Physicians may be responsible when employees commit HIPAA violations

July 1, 2010

Dr. Eczema has a very large dermatology practice and performs studies on new treatments for a variety of dermatoses. Recently, one of the pharmaceutical companies with which Dr. Eczema works contacted his research nurse to ask her to provide a copy of all of the electronic data from these studies, which she does. A former research patient finds out and has her attorney inform Dr. Eczema that she will sue for a HIPAA violation unless he settles with her for $100,000.

Key Points

Recently, one of the pharmaceutical companies with which Dr. Eczema works contacted his research nurse to ask her to provide the company with a copy of all of the electronic data from these studies. The company wants to use this data to develop better treatments for atopic dermatitis. Trying to be helpful, the nurse gives the pharmaceutical company all of the data in question.

Not long after, one of Dr. Eczema's other employees finds out about this transfer of data. Because of her ill feelings toward her fellow employee, she tells some friends about what has occurred. One of these friends is a former research patient in Dr. Eczema's office, and she is furious at this breach of her medical privacy. She hires an attorney who reaches out to Dr. Eczema. The attorney tells Dr. Eczema that he will sue him for a HIPAA violation unless he settles with his client for $100,000. Should Dr. Eczema settle this case? Should he pay the $100,000?

Electronic medical records (EMRs) are here to stay. In spite of all the benefits they offer, their use has also introduced a number of problems and issues. Perhaps the most important of these are the potential privacy breaches associated with electronic record and data storage. As more personal information, such as school records, credit card information and bank account data, goes online and is stored electronically, people seem to have become more accustomed to accepting the risks of storing personal data this way, especially in view of the convenience and other benefits that this method offers. Medical records, however, are possibly the most private and personal information available about a person, and are therefore subject to unique privacy and security concerns.

While breaches of other personal data are intrusive and potentially harmful, medical records are unique by their very nature. Once private medical information is breached, the resulting harm is nearly impossible to mitigate.

In view of these concerns, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its associated regulations. Under HIPAA, the Department of Health and Human Services (HHS) has the authority to adopt standards for HIPAA-specified entities to follow in protecting, using and disclosing patients' medical information and records. In the act, Congress listed the following parties as covered entities subject to the HHS-adopted standards: health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with specified financial and administrative transactions.

Using its congressionally delegated authority, HHS enacted regulations commonly referred to collectively as the "Privacy Rule," which took effect April 14, 2003. This rule established specific obligations for covered entities regarding the safekeeping and privacy of protected health information.

The Privacy Rule defines protected health information (PHI) as medical information that is "individually identifiable" as pertaining to a specific patient. Individually identifiable information includes health information that is maintained in any form or medium; relates to, identifies or could identify the person whom the health information concerns; and is transmitted or maintained by a covered entity. More specifically, the Privacy Rule covers information that a patient's doctors, nurses and other healthcare providers put in his or her medical record; conversations a doctor has about a patient's care or treatment with nurses and others; information about a patient in his or her health insurer's computer system; billing information about a patient at his or her provider's office; and most other health information about a patient that is held by covered entities.