Update: even though Mr. Sly denies the leak and Mr. Manning denies the use of banned substances (we have no reason to question that this is true) there is still a privacy breach issue for Guyer Institute.
Merely disclosing the NAME of a patient by Guyer Institute workforce, business associates, (including unpaid trainees or contractors), whether Manning took banned substances or not is still a HIPAA violation.
As an expert witness, I receive questions from attorneys, plaintiffs, and defendants about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Regulations and Security Regulations, and breaches of confidentiality of medical records and medical information. A companion statute called the HITECH Act also provides certain provisions for safeguarding information and what qualifies as a breach of information. I will attempt to explain and clarify this issue a little in this blog, using the recent news about Peyton Manning as an example.
What in summary are the issues?
According to what we have read in the press:
- Peyton Manning was a patient at some point of Guyer Institute
- Guyer Institute is a ‘covered entity‘ under HIPAA rules meaning that it had a duty to protect patient information.
- There are also ethical guidelines and industry best practices for medical specialties that may apply regarding patient confidentialtiy.
- Even if the unpaid student intern Charles Sly who allegedly disclosed the information was not an employee, he would have been covered under the HIPAA Privacy Rule as either a member of the Guyer workforce, or a contractor of Guyer Institute known as a ‘business associate.’ We can find no exception for Mr. Sly’s behavior as reported in the media if the allegations that he made a disclosure are true.Business associates are not to disclose HIPAA protected information in any form whether publicly, privately, in paper form, digital form or verbal form.
Some detail definitions for the terminology above, and a few relevant statutes and industry best practices
HIPAA Privacy Rule 45 CFR Part 160 and Subparts A and E of §164 specifically prohibit HIPAA covered entities from disclosing any personally identifiable health information about their patients, which include the name of the patient and any medication they may be taking.
A “covered entity” is defined as a health plan, a health care clearinghouse or health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter. (See 45 CFR 160.103.) Guyer Institute is almost certainly a HIPAA covered entity. “Transaction” means the transmission of information between two parties to carry out financial or administrative activities related to health care. Therefore if Guyer ever transmitted information between its organization and another party for reimbursement for example, it is a HIPAA covered entity. Though the organization currently says it does not accept or process insurance on its web site, a review of past practices would answer this question.
The HIPAA Security Rule sets forth organizational requirements regarding both ‘workforce‘ and ‘business associates.’
45 CFR 164.530 – Administrative requirements (b)(1) provides, “Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
The HIPAA Security Rule sets forth organizational requirements regarding business associates. (See 45 CFR 164.314.)
A business associate means, with respect to a covered entity, a person who, on behalf of such covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
- A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
- Any other function or activity regulated by this subchapter; or
- provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. (See 45 CFR 160.103.)
The U.S Department of Health & Human Services (HHS) recently adopted new rules which make changes to existing privacy, security and breach notification requirements in what is often referred to as the final “HIPAA Omnibus Rule.” These new rules stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act which is part of the same law that created the Electronic Health Records (EHRs) Incentive Program under Medicare and Medicaid. Section 13400(1) of the HITECH Act defined “breach” as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information – (See more at: http://www.shrm.org/legalissues/federalresources/pages/hipaa-rule-breach.aspx#sthash.QEcgpEjF.dpuf)
Additionally, after any breach there are other requirements of a HIPAA covered entity in terms of the actions they must take.
The HIPAA Security Rule requires covered entities to have contracts or other arrangements with business associates that will have access to the covered entities’ electronic protected health information. (See 45 CFR 164.314(a)(1).)
The HIPAA Security Rule requires that the contract between a covered entity and a business associate must provide that the business associate will (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity, (ii) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it, (iii) report to the covered entity any security incident of which it becomes aware, and (iv) authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. (See 45 CFR 164.314(a)(2)(i).)
The HIPAA Security Rule requires covered entities to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule. (See 45 CFR 164.316(a).) These policies and procedures must be maintained in written form. (See 45 CFR 164.316(b)(1)(i).) The HIPAA Security Rule permits a covered entity to change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with the HIPAA Security Rule. (See 45 CFR 164.316(a).)
The HIPAA Security Rule requires covered entities to maintain a written record of any action, activity, or assessment required to be documented by the HIPAA Security Rule. (See 45 CFR 164.316(b)(1)(ii).)
The HIPAA Security Rule requires covered entities to make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. (See 45 CFR 164.316(b)(2)(ii).)
The HIPAA Security Rule requires covered entities to review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. (See 45 CFR 164.316(b)(1)(iii).)
Michael Arrigo is a HIPAA Privacy and HIPAA Security expert witness who has provided opinions for cases in State and Federal Court.