Louisiana DPS&C HIPAA Lawsuit, Law Office of William Most, 2016
Law Office of William Most
637 Kerlerec Street ♦ New Orleans, LA 70116
650-465-5023
williammost@gmail.com

MEMORANDUM

TO: File
FROM: William Most
RE: Louisiana DPS&C HIPAA Lawsuit
DATE: March 2, 2016

Question Presented: Has the LA Department of Public Safety and Corrections violated HIPAA by refusing to give inmates access to their medical records? And if so, can we enforce it by means of § 1983?

Short Answer: Yes to the first question, no to the second. Every case I’ve seen that directly addresses the question says that 1983 cannot be used as a vehicle to enforce HIPAA violations.

DISCUSSION

I. HIPAA’s Privacy Rule

“The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which provides for the promulgation of privacy regulations (the HIPAA Privacy Rule)[1] is the key federal law that shapes the legal environment underlying health information-sharing in correctional contexts. HIPAA provides a baseline standard of privacy protection for health information—federal and state laws that offer more stringent privacy protections are not superseded by the Privacy Rule.[2]” (Melissa Goldstein, Health Information Privacy in the Correctional Environment (April 2012).)

Relevant portions of the Privacy Rule:

45 C.F.R. 164.524

(a) Standard: Access to protected health information

(1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

(2) Unreviewable grounds for denial. A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances.
(i) The protected health information is excepted from the right of access by paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.

[1] 45 C.F.R. §§ 160, 164.
[2] 45 C.F.R. § 160.203.

March 2016 HIPAA Memorandum

...

(b) Implementation specifications: Requests for access and timely action

(1) Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

(2) Timely action by the covered entity.
(i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows.
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section.
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.

Note: The section about incarcerated inmates left out the word “inspect.” Incarcerated inmates may be denied a copy of their records, but the relevant section does not say they can’t inspect their records.
“As explained by the drafters of the Rule, the purpose for the exception, and the reason that the exception is limited to denying an inmate a copy of the PHI, is to “give correctional institutions the ability to maintain order in these facilities and among inmates without denying an inmate the right to review his or her protected health information.” (Health Information Privacy in the Correctional Environment, citing Department of Health and Human Services, Final Rule, Preamble, 65 Fed. Reg. at 82555.)

II. Relevant State Law and Prison Policies

DOC has a number of overlapping and contradictory policies. (Compare HC-33 § 11(A) (“Medical records . . . shall be available to anyone having a legitimate interest”) with HC-25 § 5(b)(3) (“Persons who are not direct health care providers shall not be given access to health records/information of an offender.”).)

A. State Law Equivalent – 1299.96 A.

R.S. 44:7 Hospital records

C. Whenever the past or present condition, sickness or disease, physical or mental, of any patient treated in any hospital, adult or juvenile correctional institution, center or school, set forth in Subsection A of this Section shall be at issue or relevant in any judicial proceeding, the charts, records, reports, documents and other memoranda referred to in said Subsection A shall be subject to discovery, subpoena and introduction into evidence in accordance with the general law of the state relating to discovery, subpoena and introduction into evidence of records and documents.

B. 22 LAC § 101(H)(1):

“Access to and release of medical records is governed by R.S. 44:7 and Health Care Policy No. HC-33 “Offender Medical Records.”

C. Department Regulation No. B-03-004 (20 January 2009)

“Access to and release of medical records is governed by La. R.S. 44:7 and Health Care Policy No. HC33 ‘Offender Medical Records.’”

D. Health Care Policy No. HC-33 “Offender Medical Records”

§ 6(B): “Medical information shall not be disclosed to anyone except in accordance with Health Care Policy No. HC-25 ‘Confidentiality’ and applicable state and federal law.”

§ 6(E): “Offenders shall not be allowed access to their medical record or the medical record of other offenders unless authorized by the Warden or designee.”

§ 11(A): “Medical records, except psychiatric records (which includes any psychological or mental health records), shall be available to anyone having a legitimate interest, provided the offender or in case of death, the legal heir or next of kin, has consented in writing to their release utilizing the Authorization to Release Medical Information (Form HC-33-A). Upon receipt of advance payment of the copying charges, the medical records shall be released.”

§ 11(H): “The Department does not conduct covered transactions defined in the Health Insurance and Portability Act of 1996 (HIPPA) [sic] and therefore, is not a “covered entity’ under HIPPA.”

E. Health Care Policy No. HC-25 “Confidentiality”

§ 5(b)(3): “Persons who are not direct health care providers shall not be given access to health records/information of an offender. Any disclosure of such health information shall be approved by the Health Authority.”

§ 5(b)(8): “Only the information necessary to preserve the health and safety of an offender, other offenders, volunteers, visitors or correctional staff shall be released regarding an offender’s health status.”

To Get:
- Authorization to Release Medical Information (Form HC-33-A).
- Health Information Disclosure Reference Chart (attachment to HC-33).

III. Is the DOC A Covered Entity?

The DOC claims it isn’t. (HC-33 § 11(H): “The Department does not conduct covered transactions defined in the Health Insurance and Portability Act of 1996 (HIPPA) [sic] and therefore, is not a “covered entity’ under HIPPA.”) But, in its contracts with hospitals, it says “Each party agrees to comply with [HIPAA] . . . including, without limitation, the federal privacy regulations contained in 45 C.F.R. Parts 160 and 164 . . . 142” (Bruce Reilly Files “Payments, reimbursements, Medicaid” at 307-308.)

According to one commentator:

In response to the initial version of the Privacy Rule, which would have excluded the individually identifiable health information of correctional facility inmates from the definition of PHI because “unimpeded sharing of inmate identifiable health information is crucial for correctional and detention facility operations,”[3] DHHS received many, ultimately persuasive, comments arguing that excluding such information from protection sends the message that, with respect to this population, abuses do not matter. Commenters argued that, on the contrary, inmates have a right to privacy in their health information and that information obtained in these settings can be misused. . . The drafters of the final regulation were persuaded by these arguments and eliminated the exception.[4] . . . Guidance produced by the Centers for Medicare and Medicaid Services indicates that such institutions therefore are not health care clearinghouses or health plans within the meaning of the Rule.[5] A correctional institution’s status as a covered entity would then depend solely on its qualification (or lack thereof) as a health care provider who transmits health information in electronic form in connection with a covered transaction.
That is, if the organization “furnishes, bills, or is paid for health care in the normal course of business”[6] and transmits information in electronic form in connection with one of the following eight types of transactions, it is a covered entity and must comply with HIPAA: health care claims or equivalent encounter information; eligibility for a health plan; referral certification and authorization; health care claim status; enrollment and disenrollment in a health plan; health care payment and remittance advice; health plan premium payments; and coordination of benefits. Although correctional institutions are not likely to engage in most of the transaction types specified by the regulations, it is conceivable that one might transmit clinical encounter information for the purpose of reporting health care; request review of health care in order to secure an authorization; and/or receive payment of health care claims from a private or public health plan. If the correctional institution electronically transmits one of these transactions or has a contract with another provider who transmits the health care information electronically, it will be required to comply with HIPAA.[7]

Melissa M. Goldstein, Health Information Privacy in the Correctional Environment (April 2012). https://www.statereforum.org/system/files/hit_corrections.pdf

[3] Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information; Proposed Rule, 64 Fed. Reg. 59918-60065, 59938 (November 3, 1999).
[4] Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information; Final Rule, Preamble, 65 Fed. Reg. 82462-82829, at 82540-82541, 82622 (Dec. 28, 2000).
[5] See US Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), Covered Entity Charts: Guidance on How to Determine Whether an Organization or Individual is a Covered Entity Under the Administrative Simplification Provisions of HIPAA, http://www.cms.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf (accessed March 2012).
[6] “Health care provider” is defined as “a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. § 160.103.
[7] 45 C.F.R. §§ 162 Subparts J-R; See CMS, Covered Entity Charts.

Source: Corrections, Law Enforcement & the Courts

We know that at least LSP uses the Eceptionist electronic system to schedule surgeries for patients. (E.g., Eceptionist Doc.) This may constitute a “referral certification, authorization.” Also, LSP participates in a telemedicine program. More investigation is necessary here to determine whether these activities bring the DOC within the scope of HIPAA.

There may be other ways in which the DOC could be covered. According to another commentator:

If the correctional institution does employ its own health care providers (including psychiatrists, psychologists, etc.) and, say, checks a prisoner’s eligibility to receive Medicare, Medicaid or veteran’s benefits with the intent of taking advantage of those health plan benefits (all of these referenced “plans” are governmental but are specifically defined as covered entity health plans pursuant to HIPAA) to offset the costs to the correctional institution and eligibility is checked through a web site, the correctional institution (or at least the health care part of the correctional institution) would be a covered entity health care provider pursuant to the HIPAA Administrative Simplification Provisions because eligibility verification is a HIPAA transaction and HIPAA specifically allows the use of web based transactions instead of batch transactions (it is called direct data entry or DDE). If the correctional institution medical staff check eligibility via a web site, this would make the correctional institution a hybrid entity – part covered by HIPAA and part not. Even if state laws allow a correctional institution to withhold certain healthcare information, HIPAA would trump because it provides the correctional institution, as an individual, greater access to his or her medical information (considered more stringent than state law). All states have differing laws around health care information and prisoners as it relates to the release of medical records. If the prison is found to be a hybrid entity, though, they cannot withhold the mental/behavioral health information relating to the prisoner’s treatment. See 45 CFR 164.512(k)(5)(ii). (Chris Apgar, HIPAA – Even States Must Comply.)

IV. DOC’S Violations of HIPAA

Assuming the DOC is covered by HIPAA, some provisions of the DOC policies may be facial violations of HIPAA’s Privacy Rule. (E.g., HC-25 § 5(b)(3): “Persons who are not direct health care providers shall not be given access to health records/information of an offender.”) DOC practices may also violate the Privacy Rule.
The DOC’s failure to respond at all to requests for medical records access should violate 45 C.F.R. 164.524(b)(2)(i) (“the covered entity must act on a request for access no later than 30 days after receipt of the request”). Or, if the DOC is denying requests without an individualized assessment of the risk associated with records disclosure, it is likely violating 45 C.F.R. 164.524(a)(2)(ii).

V. Can We Use 1983 As a Cause of Action for the DOC’s HIPAA Violations?

No. Every case I’ve seen that directly addresses the question says that 1983 cannot be used as a vehicle to enforce HIPAA violations.

A. Background

“While HIPAA imposes a host of obligations on covered entities in an attempt to increase patient privacy, it does not explicitly create any individual rights for patients affected by medical privacy violations. Therefore, a patient who has been seriously harmed as a result of these privacy leaks cannot bring a lawsuit against the responsible party.” Joshua Collins, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations, Vanderbilt L. Rev. Vol. 60:1:199 (January 2007.)

Since Thiboutot, § 1983 has played an important role in the enforcement of private rights by empowering private citizens to bring actions against those who are not in compliance with constitutional or statutory requirements. However, the Court has chipped away at Thiboutot’s broad interpretation of § 1983, a trend culminating in Gonzaga University v. Doe[8] and City of Rancho Palos Verdes v. Abrams.[9] ... Plaintiffs seeking to use § 1983 to redress Privacy Rule violations must allege that HIPAA gives them the right to medical privacy and that the defendant deprived them of this right by disclosing their private medical information. However, the Supreme Court’s trend toward limiting the applicability of § 1983 makes it doubtful that a plaintiff could successfully use § 1983 to enforce a violation of HIPAA’s Privacy Rule.
The Privacy Rule ostensibly lacks the explicit rights-creating language that the court required in Gonzaga. Additionally, Abrams poses a barrier to the use of § 1983 to enforce Privacy Rule violations since the administrative remedies set forth by HIPPA arguably preclude resort to § 1983. (Toothless HIPAA at 202, 208.)

[8] Gonzaga Univ. v. Doe, 536 U.S. 273 (2002).
[9] City of Rancho Palos Verdes v. Abrams, 544 U.S. 113 (2005).

B. Case law specifically addressing HIPAA and 1983

“Defendants move for dismissal of plaintiffs’ complaint on the ground that HIPAA creates no private right of action enforceable under § 1983. It does not, so I must dismiss plaintiffs’ § 1983 claims.” Richard Clyde Adams v. Eureka Fire Protection District, Case No. 4:08CV1309 CDP (E.D. Missouri 01/08/09).

“It is well established that, because there is no private right to action under HIPAA, a violation of the Act cannot serve as the basis of a § 1983 claim.” Rodgers v. Rensselaer County Sheriff's Department, No. 1:14-CV-01162 (N.D. NY. July 17, 2015).

"Since HIPAA does not create a private right, it cannot be privately enforced . . . via § 1983. . . ." Dade v. Gaudenzia DRC, Inc., Dist. Court, E.D. Pennsylvania 2013, citing Adams v. Eureka Fire Prot. Dist., 352 F. App'x 137, 138 (8th Cir. 2009).

“HIPAA provides no private right of action enforceable in a section 1983 action.” Taylor v. Sherman, Civil Action No. 13-00516-KD-M (S.D. Alabama February 26, 2014).

“Because HIPAA does not include any express or implied right, plaintiff cannot enforce any HIPAA rights in a section 1983 action.” Woods v. Colon, Case No. 3:14-cv-1467 (VLB) (D. Conn. October 6, 2015.)

VI. False Claims Act?

A plaintiff attempting to establish a cause of action under the FCA for a Privacy Rule violation must prove two major elements. First, the plaintiff must show that the covered entity either expressly or impliedly certified compliance with HIPAA regulations.
The plaintiff may be able to point to an actual representation of compliance since Medicare laws expressly require claimants to certify compliance with all federal laws.120 However, even absent evidence that claimants have expressly certified compliance, the plaintiff could proceed under the implied false certification theory by arguing that Medicaid hospitals have an affirmative duty to ensure compliance with all HHS regulations.121 Second, the plaintiff must prove that a recent Privacy Rule violation made the representation of compliance legally false. In the current health care climate, where Privacy Rule violations occur on a regular basis, this second requirement would be easily met. (Toothless HIPAA at 218.)

But Toothless HIPAA comes up with many reasons not to use the FCA for HIPAA enforcement.

VII. Other Recourse

File a “complaint with the Department of Health and Human Services (“HHS”).[10] If HHS decides to pursue a victim’s complaint, it may impose fines against the responsible covered entity.[11] However, since HIPAA’s enactment, HHS has rarely imposed fines or criminal sanctions.[12] Regardless of any enforcement action taken by HHS, the victim will not be compensated for the harm caused by this breach of privacy.” (Toothless HIPAA at 202.)

[10] 45 C.F.R. § 160.306.
[11] 42 U.S.C. § 1320d-6(b) (2006).

Phone call with Elizabeth Cumming on 3/3/2016 – she suggested that the Privacy Rule could be enforced under tort law – that it might be the standard of care.

VIII. Does HIPAA Supersede This State Law?
“A provision…requirement…or a standard or implementation specification adopted or established…shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.”

But a “provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall not supersede a contrary provision of State law, if the provision of State law— . . . (B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.”

Public Law 191, 110 Stat. 2030, 104th Congress, 2nd Session (21 August 1996), Health Insurance Portability and Accountability Act.

IX. Other States Records Policies

“Several state correctional systems have declared themselves a “covered entity” under the provisions of HIPAA (e.g., Florida). Other states have determined that their correctional systems are not covered entities (e.g., Washington), but have ongoing efforts to assure reasonable compliance.” Dave Thomas and Jacqueline Thomas, HIPAA and YOU Covered Entities— Do you even have to bother? AMERICAN JAILS (March/April 2003).

The Massachusetts Department of Public Health regulations, which apply to all correctional facilities, including jails, require the jail to allow prisoners to inspect and have copies of their medical records. http://www.mass.gov/courts/docs/lawlib/104-105cmr/105cmr205.pdf

Texas has recognized prisoners’ right to access PHI for many years. Op.Atty.Gen.1981, No. MW-381 (quoting that ‘with regard to all Texas Department of Corrections medical records which are generated or held by a physician, an inmate has a statutory right of access unless the physician determines that access "would be harmful to the physical, mental or emotional health" of the inmate’).
[12] According to one report, HHS had not yet brought a single civil enforcement action under HIPAA as of November, 2005. Joseph Conn, Ruling Called HIPAA Barrier, MODERN HEALTHCARE, Nov. 14, 2005, at 16. There has only been one criminal conviction under HIPAA. United States v. Gibson, No. CR04-0374RSM, 2004 WL 2188280 (W.D. Wash. Aug. 19, 2004); Trial Pleading, United States v. Gibson, No. CR04-0374RSM, 2004 WL 2237585 (W.D. Wash. Aug. 19, 2004).

California: West's Ann.Cal.Civ.Code § 56.35

§ 56.35. Compensatory and punitive damages; attorneys' fees and costs

In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 or 56.104 or 56.20 or subdivision (a) of Section 56.26 and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys' fees not to exceed one thousand dollars ($1,000), and the costs of litigation.

West's Ann.Cal.Civ.Code § 56.36

§ 56.36. Misdemeanors; violations; remedies

(a) Any violation of the provisions of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
(b) In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:
(1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
(2) The amount of actual damages, if any, sustained by the patient.
(c)(1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.

X. Can An Inmate’s Lawyers Get Access to Medical Records?

From the HHS FAQs:

Q: Can the personal representative of an adult or emancipated minor obtain access to the individual's medical record?

A: The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. . . . There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.

XI. Cost of Access to Records

From the HHS FAQs:

Q: If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?

A: The Privacy Rule permits the covered entity to impose reasonable, cost-based fees. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information. See 45 CFR 164.524.

The HITECH Act does not create a private right of action, but it does give financial incentives to complainants. Individuals who are harmed by HIPAA violations may now be able to share in any monetary penalties or settlements collected as a result of those violations. See more at: https://www.shrm.org/legalissues/federalresources/pages/intensifiedhipaaenforcement.aspx#sthash.NXklnKGl.dpuf

Note: CC attorney general, who can sue for civil violations of HIPAA.