Is there a loophole in HIPAA, or does the Department of Health and Human Services’ Office for Civil Rights simply not want to enforce patients’ rights?
That’s a question raised by a story in the New York Times Wednesday, written by ProPublica‘s Charles Ornstein, about a man whose mental health diagnosis and records were disclosed in a lawsuit over unpaid doctor bills.
The patient, identified by the Times only as “a New Jersey lawyer named Philip,” filed a complaint with OCR — the proper legal channel for reporting HIPAA privacy and security violations — but the agency took no action against the practice, Short Hills Associates in Clinical Psychology, of Springfield, New Jersey. The story said:
With the Rise of AI, What IP Disputes in Healthcare Are Likely to Emerge?
Munck Wilson Mandala Partner Greg Howison shared his perspective on some of the legal ramifications around AI, IP, connected devices and the data they generate, in response to emailed questions.
In an email, Rachel Seeger, a spokeswoman for the office, said the agency “closed this case because we determined that Short Hills Associates in Clinical Psychology is not a HIPAA-covered entity, and therefore we have no jurisdiction to investigate or take any action on the complaint.”
This is where we get into a legal gray area, since Short Hills Associates has not moved to electronic health records. Per the Times:
The privacy law’s language specifies that it covers only health providers who “electronically transmit any health information in connection with transactions for which HHS. has adopted standards.” Doctors who still rely on paper records and paper bills — or clients who pay cash — are not subject to the law.
In legal papers, Short Hills Associates has not argued that it falls outside HIPAA’s reach. In fact, on its website it offers patients forms and information that specifically mentions their rights under the law.
HHS appears to say otherwise. On the department’s page of privacy FAQs, HHS stated:
A Personalized Approach to Medication Nonadherence
At the Abarca Forward conference earlier this year, George Van Antwerp, managing director at Deloitte, discussed how social determinants of health and a personalized member experience can improve medication adherence and health outcomes.
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form, including in connection with the disposal of such information.
While Philip’s case was not about records disposal, it sure seems to fall under the “in any form” provision.
One of the nation’s most prominent healthcare privacy watchdogs, Dr. Deborah Peel, founder of the Austin, Texas-based Patient Privacy Rights Foundation, was incensed upon learning of the news, but in some ways not surprised.
“This is outrageous. There’s no reason for this. He has been seriously harmed,” Peel, a psychiatrist, told MedCity News.
“OCR has always been very helpful to industry,” Peel said, arguing that OCR interprets its enforcement role too narrowly. “There is no federal agency set up to protect patients.”
Again, we get into legal gray areas. “It’s unethical,” Peel said. “This is not ethical for any health professional.” But it may not be illegal under HIPAA.
The HIPAA privacy and security rules have always meant to be a national floor. States are free to enact stronger protections for patients, and Patient Privacy Rights said New Jersey has done just that. That, according to Peel, means Philip and others affected by disclosures at this psychology practice might have better recourse suing under New Jersey law.
According to the Times, Short Hills Associates “has filed dozens of collections lawsuits against patients and included in them their names, diagnoses and listings of their treatments.” Some of the patients were minors; their parents were the ones sued, but information on the children’s diagnoses made it into the public record.
The practice’s billing manager said in a court deposition that Short Hills Associates has not filed any new collections cases since Philip countersued, and that the practice was no longer working with a collections agency, Ornstein reported.
The practice, its attorney and the attorney for the collections agency declined comment for the Times story. However, a lawyer for the American Psychological Association said that the APA would “typically recommend against including patients’ diagnoses and a list of procedures as part of collection suits because it ‘may be more than the minimum disclosure necessary to obtain payment’ under HIPAA and the group’s ethics code.”
Photo: Flickr user Josh Hallett
