[ Wednesday, October 22, 2003 ]


An exclamation point to the listserv conversation on who is a "person" subject to HIPAA penalties.

As I mentioned below, the AHLA listserv on HIPAA has been abuzz with commentary on the applicability of HIPAA's criminal penalties to "persons." The question started around the issue of whether an individual working for a covered entity could be subject to HIPAA criminal penalties, if the worker wasn't a covered entity himself/herself. With regard to the healthcare fraud provisions, the answer seems to be that he/she would be subject to criminal penalties. The question is still an open one with regard to the privacy/security/TCS provisions.

The impact of this question, as well as some scary thoughts on globalization and outsourcing, is highlighted in this article from the San Francisco Chronicle. The medical center at the University of California-San Francisco contracts with a firm across the bay in Sausalito to provide transcription services (transcribing doctors' verbal and/or written comments and notes into the medical record of a patient). The Sausalito company subcontracts with a network of transcribers, including a woman in Florida. The Florida woman sub-subcontracts with a man in Texas, who sub-sub-subcontracts with a woman in Pakistan (there is a large industry in India and Pakistan providing transcription services, software development, call centers, and a lot of other activities, since there's a relatively large population of well-educated English-speakers who will work at relatively low wages). The Texas man didn't pay the Pakistani woman, who notified UCSF that if they didn't pressure him to pay her, she would release the medical records over the internet.

As the story notes, this exposes a concern that globalization raises. But that isn't the whole story. Let's imagine that the Pakistani woman was actually an American, in some state without any specific medical record privacy law other than HIPAA. She is not a covered entity; UCSF is, and the Sausalito company is a Business Associate of UCSF. UCSF can release the information to the Sausalito company, but must have a business associate agreement in place with them. That BAA must contractually obligate the Sausalito company to protect the PHI and not pass it along unless its subcontractors agree to provide the same protections. Each subcontractor agrees to require any additional subcontractors to make the same promises. Is the Sausalito company subject to HIPAA if it violates its contractual agreement to protect the information in a HIPAA-like fashion? Probably not, but UCSF would have a breach of contract claim against them. Likewise, if the Florida company exposed the PHI, it would not be subject to HIPAA's civil or criminal penalties (since it isn't a covered entity), but would be subject to contractual breach claims by the Sausalito company.

And so on down the line. Now, if the Pakistani woman were a resident of any American state without a specific medical record privacy law, she could expose the information. If she were not paid by the Texas man, even if the Texan had entered into a subcontract with her requiring her to comply with HIPAA, she could still expose the PHI with impunity, since the Texan couldn't sue her for breach of contract if he hadn't complied with his obligations under the contract. Therefore, the issue isn't really one of globalization, it's one of subcontracting law.

So, how about we fix this problem by enacting a law that you can't expose PHI, even if you're not a HIPAA covered entity? The first problem I see with that is how the First Amendment protects the press; if the press had PHI, they are protected by the First Amendment in reporting it.

This surely looks like a big gaping hole in the privacy of PHI; however, why hasn't this problem appeared already in multiple instances? The reason is that the vast, vast majority of PHI has very little need for privacy. There are a microcosmically small number of people who could profit from or who would have any interest at all in the fact that I take high blood pressure medication or a cholesterol-lowering drug. The vast majority of medical information isn't embarrassing or sensitive. And for the tiny portion of embarrassing or sensitive information, if it isn't about a famous person, then the recipient of the information would have to have a connection with the subject of the information for there to be any harm. Do you care if Joe Blow in Paducah had VD in '83? Not unless you know Joe.

That's one of the really interesting things about PHI and the concept of medical record privacy. By and large, your desire for your medical records to be kept private relates only to keeping the information private from certain people. If I could promise (and guarantee) to you that your information would be known by everyone in the universe EXCEPT anyone who knows you or will ever know you, would you have any objection? Really, the only medical record privacy you want is for the information to be protected from a limited number of people/entities.

That being said, the breach of privacy with respect to that very, very limited number of people can have devastating consequences. Jobs can be lost, families torn asunder, people murdered if particular PHI on a particular person is disclosed to the wrong person. So, while it is a tiny, tiny fraction of information that needs to be protected from a tiny, tiny number of people, the need for that protection is extremely great. What a conundrum.

If you want the best medical care possible, you should want PHI to be as widely available as possible. Another doctor might be able to cure what ails you, or your PHI might be useful to a doctor treating another patient in a similar situation. That's the best for healthcare, but the worst for privacy. However, if you want the best privacy possible, you should want PHI to be as minimally available as possible. No one, not even your doctor, should know. That's the best privacy, but it really hurts the progress of healthcare.

Food for thought.

Jeff [11:10 AM]
