Health care providers have a general duty to safeguard the privacy of their patient’s individually identifiable health information and their private health information.
The disclosure of a patient’s private health information (“PHI”) is very strictly limited under the Health Insurance Portability and Accountability Act (“HIPAA”).
Under HIPAA, PHI may generally be used or disclosed as necessary without patient consent to deliver treatment (including health, mental health, and/or emergency treatment), seek payment or for health care operations only. These functions are sometimes referred to as TPO: treatment, payment, and health care operations. Otherwise, patient authorization is required for any other use or disclosure of PHI.
There are exceptions under HIPAA that permit or require the disclosure of PHI without patient consent or authorization. Before disclosing PHI under any exceptions, it is important for the health care providers to make sure that the disclosure is also permitted under any other rules that might protect the type of information to be disclosed (e.g., behavioral health information or HIV information).
Disclosure outside of the exceptions or without patient consent regardless of whether the disclosure is accidental (negligent) can result in civil and criminal penalties anywhere from $100 to $50,000 per violation depending upon the nature of the disclosure.
Reported HIPAA violations are also publicly accessible through the Freedom of Information Act (“FOIA”), leaving a potentially permanent record of violations. Additionally, the violator may also be liable under invasion of privacy laws. All states are not the same; however, Michigan’s handling of this issue is similar to most states and can be used as a guide.
It appears for the moment, however, that negligent violation of patient privacy is potentially excusable where there are no actual damages. The Michigan Court of Appeals in Doe v Henry Ford Health Sys, 2014 Mich App LEXIS 2557 (December 18, 2014) dismissed an action for alleged invasion of privacy for the negligent disclosure of PHI online.
The Plaintiffs in Doe brought action against Henry Ford Health System for their alleged failure to protect a group of 159 patients who had doctor’s visits at Henry Ford between June 3, 2008, and July 18, 2008.
Henry Ford’s third-party data manager had made a configuration change to their server which left certain patient records unprotected. As a result, “Googlebot,” Google’s automated web crawler, indexed the information — making it possible to find the patient information through Google’s search engine.
The information made accessible included the patient’s name, medical record number, the date of the patient’s visit, the location of the visit, the physician’s name, and a summary of the visit including medical history and diagnoses.
After Henry Ford learned of the problem, all information was removed from the internet, the patients were notified, and corrective measures to protect the data were undertaken.
The plaintiffs thereafter brought suit claiming invasion of privacy, though the court dismissed the case on defendant’s motion for summary disposition because the disclosure was negligent and negligent invasion of privacy does not exist as a cause of action in Michigan.
The court stated that to bring a cause of action in Michigan courts for the disclosure to another of private health information, one must bring the case under invasion of privacy through the public disclosure of private facts, and a plaintiff must meet three elements: (1) the disclosure of information; (2) that is highly offensive to a reasonable person, and (3) that is of no legitimate concern to the public.
Further the “publicity” must be made “to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.”
The court reasoned that there was no precedence for permitting the tort of invasion of privacy to proceed on the basis of negligent disclosure.
Accordingly, the court dismissed the invasion of privacy action because there was sufficient evidence to conclude that the disclosure was not intentional. The court further reasoned that the plaintiff’s case could not be maintained under negligence theory or breach of contract theory unless they could prove actual damages.
Although Doe bodes well for the institution, the individual licensed health professional may still be subject to an investigation and complaint by the health provider’s disciplinary subcommittee for the representative board of licensure for their negligent disclosure of PHI.
A complaint arising out of allegations of negligent disclosure of PHI may be brought under the Michigan Public Health Code, MCL 333.1101–333.25211, in at least two counts.
The first is an alleged violation of a general duty, consisting of negligence or failure to exercise due care, including negligent delegation to or supervision of employees or other individuals, whether or not injury results.
The second is the allegation of incompetence, which is defined as “a departure from, or failure to conform to, minimal standards of acceptable and prevailing practice for a health profession, whether or not actual injury to an individual occurs.”
If you are under investigation for your conduct or you have received a letter from the Michigan or Florida Licensing Board or Disciplinary Subcommittee pertaining to your license, we at Chapman Law Group can advise and represent you.
Our experienced Professional Licensing Practice attorneys will assist you with determining the best course of action and, if necessary, represent you before the licensing board or the administrative hearing system.
In addition, our national Compliance Practice lawyers can review or help you build your compliance program, and make sure your practice understands and follows HIPAA guidelines.
For 35 years, Chapman Law Group has helped clients with professional licensing matters in Michigan (including Detroit, Ann Arbor, Grand Rapids, Dearborn and Troy), while our offices in Florida handles licensing matters across the state, including for Miami, Tampa, Jacksonville, West Palm Beach and Orlando.
For HIPAA compliance matters, our Compliance Practice attorneys serve clients all across the U.S.
Contact us today for a consultation.
Send this to a friend