Health care providers have a general duty to safeguard the privacy of their patients’ individually identifiable health information and their private health information. The disclosure of a patient’s private health information (‘PHI’) is very strictly limited under the Health Insurance Portability and Accountability Act (‘HIPAA’). 42 CFR Part 2. Under HIPAA, PHI may generally be used or disclosed as necessary without patient consent only to deliver treatment (including health, mental health, and/or emergency treatment), to seek payment, or for health care operations. These functions are sometimes referred to as TPO – Treatment, Payment, and Health Care Operations. Patient authorization is required for any other use or disclosure of PHI.
There are exceptions under HIPAA that permit or require the disclosure of PHI without patient consent or authorization. Before disclosing PHI under any exceptions, it is important for the health care providers to make sure that the disclosure is also permitted under any other rules that might protect the type of information to be disclosed (e.g., behavioral health information or HIV information).
Disclosure outside of the exceptions or without patient consent, regardless of whether the disclosure is accidental (negligent), can result in civil and criminal penalties anywhere from $100-$50,000 per violation depending upon the nature of the disclosure. 42 USC § 1320d-5. Reported HIPAA violations are also publicly accessible through the Freedom of Information Act (‘FOIA’), leaving a potentially permanent record of violations. Additionally, the violator may also be liable under invasion of privacy laws. All states are not the same; however, Michigan’s handling of this issue is similar to most states and can be used as a guide.
It appears for the moment, however, that negligent violation of patient privacy is potentially excusable where there are no actual damages. Doe, infra. The Court of Appeals recently dismissed an action for alleged invasion of privacy for the negligent disclosure of private health information online. Doe v Henry Ford Health Sys, 2014 Mich App LEXIS 2557 (December 18, 2014). The plaintiffs in Doe v Henry Ford Health Sys brought an action against Henry Ford hospital for its alleged failure to protect a group of 159 patients who had doctor’s visits at Henry Ford between June 3 and July 18, 2008. Id. *1.
Henry Ford’s third-party data manager had made a configuration change to their server which left certain patient records unprotected. Id. As a result, “Googlebot,” Google’s automated web crawler, indexed the information, thereby making it possible to find the patient information through Google’s search engine. Id. The information made accessible included the patient’s name, medical record number, the date of the patient’s visit, the location of the visit, the physician’s name, and a summary of the visit including medical history and diagnoses. Id. at *1-*2. After Henry Ford learned of the problem, all information was removed from the internet, the patients were notified, and corrective measures to protect the data were undertaken. Id. at *2.
The plaintiffs thereafter brought suit claiming invasion of privacy. However, the court dismissed the case on defendant’s motion for summary disposition because the disclosure was negligent and negligent invasion of privacy does not exist as a cause of action in Michigan. Id. at *7. The court stated that to bring a cause of action in Michigan courts for the disclosure to another of private health information, one must bring the case under invasion of privacy through the public disclosure of private facts, for which a plaintiff must meet three elements: (1) the disclosure of information; (2) that is highly offensive to a reasonable person; and (3) that is of no legitimate concern to the public. Doe v Henry Ford Health Sys, 2014 Mich App LEXIS 2557. *6 (December 18, 2014) quoting Doe v Mills, 212 Mich App 73, 80 (1995). Further, the “publicity” must be made “to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. (Internal citations omitted).
The court reasoned that there was no precedent for permitting the tort of invasion of privacy to proceed on the basis of negligent disclosure. Id. Accordingly, the court dismissed the invasion of privacy action because there was sufficient evidence to conclude that the disclosure was not intentional. The court further reasoned that the plaintiffs’ case could not be maintained under negligence theory or breach of contract theory unless they could prove actual damages. Id. at *8.
The Doe case bodes well for the institution. However, the individual licensed health professional may still be subject to an investigation and complaint by the health provider’s disciplinary subcommittee for the representative board of licensure for their negligent disclosure of PHI. A complaint arising out of allegations of negligent disclosure of PHI may be brought under the Michigan Public Health Code, MCL 333.1101 – 333.25211, in at least two counts. The first is an alleged violation of a general duty, consisting of negligence or failure to exercise due care, including negligent delegation to or supervision of employees or other individuals, whether or not injury results. MCL 333.16221(a). The second is the allegation of incompetence. MCL 333.16221(b)(i). Incompetence is defined as “a departure from, or failure to conform to, minimal standards of acceptable and prevailing practice for a health profession, whether or not actual injury to an individual occurs.” Id.
If you are under investigation for your conduct or you have received a letter from the Michigan or Florida Licensing Board or Disciplinary Subcommittee pertaining to your license, it is prudent to seek assistance from Chapman Law Group. Our experienced professional licensing practice will assist you with determining the best course of action and, if necessary, represent you before the licensing board or the administrative hearing system.