[ Friday, November 13, 2015 ]
Jeff [9:16 AM]
State Agencies' Ability to Access Patient Records Without a Warrant: Interesting (if "insider baseball-y") case in California asking whether it violates the California constitution for the California Medical Board to access controlled substance records relating to specific individuals while investigating the individuals' physician. A patient complained to the CMB about his physician; the CMB obtained that patient's records, as well as records of other patients of the same physician, from the California Controlled Substance Utilization Review and Evaluation System (CURES), which is used to track down pill mills. The CMB put the doctor on probation for failing to maintain sufficient records for the patient who complained, but also put him on probation for 2 other patients whose CURES records indicated they had been overprescribed. The doctor sued the CMB, saying they have the right to access the records of the complaining patient, but accessing the records of the other patients violates those patients' right to privacy. The AMA has joined the suit on behalf of the doctor.
Off the top of my head, I would say that the underlying answer is a state law question: does California law allow the CMB to access individual patient records without authorization from the specific patient while conducting a proper investigation the physician? If so, HIPAA would allow it. HIPAA allows HHS to look at an individual patient's medical records while investigating a hospital or physician for Medicare or Medicaid fraud, and I would suspect most state medical practice acts would allow the state medical board to have the same level of access while conducting legitimate board purposes, such as investigating a physician. I suspect the California legislative and regulatory language must me more mushy.
The general rule, of course, is that PHI may be used or disclosed where legally required. A similar case is playing out in Oregon, where the DEA attempted to access records of the Prescription Drug Monitoring Program using administrative subpoenas, and the PDMA refused, demanding that either a search warrant or court order must be presented for them to clear the HIPAA hurdle. There's a federalism slant to that one, and it's police power (the DEA is like the cops) versus administrative power (CMB or CMS have power over California licensed doctors and Medicare/Medicaid providers, respectively), but the underlying question of whether and how the information in those types of databases can be accessed. It certainly makes sense that they could be accessed when looking to take action against the physicians, but not the patients; however, is the patient's right to privacy big enough to prevent that different use? Interesting question (although it really is insider baseball for the casual HIPAA observer).
Blogger: HIPAA Blog - Edit your Template