Privacy, please: HIPAA changes will broaden patient protection

December 1, 2009

Dr. Privacy has been a practicing dermatologist for 30 years. He has prided himself on being computer savvy, and tries to keep abreast of the latest in legal requirements that impact his practice. Most of his patients are on a variety of managed care insurance plans.

Key Points

Two years ago, Dr. Privacy treated a 34-year-old patient with myriad facial flat warts. Despite monthly visits and an attempt at using a variety of treatment modalities, the problem progressively worsened. All visits and treatments were paid for by the patient's managed care plan, a plan in which Dr. Privacy had signed on as a provider five years earlier.

Because of his difficulty in treating the facial verrucae, Dr. Privacy suggested that his patient be tested for HIV antibodies. At first reluctant to do so, the patient finally complied, with the understanding that he wanted the test done by a lab outside his insurance plan.

Three months later, the managed-care plan undertook a routine audit of some of Dr. Privacy's charts. When asked to do so, Dr. Privacy sent all the records from this particular patient. The insurance plan, in its attempt to do due diligence, notified the patient of this information, while offering suggestions for future care. The patient sued Dr. Privacy for a Health Insurance Portability and Accountability Act (HIPAA) violation. Is there any basis for this lawsuit?

Protected information

HIPAA gives the federal government the ability to mandate how healthcare plans, healthcare providers and clearinghouses - each a "covered entity" - store and transmit individual patients' health information. HIPAA establishes privacy and security standards for a patient's Protected Health Information (PHI).

The HIPAA privacy rule specifically addresses the use and disclosure of PHI. PHI is any information held by a covered entity that concerns health status, provision of healthcare or payment for healthcare that can be linked to an individual.

Clearly, the HIV test is PHI. The privacy rule requires patient notification, consent and authorization regarding disclosure of PHI. All medical practices, in general, must comply with this law as it relates to confidential patient records. If the practice maintains PHI in electronic form, then the HIPAA security rule applies, and the practice must implement administrative, physical and technical safeguards to protect the electronic PHI.

It is clearly important to have policies and procedures in place to train staff on the appropriate measures required to view patient files and maintain confidentiality. The problem for Dr. Privacy relates to the fact that patients generally sign a waiver that allows their managed-care plan to access their medical records. Thus, Dr. Privacy thought he was acting appropriately when he handed over his patient's record (including the HIV test results).

Amendments

Recently, HIPAA has been amended by the American Recovery and Reinvestment Act of 2009, with most provisions effective as of Feb. 17, 2010. New amendments to HIPAA include the following:

It would appear that Dr. Privacy did not violate the HIPAA rules - for now. After this year, however, he and all of us must be aware of the new rule changes.

David Goldberg, M.D., J.D., is director of Skin Laser & Surgery Specialists of New York and New Jersey, director of laser research, Mount Sinai School of Medicine, and adjunct professor of law, Fordham Law School.