Federal Laws and Regulations
- Background on HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Sections 261 through 264 of HIPAA required the Secretary of the Department of Health and Human Services to publicize standards for the electronic exchange, privacy, and security of health information. These are called the Administrative Simplification provisions.
HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years. Congress did not enact privacy legislation. The Department of Health and Human Services then developed a proposed rule. The final regulation, the Privacy Rule, was published in late 2000. In August 2002, the rule was modified and finalized. A text combining the final regulation and the modifications can be found at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
The Privacy Rule and the Administrative Simplification rules apply to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form. Under the rules they are “covered entities” and are subject to regulations set forth by the Department of Health and Human Services, including the Privacy Rule and the Administrative Simplification Rule.
- Protected Health Information
45 C.F.R. § 160.103 provides that protected health information is information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or reasonably could be used to identify the individual. Individually identifiable health information is considered to include a person’s name, address, birth date, and social security number.
- Disclosure and Required Authorization to Disclose Protected Health Information
45 C.F.R. § 164.502(a) provides that a covered entity may not use or disclose protected health information unless: 1) permitted by the Privacy Rule or 2) authorized to do so in writing by the individual who is the subject of the information (or their personal representative).
Because covered entities may disclose protected health information in the course of treatment or business among themselves, authorized third-party businesses, and the patient, it is optional for a covered entity to obtain a consent form from a patient to use the patient’s protected health information for the permitted uses identified under the Privacy Rule. This is authorized by 45 C.F.R. § 164.506(b). Those permitted uses are for an entity’s own: 1) treatment, 2) payment, and 3) health care operations. They are defined at 45 C.F.R. § 164.501.
A doctor or covered entity may obtain informal permission from a patient, but it must be done in a manner that clearly gives the patient the opportunity to agree, acquiesce, or object. Informal permission allows a covered entity to disclose to the patient’s family, relatives, or friends protected health information directly relevant to that person’s involvement in the individual’s care or payment for care. But permission must first be obtained from the patient. This is addressed in 45 C.F.R. § 164.510(b).
Not all incidental disclosures are prohibited by the Privacy Rule. A use or disclosure of protected health information that occurs incident to a permitted disclosure is allowed if reasonable safeguards have been put in place under the Privacy Rule. This is addressed in 45 C.F.R. § 164.502(a)(1)(iii).
45 C.F.R. § 164.508 requires that, for any disclosure not listed as a permitted use, a covered entity must obtain written authorization from the patient for any use or disclosure of protected health information. For instance, if a pharmaceutical company wants to obtain protected health information for marketing, a written authorization is required.
Using or disclosing mental health records also requires the individual’s written authorization. This is addressed in 45 C.F.R. § 164.501 and 45 C.F.R. § 164.508(a)(2).
- Marketing Involving Protected Health Information
Marketing is addressed in 45 C.F.R. §§ 164.501 and 164.508(a)(3). Marketing includes an arrangement between a covered entity and any other entity where the covered entity discloses protected health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services to encourage the use or purchase of those products or services. A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value. No authorization is needed to make a communication that falls within one of the exceptions to the marketing definition. An authorization for marketing that involves the covered entity’s receipt of direct or indirect remuneration from a third party must reveal that fact.
- Restrictions and Requirements for Internal Use of Protected Health Information
Internal access to and use of records is also an important facet of the Privacy Rule. This is covered by the “minimum necessary” portion of the Privacy Rule found at 45 C.F.R. §§ 164.501 and 164.508(a)(3). For internal use of protected health information, a covered entity must develop and implement policies and procedures that restrict access to and use of protected health information based on the specific roles of the members of its workforce. These policies and procedures must identify the persons, or classes of persons, who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
- Privacy Policies and Procedures are Required
A covered entity must develop and implement privacy policies and procedures consistent with the Privacy Rule under 45 C.F.R. § 164.530(i).
- A Covered Entity Must Train its Workforce
Under 45 C.F.R. § 164.530(b) a covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. The workforce is defined at 45 C.F.R. § 160.103 as employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the entity. A covered entity must also have sanctions in place for persons who violate the entity’s privacy policies and procedures or the Privacy Rule. This is required by 45 C.F.R. § 164.530(e).
- A Covered Entity Must Have Privacy Personnel
45 C.F.R. § 164.530(a) requires covered entities to designate a privacy official responsible for developing and implementing its privacy policies and procedures. A covered entity must also designate a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
- Data Safeguards
45 C.F.R. § 164.530(c) requires a covered entity to maintain administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule.
- Privacy Practices Notice Requirements
Most covered entities have a notice requirement under 45 C.F.R. §§ 164.520(a) and (b). A patient must receive a notice from the covered entity that describes the entity’s privacy practices. For a covered entity that provides direct treatment to a patient, this notice must be delivered to the patient in one of three ways: by personal delivery, by electronic service, or by mail. The covered entity must post the notice at the site of service where people obtaining service will be able to read it. Any website a covered entity maintains for customer service or benefits information must also make its privacy notice electronically available.
The notice must describe how the covered entity may use and disclose protected health information. It must also describe the covered entity’s duties to protect privacy, to provide a notice of privacy practices, and to abide by the current notice. It must include the patient’s individual rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must comply with the notices they provide.
A covered entity must provide its privacy notice to anyone upon request under 45 C.F.R. § 164.520(c). Finally, a covered entity must make a good faith effort to obtain a written acknowledgment of receipt of the privacy practices notice under 45 C.F.R. § 164.520(c).
- Complaints About Privacy Violations
45 C.F.R. § 164.530(d) requires that covered entities have procedures in place for individuals to complain about an entity’s compliance with its privacy policies and procedures and the Privacy Rule. 45 C.F.R. § 164.520(b)(1)(vi) requires that this procedure be outlined in the privacy practices notice provided to patients. The notice must identify the person at the covered entity who receives complaints, and it must also advise the individual that a complaint can be submitted to the Secretary of the Department of Health and Human Services.
- Breach Notification Rule
The Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires covered entities and business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions apply to vendors of personal health records and third-party service providers under section 13407 of the HITECH Act.
A breach is an impermissible use or disclosure that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of the following factors: 1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2) the unauthorized person who used the protected health information or to whom the disclosure was made; 3) whether the protected health information was actually acquired or viewed; and 4) the extent to which the risk to the protected health information has been mitigated.
Following a breach of unsecured protected health information, covered entities must provide notification to affected individuals, to the Secretary of the Department of Health and Human Services, and, in some cases, to the media (when 500 or more people have been affected by the breach). In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Covered entities must notify affected individuals following discovery of a breach. Covered entities must provide the individual notice in written form by first-class mail or, alternatively, by e-mail if the individual has agreed to receive notice electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice either by posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn whether their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
Individual notification must occur no later than 60 days following discovery of the breach. The notification must include: 1) a description of the breach; 2) a description of the type of information involved in the breach; 3) the steps an individual should take to protect themselves from harm; 4) a description of what the entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and 5) contact information for the covered entity or business associate.
The covered entity must also report the breach to the Secretary of Health and Human Services by filling out the breach report form on the HHS website. For large-scale breaches affecting 500 people or more, the covered entity has 60 days to report the breach to the Secretary. For breaches affecting fewer than 500 people, a covered entity must report the breach no later than 60 days after the end of the calendar year in which the breach was discovered.
Covered entities and business associates have the burden of demonstrating that all required notifications were provided or that a use or disclosure did not constitute a breach. A covered entity or business associate is therefore required to maintain documentation that all required notifications were made or, alternatively, documentation demonstrating that notification was not required.
- Retaliation is Not Allowed
45 C.F.R. § 164.530(g) prevents covered entities from retaliating in any manner against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another authority, or for opposing an act or practice that the person believes violates the Privacy Rule. A covered entity also may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility under 45 C.F.R. § 164.530(h).
- Patient’s Right of Access to Their Protected Health Information
45 C.F.R. § 164.524 provides that individuals may review and obtain a copy of their protected health information from a covered entity. The records subject to this right are the “designated record set,” defined at 45 C.F.R. § 164.501 as the records maintained by a covered entity that are used, in whole or in part, to make decisions about individuals: the medical records or billing records about an individual, or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. Covered entities may impose reasonable, cost-based fees for the cost of copying and postage.
- Patient’s Right to Obtain an Accounting of Disclosures of their Protected Health Information
Under 45 C.F.R. § 164.528, a patient has a right to know whether and to whom their medical information has been disclosed, unless the disclosure falls within the specified exceptions to the accounting requirement. A covered entity or one of its business associates must maintain a record of disclosures for six (6) years to comply with the accounting requirement. However, the accounting is limited to certain situations. An accounting is not required for disclosures: (a) for treatment, payment, or health care operations; (b) to the individual or the individual’s personal representative; (c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; (d) under an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or (h) incident to otherwise permitted or required uses or disclosures. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.
- Mitigation of Damages by a Covered Entity
When a covered entity learns that a patient has been harmed by an unauthorized use or disclosure of protected health information by its workforce or a business associate in violation of its privacy policies and procedures or the Privacy Rule, the entity must mitigate, to the extent practicable, the harmful effects of that use or disclosure. This is required by 45 C.F.R. § 164.530(f).
- Records Retention
45 C.F.R. § 164.530(j) requires a covered entity to maintain for six years its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
HIPAA and its implementing regulations provide significant protections for patients and give them rights that protect the confidentiality of their health information. Federal employees also have protection of such information through another statute, the Federal Privacy Act, which provides additional remedies for privacy violations. If you believe any of your rights protected by HIPAA’s Privacy Rule have been violated, you should immediately file a complaint both with the entity that you believe violated your rights and with the Department of Health and Human Services, Office for Civil Rights. While this section summarizes federally protected medical privacy rights, the section below addresses several state laws that provide additional protection of a person’s medical privacy rights. This section is focused on Florida, but most states have similar laws providing additional protections. Remember also that HIPAA does not preempt state laws that provide a greater level of protection than the Privacy Rule requires.
State Laws in Florida
Florida has several statutes that provide legal protections for a patient’s protected health information. Below is a summary of some of the most relevant statutes and case law that provide remedies for violations of both federal and state laws and regulations protecting a patient’s medical privacy.
- Fla. Stat. § 456.07(10)
All medical providers must protect medical record confidentiality and implement policies and procedures to protect them. Fla. Stat. § 456.07(10): “All records owners shall develop and implement policies, standards, and procedures to protect the confidentiality and security of the medical record. Employees of records owners shall be trained in these policies, standards, and procedures.”
- Fla. Stat. § 456.07(11)
All disclosures of records must be tracked and maintained. Fla. Stat. § 456.07(11): “Records owners are responsible for maintaining a record of all disclosures of information contained in the medical record to a third-party, including the purpose of the disclosure request. The record of disclosure may be maintained in the medical record. The third-party to whom information is disclosed is prohibited from further disclosing any information in the medical record without the expressed written consent of the patient or the patient’s legal representative.”
- Fla. Stat. § 456.07(7)
Fla. Stat. § 456.07(7) prohibits a physician from discussing a patient’s medical condition with any person other than the patient or the patient’s legal representative and healthcare providers involved in the care or treatment of the patient, except upon written authorization of the patient.
- Fla. Stat. § 381.004
This statute provides special protections for persons with HIV and for persons taking HIV tests. Fla. Stat. § 381.004(2)(e) provides that the identity of any person upon whom an HIV test has been performed is confidential and is exempt from disclosure under Florida’s public records laws. It also provides that any person who has obtained or has knowledge of a test result may not disclose, and may not be compelled to disclose, the test result in a manner that identifies the person who took the HIV test, except in very limited circumstances. Fla. Stat. § 381.004(2)(f) provides that whenever a disclosure is made concerning any HIV test of a patient, it must contain a specific written statement that: “This information has been disclosed to you from records whose confidentiality is protected by state law. State law prohibits you from making any further disclosure of such information without the specific written consent of the person to whom such information pertains, or as otherwise permitted by state law. A general authorization for the release of medical or other information is NOT sufficient for this purpose.” If an oral disclosure is made, the statute requires that an oral notice be provided and followed by the written notice described above within 10 days of the disclosure.
The statute also provides penalties for violations of the statute. Fla. Stat. § 381.004(5) provides that a violation by a facility or licensed health care provider is grounds for disciplinary action under the facility or professional’s licensing chapter found in Florida’s statutes. Any person who violates the confidentiality provisions of this law commits a misdemeanor of the first degree.
Florida Cases on Medical Privacy Violations
Although HIPAA and the Florida statutes that protect patients’ medical privacy rights do not themselves create a private cause of action, this does not leave a patient without a remedy. Florida has long recognized that statutes and regulations can be used in common law negligence claims to establish the standard of care and as evidence of negligence.
“The courts of Florida have long recognized that the violation of a statute may be utilized as evidence of negligence.” Florida Dept. of Corr. v. Abril, 969 So. 2d 201, 205 (Fla. 2007). The Alford v. Meyer, 201 So. 2d 489 (Fla. 1st DCA 1967) court stated it as follows:
The rationale supporting the admission of a statute, ordinance, or administrative rule or regulation as prima facie evidence of negligence is that the standard of conduct or care embraced within such legislative or quasi-legislative measures represent a standard of at least reasonable care which should be adhered to in the performance of any given activity.
Abril, 969 So. 2d at 205 (quoting Alford, 201 So. 2d at 491). Under Florida law it is well-established that both federal and state statutes provide the standard of reasonable care for negligence claims. Showing that a medical provider has violated such a statute is therefore considered prima facie evidence of negligence.
In Abril, a case involving a laboratory’s unauthorized disclosure of a patient’s HIV status, the Florida Supreme Court cited several applicable statutes and stated that “Florida has a long tradition of recognizing the privacy interests of patients in confidential medical records.” Id. at 205-206. “[T]his [Florida Supreme] Court has consistently and rigorously enforced the rights of patients to confidentiality in their medical records.” Id. at 206. These cases form the backbone of Florida law authorizing suits for violations of medical privacy rights in Florida.
Both federal and state law provide ample medical privacy rights to individuals. While HIPAA, the Privacy Rule, and the Florida statutes addressed above provide only regulatory remedies, a person is not without a private remedy. Florida’s Supreme Court has made it clear that a person has private remedies for violations of their medical privacy rights. In combination, HIPAA, the Privacy Rule, Florida law, and Florida case law provide robust protection of a person’s medical privacy rights.