Health Insurance Portability and Accountability Act
Confidentiality has been a core principle of medical care for centuries. Indeed, the Hippocratic Oath commands that all “that may come to my knowledge in the exercise of my profession...which ought not to be spread abroad, I will keep secret and will never reveal.” The Health Information Portability and Accountability Act (HIPAA), passed in 1996, codifies this principle by including a privacy rule that creates a national minimal standard to protect personal health information.
Although HIPAA greatly affects the flow of medical information, it does not prevent or require specific authorization for sharing of information among health care providers involved in the care of the patient. Each provider, however, is obligated to comply with HIPAA, and most attorneys favor separate disclosure of privacy practices and consents whenever possible. When an interstate transfer is involved, conflicting state laws may become an issue, and the “higher” or more restrictive standard applies.Privacy notice forms are complex documents that must reflect many detailed elements of federal and state laws. These documents should be prepared by counsel and standardized for use by the transport service. All personnel should be trained regarding the content and use of the forms and in the privacy practices applicable in their jurisdiction. Emergency services such as transport teams are required to provide notice of privacy practices to patients “as soon as reasonably practicable after the emergency treatment situation.” This determination of practicability will probably be somewhat lenient in scene response situations, and provision of the information at the destination hospital will likely be acceptable. In transfer situations, however, it is more likely that the privacy notice will be expected before transfer.
It is generally advisable to obtain a signature evidencing receipt of the notice of privacy practices, but when the patient or family refuses signature or it is not practical to obtain a signature, it should be documented that the notice form was given to the patient or family.
If the situation is too involved for providers, patients, or family to rationally cope with legal notices, the situation should be documented, and notice may be provided later when circumstances permit.Violation of HIPAA regulations may result in fines to a provider and federal criminal charges against individuals for certain intentional violations. Additionally, providers are required to disclose breaches of protected health information (PHI) to patients within 60 days, and when more than 500 patients are involved (easier to do in the era of laptops, jump drives, and smartphones) the Department of Health and Human Services must be notified as well as “prominent media outlets.” Congress recently increased the size of monetary penalties, authorized state attorneys general to bring civil actions against violators in federal district court, and now allows plaintiffs to receive a percentage of any penalty or settlement.
State requirements may impose additional penalties, including criminal charges against individuals, for privacy violations. Although HIPAA creates a new civil liability, privacy violations can be used as grounds for medical malpractice suits in all jurisdictions. HIPAA also has the effect of standardizing privacy practices, which in turn may create a new standard of care over time.