for her testimony against Ferrer. Ferrer plead not guilty but was found guilty and sentenced to seven years, three months in prison – plus supervised release. The defendants were ordered to make restitution of a combined $2.51 million to the government.
While the OCR has previously stated and practiced remediation and education in PHI violation instances, there are strong indications that future enforcement efforts will be more widespread and severe. It appears that federal enforcement agencies believe that the “gentle cycle” is evolving into a more rigid and thorough investigative and enforcement mode. Perhaps of equal or greater importance is the possible opening of a floodgate of civil cases based on a variety of damages arising out of the disclosure of PHI and other personal data, using the HIPAA as the standard required for the protection of the confidentiality of such information. Individuals and entities responsible for protection of PHI should redouble their vigilance and strengthen their protective efforts.
Dr. Weekley practices in the Health Care Department at Holland & Knight. He is experienced in the areas of health and hospital law, medical staff issues, nursing home law, administrative law, Medicare, healthcare provider licensing law and medical malpractice defense. For more information, e-mail firstname.lastname@example.org or call toll free, 1-888-688-8500.
1 While other privacy issues abound, only health care data is addressed here. For example, in June 2007, a class-action suit was filed in the U.S. District Court for the Middle District of Florida claiming that the TJX Companies, Inc. and Fifth Third Bank Corp. had allowed “thousands if not hundred of millions” of customer credit card members and other personal financial data to be stolen from the companies’ computer databases by identity thieves. In early July 2007, during the preparation of this report, a subsidiary of Fidelity National Information Services, Certegy Check Services, reported that approximately 2.2 million consumer records were stolen. These records contained credit and bank account records, and 99,000 included credit card information. The information was sold to a data broker who re-sold to direct marketing companies.
2 Formerly, Agency for Health Care Policy and Research.
3 See http://www.computerworld.com for a list of the questions; visited June 25, 2007.