As doctors, you are heroes. You are noble protectors who always work for the good of your patients. You protect our health, but also our privacy. In fact, one of the most significant facets of the physician/patient relationship is trust, which is largely based on confidentiality. Naturally, then, one of the most difficult tasks you might confront in your profession is to have to tell a patient that there has been a breach of her private health information. That undertaking becomes even more daunting when you are made to consider the legal ramifications of the breach. Not only must you consider the notification requirements and possible repercussions of the federal HIPAA law, but state law imposes potential liability as well.
As far as federal law is concerned, not all instances of unauthorized access or loss of control over protected health information (“PHI”) is a “breach”, as it is defined by HIPAA. For example, losing a laptop with PHI is not a breach if it was properly encrypted. Therefore, the first step in determining what, if any, HIPAA notification needs to be made, is to determine whether there has been a “breach” at all.
According to the updated HIPAA standard, there is a presumption that notification is required for all unauthorized uses, acquisitions, or disclosures except when: 1) the physician conducts a risk assessment and establishes that there is a low probability that PHI was compromised; or 2) one of the limited existing exceptions to the definition of breach applies.
The risk assessment analyzes four primary factors. If after performing the risk assessment there is doubt whether or not notification is required, the new rules favor notification.
Once you have determined that notification is warranted, you must then determine what kind of notification is required; the timing, method, and recipient. For example, notification must be made without unreasonable delay and should be sent in writing to the last known address of the patient. You would also need to notify the Secretary of Health and Human Services by submitting a log at the end of the calendar year. If the breach involves greater than 500 patients, however, you might also be required to notify the media and the Secretary immediately. An investigation by the Office of Civil Rights (“OCR”) may follow.
HIPAA isn’t the only legal hurdle you will have to overcome, though. The Virginia courts have recognized a claim in tort for breaching the duty not to disclose information gained in the course of treatment without a patient’s authorization. In one case, a patient was awarded $100,000 for the humiliation, embarrassment and hurt caused by a healthcare provider’s disclosure. It is important to keep this, along with potential liability in an OCR investigation, in mind when notifying or communicating with a patient regarding a breach.
The legal requirements for dealing with a breach of PHI may appear daunting, but with assistance, you can navigate your way through it, reestablish trust with your patients, and reclaim hero status once again. – Jason R. Davis and Beth A. Norton