Legal Ease

Protecting Patients’ Privacy

April 2004

The privacy of patients’ medical information has been a cornerstone of the doctor-patient relationship since the time of Hippocrates. As the provision of medical care has grown more complex, in particular since World War II and the creation of medical insurance, entities other than doctors and patients have gained access to this information. Among these other entities are lawyers, employers, insurers and government program administrators. These complexities and multilateral relationships have been accompanied by a variety of legal and administrative defenses for private patient medical data. This article will review some of the cases and the content of the protections for private patient data.

How Regulations Vary

The legal, regulatory and administrative protections for private patient medical data are fragmented and multifaceted. The nature and scope of these protections, and the remedy for violating them, vary by governmental authority. For example, both state and federal requirements exist. The type of protection also depends on the patient group specified: regulations pertaining to schoolchildren will differ from those regulating the elderly. Regulations also depend upon the party possessing the information; the Social Security Administration would follow different guidelines than a nursing home. The type of regulation would also depend on a patient’s disease (for a patient with HIV, regulations would be much more stringent), type of treatment (records for patients undergoing treatment for substance abuse or a mental health condition would be under tighter control), and other categories. Congress also continues to consider special protection for genetic information.1

What HIPAA Requires

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the first and most comprehensive federal legislation covering the protection of private patient information. Large healthcare institutions were subject to HIPAA requirements for protecting the privacy of patient information beginning in April of 2003. This month, these HIPAA requirements will take effect for entities with sales of less than $5 million.

The privacy rule states that medical information can be used for purposes of treatment, payment and operations (“TPO”). The meaning of TPO is complex. One aspect of that complexity is the U.S. Department of Health and Human Services’ (HHS’) statement that allows insurance companies and hospitals to let their market research firms use this information. In May 2003, a suit was filed against HHS by doctors, psychotherapists, 10 consumer and health-advocacy groups and Sally Scofield, a patient. The suit contended that HHS has been too expansive in allowing insurers and providers to use private patient information for “routine use” in “business and planning.” Sally Scofield joined the suit because, after knee surgery at a Chicago hospital, she had been contacted by a marketing company that asked her about the surgery. According to the patient, the marketing company had all the details of her treatment. HHS still mandates that information not be sold to third-party marketers that sell unrelated products or services.2

Questions over the use of patient information for marketing aside, HIPAA’s privacy rule imposes a general “minimum necessary” requirement on entities holding and using protected patient health care information. Covered entities using protected information for treatment, payment and operations must limit their uses and disclosures to the “minimum necessary” information required to perform a task. Entities need policies and procedures that spell out the type of protected patient information that can be seen by the varying levels and classes of their workers, and the content of information that can be released in response to routine inquiries. These entities must also possess a process for assessing the information dispensed in response to non-routine requests.

Not the Only Federal Law Protecting Patient Information

HIPAA is not the only federal law protecting patient information. The Public Health Service Act, and its implementing regulation, 42 CFR Part 2, protects data related to substance abuse and chemical dependency treatment, which is protected by section 543.1 Although the regulation applies solely to federally funded specialized alcohol or drug abuse programs, it is assumed to cover all federal programs. These rules supersede both state law and HIPAA, and mandate that any disclosure of information related to substance abuse and chemical dependency treatment be accompanied by the patient’s signed authorization. HIPAA’s TPO provisions do not apply to this requirement. Only in cases of data exchange involving the branches of the Armed Forces, including the Veterans Administration, is this rule not in effect.

How State Requirements Figure into the Mix

Adding to the complexity of the body of “privacy law” is the existence of state law and state licensing guidelines, which require that medical information be kept private. While an assessment of this is beyond the scope of this article, a recent case that applied the law in this area is interesting. The New York State Health Department reprimanded a cancer specialist for talking to the media about his patient George Harrison without the ex-Beatle’s consent.3 Harrison, 58, died in Los Angeles on Nov. 29, 2001, after battling lung cancer and a brain tumor. Dr. Gilbert Lederman signed an order last month with the department’s Board for Professional Medical Conduct, accepting his censure, reprimand and a $5,000 fine, documents show. The documents don’t mention Harrison by name but say that the patient died on Nov. 29, 2001, and that Lederman discussed his case in the media. The radiation oncologist at Staten Island University Hospital treated Harrison shortly before he died. Lederman explained to The New York Post that Harrison was “quiet and dignified” and that “he believed death was a part of life. He was not fearful of death.” He also said Harrison stayed on Staten Island for 2 weeks getting outpatient treatment after checking out of the hospital. The board said Lederman “revealed to news agencies, magazines and television, personally identifiable facts . . . obtained in his professional capacity.”

How Should Doctors Deal with the Vast Body of Privacy Law?

The best first step is not to give out patient information or discuss patient matters outside the scope of medical care. Any distribution of private medical data should be documented in writing and should not take place outside the channels of patient care (including insurance purposes). Physicians must have in place practices and procedures for protecting patient information. The staff of a doctor’s office must also be made aware of the importance of keeping patient information private. These are all steps in a process that is an integral part of the doctor-patient relationship.