HIPAA Compliance Strategies
Featured Health Business Daily Story, April 6, 2010
Complexities Abound in HIPAA Interactions Between Law Enforcement and Covered Entities
Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.
Having a sit-down with law enforcement officials proved to be a good strategy for Medical College of Georgia (MCG) Health Medical Center when a standoff was brewing over patient custody and privacy.
MCG Health was tired of getting burnt by police agencies that waited to arrest sick or injured suspects until they were discharged. In addition to stiffing MCG Health on hospital bills, it meant the police weren’t protecting employees and other patients from the alleged criminal. And then the hospital’s hands were tied by HIPAA when it came to disclosing to police when the suspect was being discharged.
So Augusta, Ga.-based MCG Health invited all area police agencies — including the sheriff’s department, state police, city police and outlying areas’ law enforcement — to a September 2009 HIPAA education meeting. The crux of the discussion: “The do’s and don’t’s of HIPAA and law enforcement in terms of what information the hospital could share if law enforcement has custody of the patient versus if they don’t have custody,” says Michael Spake, vice president of legal affairs for MCG Health.
Meeting with law enforcement agencies is an effective way to educate them on HIPAA and smooth over misunderstandings. HIPAA gives hospitals latitude to release basic PHI to law enforcement officers hot on the trail of a criminal, for example, and permits them to disclose medical records in response to a court order. But not everything is cut and dried when privacy regulations and real-world experiences collide. “The quickest way to resolve things is to get everyone around the same table,” Spake says.
MCG Health’s meeting went a long way toward easing strains with law enforcement. Tension had reached fever pitch after a suspect left by police for treatment at the hospital hit the road while on a smoking break. The man crashed his car during a police chase, and was brought to the MCG hospital for treatment. But police didn’t place the man under arrest before bringing him to the hospital, which meant no officer stayed to guard him. “It hit the newspaper we were allowing prisoners to escape,” says Deborah Humphreys, MCG Health’s director of communications.
“We have a history of law enforcement departments leaving suspects here for treatment, and the moment they are discharged, they arrest them” — a sequence of events that allows police to avoid charges for both hospital services and guarding the suspects, Humphreys says. MCG Health treats its fair share of gunshot wounds and stabbings, so this problem arises with some regularity.
Then there is the privacy angle. Under HIPAA and state privacy laws, the hospital can’t call the police to inform them of the patient’s discharge if he or she is not in police custody, says Christine Adams, privacy officer and compliance coordinator for MCG, the academic medical center’s health sciences university, which includes the medical school.
Law Enforcement Wants It Both Ways
Law enforcement can’t have it both ways, but that message was not getting through. After the man went AWOL from the hospital and media coverage inflamed the community, “we needed to be face-to-face with law enforcement so we could understand each other’s [viewpoint],” Humphreys says.
During the meeting, MCG Health conveyed to law enforcement agencies that its hospital could not disclose to police information about patients who are not in custody, Adams says. By refusing to place suspects or witnesses under police custody, the police were no longer authorized under HIPAA to receive health information, such as discharge status, about these patients, she says.
MCG Health then sent law enforcement agencies a letter on Sept. 23 explaining the covered entity’s new policy on hospitalized suspects and prisoners:
(1) The county that delivers the patient will be billed for medical expenses.
(2) The county that delivers the patient “is required to guard him or her at all times. If it becomes necessary for the MCG Public Safety Division and/or the MCG Health Safety and Security Department to provide a guard, the cost of security will be added to the bill sent to the law enforcement agency.”
MCG Health explained that its position was supported by Georgia case law. In a 1993 case, the Georgia appeals court ruled that a person could not be “unarrested” so law enforcement could evade a hospital bill. In a 1996 case, the appeals court determined that the relevant law enforcement agency is responsible for hospital bills for a person injured while trying to escape.
Pursuant to its policy, MCG Health said in the letter, “we will share any appropriate medical information, including date of discharge, as permissible under federal and state law.”
The link between custody and HIPAA is clear. “The police are the personal representatives of the patient” when the patient is still in custody, Spake says. “We can share the date they are being discharged. However, if the patient is not under their custody, we can’t share that information.”
Since the meeting, Humphreys says there have been no incidents of law enforcement bringing in suspects, witnesses or fugitives to the MCG hospital unless they are in police custody. MCG Health is sympathetic to the dilemma faced by smaller police agencies, whose budgets can be broken by one criminal’s hospital bill, she says. But the hospital has to protect its own budget and the safety of other patients and staff. (The escaping smoker/patient returned to the hospital of his own accord, Humphreys notes.)
Privacy Rules Have Plenty of Leeway
The privacy rule gives covered entities some leeway to share PHI with police agencies. Apparently, however, there will continue to be incidents where law enforcement requests more PHI than CEs are allowed to disclose under HIPAA or state law, which may be more stringent.
HIPAA lets covered entities disclose a person’s PHI to law enforcement, under certain circumstances, without the person’s authorization, according to HHS. For example, covered entities can disclose PHI to law enforcement for the purpose of:
Covered entities also can inform law enforcement about a suspected perpetrator if the victim is a member of the covered entity’s workforce, or to help catch a person who admits involvement in a violent crime, as long as the admission wasn’t therapy-related. And if a crime occurs on the CE’s premises, it can report PHI to law enforcement. Similarly, if someone dies at the hospital and it seems suspicious, the hospital can alert law enforcement under HIPAA.
Some PHI reporting to law enforcement is mandatory. For example, “state laws commonly require health care providers to report incidents of gunshot or stab wounds or other violent injuries; and the [privacy] rule permits disclosures of PHI as necessary to comply with these laws,” HHS says.
Law enforcement reporting can come up in unexpected ways. At her previous job, Adams found herself balancing the informational needs of the U.S. Department of Homeland Security against her patient’s right to privacy and HIPAA’s constraints.
Adams worked at a community mental health center (CMHC) when a Homeland Security official called for information on a patient. Her first move was to verify the bona fides of the caller. She got his name and location and then hung up and called the local Homeland Security office to verify his identity. When everything checked out, Adams was then told a surprising tale about one of her CMHC patients, who had been observed leaving a shoebox in a public area of a 15-story federal building. Because the person left a suspicious box in a public area in a federal building a couple years after 9-11, the building was evacuated in case there was a bomb inside.
There was no bomb — the shoebox contained dried flowers — but the government wasn’t going to let the matter drop. The man’s behavior scared people and apparently Homeland Security had already identified him as a mental patient. As part of its threat assessment, Homeland Security wanted access to the patient’s entire mental health record. Adams says she “respectfully requested a compromise” to bring the patient and the patient’s case manager to a federal judge’s chambers so they could weigh the patient’s privacy rights against potential public safety perils. “The Homeland Security people wanted to know all about this person’s diagnosis, treatment plan and medications, but I said it probably wasn’t necessary,” Adams explains.
Requests Must Be Specific
Though she is allowed to disclose certain PHI to law enforcement if the purpose is legitimate, “their request has to be specific and the disclosure must be relevant to their inquiry,” Adams explains. “That’s why I went to the court. Homeland Security wanted the entire mental health record, but that was not necessary. The PHI has to be limited, and Homeland Security just really wanted to know whether CMHC health care providers could work with him” to ensure he doesn’t do it again, she says. As the judge mediated, the case manager and psychiatrist modified the treatment plan to address the issues around the shoebox and the federal building. “The patient understood the seriousness,” Adams says. “We came up with a good plan to prevent this from happening again and were able to limit the disclosure of this patient’s information to the minimum necessary.”
Because privacy and compliance officers can’t train members of the workforce for every situation, it’s essential they know where to turn when law enforcement needs arise, Adams says. “We have worked really hard” to make sure employees aren’t placed in compromising situations, she says. “It’s about educating them and letting them know they have resources.” All MCG Health policies are easily accessed on the intranet and a compliance representative is available 24/7. “A lot of law enforcement things are happening at 2 a.m., so the hospital has a system where you can call and someone will call you right back,” regardless of the hour, Adams says.
PO or CO Often Must Intervene
And it often takes a privacy or compliance officer to intervene in a law enforcement request. That’s what Frank Ruelas, compliance and privacy director at Maryvale Hospital in Phoenix, learned when law enforcement officers showed up recently at its emergency department (ED). The police wanted a copy of the medical records of a 16-year-old girl who had just been treated in the ED and released. The rationale the police gave was the girl was a suspected victim of abuse, and “under certain state laws we can release the PHI if police sign an attestation that there is a sign of crime.” But when the medical records clerk gave police the attestation form, which requires the officer to put down his or her name and badge number, “the police were hedging,” Ruelas says. Eventually he pieced together the real reason police wanted the medical records. The mother of the girl was not allowed contact with her daughter, apparently because of an allegation of abuse, and the police believed it was possible the mom had brought the girl to the hospital. Ruelas explained that the medical records would not state who brought the girl to the ED and who picked her up, which is the information the police were after. If the police wanted the medical records, they would have to ask for the girl’s authorization.
The lesson: When you don’t get a straight answer about why law enforcement wants PHI or the answer doesn’t fit with the circumstances, “that is a red flag,” Ruelas says. Be sure to ask more questions before turning over PHI.