State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.
In this second of our two-part blog series on protecting health information post Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients.
Formal Requests for PHI
As discussed previously, there are a number of provisions under HIPAA that permit health care providers to disclose protected health information (or “PHI”) to regulatory or law enforcement authorities. However, these HIPAA provisions aren’t open-ended, and there are requirements that must be met before a provider may disclose PHI. If a government request fails to meet those criteria, the provider is not obligated to respond and, in fact, is at risk of violating HIPAA if he or she responds to a request outside the parameters of the rule.
The chart below depicts examples of HIPAA provisions permitting the disclosure of PHI to regulatory authorities and questions for providers to ask themselves to ensure that any disclosure complies with HIPAA requirements.
Informal Requests for PHI
As state abortion bans become effective, providers are also likely to receive informal requests for PHI from regulatory authorities, law enforcement and others. HIPAA does not permit the disclosure of PHI in response to an informal request, even if the individual making the request appears to have some sort of authority, such as a uniform or agency credentials. An inappropriate disclosure results in a HIPAA breach.
Providers must educate staff and make sure that employees understand that there is a difference between lawful requests for PHI and informal requests that may merely seem official. Employees must understand the importance of not being threatened or bullied into providing PHI. Providers should have policies and procedures for directing third-party requests for PHI to a single point of contact within the organization, such as a Privacy Officer, who is qualified to evaluate them or who has access to the support necessary to evaluate them. It’s important for staff to understand what to do when a purported “authority” shows up in the office making demands.
In some states, pressure from authorities or laws incentivizing private citizens to report illegal abortions may increase the risk of employee snooping, in violation of HIPAA and state law. Accordingly, providers should regularly audit workforce member access to PHI to ensure that access is authorized and to identify and address instances of snooping. Providers should make workforce members aware of ongoing auditing activity as well as the consequences of violating patient privacy in order to dissuade snooping.
Finally, in our last blog post, we discussed rights under HIPAA that patients may use to protect their PHI to the greatest extent possible. Providers should take steps to educate patients about their rights and make it easier for them to understand and exercise those rights, especially patients who are younger or who have other challenging circumstances. A provider’s HIPAA Notice of Privacy Practices provides an excellent basis for the discussion of patient rights. Providers could consider developing forms to make it easier for patients to exercise these rights.
Pay Attention to Details
As discussed above, providers need to take affirmative protective actions to dissuade (and identify) medical record “snooping.” It is difficult for practices to keep up with technology advances and ever-growing amounts and sources of data. Mitigating snooping has always been important to avoid HIPAA violations, but in states with abortion bans, it is now even more critical to protect patients.
Here are some steps to help mitigate snooping.
- Take stock of the data. The first step to data security is to understand where the data lives within the organization and why you have it. By doing so, organizations gain a clear understanding of who should be accessing what and why. For example, email systems should never be used as a “storage” place for patient data.
- Implement data monitoring software – and tell your employees about it. With the sheer amount of patient data and records handled by the typical practice, automation is a necessity. This type of technology can flag unusual access behavior based on details such as the time of access and other key attributes of each record access.
- Communicate policies & train employees. Transparency about what monitoring procedures are in place reaffirms a culture of privacy and also reinforces the idea that privacy breaches – regardless of existing law – are unacceptable and offenders will be identified.
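The monitoring step above is the kind of check a Privacy Officer can automate over an EHR system’s access audit log. The following Python script is an added example written for this post and is not code from the blog’s authors or from any EHR vendor. It assumes a hypothetical pipe-delimited audit-log format, a constructed care-team roster that records which workforce members have a treatment or billing relationship with each patient record, and illustrative thresholds for after-hours access and bulk chart opening. It returns a list of findings for human review rather than deciding on its own that snooping occurred.

```python
"""Constructed EHR audit-log review: flags record accesses that merit a
privacy officer's follow-up. All data, formats and thresholds are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime    # when the record was opened
    user: str       # workforce member id
    role: str       # job role, e.g. "physician", "billing"
    patient: str    # patient record id
    action: str     # "view", "print", "export", ...


# Hypothetical roster: workforce members with a documented treatment or
# billing relationship to each patient record. In practice this would come
# from scheduling, encounter and billing assignments in the EHR.
CARE_TEAM = {
    "P001": {"dr.lee", "rn.ortiz", "billing.kim"},
    "P002": {"dr.lee", "billing.kim"},
    "P003": {"rn.ortiz", "billing.kim"},
    "P004": {"dr.lee"},
    "P005": {"dr.lee"},
    "P006": {"dr.lee"},
}

BUSINESS_HOURS = (7, 19)         # 07:00-19:00 local; anything else is "after hours"
BULK_WINDOW = timedelta(minutes=10)
BULK_DISTINCT_PATIENTS = 4       # this many distinct charts in the window is unusual

# Constructed sample audit log: ts|user|role|patient|action
SAMPLE_LOG = """\
2023-07-10T09:02:00|dr.lee|physician|P001|view
2023-07-10T09:15:00|rn.ortiz|nurse|P003|view
2023-07-10T12:30:00|billing.kim|billing|P002|view
2023-07-10T22:41:00|rn.ortiz|nurse|P002|view
2023-07-11T08:00:00|dr.lee|physician|P004|view
2023-07-11T08:02:00|dr.lee|physician|P005|view
2023-07-11T08:04:00|dr.lee|physician|P006|view
2023-07-11T08:06:00|dr.lee|physician|P002|view
2023-07-11T14:10:00|frontdesk.ng|reception|P001|view
"""


def parse_line(line: str) -> AccessEvent:
    """Parse one audit-log line in the hypothetical ts|user|role|patient|action format."""
    ts, user, role, patient, action = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient, action)


def review(events):
    """Return (rule, user, detail) findings for a privacy officer to examine."""
    findings = []
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        # Rule 1: the user has no documented relationship with this patient.
        if e.user not in CARE_TEAM.get(e.patient, set()):
            findings.append(("no_treatment_relationship", e.user,
                             f"{e.patient} opened at {e.ts.isoformat()}"))
        # Rule 2: access outside business hours (a signal, not proof of misuse).
        if not BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", e.user,
                             f"{e.patient} opened at {e.ts.isoformat()}"))
        per_user[e.user].append(e)

    # Rule 3: many distinct charts opened by one user inside a short window.
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x.ts - start.ts <= BULK_WINDOW]
            distinct = {x.patient for x in window}
            if len(distinct) >= BULK_DISTINCT_PATIENTS:
                findings.append(("bulk_access", user,
                                 f"{len(distinct)} charts within {BULK_WINDOW} "
                                 f"starting {start.ts.isoformat()}"))
                break   # one finding per user is enough to trigger review
    return findings


def review_log(text: str):
    """Parse a whole audit-log text and return its findings."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return review(events)


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:26} {user:14} {detail}")
```

Run on the constructed log, the script reports the nurse who opened a chart outside her care team late at night (two findings: no relationship and after hours), the receptionist who opened a record with no documented relationship, and the physician who opened four charts in six minutes. None of these is a HIPAA violation on its own; the point of the script is to produce a short, explainable list for the Privacy Officer to check against schedules and encounters, and the fact that such reviews happen is exactly what should be communicated to staff.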
To repeat: Email is not document storage. This is a good time to review your email practices and how your staff uses email. Email should not be used as storage for documents containing PHI or even for calendar services for practice administration. As a general rule, free and Internet-based web mail services (Gmail, Hotmail, AOL) are not secure for the transmission of PHI, whether in an attachment to an email or in the body of an email itself. OCR has imposed penalties on providers for not taking steps to protect PHI and for using Internet-based email and calendar services. Utilization of secure services like patient portals for the transmission of communications containing PHI or relating to treatment reduces the documentation you have on premises.
HHS: When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
JAMA: Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information