Enforcement of the HIPAA privacy rule protecting personally identifiable patient information began in 2003. The Health and Human Service’s Office for Civil Rights is responsible for enforcing the rule, and they are the body that generally does so.
However, in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) act was enacted to promote the adoption and meaningful use of health information technology. The HITECH act empowers state attorneys general to enforce HIPAA rules by permitting civil actions against violators, which is what happened to the medical center in this case.
The handful of state attorneys general who have pursued HIPAA enforcement cases thus far includes those from the states of New York, Connecticut, and Massachusetts.
Personally identifiable patient health information is protected and must be treated with great care and caution. This case, however, highlights the challenges that can be faced when a healthcare practitioner changes practices. Healthcare practitioners consider themselves to have an ongoing relationship with their patients from a treatment perspective. Thus, they may believe that they can take a patient list with them when they move from one practice to another. However, absent an agreement to the contrary, the patient list belongs to the former employer, not the healthcare practitioner who was being employed by that employer. Without consent from both the former employer and the patients, their information should not be transferred elsewhere.
It is likely that Ms L was doing what she thought was best for her patients: providing them with an opportunity to continue their care with her, albeit at a different practice. However, she did not tell her current employer (the medical center) what she intended to do with the list, and the medical center clearly provided it because they believed it was going to be used to ease the transition of care for patients from Ms L to another of the medical center’s practitioners.
To best protect yourself from inadvertently violating HIPAA, be sure you know your practice’s policies and procedures, and be clear about what you plan to use the information for in advance.
Ms Latner, a former criminal defense attorney, is a freelance medical writer in Port Washington, NY.