HIPAA Blog

Trump's Medical Records: If you follow me on Twitter (and you should; I'm easy to find @JeffDrummond), you've seen a couple of jabs at the whole matter involving Trump's crazy doctor's latest public proclamations.  Harold Bornstein, who was Donald Trump's doctor for many years, recently told NBC News that in February 2017 Trump's bodyguard, lawyer, and a third man conducted a "raid" on his office, without notice, and took all of Trump's medical records.  Bornstein also indicated that he felt "raped, frightened, and sad" when the Trump aides came for his records.  Apparently, Bornstein had told the press a few days earlier that he had prescribed a drug to Trump to treat hair loss, and because of that, he was dumped from the Trump Train.

NBC News reports, "Bornstein said he was not given a form authorizing the release of the records and signed by the president known as a HIPAA release — which is a violation of patient privacy law."  As with virtually everything else about that story, that's not actually correct.

So, what's legally required for an associate/friend to retrieve a patient's medical records?  Well, let's start here: HIPAA requires "covered entities" to limit uses and disclosure of "protected health information" (or "PHI") to certain permitted uses/disclosures (the "HIPAA Rules"), and grants patients certain enumerated rights to their PHI (the "HIPAA Rights").  Most healthcare providers are covered entities, unless they never ever conduct electronic transactions.  Most billing is done electronically, so only those providers who operate in a paper-only environment are not covered by HIPAA.  It's rare, especially for a physician (psychologists and counselors, and others who operate on a cash only or non-insurance basis, are more easily excluded), but possible.

It's possible Bornstein isn't a "covered entity" and HIPAA doesn't even apply to him.  If that's the case, there are still state law requirements, which generally require a provider to meet community standards and ethical obligations regarding patient privacy.  Given the broad reach and scope of HIPAA, it's usually hard to argue that, even if you aren't a covered entity, you aren't ethically required to follow HIPAA  (or something pretty close to it) anyway.  So let's assume HIPAA applies.

Now, can Bornstein give the PHI to Trump's agents?  Must he?  Is he prohibited from giving the PHI up if the agents don't have a signed "HIPAA release"?  (OK, let's nip this one in the bud -- it's not a "HIPAA release," it's a patient "authorization" that is HIPAA compliant.)

The HIPAA Rules allow disclosures to the patient.  They also allow disclosures to two types of persons connected to the patient: the patient's "personal representative" and persons who are "involved in the care" of the patient.  The "personal representative" is someone with the power to make healthcare decisions on behalf of the patient; basically, to be a personal representative, you need to have the authority to agree to surgery for the patient.  Thus, the prototypical "personal representative" is a parent of a minor child, or a court-appointed guardian for someone who is not competent to make decisions on their own behalf.  Clearly, Trump's bodyguard, lawyer, and whoever that third guy was [Ted Cruz's father?] were not personal representatives, but might be considered to be "involved in the care" of Trump.  Someone "involved in the care" is usually a friend or family member who helps the patient out in some way, but really could be anyone; it's up to the patient.  This issue came up prior to the court cases requiring states to recognize gay marriage: there were reported cases where a patient wanted his/her gay lover to be involved in the decision-making process, but the hospital was requiring that only family members could be so involved.

The HIPAA Rights require the covered entity to grant the patient access to his/her PHI.  In other words, if you ask your doctor for a copy of your records, he must give them to you (with very few exceptions, none of which are conceivably applicable here).  HIPAA does not require the provider to give up all copies of the information, and usually the provider merely gives over copies and keeps the originals.  And if the patient has the right to receive the PHI, the patient also has the right to make the provider give it not only to the patient, but to whomever the patient asks the provider to give it.

Thus, if the patient asks for his PHI, the provider may give it to him (under the HIPAA Rules) and must give it to him under the HIPAA Rights.  But what if it's not the patient asking, but someone else?  If that someone else is a "personal representative," it's as if the patient himself asked, and the provider must give up the PHI.  If it's someone "involved in the care," the provider may give up the PHI, as long as the disclosure is limited to the involvement of the third party in the patient's care.  Generally speaking, if the patient asks the provider to give the PHI to the third party, that's pretty clear evidence that the third party is "involved in the care" at least to the extent of being the recipient of the PHI.

Now, since in this case it's a "may" disclose situation, not a "must" disclose situation (i.e., it's a person "involved in the care," not a "personal representative"), the provider might want to obtain some protection against the patient later saying, "no, I didn't want you to give that PHI to my lawyer."  In that case, and certainly whenever there's any doubt about whether the patient approves, it's generally good advice to the provider to refuse to give up the PHI unless there is a HIPAA-compliant authorization (which must be signed by the patient).  However, that's not a requirement.

So, what about this situation?  If Bornstein had good reason to believe that these were Trump's attorney and bodyguard, and that Trump wanted the records delivered to them, Bornstein would be permitted to disclose the PHI to them under HIPAA.  But he could refuse, and demand a HIPAA-compliant authorization.  He also could have contacted Trump by phone for additional confirmation.  Could Trump report Bornstein for disclosing PHI to the bodyguard and attorney?  Possibly, but it would only be a violation if Bornstein knew or should have known that those three weren't "involved in the care" to a sufficient level to be able to get copies of the records in that situation; I can't see any reviewer of the facts finding that to be the case.

Was Bornstein required to give up the originals?  No, and probably shouldn't have.  But he could have been ordered to do so, particularly given these circumstances, where the patient had another treating physician and was apparently seeking to sever ties with his former physician.  A physician does not automatically have a right to retain a patient's personal information; if a patient accused a physician of raping her and demanded the physician turn over all records, a court would likely require the physician to turn over the records (although might require they be turned over to a third party so they would be available in case the physician needed them to defend himself).

In this case, it appears that Bornstein violated Trump's medical privacy rights, and almost certainly violated HIPAA (OK, maybe Trump signed a HIPAA-compliant authorization, but I sincerely doubt it), by reporting on his Propecia prescription, as well as other disclosures that were not specifically approved by Trump.  Even though he "can't believe anybody was making a big deal out of a drug to grow his hair that seemed to be so important," it's not Bornstein's decision to make, and there's really no "no harm, no foul" rule when it comes to whether a disclosure is permitted or not (determining if it's a breach, that's another story).  With that background, I think it would be fairly easy for Trump to sue Bornstein to give up all copies of his records.  Additionally, I think the Secret Service could also come in and take them; there's a whole category of "permitted" uses and disclosures related to the military, prisons, and the Secret Service that come into play here.  Of course, it doesn't look like the Secret Service was involved, but if they were, there would be even more avenues to explore.

Should Bornstein have allowed Trump's aides unfettered access to his office?  Certainly not.  The best policy would have been to have office personnel determine the appropriate files, make copies, and give them to Trump's representatives.  To the extent the trio of Trumpsters improperly accessed or saw any other patient's data, that's Bornstein's fault, not the Trump crew.

So, is Trump or his crew in trouble here?  I can't see how.  Is Bornstein in trouble?  Not for delivering Trump's records to Trump's crew.  He could be (and really should be) in trouble for disclosing the Propecia information, and anything else he discussed without the President's permission.