
When Good Intentions Violate HIPAA Rules

As a physician or person involved in the healthcare workforce, you likely encounter ongoing challenges complying with Federal Health Insurance Portability and Accountability Act (HIPAA) regulations in all areas of your practice.

This “Case of the Month” involves a HIPAA breach by a physician who attended a weekly “stats conference” in an academic acute hospital setting. 

The Case: 

In the case, Koos v. Medical Staff of Ronald Reagan UCLA Medical Center, analyzed by Christopher J. Allman JD, CPHRM, DFASHRM, in the Journal of Healthcare Risk Management's Case Law Update, Dr. C, a resident, presented a de-identified case involving an infant with 0/0/0 Apgar scores.¹ Dr. K, an attending obstetrician, was in attendance. Following the presentation, Dr. K asked Dr. C for both the mother’s and the infant’s medical record numbers. Dr. C declined this request since Dr. K was not part of the patients’ treatment team. Dr. K persisted in trying to obtain the medical record numbers over the next several days. Eventually, Dr. C relented and provided the numbers. Dr. K obtained the fetal heart tracings and reviewed these in a resident room with an unauthorized non-UCLA physician. When another attending physician questioned Dr. K’s actions, Dr. K responded that he, Dr. K, “sanctioned” the review. The matter was reported to the obstetrics (OB) department chair and ultimately to UCLA’s medical staff executive committee. This committee determined Dr. K’s action did not comply with regulatory requirements or UCLA policy and recommended a 90-day suspension, education, and a $25,000 fine.¹

A three-day hearing was held where Dr. K stated his review of the records was for “patient safety” and “quality improvement,” which fell under the HIPAA healthcare operations privacy rule. Both the hearing panel and subsequent administrative panel disagreed and upheld the medical staff’s decision. When Dr. K filed an action in the California Superior Court to set aside this decision, the court denied his request. Dr. K subsequently appealed the decision to the California Court of Appeals. The appellate court upheld the decision, finding that the administrative panel's decision was supported and justified by the evidence presented at Dr. K's hearing.¹

Analysis: 

HIPAA allows use of protected health information (PHI) for healthcare operations, which include certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.² These operations and activities are defined by the covered entity, in this case, the hospital. Although Dr. K purported that his review of the records was for “quality improvement,” he failed, prior to the hearing, to invoke hospital policy supporting his position that he was authorized to review the records.¹,³ Additionally, UCLA policy provided that Workforce members “should only access and use PHI as necessary for their job functions.”¹

The U.S. Department of Health and Human Services (HHS) indicates six allowances under HIPAA for the Permitted Uses and Disclosures of PHI. One allowance is related to Treatment/Payment/Healthcare Operations:⁴

■ Treatment Purposes

Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

■ Payment Purposes

Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for healthcare delivered to an individual and activities of a healthcare provider to obtain payment or be reimbursed for the provision of healthcare to an individual.

■ Healthcare Operations

Healthcare operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Dr. K additionally argued that the event was a sentinel event for which a root cause analysis was needed, to further support his review of the records. However, the appeal board found this testimony not credible due to his failure to invoke the policy prior to the hearing or to report the alleged sentinel event to anyone at the university.³

Risk Management Considerations:¹

When rules are not followed, both the physician and the institution are subject to potential liability from the involved patients and, possibly, other patients, along with the Office of Civil Rights and other state and federal authorities.

When proper protocols are not followed, any quality review or peer review protection that may be afforded to the information obtained in a review may be lost. This may mean that the information obtained becomes evidence in a professional liability or other court action.

As a provider, you should understand your role in protecting a patient’s PHI and know when it is allowed and when it is NOT allowed to review a medical record. Unauthorized access can put you at risk of professional disciplinary action and a monetary fine. 

Reduce your risk of a violation:

  • Only access PHI for quality reviews or patient safety reasons if you are authorized by the healthcare organization.
  • Complete yearly HIPAA training: 1) refresh your knowledge; 2) be aware of any changes.
  • Complete a HIPAA Risk Assessment of your practice. 
  • Only use a HIPAA-compliant patient portal, email, or text platform. 
  • Do not share PHI with other providers who are not part of the treatment team. 

Know the 6 Most Common HIPAA Violations:⁴

  1. Improper Use and Disclosure of PHI
  2. Publicly Disclosing PHI
  3. Failing to Maintain Mandated HIPAA Documentation and Conduct Risk Assessments
  4. Exposing Yourself to Hackers/Cyber Risk
  5. Compromising Data by No or Poor Encryption Technology
  6. Improperly Disposing of PHI

Contact CAP for information on Federal HIPAA guidelines. You can also find a full explanation of the HIPAA Privacy Rule at HHS.gov.

Rikki Valade, RN, BSN, PHN is a Senior Risk Management and Patient Safety Specialist at Cooperative of American Physicians, Inc. Questions or comments related to this article should be directed to RValade@CAPphysicians.com.

 

Sources

¹Allman, CJ. “Case Law Update.” Journal of Healthcare Risk Management 42, no 3-4 (2023): 52-61. https://doi.org/10.1002/jhrm.21532

²U.S. Department of Health and Human Services. "Uses and Disclosures for Treatment, Payment, and Health Care Operations". 45 CFR 164.506. Accessed 2.6.2024. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosure…

³Collins, J. “Koos v. Med. Staff of Ronald Reagan UCLA Med. Ctr.” Legal research tools from Casetext, November 29, 2022. https://casetext.com/case/koos-v-med-staff-of-ronald-reagan-ucla-med-ctr. https://scholar.google.com/scholar_case?case=16017561303953823629&q=Koo…

⁴U.S. Department of Health and Human Services, HIPAA for Professionals; Permitted Uses and Disclosures. Oct 19, 2022. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/in…

⁵Risk Management Tools and Resources, The Cooperative of American Physicians; HIPAA Action Guide for Physicians, The 6 Most Common HIPAA Violations; May 2016 (page 2-11). http://www2.capphysicians.com/six-most-common-hipaa-violations?utm_sour…