HIPAA Blog

[ Wednesday, October 22, 2003 ]

 

An exclamation point to the listserv conversation on who is a "person" subject to HIPAA penalties.

As I mentioned below, the AHLA listserv on HIPAA has been abuzz with commentary on the applicability of HIPAA's criminal penalties to "persons." The question started around the issue of whether an individual working for a covered entity could be subject to HIPAA criminal penalties, if the worker wasn't a covered entity himself/herself. With regard to the healthcare fraud provisions, the answer seems to be that he/she would be subject to criminal penalties. The question is still an open one with regard to the privacy/security/TCS provisions.

The impact of this question, as well as some scary thoughts on globalization and outsourcing, is highlighted in this article from the San Francisco Chronicle. The medical center at the University of California-San Francisco contracts with a firm across the bay in Sausalito to provide transcription services (transcribing doctors' verbal and/or written comments and notes into the medical record of a patient). The Sausalito company subcontracts with a network of transcribers, including a woman in Florida. The Florida woman sub-subcontracts with a man in Texas, who sub-sub-subcontracts with a woman in Pakistan (there is a large industry in India and Pakistan providing transcription services, software development, call centers, and a lot of other activities, since there's a relatively large population of well-educated English-speakers who will work at relatively low wages). The Texas man didn't pay the Pakistani woman, who notified UCSF that if they didn't pressure him to pay her, she would release the medical records over the internet.

As the story notes, this exposes a concern that globalization raises. But that isn't the whole story. Let's imagine that the Pakistani woman was actually an American, in some state without any specific medical record privacy law other than HIPAA. She is not a covered entity; UCSF is, and the Sausalito company is a Business Associate of UCSF. UCSF can release the information to the Sausalito company, but must have a business associate agreement in place with them. That BAA must contractually obligate the Sausalito company to protect the PHI and not pass it along unless its subcontractors agree to provide the same protections. Each subcontractor agrees to require any additional subcontractors to make the same promises. Is the Sausalito company subject to HIPAA if it violates its contractual agreement to protect the information in a HIPAA-like fashion? Probably not, but UCSF would have a breach of contract claim against them. Likewise, if the Florida company exposed the PHI, it would not be subject to HIPAA's civil or criminal penalties (since it isn't a covered entity), but would be subject to contractual breach claims by the Sausalito company.

And so on down the line. Now, if the Pakistani woman were a resident of any American state without a specific medical record privacy law, she could expose the information. If she were not paid by the Texas man, even if the Texan had entered into a subcontract with her requiring her to comply with HIPAA, she could still expose the PHI with impunity, since the Texan couldn't sue her for breach of contract if he hadn't complied with his obligations under the contract. Therefore, the issue isn't really one of globalization, it's one of subcontracting law.

So, how about we fix this problem by enacting a law that you can't expose PHI, even if you're not a HIPAA covered entity? The first problem I see with that is how the First Amendment protects the press; if the press had PHI, they are protected by the First Amendment in reporting it.

This surely looks like a big gaping hole in the privacy of PHI; however, why hasn't this problem appeared already in multiple instances? The reason is that the vast, vast majority of PHI has very little need for privacy. There are a microcosmically small number of people who could profit from or who would have any interest at all in the fact that I take high blood pressure medication or a cholesterol-lowering drug. The vast majority of medical information isn't embarrasing or sensitive. And for the tiny portion of embarrasing or sensitive information, if it isn't about a famous person, then the recipient of the information would have to have a connection with the subject of the information for there to be any harm. Do you care if Joe Blow in Paducah had VD in '83? Not unless you know Joe.

That's one of the really interesting things about PHI and the concept of medical record privacy. By and large, your desire for your medical records to be kept private relates only to keeping the information private from certain people. If I could promise (and guarantee) to you that your information would be known by everyone in the universe EXCEPT anyone who knows you or will ever know you, would you have any objection? Really, the only medical record privacy you want is for the information to be protected from a limited number of people/entities.

That being said, the breach of privacy with respect to that very, very limited number of people can have devastating consequences. Jobs can be lost, families torn asunder, people murdered if particular PHI on a particular person is disclosed to the wrong person. So, while it is a tiny, tiny fraction of information that needs to be protected from a tiny, tiny number of people, the need for that protection is extremely great. What a conundrum.

If you want the best medical care possible, you should want for PHI to be as widely-available as possible. Another doctor might be able to cure what ails you, or your PHI might be useful for a doctor treating another patient in a similar situation. That's the best for healthcare, but the worst for privacy. However, if you want the best privacy possible, you should want PHI to be as minimally available as possible. No one, not even your doctor, should know. That's the best privacy, but really hurts the progress of healthcare.

Food for thought.
Jeff [11:10 AM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template

A discussion of medical privacy issues buried in political arcana

E-mail me at jdrummond-at-jw.com

- Archives - March 2002 April 2002 May 2002 June 2002 July 2002 August 2002 September 2002 October 2002 November 2002 December 2002 January 2003 February 2003 March 2003 April 2003 May 2003 June 2003 July 2003 August 2003 September 2003 October 2003 November 2003 December 2003 January 2004 February 2004 March 2004 April 2004 May 2004 June 2004 July 2004 August 2004 September 2004 October 2004 November 2004 December 2004 January 2005 February 2005 March 2005 April 2005 May 2005 June 2005 July 2005 August 2005 September 2005 October 2005 November 2005 December 2005 January 2006 February 2006 March 2006 April 2006 May 2006 June 2006 July 2006 August 2006 September 2006 October 2006 November 2006 December 2006 January 2007 February 2007 March 2007 April 2007 May 2007 June 2007 July 2007 August 2007 September 2007 October 2007 November 2007 December 2007 January 2008 February 2008 March 2008 April 2008 May 2008 June 2008 July 2008 August 2008 September 2008 October 2008 November 2008 December 2008 January 2009 February 2009 March 2009 April 2009 May 2009 June 2009 July 2009 August 2009 September 2009 October 2009 November 2009 December 2009 January 2010 February 2010 March 2010 April 2010 May 2010 June 2010 July 2010 August 2010 September 2010 October 2010 November 2010 December 2010 January 2011 February 2011 March 2011 April 2011 May 2011 June 2011 July 2011 August 2011 September 2011 October 2011 November 2011 December 2011 January 2012 February 2012 March 2012 April 2012 May 2012 June 2012 July 2012 August 2012 September 2012 October 2012 November 2012 December 2012 January 2013 February 2013 March 2013 April 2013 May 2013 June 2013 July 2013 August 2013 September 2013 October 2013 November 2013 December 2013 January 2014 February 2014 March 2014 April 2014 May 2014 June 2014 July 2014 August 2014 September 2014 October 2014 November 2014 December 2014 January 2015 February 2015 March 2015 April 2015 May 2015 June 2015 July 2015 August 2015 September 2015 October 2015 November 2015 December 2015 January 2016 February 2016 March 2016 April 2016 May 2016 June 2016 July 2016 August 2016 September 2016 October 2016 November 2016 December 2016 January 2017 February 2017 March 2017 April 2017 May 2017 June 2017 July 2017 August 2017 September 2017 October 2017 November 2017 December 2017 January 2018 February 2018 March 2018 April 2018 May 2018 July 2018 August 2018 September 2018 October 2018 November 2018 December 2018 January 2019 February 2019 March 2019 April 2019 May 2019 June 2019 July 2019 August 2019 September 2019 October 2019 November 2019 December 2019 January 2020 February 2020 March 2020 April 2020 May 2020 June 2020 July 2020 August 2020 September 2020 October 2020 November 2020 December 2020 January 2021 February 2021 March 2021 April 2021 May 2021 June 2021 August 2021 September 2021 October 2021 November 2021 December 2021 January 2022 February 2022 March 2022 April 2022 May 2022 June 2022 July 2022 August 2022 September 2022 October 2022 November 2022 December 2022 February 2023 March 2023 April 2023 June 2023 July 2023 August 2023 September 2023 October 2023 November 2023 December 2023 January 2024 February 2024 March 2024 April 2024

[ Advertisers ]

[ Links ]
Jackson Walker home page
My (official Jackson Walker) Bio
HHS' Administrative Simplification page
OCR's HIPAA Privacy page
ICD-10 Codes
NIST's HIPAA Security Implementation page
HIPAA.org page
TCS standard-setting
HIPAA Summit's page
Harvard's HIPAA colloquium
Workgroup for EDI
Siemen's HIPAA page
Beacon Partner's HIPAAcomply
FindLaw's HIPAA law page
HIPAAComplete
HIPAADocs
AMA's HIPAA page
AHA's semi-HIPAA page
American Health Lawyers Assn
SHARP (the Southern SNIP)
Boundary Information Group's HIPAAinfo.net
HIPAA academy
MedAbiliti's Health Innovation Daily News
Thompson-West's Privacy Litigation Reporter
HIPAAnswers (HIPAA compliance solutions)
Healthcare Intelligence Network Blog
Prescription Drug Encyclopedia
Compliance Home Portal
HIPAA Training (Supremus Group)
PracticeSuite Practice Management Blog
DMEPOS Surety Bonds
Hospital.com
Human Resources Daily Advisor

[ WebRings ]
< ? law blogs # >

[ Syndicated RSS Feed ]
Click Here