Brought to you by Kaufman & Canoles, Attorneys at Law
In a recent letter to their clients, Kaufman & Canoles Attorneys at Law addresses today’s healthcare providers.
“As doctors, you are heroes,” wrote Jason Davis and Beth Norton.
Davis is a member of the Health Care Practice Group. His litigation and counseling practice includes representing various healthcare providers in HIPAA complaints and investigations, HIPAA breach notification proceedings and breach of privacy claims. Norton is an associate in the Health Care Practice Group.
“You are noble protectors who always work for the good of your patients. You protect our health, but also our privacy. In fact, one of the most significant facets of the physician/patient relationship is trust, which is largely based on confidentiality. Naturally, then, one of the most difficult tasks you might confront in your profession is to have to tell a patient that there has been a breach of her private health information.”
Notifying a patient about a breach is, no doubt, even more daunting when you consider the legal ramifications.
“Not only must you consider the notification requirements and possible repercussions of the federal HIPAA law, but state law imposes potential liability as well,” Davis and Norton wrote.
But there are a lot of gray areas when it comes to healthcare information, breaches and what is considered loss of data.
“As far as federal law is concerned, not all instances of unauthorized access or loss of control over protected health information (“PHI”) is a breach, as it is defined by HIPAA. For example, losing a laptop with PHI is not a breach if it was properly encrypted. Therefore, the first step in determining what, if any, HIPAA notification needs to be made, is to determine whether there has been a breach at all.”
According to the updated HIPAA standard, there is a presumption that notification is required for all unauthorized uses, acquisitions, or disclosures except when: 1) the physician conducts a risk assessment and establishes that there is a low probability that PHI was compromised; or 2) one of the limited existing exceptions to the definition of breach applies.
The risk assessment analyzes four primary factors. If after performing the risk assessment there is doubt whether or not notification is required, the new rules favor notification, according to Kaufman & Canoles.
“Once you have determined that notification is warranted, you must then determine what kind of notification is required; the timing, method, and recipient. For example, notification must be made without unreasonable delay and should be sent in writing to the last known address of the patient. You would also need to notify the Secretary of Health and Human Services by submitting a log at the end of the calendar year. If the breach involves greater than 500 patients, however, you might also be required to notify the media and the Secretary immediately. An investigation by the Office of Civil Rights (“OCR”) may follow.”
HIPAA isn’t the only legal hurdle.
The Virginia courts have recognized a claim in tort for breaching the duty not to disclose information gained in the course of treatment without a patient’s authorization. In one case, a patient was awarded $100,000 for the humiliation, embarrassment and hurt caused by a healthcare provider’s disclosure.
“It is important to keep this, along with potential liability in an OCR investigation, in mind when notifying or communicating with a patient regarding a breach.”
The legal requirements for dealing with a breach of PHI may appear daunting, but with assistance, you can navigate your way through it, reestablish trust with your patients, and reclaim hero status once again.
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances.