[ Monday, November 15, 2004 ]
From the HIT list:
There was a very lively, interesting discussion this Monday on the American Health Lawyers' Association Health Information Technology listserv. The initial query: can a covered entity get an individual to authorize the covered entity to treat the individual's information in a way that violates the Security Rule? We all know that a covered entity can make uses and disclosures that would be violations of the Privacy Rule if the individual who is the subject of the PHI signs a proper HIPAA authorization. The authority to do so is written right there in the Privacy Rule: 45 CFR Sec. 164.502(a)(1)(iv), referencing Sec. 164.508. But there's nothing written in the Security Rule that would allow an individual to authorize a covered entity to waive a requirement of the Security Rule for the individual.
The discussion quickly devolved into two camps: of course you can, and of course you can't. On the Can side, the point is made that the information is the patient's, and the Privacy Rule requires the covered entity to make concessions to the individual if the individual wants the information provided in a particular way. If the individual told his doctor to send his PHI to the New York Times, the doctor would probably have to do so. If the individual told the doctor to email his records to the Times in unencrypted format, or to send the information over shortwave radio to a receiver in remote Alaska, even if the doctor had determined that unencrypted email or radio transmission was unacceptable under his Security Rule risk analysis, the prerogative belongs to the patient and the doctor should comply.
In the Can't camp, the analysis is that the Security Rule is drafted by and enforced by regulators, and they didn't give anyone the right to wire around it. They'll be the ones enforcing it, even if the patient isn't bothered by the breach (or even ordered it). Additionally, the legal authorities are making determinations of the benchmark [however amorphous that is] for security for everyone, and it's not up to an individual to remake that determination (sort of a nanny-state approach). A further example would be a patient who presented to a surgeon asking for a right leg amputation, but signed a waiver allowing any limb to be amputated: it would still be malpractice for the surgeon to cut off the bad limb, even if the patient waived any claims for it; there might not be a malpractice case, but the licensing authorities should get involved. And perhaps patients shouldn't be able to waive or authorize such bad behavior, since the waiver or authorization could be coerced or gotten through deceit. If a practice has done a Security Rule risk analysis and determined that it is unreasonable under any circumstances to send out unencrypted email, then it should stick to that and protect the patient from himself.
Of course, there are ways around these hypotheticals. The covered entity can provide the PHI to the patient, who could then email it to the NY Times or short-wave it. And encrypting isn't that hard to do anyway. Also, keep in mind that the Security Rule doesn't have too many required acts or duties, but rather requires the covered entity to review its processes and situation and make determinations of what is reasonable and appropriate for it to do to comply. The covered entity could have some trap doors or escape hatches built into its policies and procedures that allow it to take the requested action: for example, the covered entity's email policy could say, "We will require encryption of all outgoing email, unless specific circumstances warrant otherwise; a determination will be made by the Security Officer whether such circumstances exist."
Anyway, an interesting discussion.
Jeff [5:29 PM]