05/2001

Inappropriate Disclosures of Private Healthcare Information

Howard L. Sollins
410-347-7369
hlsollins@ober.com

Appeared in HIT News
Spring 2001

All too frequently, healthcare facilities find themselves to be the source of unconsented and unplanned disclosures of healthcare information. This can occur inadvertently, because of a lapse in security measures coupled with human error, or because security measures are absent altogether. A necessary part of establishing a plan to protect private healthcare information is having in place an effective process for responding to these embarrassing and sometimes costly disclosures.

The news media publicizes some of the most attention-grabbing examples. These include a healthcare facility that inadvertently faxes information about individuals with mental health diagnoses to unintended recipients, a computer hacker gaining access to health information databases, or a teenager who arranges to receive pages intended for an attending physician and then proceeds to give medical directives to nursing staff in a hospital.

Healthcare providers adopt record retention policies that call upon them to hold and store large volumes of medical records, sometimes for as long as ten years, or even longer when minors are involved. Providers may retire or cease operations, and the locations in which information is then stored may not be as secure as those within an active facility or business operation. This author once received a telephone call from a state agency, which had been called by a local nurse in the community. The nurse had interrupted her son and his friends playing with boxes of papers they had retrieved from an empty building that had once operated as a nursing home represented by the author’s firm. The papers turned out to be stored medical records.

The examples need not involve electronic media, and the disclosure need not take the form of a writing or image. Confidential healthcare information can be wrongly disclosed through verbal communication. Simple gossip takes on a greater dimension when it includes confidential healthcare information.

A New Environment
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations are changing in fundamental ways the manner in which we think about the protection and communication of private health information. HIPAA is a law that not only establishes standards, but also reflects our increasing expectations for privacy protection. The final regulations, when effective, require under 45 C.F.R. § 164.528 that an individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, subject to certain exceptions. Inappropriate disclosures are still subject to an accounting. Covered entities will also have an obligation to mitigate, to the extent practicable, any harmful effect known to the covered entity of a use or disclosure of protected health information in violation of the regulations or of the provider’s own policies and procedures.

I. Advance Planning Tips
The following advance planning tips outline steps that can be taken now to ensure a swifter and more effective response to an unplanned disclosure of private information.

A. Establish and empower a response team
Rapid response can aid in swiftly identifying that a disclosure has occurred, acting to contain it, and initiating protective and corrective measures. The “Privacy Officer” will certainly need to be on the team, but may not be the best leader. The leader needs to have the skills to assess the extent of the problem and bring together the persons best qualified to respond. For example, a breach of electronic security will require Information Services specialists and, potentially, outside consulting support. On a more basic level, Human Resources staff may best address improper sharing of confidential information or verbal disclosures. Social Services staff may need to be involved to address the impact on patients and their family. Risk Management staff will wish to evaluate the potential for adverse litigation. Public Relations personnel may need to be consulted depending on the extent and impact of the disclosure. Of course, involvement of legal counsel may be necessary. Depending on the nature, cause and impact of the disclosure, the Corporate Compliance Officer will wish to be advised.

B. Identify sources of outside support in advance
Intrusions by hackers from the outside, security breaches by disgruntled employees, and other breaches that result in the disclosure of protected health information may require an immediate response by expert staff. Healthcare providers may rely on internal or consulting staff who are primarily trained to ensure the smooth operation of existing information systems but who lack the expertise to detect and block disclosures and, just as important, to identify and track the source of the intrusion. Security specialists may need to be consulted immediately. Advance planning should include identification of sources of immediate, expert support.

C. Determine whether and which law enforcement authorities should be notified and involved
Violations of federal or state law associated with the unplanned and inappropriate disclosure may support the immediate or eventual involvement of law enforcement agencies. However, not every FBI field office, state police or local police department will have support locally and immediately available. While the media have publicized instances in which law enforcement agencies have immediately assisted companies victimized by electronic intrusion, it cannot be assumed that healthcare providers can readily look to such support on an urgent basis. Nevertheless, advance identification of such agencies, their resources and their policies will aid in developing a rapid response team. The plan should identify in advance any special requirements or protections governing the information in question.

D. Evaluate liability insurance policies
Determine the kind of acts or omissions by the healthcare provider that are covered, including coverage for acts or omissions by employees, independent contractors or those agents acting with actual or apparent authority. Provide notice of claims as required to insurers. As part of this activity, monitor the contracting process to determine when one party or the other is responsible for maintaining confidentiality of records and whether contractual indemnification provisions may impose uninsured risks.

E. Identify administrative agencies and/or accrediting organizations that must or should be notified
Applicable law and accrediting standards should be reviewed to determine when disclosure is required or advisable. Identify the person or persons who will be the liaison with these bodies to avoid inconsistent communication and misunderstanding concerning the provider’s response. Be prepared for a visit by agency representatives who may assert authority to conduct a review while the provider is likewise conducting its own investigation and initiating a response.

F. Stop the disclosure and redisclosure; retrieve the information if feasible
Depending on the facts and technology involved, this may be more or less difficult than anticipated. Immediate efforts to block further disclosure should include an evaluation of the extent to which the information has been disclosed or is susceptible to redisclosure. Some materials can be returned but others may be in a format where this is impossible. Determine where reliable assurances of destruction can be obtained.

G. Who did it?
Has an employee stepped forward to self-identify their mistake? Is the disclosure of information the result of an intrusion from the outside? Investigation may be necessary to identify the true source of the intrusion, using either existing staff or outside experts. In some instances, “John Doe” litigation may need to be initiated to give the healthcare provider access to discovery tools that can yield needed information. Coordination with law enforcement agencies will need to occur.

H. Secure advice of counsel
Advice of either or both of in-house and external counsel is important in developing a response plan. Aspects of the disclosure may require an investigation that should be subject to attorney-client privilege. However, an overly aggressive approach to assertions of privilege can create problems where information needs to be shared among persons actively engaged in addressing the problem. When consultants are retained, for example, it is important to be clear concerning their role and to whom they report, where a privileged review is also being conducted. Different legal issues arise, depending on whether such persons are consulting on operational issues, are acting as the arm of a quality assurance committee or have been retained by legal counsel. The role of such persons and the manner in which their reports are gathered and disseminated for these various purposes must be clear to those involved. Coordination between Risk Management staff and legal counsel is an obvious part of the response.

I. Determine when notice to patients is required or advisable
Depending on the applicable law, notice to persons who have been the subject of the disclosure may be required. It is also important for the Response Team to know what agreements or representations have been made in any Privacy Policy, because these might be deemed to have created a stricter, contractual obligation. If disclosure of mental health records has occurred, consultation with mental health professionals may be required. Healthcare decision-making information gathered in connection with the federal Patient Self-Determination Act will need to be accurate, up to date and accessible, because contacts with responsible persons other than the patient may be necessary.

J. Is a public relations strategy needed?
How can contacts with the media be managed without initiating further violations by sharing otherwise confidential information? For example, even where there has been a disclosure of confidential information, there can be a continuing obligation not to make further disclosures. Who has the final authority to speak for the healthcare provider? Who will be the messenger to put a human and public face on the provider’s response?

K. Take steps to avoid future unplanned disclosures
A review of employee policies and related training will follow. It should be coupled with a review of security and access requirements and restrictions. Commitments made in Privacy Policies, admission agreements and otherwise will need to be revisited. Paramount will be a system that ensures staff have access to the information they need to deliver care and that allows the provider to meet its obligations to patients and the community and to comply with applicable law. Whether the disclosure could or should have been anticipated, and whether it represents an aberrant act or is the product of a systematic attack, will influence the response. In any case, the response should prompt a broader review of related vulnerabilities.

L. Initiate required or advisable legal responses
The healthcare provider may need to both pursue and defend against challenges flowing from the unplanned and inappropriate disclosures. In part, these depend on the nature of the disclosure, the extent to which it has been contained and the source of the disclosure. Violations of federal or state law may be pursued by law enforcement agencies, and the provider will wish to cooperate with any investigation. Civil action, whether based on asserted private rights of action under specific laws or on theories of breach of contract or tort, may be pursued by or against the healthcare provider. Third parties with culpability, or who have indemnified against such damages, need to be identified. Notice to them within definite deadlines may be required under the applicable contracts. Disciplinary action against employees will need to be considered.

M. Coordinate with the corporate compliance process
The Corporate Compliance process will need to function as planned, with the Compliance Officer monitoring closely any confidential and anonymous or other information gathered through hotlines or similar processes. The Compliance Officer will have direct reporting obligations to one or more persons on the provider’s governing body.

II. Conclusion
Ultimately, it is impossible for a healthcare provider to guarantee that there will not be some inappropriate disclosure of confidential healthcare information. What is most important is for providers to place the preservation of confidentiality among their highest priorities and to put in place systems to ensure that those who need access have it and those who do not are screened from it. Planning includes measures to respond immediately to inappropriate disclosures and to put in place the resources best suited to containment, mitigation, identification of the cause, remediation and future compliance.


Ober, Kaler, Grimes & Shriver

Maryland
120 East Baltimore Street, Baltimore, MD 21202
Telephone 410-685-1120, Fax 410-547-0699

Washington, D.C.
1401 H Street, NW, Suite 500, Washington, DC 20005
Telephone 202-408-8400, Fax 202-408-0640

Virginia
407 North Washington Street, Suite 105, Falls Church, VA 22046
Telephone 703-237-0126, Fax 202-408-0640