Peyton Manning’s Privacy Violated According to HIPAA Rules

Peyton Manning’s privacy was violated by Guyer Institute IF the press is accurately presenting the facts.

Peyton Manning wears Denver Broncos colors as he exits from a plane. Royalty paid to Shutterstock for use of this image.

Update: even though Mr. Sly denies the leak and Mr. Manning denies the use of banned substances (we have no reason to question that this is true), there is still a privacy breach issue for Guyer Institute.

Merely disclosing the NAME of a patient, by a member of the Guyer Institute workforce or by a business associate (including unpaid trainees or contractors), is still a HIPAA violation, whether or not Manning took banned substances. The fact that an identifiable individual received care from a covered entity is itself protected health information.

As an expert witness, I receive questions from attorneys, plaintiffs, and defendants about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Regulations and Security Regulations, and about breaches of confidentiality of medical records and medical information. A companion statute, the HITECH Act, also contains provisions on safeguarding information and on what qualifies as a breach. I will attempt to explain and clarify this issue a little in this blog, using the recent news about Peyton Manning as an example.

What, in summary, are the issues?

According to what we have read in the press:

  1. Peyton Manning was, at some point, a patient of Guyer Institute.
  2. Guyer Institute is a ‘covered entity’ under HIPAA rules, meaning that it had a duty to protect patient information.
  3. There are also ethical guidelines and industry best practices for medical specialties that may apply regarding patient confidentiality.
  4. Even if the unpaid student intern Charles Sly who allegedly disclosed the information was not an employee, he would have been covered under the HIPAA Privacy Rule either as a member of the Guyer workforce or as a contractor of Guyer Institute, known as a ‘business associate.’ (The definition of ‘workforce’ at 45 CFR 160.103 expressly includes volunteers and trainees whose conduct, in the performance of work for the covered entity, is under its direct control, whether or not they are paid.) We can find no exception for Mr. Sly’s behavior as reported in the media if the allegations that he made a disclosure are true. Business associates are not to disclose HIPAA-protected information, other than as the rule and their business associate agreement permit, in any form: publicly, privately, on paper, digitally, or verbally.

Some detailed definitions of the terminology above, and a few relevant statutes and industry best practices

The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) prohibits HIPAA-covered entities from using or disclosing protected health information (PHI) about their patients except as the rule permits or requires. PHI includes the name of the patient, in connection with the fact that the patient received care, and any medication they may be taking.

A “covered entity” is defined as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the subchapter. (See 45 CFR 160.103.) Guyer Institute is almost certainly a HIPAA-covered entity. “Transaction” means the transmission of information between two parties to carry out financial or administrative activities related to health care. Therefore, if Guyer ever transmitted information electronically between its organization and another party for reimbursement, for example, it is a HIPAA-covered entity. Though the organization’s website currently says it does not accept or process insurance, a review of past practices would answer this question.

The HIPAA Privacy Rule sets forth administrative requirements regarding the ‘workforce,’ including training.

45 CFR 164.530(b)(1) provides: “Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The same section also requires a covered entity to apply appropriate sanctions against workforce members who fail to comply with its policies (§164.530(e)) and to mitigate, to the extent practicable, any harmful effect of a use or disclosure it knows to be in violation of the rule (§164.530(f)).

The HIPAA Security Rule sets forth organizational requirements regarding business associates.  (See 45 CFR 164.314.)

A business associate means, with respect to a covered entity, a person who:

  (i) on behalf of such covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
    (A) a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
    (B) any other function or activity regulated by this subchapter; or
  (ii) provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. (See 45 CFR 160.103.)

This is the wording of the definition in effect before the 2013 Omnibus Rule; the current text, which turns on whether the person “creates, receives, maintains, or transmits” protected health information, is quoted in full below.

The U.S. Department of Health & Human Services (HHS) recently adopted new rules which make changes to existing privacy, security, and breach notification requirements in what is often referred to as the final “HIPAA Omnibus Rule.” These new rules stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the same law that created the Electronic Health Records (EHR) Incentive Program under Medicare and Medicaid. Section 13400(1) of the HITECH Act defined “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.” (See more at: http://www.shrm.org/legalissues/federalresources/pages/hipaa-rule-breach.aspx.)

Additionally, after a breach a HIPAA-covered entity has further obligations, chief among them the breach notification requirements of Subpart D (45 CFR 164.400 through 164.414): notice to the affected individuals, to HHS, and in some cases to the media.

The HIPAA Security Rule requires covered entities to have contracts or other arrangements with business associates that will have access to the covered entities’ electronic protected health information.  (See 45 CFR 164.314(a)(1).)

The HIPAA Security Rule requires that the contract between a covered entity and a business associate must provide that the business associate will (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity, (ii) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it, (iii) report to the covered entity any security incident of which it becomes aware, and (iv) authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. (See 45 CFR 164.314(a)(2)(i).) This is the wording in effect before the 2013 Omnibus Rule; the current §164.314(a)(2)(i) instead requires the business associate to comply with the applicable requirements of the Security Rule, to ensure that its subcontractors agree to do the same, and to report security incidents, including breaches of unsecured protected health information as required by §164.410.

The HIPAA Security Rule requires covered entities to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule.  (See 45 CFR 164.316(a).)  These policies and procedures must be maintained in written form.  (See 45 CFR 164.316(b)(1)(i).)  The HIPAA Security Rule permits a covered entity to change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with the HIPAA Security Rule.  (See 45 CFR 164.316(a).)

The HIPAA Security Rule requires covered entities to maintain a written record of any action, activity, or assessment required to be documented by the HIPAA Security Rule.  (See 45 CFR 164.316(b)(1)(ii).)

The HIPAA Security Rule requires covered entities to make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.  (See 45 CFR 164.316(b)(2)(ii).)

The HIPAA Security Rule requires covered entities to review documentation periodically, and update it as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. (See 45 CFR 164.316(b)(2)(iii).)

According to 45 CFR 160.103:
Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

Michael Arrigo is a HIPAA Privacy and HIPAA Security expert witness who has provided opinions for cases in State and Federal Court.

Michael F. Arrigo

Michael Arrigo brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health IT, and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations who provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and medical billing, fraud damages, as well as electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, medical malpractice, insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. 
He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi-million-dollar investor exit by a company now merged into Axway Software SA (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for top ten mortgage banks and led the Sarbanes Oxley Act Section 302 internal controls IT audit for the company, supporting Section 404 of the Sarbanes Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience.
Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol Forum, The Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by the Healthcare Financial Management Association (HFMA), and is published in Healthcare IT News.
