Medical Information Privacy:
A Study Report to the
In 2000, the Michigan Law Revision Commission retained the services of Elizabeth Price Foley, Professor of Law, Michigan State University-Detroit College of Law (now at Florida International University College of Law), and Vence L. Bonham, Jr., Associate Professor, Department of Medicine, College of Human Medicine, regarding federal and Michigan laws addressing the privacy of medical information.
This study was prompted in part by congressional passage of the Health Insurance Portability and Accountability Act (commonly referred to as “HIPAA”) and the promulgation in 2002 of implementing regulations by the U.S. Department of Health and Human Services. A preliminary study report was submitted in 2001. The final study report follows.
One of the primary purposes of a study report — including the following study report — is to spark discussion and generate comments from interested groups within the state. The views and opinions expressed in the following study report are exclusively those of the authors and not those of the Commission or of any individual member of the Commission. The Commission wishes to make it clear that it takes no position on the recommendations and suggestions contained in the final study report.
The Commission also wishes to make it clear that it has not made any recommendations to the Legislature, nor will it make any such recommendations until all interested persons have had an adequate opportunity to comment on Professor Foley’s and Professor Bonham’s final study report.
Written comments may be submitted to Professor Kevin Kennedy, the Commission’s Executive Secretary. Comments are welcome through the end of 2003.
Final Report to
THE
on
MEDICAL
INFORMATION PRIVACY
Elizabeth Price Foley, J.D., LL.M.
Professor of Law
and
Vence L. Bonham, Jr., J.D.
Associate Professor, Department of Medicine,
Table of Contents
I. Introduction 3
II. Background on HIPAA 3
A. HIPAA’s Scope 4
B. HIPAA Enforcement 6
C. HIPAA Preemption 6
D. August 2002 Final Regulations 8
(1) Consent 8
(2) Marketing 9
III. HIPAA Gaps Identified in Preliminary Report 13
A. Electronic Data/Internet Issues 13
(1)
(2) HIPAA 15
(3) Potential
B. Sensitive Medical Information 17
(1)
(2) HIPAA 18
(3) Potential
C. Business Associates 19
(1) HIPAA 20
(2) Potential
D. The “Enforcement Gap”: Creating State Enforcement Authority and/or Private Rights of Action 21
(1) Enforcement Via Common Law 21
(a) Invasion of Privacy 22
(b) Medical Malpractice (Breach of Duty of Confidentiality) 23
(2) Enforcement Via Specific Statutes 24
(a) Pre-HIPAA Private Right of Action Statutes 24
(b) Post-HIPAA Enforcement Statutes:
The
IV. Conclusion 27
I. Introduction
In the summer of 2000, the Michigan Law Revision Commission (MLRC) commissioned research regarding federal and
A preliminary report was issued to the Commission in the spring of 2001. The preliminary report surveyed
Since the preliminary report was issued, important changes have taken place. Most notably, on
It is important to note that this report (unlike the preliminary report) is relatively narrow in its focus. It does not purport to re-summarize the ninety-one pages of new final regulations issued by the Bush Administration. Rather, the purpose of this final report is to summarize for the Commission the most significant changes contained in the new Bush Administration regulations and proceed to focus on the five specific areas identified by the Commission after receipt of the preliminary report as warranting further exploration: (1) medical privacy on the internet; (2) sensitive medical information; (3) marketing; (4) business associates; and (5) a private right of action.
II. Background on HIPAA
An individual’s medical information is contained in numerous forms, including paper records and charts, electronic databases, and even oral information. Medical information is possessed by a dizzying array of health care providers, institutions, and business entities, including physicians, hospitals, nursing facilities, pharmacies, insurers, employers, governmental agencies, third party administrators, and marketing firms. Given the broad array of personal medical information that exists and its potentially wide dissemination (particularly in the computer age), Americans have begun to express concerns about protecting the privacy of personal medical information.
In an attempt to address public concern about the privacy of medical information, most states, including
A. HIPAA’s Scope
HIPAA’s privacy regulations are limited to three types of entities:
(1) health plans (e.g., managed care organizations and traditional insurers);[10]
(2) health care “clearinghouses” (i.e., entities that process health claims information for providers and insurers);[11] and
(3) health care providers[12] (e.g., physicians, hospitals, pharmacists) who transmit any health information in standard electronic format.[13]
It is only if a provider or entity falls within one of these three categories that the provider or entity will be considered a “covered entity” subject to HIPAA privacy regulations.[14] Thus, while health plans and clearinghouses are always considered covered entities (and hence, subject to the HIPAA privacy regulations), health care providers are covered entities only if they transmit health information in standard electronic format. This requirement is expected to encompass most health care providers, since most providers accept payments from insurers or managed care plans which generally require that providers transmit health information in electronic format (e.g., internet, e-mail, fax, phone, etc.). Moreover, another portion of HIPAA, the Electronic Data Interchange (EDI) standards, establishes a uniform standard for all electronic data interchange of health information by covered entities and requires that, by
B. HIPAA Enforcement
Any person who believes that a covered entity is not complying with the HIPAA privacy regulation may file a complaint with the Secretary of HHS within 180 days of when the individual knew or should have known that the violation occurred.[17] The Secretary may, but is not required to, investigate such complaints.[18] If the Secretary opts to investigate and determines that non-compliance has occurred, the Secretary must notify the covered entity “and attempt to resolve the matter by informal means whenever possible.”[19] If the Secretary determines that the matter cannot be resolved informally, the Secretary may, but is not required to, issue written findings (to both the covered entity and the complainant) documenting the non-compliance.[20]
The HIPAA statute established a general penalty for failure to comply with the requirements and standards of the Act. Specifically, the statute states that the Secretary of HHS “shall” impose upon any person who violates the Act a penalty of not more than $100 for each violation, up to a maximum of $25,000 per calendar year for all violations of an identical requirement or prohibition.[21] In addition, the Act specifically addresses “wrongful disclosure of individually identifiable health information” and provides that a person who knowingly obtains or discloses individually identifiable health information in a manner prohibited by the Act “shall” be punished by a fine of not more than $50,000 and/or imprisonment for not more than one year.[22] If the violation is committed under false pretenses, the punishment escalates to a fine of not more than $100,000 and/or imprisonment for not more than 5 years.[23] If the violation is committed “with an intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm,” the punishment again escalates to a fine of not more than $250,000 and/or imprisonment of not more than 10 years.[24]
Neither the HIPAA statute nor regulations permits a private right of action for violations of the privacy provisions.
C. HIPAA Preemption
While the HIPAA privacy regulations have provided new federal protections for the privacy of medical information, they are considered to be a minimum, or floor, of protection. State laws contrary to and less protective than HIPAA’s protection are preempted; state laws that are “more stringent” than the HIPAA protections are not preempted,[25] even if they are contrary to HIPAA.[26] Three categories of state laws are explicitly not preempted by HIPAA (even if they are less stringent than the protection afforded under HIPAA): (1) state laws that authorize or prohibit disclosure of protected health information about minors to parents, guardians, or persons acting in loco parentis (i.e., parental notification laws);[27] (2) state laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health investigations;[28] and (3) state laws that require health plans to report or grant access to information for the purpose of audits, evaluation, or licensure, or certification of facilities or individuals.[29]
A state (acting through its chief elected official or his/her designee) or others may request, in writing, that the Secretary except a state law from preemption.[30] The Secretary may except a state law from preemption if the Secretary finds one of the following: (1) that the state law is necessary to prevent health care fraud and abuse; (2) that the state law is necessary to ensure appropriate state regulation of insurance and health plans; (3) that the state law is necessary for state reporting on health care delivery or costs; (4) that the state law is necessary for the purpose of serving a compelling need related to public health, safety, or welfare, and, if a privacy standard is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or (5) that the state law has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances.[31]
D. August 2002 Final Regulations
(1) Consent
The recent regulations issued by the Bush Administration in August 2002 significantly altered the earlier Clinton Administration final regulations regarding the issue of patient consent. Specifically, the final regulations issued by the Clinton Administration stated that any health care provider with a direct treatment relationship with a patient was required to obtain the patient’s written consent in order to use or disclose protected health information for the purpose of treatment, payment, or health care operations.[32] This written consent had to be signed and dated by the patient,[33] and the patient had the right to revoke consent (in writing) at any time.[34] The Clinton Administration final regulations permitted health care providers to condition treatment or enrollment on obtaining the patient’s written consent.[35]
The August 2002 regulations issued by the Bush Administration deleted the consent requirement. Although covered entities may--if they so choose--obtain patient consent prior to using or disclosing protected health information for treatment, payment or health care operation, they are no longer required to obtain consent prior to such use or disclosure to third parties.[36] Instead of requiring written patient consent prior to such use/disclosure, the revised rules require only that covered entities send a written copy of their privacy practices to their patients.[37] This written notice may be sent by mail or email and is not required to be contained in a separate and distinct mailing (i.e., the notice may be combined with other materials).[38] Providers are required to make a good faith effort to obtain a written acknowledgement of the patient’s receipt of this notice.[39] If the patient’s written acknowledgement is not obtained by the provider, the provider will not be in violation of the privacy rules so long as the provider can document its good faith effort to obtain the patient’s written acknowledgement.[40]
Because the August 2002 regulations have eliminated the requirement of patient consent, covered entities are now free to use or disclose personally identifiable health information for treatment, payment, and health care operations, subject only to the requirement that they notify their patients of their privacy practices every three years. This significant modification thus creates a new gap in HIPAA that states such as
(2) Marketing
The Clinton Administration’s final regulations permitted covered entities to disclose protected health information for marketing purposes, so long as the covered entity obtained written consent from the patient.[42] Moreover, the patient was given a right to “opt out” of any future marketing activities of the covered entity.[43] As pointed out in the preliminary report to the Commission, this initial final regulation was criticized by privacy advocates as essentially giving covered entities “one free pass” to use/disclose protected health information for marketing or fundraising purposes. The preliminary report suggested that
The Bush Administration’s final regulations now require that covered entities obtain specific authorization before they may send marketing materials to individuals.[44] While this modification seems, at first blush, to provide greater privacy protections for consumers than those contained in the Clinton Administration’s final regulations, this is not the case.[45] By creating several new exceptions to the definition of “marketing,” the Bush Administration’s final regulations have narrowed the term significantly, with the result that many communications previously considered marketing no longer are. The new final regulation’s definition of marketing is complex, but it essentially defines marketing as one of two types of communications: (1) those flowing from a third party directly to patients as the result of the covered entity selling its patient lists to the third party; or (2) those flowing from a covered entity to an individual in which the covered entity has received remuneration for recommending a product or service not related to health.[46] An example of the former type of marketing communication would be a communication sent to patients taking anti-anxiety drugs from a drug manufacturer as a result of a covered entity (e.g., pharmacy) selling its patient lists directly to the drug manufacturer.[47] An example of the latter would be communications sent to patients taking anti-anxiety medications by a pharmacy (a covered entity) that advertises for relaxing vacations (a product or service not related to health), if the communication is paid for by a travel agency. These communications are considered “marketing” under the new final regulations and therefore cannot be made without the individual’s explicit prior authorization.
The types of communications that are not considered marketing under the new final regulations (and which therefore may be made without authorization or consent of the patient) are: (1) communications made by a covered entity to a patient wherein the covered entity is not paid for making the communication; and (2) communications made by a covered entity to a patient wherein the covered entity is paid for recommending a health-related product or service.[48] An example of situation number one (unremunerated communications) would be a pharmacy that sends, on its own initiative and at its own expense, a communication to a patient that recommends that the patient switch medications to avoid a possible adverse drug reaction. An example of situation number two (remunerated communications recommending health-related products or services) would be a pharmacy that is paid by a drug manufacturer to send refill reminders to patients taking the manufacturer’s drugs.[49] Another example would be a pharmacy that is paid by a drug manufacturer to identify patients taking a competitor’s drug and send such patients letters encouraging them to switch to the manufacturer’s drug.[50] Although these communications from the covered entity involve remuneration from a third party, such communications are not “marketing” under the new final regulations because they flow directly from the covered entity rather than the third party. The Department’s revised final regulations characterize these communications as provider-patient communications, not marketing, and they may accordingly be made without prior authorization, notification that the communication is the result of remuneration, or identification of the party providing the remuneration.[51] Patients do not have the right to “opt out” of these types of health-related communication,[52] even though they are inherently predicated on the use/disclosure of intimate, personally identifiable health information.
These “non-marketing” health-related communications may be made either directly by the covered entity or, more likely, by a business associate of the covered entity. This means that a covered entity can share protected health information with a telemarketer if the covered entity has a business associate relationship with the telemarketer.[53] Given the inability of HIPAA to directly regulate business associates,[54] the August 2002 final regulation’s narrowed definition of marketing creates additional opportunities for breaches of patient confidentiality. Certainly most Americans would be concerned if they understood that telemarketers under contract with a covered entity had access to their health information and would want the telemarketers held to the same standards of confidentiality as the covered entity. Michigan may wish to consider filling this new gap in HIPAA by enacting legislation to prohibit covered entities from using/disclosing protected health information to engage in any marketing communications (whether health-related or not) unless the patient has provided specific authorization.
III. HIPAA Gaps Identified in Preliminary Report
A. Electronic Data/Internet Issues
The electronic collection, storage and transfer of health information has become commonplace. E-health is touted as the future of health care, promising to transform the way health care entities conduct business and change the way patients relate to their health care providers.[55] Although e-health holds the promise of providing easier and more efficient dissemination of information (thus reducing health costs for everyone), it also poses a greater risk of invasion of individual privacy, since unauthorized access to electronic records may result in instant and wide dissemination of personally identifiable health information in a way that unauthorized access to paper records would not. Of all the various places in which e-health information may be found, perhaps the greatest risk to privacy is presented by information collected and stored by health-related websites.
There are thousands of health-related web sites. Individuals can surf the web for any and all types of health information and advice. More than sixty-five million American internet users have sought health and medical information online, and a significant number of them admit that they use this information to make important medical decisions. [56] Of those individuals who surf the net for health-related information and advice, personal privacy is their top concern.[57]
The public’s concern about medical privacy on the internet is warranted. A 1999 report of the Health Privacy Project of Georgetown University documented that major health web sites lack adequate privacy policies and their practices are often in conflict with their existing privacy statements.[58] Moreover, many health-related websites require individuals to provide personally identifiable health information, sometimes without the individual’s knowledge. For example, an individual may participate in a chat room where his/her e-mail address is visible. Or a website may track users through the use of cookies. Cookies allow a website owner/operator to know when a user has visited their site and know precisely where the user went while visiting the site. Cookies help the owners/operators of websites create online user profiles of individuals, which, in turn help sites determine what information, products, and services the visitor may find interesting. They also allow sites to deliver specific content to users based on the individual’s previous online activities. Although cookies are only numbers assigned by a site to each user, personal data can be linked to the number when an individual provides identifiable information to the site (e.g., completing health assessments). This kind of user profiling is not generally disclosed or explained to visitors of a site.
A recent example of an internet privacy lapse involved Eli Lilly Pharmaceutical Company’s website for the drug Prozac. On Prozac.com, the pharmaceutical company established a message service in which enrolled individuals received messages reminding them to take the company’s anti-depressant drug. In June 2000, the pharmaceutical company discontinued the program and, in its notice to enrollees of the program’s discontinuance, it disclosed the email addresses of everyone who had signed up for the service.[59] Upon receiving a request to investigate by the American Civil Liberties Union, a complaint was filed by the Federal Trade Commission, alleging that Lilly’s privacy statement on its website was deceptive because Lilly had failed to maintain or implement measures to protect sensitive consumer information.[60] According to the FTC’s complaint, Lilly failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the e-mail; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pre-testing the program internally before sending out the e-mail.[61] Lilly’s failure to implement appropriate measures also violated a number of its own written security procedures.[62] Lilly ultimately agreed to settle the complaint.[63] Although Lilly’s breach of consumers’ privacy was unintentional, it was a serious breach of those consumers’ trust. Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.
(1)
(2) HIPAA
HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit any health information in an electronic format in connection with a transaction covered by the Act. Because many health-related websites are not owned or operated by a covered entity, they are not regulated by HIPAA.[64] Whether or not a health-related web site is covered by HIPAA thus hinges upon who owns or controls the website, a determination that the average consumer is not in a position to make. Indeed, because of HIPAA’s limited scope, two virtually identical web sites can be regulated differently, one subject to the stringent HIPAA protections, the other subject only to voluntary privacy policies (if any).[65]
One large category of health-related websites that are often unregulated by HIPAA is websites that are information-based. Such sites are extremely popular and provide information about general fitness and nutrition or specific diseases, conditions, or medications. They may offer a broad range of information (e.g., www.foodfit.com or www.familydoctor.org) or specialize in a certain drug (e.g., www.xanax.com or www.viagra.com), disease or medical condition (e.g., www.thebreastcancersite.com or www.aids.org). Some of these information websites assess health status and ask the user to provide information regarding personal health. For example, www.healthstatus.com offers free general health assessments as well as disease-specific assessments to determine an individual’s risk for some of the leading causes of death.[66] These sites collect personally identifiable health information of a potentially sensitive nature that can be used or sold to third parties if the owner/operator of the site does not have an “offline existence” whereby the owner/operator engages in covered activities under HIPAA (e.g., treating patients). Thus, because such sites merely furnish health information and the owners/operators do not provide “health care” as defined in the federal regulation, they are not subject to HIPAA. The bottom line is that consumers’ privacy is protected under HIPAA only if they visit a narrow, specific type of website (i.e., one owned/operated by a covered entity such as a health plan or health provider), and consumers will not be able to determine, in most instances, whether the websites they visit are regulated by HIPAA. More often than not, consumers will visit and use websites not covered by HIPAA.
(3) Potential
States wishing to regulate health-related internet sites face several potential problems. First, the chances are good that any websites that violate state privacy laws would not be located within the geographic boundaries of the state. The ability to enforce the law within the state’s own court system would therefore be limited by the concept of personal jurisdiction over non-resident defendants. If the internet site owner/operator engaged in activity that caused injury within the state, the state may be able to exercise specific personal jurisdiction over the non-resident website owner/operator,[68] provided the owner/operator has the requisite “minimum contacts” [69] with the forum state.
Even assuming that personal jurisdiction within the state’s court system could be satisfied (or that the aggrieved state/citizen would be willing to institute litigation in another forum where minimum contacts could be established), a question would certainly arise as to whether the state privacy law violated the Dormant Commerce Clause. A neutral state law (i.e., a law that is even-handed in application and not discriminatory against out-of-state interests) may be held to violate the Dormant Commerce Clause if it imposes an undue burden on interstate commerce.[70] In the face of a facially non-discriminatory law, courts will generally apply a balancing test, considering the non-discriminatory benefits to the state enacting the law and the harms to interstate commerce resulting from the law. Strong state interests and a minimal burden on interstate commerce, in other words, will result in the state law being upheld.[71] The Supreme Court has recognized that state laws designed to protect citizens’ privacy are strong and legitimate interests that may warrant some restrictions on the free flow of interstate commerce.[72] If
As an alternative to enacting a statute regulating all health-related internet sites, the state could opt to enact a narrower statute regulating only those health-related internet sites physically maintained in servers located within the state of
Another alternative would be to require all health-related internet sites to comply with a specific set of internet privacy guidelines, such as those developed by the American Medical Association.[74] Likewise, the state could enact a statute that simply requires health-related internet sites to adopt a privacy policy and recognize an explicit private right of action if the site violates its own privacy policy.[75] A final alternative would be to statutorily authorize the creation of a statewide advisory board to act as ombudsman on issues regarding health information privacy.
The State of
B. Sensitive Medical Information
Certain types of medical information are undoubtedly more sensitive in nature than others because disclosure could result in stigmatization or discrimination against the patient or the patient’s loved ones. Medical information arguably falling within this category would include information about HIV/AIDS, pregnancy/abortion, sexually transmitted diseases, or genetic conditions.
(1) Existing
Since the HIPAA final regulations are now in effect and do not contain any heightened protection for genetic information, state legislation providing such protection may be warranted at this time. Additional privacy protection for genetic information may be desirable due to the stigmatization often associated with such information,[82] as well as the potentially broad-ranging adverse psychological and social effects on the individual as well as third parties (e.g., family members).[83] Indeed, the adverse impact on third parties caused by the dissemination of genetic information makes genetic information unique from other types of sensitive health information and thus may necessitate additional protection here where it may not be warranted or necessary elsewhere.
The HIPAA privacy regulations establish one category of specially protected health information-- psychotherapy notes—which a covered entity may not disclose without prior specific patient authorization.[84] Moreover, under HIPAA, a health plan may not condition enrollment in the plan or provision of benefits under the plan upon the individual providing such authorization.[85] Other sensitive health information that can be stigmatizing is not provided a heightened level of protection.
(3) Potential
The
The amount of genetic information that clinicians will have about their patients will increase substantially in the next several years. The completion of the mapping of the human genome and the identification of an increasing number of markers for predisposition to disease will create new complexities regarding how such information is used and maintained to protect the privacy of the individual and the individual’s family. Unlike most medical information, genetic information provides information about other relatives that could be inappropriately released and cause harm to third parties.
Recognizing the special problems posed by genetic information, some states, such as
C. Business Associates
HIPAA does not permit direct regulation of business associates of covered entities.[89] A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information it receives or creates on behalf of the covered entity.[90] HIPAA attempts to indirectly regulate these business associates by requiring covered entities to include contractual language with business associates that limit the business associate’s use or disclosure of protected health information to that provided for by the contract or as required by law.[91] Furthermore, the contract must require that business associates notify the covered entity of any non-permitted use/disclosure of which the business associate becomes aware.[92] If a business associate breaches these contractual provisions, the covered entity may be held responsible under HIPAA, but only if the covered entity knew of a pattern of activity by the business associate that constituted a material breach of their contractual obligations.[93] Moreover, even if the covered entity has such knowledge, the covered entity will escape responsibility under HIPAA if it takes reasonable steps to cure or end the business associate’s breach.[94]
HIPAA’s inability to directly regulate business associates is viewed as a significant shortcoming within the privacy regulations. Certain business associates of covered entities are in constant possession of individually identifiable health information which, if used or disclosed, could violate the privacy of patients. For example, third party administrators (TPAs) that process claims for a covered entity, independent medical transcriptionists who work on a contractual basis for a covered physician or entity, and pharmacy benefit managers (PBMs) that manage a health plan’s pharmacist network are not directly regulated by HIPAA and thus lack an independent, professional responsibility of confidentiality. At most, such business associates are merely contractually liable to the covered entity in the event of a breach of patient confidentiality.
(2) Potential
D. The “Enforcement Gap”: Creating
State Enforcement Authority and/or Private Rights of Action
The office within HHS that has been charged with enforcing the HIPAA privacy regulations recently admitted that, given its limited resources, the office would need to adopt a triage approach to enforcement, pursuing first those covered entities which have engaged in potentially the most broad-ranging violations.[96] Given this environment, it is reasonable to expect that many violations of the privacy rules will not be pursued by the Department; thus, there is an important regulatory void that states are well-positioned to fill. As stated previously, HIPAA’s enforcement scheme does not permit an aggrieved individual (whose right of privacy or of access has been violated) to recover damages or seek injunctive relief. HIPAA allows only the Secretary of HHS to seek civil and/or criminal penalties against covered entities that violate the privacy regulations. Moreover, HIPAA does not preempt states from enacting laws that are “more stringent” than the federal rules.
There are thus two primary approaches that states could take in order to fill the enforcement void and help ensure that the federal privacy protections are more than a paper tiger: (1) enforcement via common law; and (2) enforcement via enactment of specific enforcement statutes permitting the state and/or private citizens to seek civil remedies upon violation. For reasons discussed below, it is the authors’ belief that the latter approach (enactment of specific enforcement statutes) is preferable.
(1)
Enforcement Via Common Law
As an initial matter, it should be noted that the existence of the HIPAA privacy rules themselves could be interpreted as creating new common law duties owed to patients by covered entities.[97] A court embracing this interpretation of the privacy rules could therefore be expected to acknowledge an actionable tort upon the breach of such duties by a covered entity.
Even if a court did not believe that HIPAA created new duties under tort law, existing duties defined by tort law could potentially provide a means to enforce the privacy rules, above and beyond any action taken (or not taken) by HHS. Specifically, existing torts such as invasion of privacy (publication of embarrassing private facts)[98] or breach of fiduciary duty/confidentiality[99] could be used to impose liability upon a covered entity that uses or discloses protected health information in violation of the federal privacy rules. Each of these existing tort theories, however, poses difficulties for a plaintiff who wants to invoke them to remedy a violation of the HIPAA privacy rules.
(a)
Invasion of Privacy
The tort of invasion of privacy based upon public disclosure of embarrassing private facts, for example, requires that the plaintiff establish three prima facie elements: (1) the disclosure of information; (2) that is highly offensive to a reasonable person; and (3) that is of no legitimate concern to the public.[100] Although the Michigan courts have made it clear that a person’s medical treatment or condition is generally considered private information,[101] it would, in certain instances, be difficult to prove that disclosure of a person’s medical information is “highly offensive” or of “no legitimate concern to the public.”
A recent decision by the Michigan Court of Appeals, Doe v. Mills, is illustrative.[102] In Mills, the plaintiffs sued anti-abortion protesters who learned of the plaintiffs’ intent to obtain abortions and, while protesting outside the clinic, held up large signs with the plaintiffs’ names on them.[103] The Michigan trial court judge granted summary disposition of plaintiffs’ claim of invasion of privacy based upon publication of private facts,[104] reasoning that publication of the plaintiffs’ intent to obtain an abortion could not be viewed as highly offensive by a reasonable person[105] and that “abortion, no matter how one views this subject, is unquestionably a matter of great public concern . . . .”[106]
Although the Michigan Court of Appeals ultimately rejected the trial court’s reasoning and reversed in favor of the plaintiffs, the trial court’s decision suggests that there will be instances in which uncertainty will exist as to whether disclosure of medical information is sufficiently “offensive” or lacking in “public concern” so as to warrant recovery under the invasion of privacy tort. This uncertainty, in turn, means that there will be instances in which disclosure of medical information will not be actionable, leaving those patients affected by the disclosure potentially without a civil remedy.
(b)
Medical Malpractice (Breach of Duty of Confidentiality)
The
(2)
Enforcement Via Specific Statutes
The other possible enforcement mechanism that Michigan may wish to consider for those harmed by uses and disclosures of medical information is the enactment of a specific statute that supplements HIPAA by allowing enforcement of state and/or federal privacy protections by either: (1) citizens acting as “private attorneys general” (i.e., private right of action statutes); or (2) state agencies that are specifically authorized to enforce state and/or federal health privacy laws.
Several states, both pre- and post-HIPAA, have opted to enact such statutes.
(a)
Pre-HIPAA Private Right of Action Statutes
Prior to the enactment of HIPAA, various states had enacted statutes to permit private rights of action to remedy a violation of the state’s access or disclosure statutes. These state statutes vary, however, with regard to the kinds of remedies available to aggrieved patients. If a patient is denied access to his/her own medical records, state statutes often permit the patient to bring a civil action for equitable relief forcing disclosure to the patient.
Other states have opted to permit the recovery of monetary damages beyond merely costs and attorney’s fees. Louisiana law, for example, states that failure to provide medical records to a patient within 15 days of a written request subjects the provider to a civil action for injunctive relief, reasonable attorney fees and expenses,[113] and adds that “except for their own gross negligence, such health care providers shall not otherwise be held liable in damages by reason of their compliance with such request or their inability to fulfill the request[,]”[114] thereby implying that providers are also subject to monetary damages in instances of gross negligence.
Some
states even permit recovery of punitive damages. For example, for violation of its disclosure
statute,
An intriguing
approach to enforcement permits private citizens to bring private civil actions
not only to recover personally, but also on behalf of the state. The
(b)
Post-HIPAA Enforcement Statutes—the
Another
approach can be found in
In some
important respects, the
Texas law, by contrast, states that if a covered entity receives (directly or indirectly) any financial incentive or remuneration for the use, access, or disclosure of protected health information, it is considered “marketing.”[126] As such, the covered entity could not sell, use or disclose protected health information unless it obtains the consent or authorization of the patient.[127] Moreover, even if the individual consents or authorizes the covered entity to sell, use or disclose their protected health information, any written marketing communication must provide the patient with a toll-free number of the entity that is sending the communication and explain the patient’s right to have his/her name removed from the sender’s mailing list.[128]
The
Because
the
IV. Conclusion
Although the federal government has recognized the importance of protecting the privacy of medical information through the enactment of HIPAA and the promulgation of its privacy rules, the federal law clearly offers only a minimum level of privacy protection. It is incumbent upon the states, therefore, to fill the regulatory gaps in HIPAA by enacting laws that provide greater protections to their citizens.
This report
takes the first step toward providing those protections for the citizens of
[1]Pub.
L. No. 104-191, 110 Stat. 1936 (1996).
The initial set of final regulations was issued in the waning days of
the Clinton Administration. See 65 Fed. Reg. 82,801 (
[2]67 Fed. Reg. 53,182 (
[3]
[4]Press Release, U.S. Dep’t of Health and Human Services, Modifications to the Standards for Privacy of Individually Identifiable Health Information—Final Rule (Aug. 9, 2002), available at http://www.hhs.gov/news/press/2002pres/20020809.html.
[5]Pub. L. No. 104-191, Title II, Subtitle F, §
264(c)(1), 110 Stat. 2033 (1996).
[6]
[7]65 Fed. Reg. 82,801 (
[8]66 Fed. Reg. 12,738 (
[9]67 Fed. Reg. 53,182 (
[10]65 Fed. Reg. 82,799 (
[11]“Health care clearinghouse” is defined as a
“public or private entity, including a billing service, repricing company,
community health management information system or community health information
system, and ‘value added’ networks and switches, that does either of the
following functions:
(1) Processes or facilitates the processing of
health information received from another entity in nonstandard format or
containing nonstandard data content into standard data elements or a standard
transaction.
(2) Receives a standard transaction from another
entity and processes or facilitates the processing of health information into
nonstandard format or nonstandard data content for the receiving entity.
[12]“Health care provider” is defined to include
“any [ ] person or organization who furnishes, bills, or is paid for health
care in the normal course of business.” 65 Fed. Reg. 82,799 (
[13]Examples of the transmission of health
information in electronic form include, inter
alia, the filing of health claims or equivalent encounter information,
enrollment or disenrollment in a health plan, determining eligibility for a
health plan, health plan payment and remittance, and referral certification and
authorization. See Health Insurance
Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at
§ 1173(a)(2).
[14]65 Fed. Reg. 82,799 (defining “covered
entity”).
[15]Administrative Simplification Compliance Act,
Pub. L. No. 107-105, 115 Stat. 1003, at § 3.
This law was signed by President Bush on
[16]
[17]65 Fed. Reg. at 82,801. The Secretary may waive the 180 day time
limit for good cause.
[18]
[19]
[20]
[21]42 U.S.C. § 1320d-5 (2003).
[22]
[23]
[24]
[25]See Health Insurance Portability and
Accountability Act, Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(2), 110
Stat. 2033 (1996) (“A [health privacy] regulation promulgated [by HHS] shall
not supercede a contrary provision of State law, if the provision of State law
imposes requirements, standards, or implementation specifications that are more
stringent than the requirements, standards, or implementation specifications
imposed by regulation.”).
[26]See id. at 82,801. The final regulation defines a “more stringent” state law as one which meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law
prohibits or restricts a use or disclosure in circumstances under which such
use or disclosure otherwise would be permitted under this subchapter, except if
the disclosure is:
( i) required by the Secretary in connection with determining whether a
covered entity is in compliance with this subchapter, or
(ii) To the individual who is the subject of the individually
identifiable health information.
(2) With respect to the rights of an individual,
who is the subject of the individually identifiable health information,
regarding access to or amendment of individually identifiable health
information, permits greater rights of access or amendment, as applicable
(3) With respect to information to be provided to
an individual who is the subject of the individually identifiable health
information about a use, a disclosure, rights, and remedies, provides the
greater amount of information.
(4) With respect to the form, substance, or the
need for express legal permission from an individual, who is the subject of the
individually identifiable health information, for use or disclosure of
individually identifiable health information, provides requirements that narrow
the scope of duration, increase the privacy protections afforded (such as by
expanding the criteria for), or reduce the coercive effect of the circumstances
surrounding the authorization or consent, as applicable.
[27]
[28]
[29]
[30]
[31]
[32]See 65 Fed. Reg. 82,510, at § 164.506(a).
[33]
[34]
[35]
[36]67 Fed. Reg. 53,182, 53,208-53,211.
[37]See 67 Fed. Reg. 53,238-53,243 (discussing modifications to Section 164.520, dealing with notice of privacy practices for protected health information).
[38]67 Fed. Reg. at 53,243 (“The Department clarifies that no special or separate mailings are required to satisfy the notice distribution requirements.”).
[39]67 Fed. Reg. at 53,239.
[40]
[41]See Mont.
Code Ann. § 50-16-525(1) (2002); id.
at § 50-16-526. The statute permits
unauthorized disclosure on a “needs to know” basis in certain specific
situations.
[42]65 Fed. Reg. 82,510, 82,810, at § 164.506(a).
[43]See 65 Fed. Reg. 82,819 at § 164.514(e)(2)(C); see also id. at § 164.514(e)(3)(i).
[44]The final regulation states:
Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:
(A) A face-to-face communication made by a covered entity to an
individual; or
(B) A promotional gift of nominal value provided by the covered entity.
67 Fed. Reg. at 53,268, § 164.508(a)(3)(i).
[45]Joanne
Hustead of the Health Privacy Project at
Due to the final modifications released in August 2002, the HIPAA privacy regulation has been further weakened. The Health Privacy Project is particularly concerned by HHS’s decision to eliminate the provider consent requirement and to open up people’s medical files for marketing activities with prior authorization. While HHS claims to have strengthened the marketing provisions by requiring prior authorization for marketing, the Department has done quite the opposite: HHS has defined the term ‘marketing’ in a way that effectively legalizes some of the most egregious marketing tactics of the chain drug stores and their partners, the pharmaceutical industry.
Oversight
Hearing on Privacy Concerns Raised by the Collection and Use of Genetic
Information by Employers and Insurers Before the House Comm. on the Judiciary,
Subcomm. on the Constitution, 107th Cong. (
[46]The new definition is found in § 164.501, which states as follows:
Marketing means:
(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:
(i) To describe a health-related product or service (or payment for such
product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to health plan enrollees that add value to, but are not part of, a plan of benefits.
(ii) For treatment of the individual; or
(iii) For case management or care coordination for the individual, or to
direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
(2) An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.
67 Fed. Reg. at 53,267, § 164.501.
[47]See 67 Fed. Reg. at 53,187 (“[M]any were concerned that a pharmaceutical company could pay a provider for a list of patients with a particular condition or taking a particular medication and then use that list to market its own drug products directly to those patients. The commenters believed the proposal would permit this to happen under the guise of the pharmaceutical company acting as a business associate of the covered entity . . . . Therefore, the Department is adding language that would make clear that business associate transactions of this nature are marketing. . . . These communications are marketing and can only occur if the covered entity obtains the individual’s authorization . . . .”
[48]See 67 Fed. Reg. at 53,188 (“Covered entities may, however, use protected health information to communicate with individuals about the covered entity’s own health related products or services, the individual’s treatment, or case management or coordination for the individual. The covered entity does not need an authorization for these types of communications and may make the communication itself or use a business associate.”).
[49]See 67 Fed. Reg. at 53,187 (“The Department does not agree that the simple receipt of remuneration should transform a treatment communication into a commercial promotion of a product or service. For example, health care providers should be able to and can send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication.”).
[50]See 67 Fed. Reg. at 53,188 (“The Department believes that certain health care communications such as refill reminders or informing patients about existing or new health care products or services are appropriate, whether or not the covered entity receives remuneration from third parties to pay for them.”).
[51] See 67 Fed. Reg. at 53,188 (“Requiring disclosure and opt-out conditions on these communications. . . would add a layer of complexity to the Privacy Rule that the Department intended to eliminate. Individuals, of course, are free to negotiate with covered entities for limitations on such uses and disclosures, to which the entity may, but is not required to, agree.”).
[52]
[53]General Overview of Standards for Privacy of Individually Identifiable Health Information, Office of Civil Rights, U.S. Dep’t of Health and Human Services, at 70 (Dec. 3, 2002), available at http://www.hhs.gov/ocr/hipaa/privacy.html.
[54]See infra Section III(C).
[55]“eHealth has been defined as the ‘the use of emerging information and communication technology, especially the Internet, to improve or enable health and health care.” T.R. Eng, The eHealth Landscape: A Terrain Map of Emerging Information and Communication Technologies in Health and Health Care, The Robert Wood Johnson Foundation 20 (2001).
[56]Health Privacy Project, Pew Internet & Am. Life Project Exposed Online: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users 1 (2001) [hereinafter Pew Report].
[57]Margaret A. Winker, et al., Guidelines for Medical and Health Information on the Internet, Am. Medical Ass’n, available at http://www.ama-assn.org/ama/pub/printcat/ 1905.htm.
[58]Pew Report at 5.
[59]
[60]Press
Release, Federal Trade Comm’n, Eli Lilly Settles FTC Charges Concerning
Security Breach (
[61]
[62]
[63]
[64]Pew Report at 7.
[65]
[66]Id at 17.
[67]Tex. Health & Safety Code Ann. § 181.001(b)(1)(A) (2002).
[68]Application
of specific personal jurisdiction concepts to internet defendants has been
difficult for the courts. Most courts
seemed to have embraced a “sliding scale” approach that permits the exercise of
specific personal jurisdiction only when the internet defendant knowingly reaches
out to interact with citizens of the forum state. See,
e.g., Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119,
1124 (W.D. Pa. 1997); Young v.
[69]This
is, of course, the famous test pronounced in International Shoe.
International Shoe Co. v.
[70]See, e.g., Consolidated Freightways
Corp. v.
[71]See, e.g.,
[72]See Breard v.
[73]See Pennoyer v. Neff, 95 U.S. 714, 722 (1877) (“[E]very State possesses exclusive jurisdiction and sovereignty over persons and property within its territory.”); Burnham v. Superior Court, 495 U.S. 604, 610 (1990) (“Among the most firmly established principles of personal jurisdiction in American tradition is that the courts of a State have jurisdiction over nonresidents who are physically present in the State.”).
[74]Margaret A. Winker, et al., Guidelines for Medical and Health Information Sites on the Internet, available at http://www.ama-assn.org/ama/pub/printcat/1905.html.
[75]81% of those who seek information on the internet want the right to sue a site that violates its own privacy policy. Pew Report at 5.
[77]See
the Preliminary Report for a detailed discussion of these
[78]See supra Section II(C) for a discussion of HIPAA’s preemptive scope.
[79]See Mich.
Comp. Laws § 37.1202 (workplace discrimination);
[80]See Mich. Comm’n on Genetic Privacy & Progress, Final Report & Recommendations 46 (Feb. 1999).
[81]
[82]See Janet L. Dolgin, Personhood, Discrimination and the New
Genetics, 66
[83]See Eric Mills Holmes, Solving the Insurance/Genetic Fair/Unfair Discrimination Dilemma in Light of the Human Genome Project, 85 Ky. L. J. 503, 571-575 (1997) (documenting the stigmatization and psychological trauma associated with genetic information).
[84]65
Fed.Reg. at 82,811. There are a few
limited exceptions in which authorization is not required. See id.
[85]
[86]See Cal. Ins. Code §§ 742.407, 10123.35 (Deering 2003).
[87]See N.Y. Civ. Rights Law § 79-1(Consol. 2003).
[88]See Mo.
Rev. Stat. § 375.1309 (2003).
[89]67 Fed. Reg. at 53,252 (“The Department does not have the statutory authority to hold business associates, that are not also covered entities, liable under the Privacy Rules.”).
[90]See 65 Fed. Reg. 82,798, § 160.103
(defining “business associate”).
[91]
[92]
[93]
[94]
[95]See
[96]Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 Yale J. Health Pol’y L. & Ethics 325, 344 (2002) (citing Louis Altarescu, Address at the Health Privacy Project’s National Consumers’ Summit on Navigating the New Federal Health Privacy Regulations (Feb. 5, 2001)).
[97]See Summary of HIPAA Privacy Rule, Health Privacy Project, Institute for Health Care Research & Policy, Georgetown University, Sept. 13, 2002, at 33 (“[B]ecause the new regulation creates a new ‘duty of care’ with respect to health information, it is possible that violations may be the grounds of state tort actions.”).
[98]See,
e.g., Winstead v. Sweeney, 205
[99]See
Saur v. Probes, 190
[100]Doe v. Mills, 212 Mich. App. 73, 80, 536 N.W.2d 824 (Mich. Ct. App. 1995); see also Winstead v. Sweeney, 205 Mich. App. 664, 668, 517 N.W.2d 874 (Mich. Ct. App. 1994); Fry v. Ionia Sentinel-Standard, 101 Mich. App. 725, 728-29, 300 N.W.2d 687 (Mich. Ct. App. 1980) (citing Restatement (Second) of Torts § 652D).
[101]Doe, 212
[102]212
[103]212
[104]
[105]Id. at 80-81 (noting that the trial judge’s opinion suggested that the disclosure of an individual’s intention to obtain an abortion was not actionable as a matter of law when he stated, “Would plaintiffs seriously suggest or argue that one who contemplates or schedules an abortion has committed an act that is highly offensive to a reasonable person?”).
[106]
[107]Saur
v. Probes, 190
[108]Saur, 190
[109]The Court of Appeals in Saur justified its recognition of tort liability for breach of confidence as follows:
Also particularly compelling in favor of recognizing a legal duty to maintain patient confidentiality is this state’s medical licensing statute. . . . A physician is ethically obligated under the licensing statute not to disclose information obtained through the physician-patient relationship. In light of a psychiatrist’s ethical obligation to maintain patient confidences, as well as the state’s interest in preserving its policy of protecting physician-patient confidences, we conclude that a legal duty does exist on the part of a psychiatrist not to disclose privileged communications.
See id. at 639.
[110]See id. at 638-39 (“[T]hese statutes [creating evidentiary privileges for psychiatrists, psychologists and physicians] do exhibit this state’s policy of promoting physician-patient confidences absent a superseding public or private interest.”).
[111]Conn. Gen. Stat. § 20-7c (2001). See also N.H. Rev. Stat. Ann. § 151:30 (2002).
[112]735 Ill. Comp. Stat. Ann. 5/8-2003 (West 2002).
[113]La. Rev. Stat. Ann. § 40:1299.96(A)(2)(c) (West 2002).
[114]
[115]Mont. Code Ann. § 50-16-553 (2002).
[116]R.I.
Gen. Laws § 5-37.3-4(a)(1)
(2002). In addition, the
[117]Cal. Civil Code §56.35 (Deering 2001).
[118]Me. Rev. Stat. Ann. tit. 22, § 1711-C(13)
(West 2001). The CMPs may not exceed
$5,000, plus costs, unless the court finds the violations occurred after “due
notice of the violation conduct with sufficient frequency to constitute a
general business practice,” in which case the CMPs may be imposed up to $10,000
for individual health care providers and $10,000 for health care
facilities.
[119]See
[120]
[121]
[122]
[123]
[124]See 67 Fed. Reg. 53,182, 53,187 (“The Department does not agree that the simple receipt of a remuneration should transform a treatment communication into a commercial promotion of a product or a service.”).
[125]67 Fed. Reg. at 53,187 (“For example, health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication.”).
[126]Tex. Health & Safety Code Ann. § 181.001(b)(5) (Vernon 2002).
[127]
[128]
[129]
[130]
[131]
[132]
[133]