A Study Report to the Michigan Law Revision Commission
on Medical Information Privacy
The Michigan Law Revision Commission is currently studying the subject of medical information privacy in the State of Michigan. In 2001 the Commission retained the services of Professor Elizabeth Price Foley, Michigan State University-Detroit College of Law, and Associate Professor Vence L. Bonham, Department of Medicine, College of Human Medicine, Michigan State University, to examine this subject and to prepare a preliminary report for the Commission.

Their report which follows focuses on five issues:

(1) patients' access to their own medical records,
(2) third-party access (e.g., insurers, managed care organizations, employers, pharmacies) to a patient's medical records,
(3) third-party use of information contained in a patient's medical records (e.g., researchers, peer review organizations, licensing boards),
(4) treatment of sensitive medical information with a high potential for stigmatization or discrimination (e.g., information related to HIV, mental health, substance abuse, sexually transmitted diseases, abortion, or genetic information), and
(5) the retention and disposal of medical records.
The Commission takes no position on any of these issues at this time nor does it make any recommendations to the Legislature at this time. In 2002 Professors Foley and Bonham will be submitting legislative proposals to the Commission for its review and consideration. The Commission will report to the Legislature on these proposals in its 2002 annual report.
Preliminary Report to
THE MICHIGAN LAW REVISION COMMISSION
on
MEDICAL INFORMATION PRIVACY
Elizabeth Price Foley, J.D., LL.M.
Professor of Law
Michigan State University, Detroit College of Law
and
Vence L. Bonham, Jr., J.D.
Associate Professor, Department of Medicine,
College of Human Medicine, Michigan State University
Table of Contents

I. Introduction
  A. Background
    (1) Enactment of HIPAA
    (2) HIPAA's Scope
      (a) Who Is a "Covered Entity" Under HIPAA?
      (b) "Business Associates" Under HIPAA
    (3) HIPAA Enforcement
    (4) HIPAA Preemption
  B. Limitations of This Report
II. Patients' Access to Their Own Medical Records
  A. Michigan Law
  B. Federal Law
    (1) The Privacy Act of 1974
    (2) Nursing Home Residents' Right of Access
    (3) Medicare + Choice Enrollees' Right of Access
    (4) Mammography Records
    (5) HIPAA
      (a) HIPAA's General Right of Access
      (b) Denials of Access Under HIPAA
        (i) Denials for which there is no right of review
        (ii) Denial for which there is a right to external review
III. Third Party Access to/Disclosure of a Patient's Medical Records
  A. Michigan Law
    (1) State Licensing Boards
    (2) Private Accreditation and Peer Review Boards
    (3) Health Provider-Patient Evidentiary Privileges
    (4) Licensed Health Facilities' & Agencies' Records
    (5) Non-Profit Health Care Corporations' Records
    (6) Pharmacy Records
    (7) Third Party Administrator (TPA) Records
    (8) Dental Records
    (9) Nursing Homes' Records
    (10) Governmental Agency Access to Records
  B. Federal Law
    (1) The Privacy Act of 1974
    (2) Nursing Home & Home Health Agency Records
    (3) Hospital Records
    (4) Medicare + Choice Records
    (5) HIPAA
      (a) Permitted Disclosures for Governmental Health Oversight Purposes
      (b) Disclosures to Private Peer Review & Accrediting Organizations
      (c) Disclosures for which Patient Consent is Required
      (d) Disclosures for which Patient "Authorization" is Required
      (e) When Is Consent or Authorization Not Required by HIPAA?
        (i) General Exceptions
        (ii) Disclosure/Use for Marketing & Fundraising Purposes
      (f) Patients' Right to Accounting of Disclosures
    (6) The Freedom of Information Act
IV. Privacy in Medical Research
  (1) Federal Law
    (a) The Common Rule
    (b) HIPAA
    (c) HIPAA Shortcomings
  (2) Michigan Law
  (3) Other States
V. Sensitive Medical Information
  A. Mental Health Information
    (1) Michigan Law
    (2) Federal Law
  B. Substance Abuse Information
    (1) Michigan Law
    (2) Federal Law
  C. HIV/AIDS
    (1) Michigan Law
    (2) Federal Law
  D. Other Sexually Transmitted Diseases
    (1) Michigan Law
    (2) Federal Law
  E. Pregnancy/Abortion Services
    (1) Michigan Law
    (2) Federal Law
  F. Child Abuse Information
    (1) Michigan Law
    (2) Federal Law
  G. Genetic Information
    (1) Michigan Law
    (2) Federal Law
VI. The Retention and Disposal of Medical Records
  A. Michigan Law
    (1) Health Maintenance Organizations
    (2) Nursing Homes
    (3) Dentists' Offices
    (4) Hospices
    (5) Mental Health Hospitals, Sanatoria, & Psychiatric Facilities
    (6) Methadone Treatment Programs
    (7) Pharmacies
    (8) Alteration of Medical Records or Charts
  B. Federal Law
    (1) Mammography Facilities
    (2) Controlled Substances Prescriptions
    (3) Medicare Claims
    (4) Blood & Blood Products
    (5) Clinical Laboratory Reports
    (6) OSHA Employee Medical Records
    (7) HIPAA
VII. Issues Relating to the Privacy of Health Information on the Internet
  (A) Michigan Law
  (B) Federal Law
  (C) HIPAA Shortcomings
VIII. Conclusion
  (1) Business Associates/Definition of Covered Entity
    (a) General Limitations of Coverage for Business Associates
    (b) Health-Related Web Sites
  (2) Sensitive Medical Information
  (3) Private Right of Action
  (4) Marketing/Fundraising Communications
I. Introduction
In the summer of 2000, the Michigan Law Revision Commission (MLRC) initiated a comprehensive review of Michigan laws regarding medical information privacy and commissioned a research project on the topic. This report presents the preliminary findings and conclusions of that research. In its charge, the MLRC indicated that it is particularly interested in knowing what Michigan's medical record privacy laws are, and how they compare with laws enacted by the federal government, particularly the Health Insurance Portability and Accountability Act ("HIPAA"). This report addresses these and other related matters.
A. Background
An individual's medical information is contained in numerous forms, including paper records and charts, electronic databases, and even oral information. It is also possessed by a dizzying array of providers, health care institutions, and business entities, including physicians, hospitals, nursing facilities, pharmacies, insurers, employers, governmental agencies, third party administrators, and marketing firms. Given the broad array of personal medical information that exists and its potentially wide dissemination--particularly in the age of computers--Americans have begun to express concerns about protecting the privacy of such medical information. An August 2000 survey conducted by Gallup for the Institute for Health Freedom[1] found that 78% of those surveyed felt that it was "very important" that their medical records be kept confidential.[2] Not surprisingly, then, a January 1999 survey conducted by Princeton Survey Research Associates found that 1 in 7 Americans had done something out of the ordinary to keep personal medical information confidential, including providing inaccurate information to, or withholding information from, health care providers, doctor-hopping to avoid a consolidated medical record, paying out-of-pocket for care that is covered by insurance, and even avoiding care altogether.[3]
(1) Enactment of HIPAA
In an attempt to address the public's concern, most states, including Michigan, have enacted numerous scattered, uncoordinated laws providing varying degrees of access to, and privacy protection for, medical information possessed by health care providers or institutions. Because these state laws regarding medical information privacy were so varied and incomplete, Congress, as part of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),[4] imposed upon itself a three-year deadline for developing federal health privacy protections.[5] Recognizing that congressional agreement on such health privacy protections may not be politically feasible, HIPAA mandated that, if Congress could not reach agreement on federal health privacy protections within the three-year time period, the task would be delegated to the Secretary of the U.S. Department of Health and Human Services ("HHS").[6] Perhaps not surprisingly, Congress did not meet its self-imposed deadline for developing federal health privacy protections. The task thus fell to HHS, which promulgated proposed rules on November 3, 1999.[7] Final regulations were promulgated in late December 2000.[8]
(2) HIPAA's Scope
(a) Who Is a "Covered Entity" Under HIPAA?
It is important to note that the HIPAA privacy regulations are limited in scope; they do not cover all persons or entities that have access to personal health information. More specifically, the HIPAA privacy regulations only directly cover three types of entities:

(1) health plans (e.g., managed care organizations and traditional insurers);[9]
(2) health care "clearinghouses" (i.e., entities that process health claims information for providers and insurers);[10] and
(3) health care providers[11] (e.g., physicians, hospitals, pharmacists) who transmit any health information in electronic form.[12]

It is only if a provider or entity falls within these three categories that the provider or entity is considered a "covered entity" under HIPAA.[13] Thus, while health plans and health care clearinghouses are always covered entities (and hence, subject to the privacy regulations), health care providers are covered entities only if they transmit health information in electronic form.[14] This is expected to cover most health providers, however, since most providers accept payments from insurers or managed care plans, which, in turn, generally requires that the providers transmit health information in electronic form (e.g., internet, e-mail, fax transmission, phone transmission, etc.). Moreover, another provision of HIPAA, the Electronic Data Interchange ("EDI") standards, establishes and requires the use of a uniform standard for electronic data interchange by covered entities[15] and requires that, by October 16, 2003, all claims for reimbursement by Medicare submitted by providers must be submitted electronically pursuant to the uniform standard.[16] With a few narrow exceptions, paper claims to Medicare will no longer be accepted.[17]
(b) "Business Associates" Under HIPAA
Covered entities are also required under HIPAA to impose contractual restrictions on the use or disclosure of individually identifiable health information by so-called "Business Associates."[18] Thus, if a covered entity hires another company or consultant and provides them with access to protected health information, the covered entity's contract with the Business Associate must establish the permitted and required disclosures of such information by the Business Associate,[19] and provide that the Business Associate will not further use or disclose the information other than permitted or required by the contract or as required by law, will use appropriate safeguards to prevent use or disclosure not permitted by the contract, and report (to the covered entity) any use or disclosure of the information not permitted by contract, of which it becomes aware.[20]
It is important to note, however, that Business Associates are not directly subject to the HIPAA privacy regulations. It is the covered entity, not the Business Associate, that is solely liable for violations of privacy by the Business Associate (although, of course, the covered entity may sue the Business Associate for breach of contract). A covered entity will be deemed "not in compliance" with the HIPAA privacy regulations due to breaches of privacy by a Business Associate if the covered entity knew of a pattern of activity or practice of the Business Associate that constituted a material breach or violation of the Business Associate's obligation under the contract.[21] However, a covered entity will escape liability for the Business Associate's practices if the covered entity took "reasonable steps" to cure the breach or end the violation by the Business Associate and, if such steps were unsuccessful, either (1) terminated the contract, if feasible; or (2) if termination is not feasible, reported the problem to the Secretary.[22] Essentially, therefore, covered entities are held responsible for privacy breaches by a Business Associate only if the covered entity actually knew about the breach and did nothing to remedy it.
(3) HIPAA Enforcement
Any person who believes that a covered entity is not complying with the HIPAA privacy regulations may file a complaint with the Secretary of HHS within 180 days of when the individual knew or should have known that the violation occurred.[23] The Secretary may, but is not required to, investigate such complaints.[24] If the Secretary opts to investigate and determines that non-compliance has occurred, the Secretary must notify the covered entity "and attempt to resolve the matter by informal means whenever possible."[25] If the Secretary determines that the matter cannot be resolved informally, the Secretary may, but is not required to, issue written findings (to both the covered entity and the complainant) documenting the non-compliance.[26]
Section 1176 of the HIPAA statute establishes a general penalty for failure to comply with the requirements and standards of the Act. Specifically, the Secretary "shall" impose upon any person who violates the Act a penalty of not more than $100 for each violation, up to a maximum of $25,000 per calendar year for all violations of an identical requirement or prohibition. Section 1177 of the Act specifically addresses "wrongful disclosure of individually identifiable health information" and provides that a person who knowingly obtains or discloses individually identifiable health information in a manner prohibited by the Act "shall" be punished by a fine of not more than $50,000 and/or imprisonment for not more than one year. If the violation is committed under false pretenses, the punishment escalates to a fine of not more than $100,000 and/or imprisonment for not more than 5 years. If the violation is committed "with an intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm," the punishment again escalates to a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
Neither the HIPAA statute nor regulations permit a private right of action for violations of the privacy provisions.
(4) HIPAA Preemption
While the final regulations have provided significant new federal protections for the privacy of medical information, they are considered to be a minimum, or floor, of protection. State laws contrary to and less protective than HIPAA's protections are preempted; state laws that are "more stringent" than the HIPAA protections are not preempted,[27] even if they are contrary to HIPAA.[28] Three categories of state laws are explicitly not preempted by HIPAA (even if they are less stringent than the protections afforded under HIPAA): (1) state laws that authorize or prohibit disclosure of protected health information about minors to parents, guardians, or persons acting in loco parentis (i.e., parental notification laws);[29] (2) state laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health investigations;[30] and (3) state laws that require health plans to report or grant access to information for the purpose of audits, evaluation, or licensure, or certification of facilities or individuals.[31]
A state (acting through its chief elected official or his/her designee) or others may request, in writing, that the Secretary except a state law from preemption.[32] The Secretary may except a state law from preemption if the Secretary finds one of the following: (1) that the state law is necessary to prevent health care fraud and abuse; (2) that the state law is necessary to ensure appropriate State regulation of insurance and health plans; (3) that the state law is necessary for state reporting on health care delivery or costs; (4) that the state law is necessary to serve a compelling need related to public health, safety, or welfare (and, if a privacy standard is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served); or (5) that the state law has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances.[33]
Given the general lack of understanding and awareness of state law regarding medical information privacy and the broad allowance under HIPAA for the continued operation of state law, the MLRC asked the authors of this report to survey both Michigan and federal law to determine the contours of the privacy of medical information. Specifically, the authors were asked to focus on 5 issues:

(1) patients' access to their own medical records;
(2) third parties' access to a patient's medical records (e.g., insurers, managed care organizations, employers, pharmacies);
(3) third party use of information in a patient's medical records (e.g., researchers, peer review organizations, licensing boards);
(4) treatment of sensitive medical information with a high potential for stigmatizing or discriminatory impact, such as information related to HIV, mental health/substance abuse, sexually transmitted diseases, abortion, or genetic information; and
(5) the retention and disposal of medical records.

Each of these areas will be addressed separately within this preliminary report.
B. Limitations of This Report
It should be noted that, while this report provides a comprehensive overview of the major laws relating to medical information privacy, it is not intended to be an exhaustive document. The final regulations implementing the privacy components of HIPAA, for example, were issued in late December 2000 and total over 360 pages in the Federal Register. The final regulations took effect April 14, 2001, although covered entities have until April 14, 2003 to actually comply with the rules.[9] Because of the volume and complexity of the final rule, its relatively recent effective date, and the fact that most health care organizations are not expected to be in compliance with the rules for many months, it will undoubtedly take years for the full meaning and effect of the regulations to be well-understood. Likewise, except for the HIPAA regulations, our survey of state and federal law generally has been limited to a review of selected statutory law (as opposed to common law or implementing regulations), due to the sheer number, variety and complexity of relevant materials. Moreover, given that our task was to provide an overview of state and federal laws relating to medical information privacy, we have not attempted to obtain or discuss privacy standards developed or required by private accrediting organizations (e.g., JCAHO).
II. Patients' Access to Their Own Medical Records
A. Michigan Law
Michigan law currently states that all licensed health facilities and agencies that provide services directly to patients "shall adopt" a policy describing the rights and responsibilities of admitted patients.[10] Included in the list of statutorily specified minimum patients' rights is the right to inspect and copy his/her medical record upon request.[11] The law explicitly states that the enumerated patients' rights and responsibilities "are guidelines" and that no individual shall be criminally or civilly liable for failure to comply therewith.[12] Although no private right of action by an aggrieved patient is permitted, the Michigan Department of Public Health may seek administrative remedies, including license suspension/revocation or fines, against a licensed facility that denies patients' rights.[13]

Because this law only applies to licensed health facilities and agencies (i.e., licensed institutions), it does not give patients a right to access medical records maintained outside the licensed institutional setting (e.g., a physician's office). Thus, patients in Michigan do not have a statutory right to access general medical records maintained by physicians' offices or other non-institutional offices.
There is, however, more specific protection under Michigan law for patients receiving mental health services. The statutes provide such patients the right to access their mental health records, provided the patient has not been adjudicated legally incompetent and does not have a legal guardian.[14] The entity or person who maintains a mental health record is required to provide the patient with a copy of the record "as expeditiously as possible" but in no event later than the earlier of 30 days of receiving the patient's request or, if the patient is receiving treatment from the holder of the record, before the patient is released from treatment.[15] Access may be denied to the patient if, in the written judgment of the record holder, disclosure to the patient would be "detrimental to the [patient] or to others."[16] Upon receipt of their mental health services record, a patient may challenge the accuracy, completeness, timeliness or relevance of the factual information contained in the record.[17] The patient may insert a statement into the record that corrects or amends the information therein.[18]
B. Federal Law
(1) The Privacy Act of 1974
Under the Privacy Act of 1974,[19] individuals have a right to examine, copy and amend records about them maintained by federal agencies[20] and contractors thereof,[21] including medical records maintained by federal agencies such as the Center for Medicare and Medicaid Services ("CMS").[22] When a federal agency collects information from an individual, the Act requires that the agency notify the individual of the fact of collection, the authority under which the information is being collected, the principal purpose for the information, routine uses that may be made of the information, whether the individual is required to supply the information, and any effects of not so providing.[23]

A federal agency that refuses to comply with an individual's request to examine or copy his/her own records is subject to a civil suit by the individual.[24] The statute states that the remedies for this situation are limited to the issuance of an injunction and order of production against the withholding agency[25] and assessment of reasonable attorney fees and other litigation costs incurred.[26]
(2) Nursing Home Residents' Right of Access
As part of OBRA '87, Congress enacted a comprehensive set of rights for the residents of nursing homes.[27] The statute requires that nursing facilities receiving Medicaid reimbursement (as most nursing homes do) must maintain clinical records on all patients[28] and states that residents have the right to both "confidentiality of personal and clinical records" but also "to access to current clinical records of the resident upon request."[29] Once a request for access to the patient's clinical record has been made (by either the resident or the resident's legal representative), the nursing facility must provide such access within 24 hours (excluding weekends or holidays).[30]
(3) Medicare + Choice Enrollees' Right of Access
Medicare beneficiaries enrolled in Medicare + Choice plans (i.e., managed care or fee-for-service plans) have a statutory right to "timely access" to medical records or other information about them maintained by the plan.[31] Unfortunately, the statute does not specify precisely what is meant by "timely access," nor does the implementing regulation.[32]
(4) Mammography Records
Federal law states that upon the request of the patient, a mammography facility must transfer the patient's mammogram to either: (1) a medical institution; (2) a physician of the patient; or (3) the patient directly.[33] However, neither this statute nor its implementing regulation[34] appear to give the patient a right to demand that the mammography facility transfer the mammogram directly to the patient. In other words, the statute appears to permit a mammography facility faced with a patient's transfer request to choose options 1 (medical institution) or 2 (physician) rather than 3 (transfer to patient directly).
(5) HIPAA
(a) HIPAA's General Right of Access
A central feature of HIPAA is that individuals are granted a right to access their own protected (i.e., individually identifiable) health information35 maintained by a provider, health plan, or a health plan's business partner(s), if the health information is used, in whole or in part, to make health care treatment or payment decisions for the individual.36 So-called "de-identified" health information is not covered by the regulation.37
An individual's right of access includes the right to inspect and copy such records and exists as long as a covered entity maintains the record in which the information is contained.38 A covered entity has up to 60 days (from the date of receiving the patient's request) to respond to a request if the information is maintained by the covered entity on-site, or up to 90 days to respond if the information is maintained off-site.39
The final regulation also specifies that there are three types of information to which the patient does not have a right of access: (1) psychotherapy notes; (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and (3) information maintained by a clinical laboratory subject to the Clinical Laboratory Improvement Act (CLIA), 42 U.S.C. 263a et seq.40
While the first two of these types of information are relatively self-explanatory, the third warrants brief explanation. The federal law regulating clinical laboratories, CLIA, requires clinical labs to disclose test results to "authorized persons," as defined by state law.41 If no state law defines "authorized persons," the federal law defines it as the person who orders the test, usually the health care provider.42 Thus, if state law does not define the patient tested to be an "authorized person," the patient has no right to access the test results from the laboratory itself.43 Assuming the laboratory reports the results to the patient's health care provider, however, the provider is likely to be a "covered entity" subject to HIPAA; hence, the patient would have the right, pursuant to the HIPAA final regulation, to inspect and copy any results conveyed to the health care provider.44 In this indirect way, then, most patients will ultimately have the right, pursuant to the HIPAA final regulations, to access their own medical records containing the results of clinical laboratory tests.
(b) Denials of Access Under HIPAA
In addition to the three situations in which a patient lacks a right of access (see supra Section I(B)(1)), HIPAA's final regulations specify eight situations in which a patient does, in general, have a right of access, but under which a covered entity may deny, if it so desires, a patient's request. If a covered entity opts to exercise its denial rights, it must notify the patient, in writing, of the basis for the denial and provide the patient with information regarding a right to review, if it exists.45 Five of these eight bases for denial are absolute, in the sense that the patient does not have a right to demand a review of the denial. Three of the eight bases, however, are qualified, in the sense that a patient denied access for one of these three reasons is given a right to demand review from a licensed health care professional.
(i) Denials for which there is no right of review
As stated above, the regulations list five situations in which a covered entity may deny a patient access to his/her medical information and for which the patient will have no right to external review of this decision.
First, of course, information requested that falls within any of the three categories listed above (see supra Section I(B)(1)) may be denied.46 Second, correctional institutions (or providers acting under the direction of correctional institutions) may deny an inmate's request to copy his/her own medical information if obtaining a copy would "jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of any officer, employee or other person at the correctional institution or responsible for transporting of the inmate."47 The regulation thus permits denial of the right to copy in situations involving a risk to health or safety, but it does not permit denial of the inmate's right to inspect his/her medical information, which must still be honored unless one of the other permissible denial situations applies.48 Third, the regulations allow a covered entity to deny a request for access to information by patients who are participants in a treatment research study, but only during the time in which the research is in progress, and only if the patient explicitly consents to having such access denied during the course of the research.49 Once the research study has ended, the patient's right of access is automatically reinstated.50 Fourth, a covered entity may deny access under HIPAA if the information requested is contained in records that are subject to the Privacy Act, and the Privacy Act would allow denial of access by the individual.51 Finally, the regulations permit a covered entity to deny access to information that is obtained from someone other than a health care provider acting under a promise of confidentiality, if providing access "would be reasonably likely to reveal the source of the information."52
(ii) Denials for which there is a right to external review
The final regulations specify three permissible bases for denying a patient's requested access to his/her medical information for which the covered entity must provide external review upon demand by the patient. If the patient demands review of the denial, the regulations specify that the covered entity will need to have the denial determination reviewed by a licensed health care professional.53 This professional need not be a physician, but may be any other health care professional licensed by the state, including a nurse or a physician's assistant.54 The regulations specify that the health care professional who conducts the review must not have been involved in the original decision to deny access.55
The three bases for denial for which a right to review attaches are as follows. First, access may be denied if providing access is "reasonably likely to endanger the life or physical safety of the individual or another person."56 The regulations make clear, however, that this basis for denial does not permit denial based upon the general "sensitivity" of the medical information or the likelihood that the information will cause emotional or psychological harm.57 It is only if the information is likely to result in physical violence that this basis for denial may be invoked.
Under the second basis for denial for which a right to review attaches, however, emotional or psychological harm may be appropriately taken into account. Specifically, the regulations state that a patient may be denied access if the information requested makes a reference to a third party (other than a health care provider) and the patient's health care provider has determined, in the exercise of professional judgment, that giving the patient access to such information is "reasonably likely to cause serious harm" to the third party.58 The regulations specifically state that denial may be based upon the likelihood not just of physical harm to the third party, but also the likelihood of emotional or psychological harm.59
Third, access may be denied (with no right of review) if the access is requested by the patient's personal representative and the covered entity has a "reasonable belief that the individual has been or will be subjected to domestic violence, abuse, or neglect by the personal representative" or that allowing the representative's access to the medical information may endanger the patient somehow and that it is therefore not in the patient's best interests to allow the representative such access.60
III. Third Party Access to/Disclosure of a Patient's Medical Records
This section will discuss the various laws regarding whether, and to what extent, a third party may access a patient's medical information. This would include, inter alia, access by entities such as insurers, employers, marketing companies, and governmental agencies.
A. Michigan Law
(1) State Licensing Boards
Michigan law provides authority to the Department of Consumer and Industry Services (DCIS) to investigate activities related to the practice of a health professional and order relevant testimony. Specifically, the statute says:
Sec. 16221. The department may investigate activities related to the practice of a health profession by a licensee, a registrant, or an applicant for licensure or registration. The department may hold hearings, administer oaths, and order relevant testimony to be taken and shall report its findings to the appropriate disciplinary subcommittee…61
The Attorney General, on behalf of a state licensing board, may request the circuit court to issue a subpoena requiring a health professional to produce books, papers, or documents (including medical records) pertaining to the investigation.62 Failure to comply with a subpoena so issued may result in discipline by the licensing board.63 The department or a disciplinary subcommittee appointed may request and shall receive reports, including information from a licensed health care facility, as to disciplinary action taken by it against a health professional.64
(2) Private Accreditation and Peer Review Boards
Michigan's laws governing access to records for investigations do not directly apply to private peer review boards and private accreditation agencies. A health care corporation shall not disclose records containing personal data that may be associated with an identifiable member, or personal information concerning a member, without the patient's consent except when the disclosure is made to a governmental entity.65
(3) Health Provider-Patient Evidentiary Privileges
Michigan law recognizes several patient-health provider evidentiary privileges. Most notably, Michigan statutory law establishes a physician-patient evidentiary privilege, which states that a licensed physician or surgeon "shall not disclose any information that the [physician or surgeon] has acquired in attending a patient in a professional character, if the information was necessary to enable that person to prescribe for the patient as a physician, or to do any act for the patient as a surgeon."66 In addition, Michigan statutes recognize an evidentiary privilege for mental health providers such as psychologists and psychotherapists.67
Of course, these evidentiary privileges are just that, evidentiary privileges, and, as such, merely prevent the health provider from testifying in court as to what the patient has told him/her in his/her capacity as a health provider. Such privileges do not prevent the health provider from divulging a patient's confidences outside the courtroom setting; however, the licensing statutes may prevent such disclosure. Specifically, Michigan statutes provide that the state licensing board may take disciplinary action against a licensed health care provider for "unprofessional conduct."68 The statute specifies that "unprofessional conduct" includes "betrayal of a professional confidence."69 Thus, a provider who divulges information conveyed by a patient as confidential may face adverse action against his/her license.
(4) Licensed Health Facilities' & Agencies' Records
Michigan law provides that all licensed health facilities and agencies must adopt policies that include a right of each patient to have his/her medical records treated as confidential.70 These policies adopted by licensed facilities and agencies should include a right of the patient to refuse dissemination of their records to third parties except as required for transfer to another health facility, by a third party payment contract, or by law.71 As with the situation regarding patient access to his/her own records, this law, by only applying to licensed health facilities and agencies, does not include physician's offices, which are not licensed by the state. Thus, under current Michigan statutes, a patient does not have a legal right to stop his/her physician from disseminating medical records to a third party.72 And again, because the statute merely prescribes general guidelines for the policies that must be implemented by a licensed health facility or agency, there is no specific civil or criminal penalty for non-compliance.73
(5) Non-Profit Health Care Corporations' Records
Michigan has enacted a specific statute regarding the disclosure of medical information by non-profit health care corporations (e.g., Blue Cross/Blue Shield). Specifically, the statute states that a non-profit health care corporation has a duty to use reasonable care to secure its members' records from unauthorized access and to collect only personal data that is necessary for the proper review and payment of claims.74 The Board of Directors of the non-profit health care corporation must adopt specific corporate policies regarding the protection of members' privacy and confidentiality of personal data.75 These corporate policies must also specify that access within the corporation to a member's personal data is limited to those persons with a "need to know" only.76 A non-profit health care corporation that violates this law is subject to criminal misdemeanor penalties of not more than $1,000 per violation and a private civil action for recovery of actual damages or $200, whichever is greater, in addition to reasonable attorneys' fees and costs.77
In addition to these internal policies and responsibilities, the non-profit health corporation may not disclose identifiable personal data, including a member's medical treatment records, without the prior, written, specific, informed consent of the member.78 Exceptions are allowed for disclosure (without patient authorization) to courts, the state insurance commissioner, and governmental agencies or entities.79 The statute also protects against re-disclosure by stating that if the patient has consented to allow the health care corporation to disclose information to a third party, the corporation shall not release the patient's information to such third party unless the third party agrees not to further disseminate the information without obtaining another prior, specific, written, informed consent by the patient.80
(6) Pharmacy Records
Michigan law states that persons having custody or access to prescriptions shall not disclose their contents or provide copies thereof without the patient's authorization, with seven exceptions: (1) the patient him/herself; (2) another pharmacist acting on behalf of the patient; (3) the prescriber who wrote the prescription; (4) a licensed health professional who is currently treating the patient; (5) an agency/agent of the government responsible for enforcement of laws relating to drugs and devices; (6) a person authorized by court order; and (7) a person engaged in research projects or studies with protocols approved by the state licensing board.81 The statute does not specify how patient authorization may be validly obtained, which suggests that any form of authorization, oral or written, is permissible. Pharmacists who violate this confidentiality provision are subject to discipline by the state licensing board.82
(7) Third Party Administrator (TPA) Records
Third party administrators (i.e., those entities hired to process insurance or benefit claims)83 are under a statutory duty to treat as confidential the personal data of an individual covered by a plan.84 As such, the statute states that a TPA shall not disclose identifiable information on a patient to any third party without the patient's prior consent, except as necessary to comply with a court order, to verify or adjudicate claims, to conduct an ERISA audit, to purchase or make claims under excess loss insurance, to the Michigan Insurance Commissioner, or for other proper plan administration.85 Because the statute does not specify precisely how the patient's consent must be obtained, presumably it may be in oral or written form. The statute goes further, however, and states that, once a patient has provided consent for the release of identifiable information to a third party, the third party is also under a duty to keep the information confidential unless the patient "executes in writing another consent authorizing the additional release."86 It is thus clear that, at least with regard to re-disclosure, the patient's authorization must be in writing.
Although this statutory protection appears on its face rather stringent, it does not appear to provide any penalties or remedy in the event that a TPA violates a patient's confidentiality.87
(8) Dental Records
Michigan law states that a patient's dental records are confidential and privileged, and may not be disclosed without the written consent of the patient (or the patient's attorney in fact or personal representative)88 except in certain narrowly defined situations, including, inter alia, as necessary to defend a claim challenging the dentist's professional competence, to make a claim for payment, pursuant to an audit or other good faith examination of the dentist's records for correctness, pursuant to court order, or pursuant to a death examination by a medical examiner.89
(9) Nursing Homes' Records
Licensed nursing homes are under a duty to keep patients' records confidential and "shall not divulge or disclose the contents of a record in a manner that identifies a patient, except upon a patient's death to a relative or guardian, or under judicial proceedings."90
(10) Governmental Agency Access to Records
Michigan law provides numerous allowances for access to a patient's medical information by various governmental agencies (including the courts) under a wide variety of circumstances. Because of the variety and number of such statutes, only a few of the major exceptions will be documented here. The state insurance commissioner, courts, other "government entit[ies]" and other "governmental agenc[ies]" are allowed to obtain access to records of patients who are members of non-profit health care corporations (e.g., Blue Cross/Blue Shield) without the need for obtaining the patient's consent.91 The records of nursing homes are available to state regulators and inspectors who need to determine if the nursing home is in compliance with state and federal standards.92 The Department of Consumer and Industry Services is allowed to access the records of all health care facilities it regulates "to the extent necessary to carry out the purpose" of relevant laws it is charged with enforcing.93
B. Federal Law
(1) The Privacy Act of 1974
The Privacy Act generally prohibits disclosure to any person (or to another agency) of any record maintained about an individual by a federal agency, unless the prior written request or consent of the individual is obtained.94 Thus, for example, medical records maintained by agencies such as the Center for Medicare and Medicaid Services (CMS)95 may not be disclosed without the individual's consent, except in twelve specific situations, referred to as conditions of disclosure.96 One permissible condition of disclosure permits disclosure of information to an employee of a federal agency if the employee needs the record to perform his/her duties.97 Another permits disclosure for so-called "routine uses,"98 which are defined as use of the record "for a purpose which is compatible with the purpose for which it was collected."99
The Act also imposes a duty upon federal agencies to assure that their records are "accurate, complete, timely and relevant for agency purposes" prior to disseminating any record about an individual to any third party (other than a federal agency).100 Agencies are also required to "make reasonable efforts" to notify individuals when records pertaining to the individual are "made available to any person under compulsory legal process when such process becomes a matter of public record."101
The Act provides for both civil and criminal penalties for violation of the disclosure provisions. Specifically, intentional or willful violation by an agency of the provisions of the Act subjects the agency to civil liability for actual damages sustained by the individual (but in no case shall the individual receive less than $1,000 as compensation for such injury), plus reasonable attorney fees and costs of bringing such civil action against the agency.102 Willful disclosure of an individual's record by an officer or employee of an agency to any person or agency not entitled to receive such record is punishable as a misdemeanor and a fine of not more than $5,000.103 Likewise, the knowing and willful request or obtainment of any individual's record under false pretenses is punishable as a misdemeanor and a fine of not more than $5,000.104
(2) Nursing Home & Home Health Agency Records
As stated in Section II(B)(2) (relating to Patients' Access to Medical Records), the residents of nursing facilities receiving Medicaid reimbursement (virtually all nursing homes) have a statutory right to the confidentiality of personal and clinical records.105 In addition, federal law requires, as a condition of participation in the Medicare program, that home health agencies ensure the confidentiality of the clinical records of patients.106
(3) Hospital Records
Federal regulations107 require that, as a condition of participation in the Medicare program, hospitals must maintain medical records for every individual treated or evaluated in the hospital.108 Records must be retained in their original (or legally reproduced) form for at least five years.109 The regulations also require that the hospital "have a procedure for ensuring the confidentiality of patient records."110 Furthermore, information from or copies of hospital records may be released only to "authorized individuals" (not specified in the regulation), and the hospital "must ensure that unauthorized individuals cannot gain access to or alter patient records."111 The regulation goes on to say that "original medical records must be released by the hospital only in accordance with Federal or State laws, court orders, or subpoenas."112 It is thus not clear, given the awkward wording of this regulation, whether: (1) non-original medical records are somehow considered distinct from original medical records; and (2) the records "may" (as opposed to "must") be released in other, non-specified situations.
(4) Medicare + Choice Records
Federal law provides that health plans participating in the Medicare + Choice program must "establish procedures" to "safeguard the privacy of any individually identifiable enrollee information."113 The implementing regulation associated with this statute, moreover, specifies, inter alia, that the Medicare + Choice plan must have procedures that specify: (1) for what purposes such information will be used within the organization and (2) to whom and for what purposes the plan will disclose the information outside the organization.114 Neither the statute nor the regulations prohibit the plan from disclosing information to outside entities, nor do they give the enrollee a right to prohibit the plan from so disclosing.
(5) HIPAA
(a) Permitted Disclosures for Governmental Health Oversight Purposes
HIPAA provides that a permitted disclosure is for health oversight activities such as licensure, fraud and abuse investigations, and audits:
"(d) Standard: Uses and disclosures for health oversight activities. (1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: (i) The health care system; (ii) government benefit programs for which health information is relevant to beneficiary eligibility; (iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or (iv) Entities subject to civil rights laws for which health information is necessary for determining compliance."
This provision would provide authority to state licensing boards to access personally identifiable health information to conduct oversight activities for licensure and disciplinary actions.115
(b) Disclosures to Private Peer Review & Accrediting Organizations
The HIPAA privacy rule applies directly only to health plans, health care clearinghouses, and certain health care providers. Thus, for purposes of obtaining access to protected health information, a private peer review or accrediting organization (e.g., JCAHO) would be a "Business Associate" of covered entities and thus regulated only indirectly, via contractual provisions with the covered entity.
(c) Disclosures for which Patient Consent is Required
The HIPAA final rule requires that health care providers who have a "direct treatment relationship"116 with their patients must obtain the patient's written consent in order to disclose117 or use118 protected health information to third parties when such disclosure or use is for the purpose of treating the patient, obtaining payment, or for health care operations.119 Importantly, the consent form may be combined with other types of written legal permission (e.g., informed consent for treatment) if the disclosure consent is visually and organizationally separate from such other written legal permission and is separately signed by the individual and dated.120 The consent form must refer the individual to a notice that contains a detailed discussion of the provider's health information practices.121 The consent form must also inform the patient that he/she has a right to ask the covered entity to request certain restrictions regarding the use or disclosure of the information, that the covered entity is not required to agree to such restrictions, and that the individual has the right to revoke the consent in writing.122
Health care providers who do not have a direct treatment relationship with the patient (e.g., laboratories), health plans, and health care clearinghouses may use and disclose protected health information for purposes of treatment, payment or health care operations without obtaining patient consent. The final rule permits such entities to obtain patient consent, if they so choose.123
One other significant aspect of the HIPAA consent requirement is that the final rule explicitly permits a provider or health plan to condition treatment or enrollment on obtaining the patient's consent.124 Thus, providers and institutions may, consistent with federal law, refuse to treat or enroll a patient if the patient does not consent to the disclosure of his/her medical records for purposes of treatment, payment, or health care operations.125 Although patients are permitted to request that providers not share their medical information with others for the purpose of treatment, payment, or health care operations, providers are not required by law to agree to such a request. The HIPAA final regulations have thus been criticized by privacy advocates as essentially coercing consent from patients. On the other hand, CMS, in issuing the final regulations, recognized that "it would be difficult, if not impossible, for health care providers to treat their patients and run their businesses without being able to use or disclose protected health information for [treatment, payment, or health care operations] purposes."126
(d) Disclosures for which Patient "Authorization" is Required
If the use or disclosure of protected health information is for a purpose other than treatment, payment, or health care operations, the rules are more stringent. No longer will mere "consent" suffice; more is required. Specifically, the rules require "authorization" by the patient, which (like consent) must be in writing, but (unlike consent) may generally not be combined with other documents and may not be made a condition of the individual's treatment, eligibility for benefits, payment, or health plan enrollment.127 Moreover, unlike the open-ended consent, an authorization must contain an expiration date.128
(e) When Is Consent or Authorization Not Required by HIPAA?
i. General Exceptions
One of the primary shortcomings of HIPAA is that it permits the disclosure of protected health information for many broadly defined purposes without the need for obtaining patient consent or authorization,129 including, inter alia: (1) disclosure to U.S. public health authorities or foreign governmental agency officials acting in collaboration with a public health authority;130 (2) disclosure to any person subject to FDA jurisdiction in order to report adverse events or product defects, for purposes of product tracking or post-marketing surveillance, or to enable product recalls, repairs or replacement;131 (3) disclosure to health oversight agencies for oversight activities authorized by law;132 (4) disclosure required by other laws, including state laws;133 (5) disclosure for law enforcement proceedings and activities;134 (6) disclosure for judicial and administrative proceedings;135 (7) disclosure to employers if the information relates to work-related illness or injury;136 (8) disclosure to coroners, medical examiners and funeral directors regarding deceased individuals;137 (9) disclosure to organ procurement organizations,138 blood banks, sperm banks, and tissue banks;139 (10) disclosure for research purposes;140 (11) disclosure about victims of abuse, neglect, or domestic violence;141 and (12) disclosure for workers' compensation.142 When making these types of non-consent disclosures, covered entities are required to implement policies and procedures for disclosing the "minimum necessary" amount of health information.143
ii. Disclosure/Use for Marketing & Fundraising Purposes
HIPAA states that a covered entity may use or disclose (to a Business Associate that assists the covered entity with such communication) protected health information for purposes of marketing144 health-related goods or services in three situations:
(1) face-to-face marketing communications with the patient regarding the entity's own services or products or the services/products of a third party (e.g., providing free samples or other information to the patient upon an office visit);145
(2) providing the patient with products or services of nominal value that contain a marketing communication (e.g., distributing pens, calendars, toothbrushes, key chains, etc. bearing the name of the covered entity or the name of a third party);146 and
(3) marketing health-related products/services (offered by the covered entity or a third party) to the patient, but only if the communication identifies who is making the communication, states that the covered entity is being compensated for making the communication (if that is so), and informs the patient how to "opt out" of future marketing communications.147
This provision does not allow a covered entity to disclose information to third parties, but merely allows the covered entity to inform patients about potentially beneficial health-related products/services offered by itself or third parties.148 Covered entities will thus be permitted to inform patients of potentially beneficial drugs, treatments, or other health-related products/services.
HIPAA contains similar restrictions on fundraising by covered entities. Specifically, the final regulation states that a covered entity may use or disclose (to a Business Associate or institutionally-related foundation)149 certain limited protected health information for purposes of conducting fundraising (for its own benefit only), so long as: (1) the covered entity includes, in the notice of privacy practices required by the regulation,150 a statement that the entity may contact the individual to raise funds for the covered entity;151 and (2) the fundraising materials sent to the patient inform the patient how they may "opt out" of future fundraising communications.152 The regulation explicitly limits use/disclosure for fundraising purposes to two specific types of health information: (1) demographic information relating to the individual; and (2) dates of health care provided to the individual.153 Any other protected health information may not be used or disclosed for purposes of fundraising.
Because the regulations require that the covered entity inform the patient of their right to "opt out" of future marketing or fundraising communications, the regulations may be viewed as providing covered entities with "one free pass" for such communications. Thus, covered entities may use or disclose protected health information to engage in marketing/fundraising communications once, but must give patients the right to "opt out" of future such communications if they so desire.
(f) Patients' Right to Accounting of Disclosures
Another significant aspect of HIPAA is that it establishes a right of individuals to obtain an accounting of any disclosures of protected health information by a covered entity within six years prior to the date of the requested accounting.154 Exceptions are made for, inter alia, disclosures to carry out payment, treatment, or health care operations (i.e., necessary disclosures).155 The accounting provided to the patient must include the name of the entity or person who received the information, the date of disclosure, a brief description of the information disclosed and a brief statement of the purpose of the disclosure.156 The accounting generally must be provided to the patient within 60 days after receipt of the request therefor.157
(6) The Freedom of Information Act
The Freedom of Information Act ("FOIA")158 requires the federal government to disclose, upon request, many different types of information possessed by the federal government. Exemption 6 of FOIA, however, allows federal agencies to withhold "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." 5 U.S.C. § 552(b)(6). Pursuant to the final HIPAA rules, HHS has taken the position that disclosures prohibited pursuant to HIPAA would also be subject to FOIA Exemption 6, thus avoiding most (if not all) potential conflicts between the two laws.
IV. Privacy in Medical Research
Biomedical, epidemiologic, and health services research based on the study of patient medical records has been instrumental in our understanding of outcomes, patterns of practice and use, and determinants of the cost of health care. Medical information used for health services research has helped to identify potential risks of under-treatment in systems of care, to evaluate the cost effectiveness of surgical procedures and other important medical interventions, and to develop methods and measures to assess the quality of care provided by health plans, hospitals, physician groups and individual physicians.159 The State of Michigan and society overall must decide how best to pursue simultaneously the protection of individuals' right to privacy of health information while preserving justified research access to personally identifiable health information to conduct research to benefit society.160
(1) Federal Law
Most research involving human subjects operates under the current Federal Policy for the Protection of Human Subjects, known as the "Common Rule" (codified for the Department of Health and Human Services (HHS) at Title 45 Code of Federal Regulations Part 46), and/or the Food and Drug Administration's (FDA) human subjects protection regulations.161 These federal regulations have provisions that address confidentiality and are similar to, but separate from, the HIPAA Privacy Rule's provisions for research.162
(a) The Common Rule
The Common Rule, which was developed largely to protect the rights and safety of human subjects, contains two general provisions to protect the privacy of health information used for research. Institutional Review Boards (IRBs) are required to be established pursuant to 45 C.F.R. Part 46 for the purpose of reviewing, and with the authority to approve, require modification in, or disapprove, all research activities covered by the regulations.163 The two privacy provisions are: (1) the requirement that, when appropriate, there be provisions to protect the privacy of human research subjects and to maintain the confidentiality of data; and (2) the requirement that researchers provide research subjects with information regarding the confidentiality and use of their health information as part of the subjects' decision to consent to participate in the study. The basic elements of informed consent must include "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained."164
A 1999 report by the General Accounting Office (GAO), Medical Records Privacy, reported that, "According to the Director of OPPR, confidentiality protections are not a major thrust of the Common Rule and IRBs tend to give it less attention than other research risks because they have the flexibility to decide when it is appropriate to review confidentiality protections."165 The Common Rule gives Institutional Review Boards discretion to determine whether the research involves no more than minimal risk to the subjects, in which case informed consent may not be necessary to access personally identifiable health information.
Within the last several years, several universities' research programs have been halted because of failures of their Institutional Review Boards to protect human research subjects.166 What role, if any, should the State have in the protection of research subjects' privacy?
(b) HIPAA
The HIPAA final privacy rule provides that research167 which also involves clinical treatment, and in which protected health information ("PHI")168 is collected, may not be conducted without obtaining the individual patient's authorization for the use or disclosure of such information. Health information is any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.169
Prior to initiating a research study a researcher must assess the extent to which information about the individual will be used by the research team, as well as used by and disclosed to parties outside of the research team. "Except as otherwise permitted by §164.512(i), a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment must obtain an authorization for the use or disclosure of such information."170 The authorization to use the information must contain:
(A) A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations;171
(B) A description of any protected health information that will not be used or disclosed.172
"For example, if the covered entity/researcher intends to seek reimbursement from the research subject's health plan for routine costs of care associated with the protocol, the authorization must describe types of information that will be provided to the health plan."173
The rule also creates a new review body called a "Privacy Board." A privacy board must: (1) have members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights; (2) have at least one member who is not affiliated with the covered entity, and not affiliated with any entity conducting or sponsoring the research; and (3) not have any member participating in a review of any project in which the member has a conflict of interest.
The HIPAA final privacy rule provides a mechanism by which the authorization requirement for use of protected health information (PHI) for research purposes may be waived. The final rule provides that IRBs or the HIPAA-created privacy boards have authority to approve an alteration or waiver of the authorization requirement. The focus of the review is whether the privacy interests of the individual will be adversely affected.174 On the basis of a documented waiver, a covered entity may use or disclose protected health information for the research without the individual's authorization. Specifically, the regulations state as follows:
(2) Documentation of waiver approval by the Privacy Board or IRB. For a use or disclosure to be permitted based on a Privacy Board action the documentation must include all of the following:
• Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;
• Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:
    • The use or disclosure of protected health information involves no more than minimal risk to the individuals;
    • The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
    • The research could not practicably be conducted without the alteration or waiver;
    • The research could not practicably be conducted without access to and use of the protected health information;
    • The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;
    • There is an adequate plan to protect the identifiers from improper use and disclosure;
    • There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and
    • There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
• A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure;
• A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair.175
An IRB must follow the requirements of the Common Rule, including the normal review procedures. To use personally identifiable health information without authorization of the individual the researchers must document: (A) The use or disclosure of protected health information involves no more than minimal risk to the individuals; (B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals; (C) The research could not practicably be conducted without the alteration or waiver; (D) The research could not practicably be conducted without access to and use of the protected health information; (E) The privacy risks to individuals whose protected health information is to be used or disclosed are
reasonable
in relation to the anticipated benefits if any to the individuals, and the
importance of the knowledge that may reasonably be expected to result from the
research; (F) There is an adequate plan
to protect the identifiers from improper use and disclosure; (G) There is an
adequate plan to destroy the identifiers at the earliest opportunity consistent
with conduct of the research, unless there is a health or research justification
for retaining the identifiers, or such retention is otherwise required by law;
and (H) There are adequate written
assurances that the protected health information will not be reused or
disclosed to any other person or entity, except as required by law, for
authorized oversight of the research project, or for other research for which
the use or disclosure of protected health information would be permitted.176
The research community, including leading universities, medical schools, scientific societies, and pharmaceutical research, medical device and biotechnology firms, has expressed concerns regarding the impact the Privacy Rule will have on research. "The academic and industry research communities believe that the rule's restrictions on the use and disclosure of protected health information for research purposes and limits on retention of research data will seriously impair our ability to conduct clinical trials, clinico-pathological studies of the natural history and therapeutic responsiveness of disease, epidemiologic and health outcome studies, and genetic research."177
The HIPAA Privacy Rule does not directly apply to researchers who are not also directly treating patients. The Privacy Rule applies to individually identifiable health information gained in the course of medical treatment. "The odd result is that for research involving treatment, PHI is protected by this special authorization requirement, but for research that does not involve treatment (which includes research that may yield vital and possibly harmful PHI, such as, for example, personal genetic information), no such special authorization is specifically required. The best practice, nevertheless, would be for IRBs, institutions and researchers to require these authorizations for all human subjects research, regardless of whether that research includes medical treatment."178
(2) Michigan Law
Michigan law regarding the use of medical records for purposes of research is limited. The relevant statute provides that data, including written reports, statements, notes, memoranda and other records, shared with the department in the conduct of a medical research project for the purpose of reducing the morbidity or mortality from any cause or health condition are confidential and shall be used solely for medical research purposes. The statute reads as follows:
Sec. 2631. Confidentiality of Information
The information, records of
interviews, written reports, statements, notes, memoranda, or other data or
records furnished to, procured by, or voluntarily shared with the department in
the conduct of a medical research project, or a person, agency, or organization
which has been designated in advance by the department as a medical research
project which regularly furnishes statistical or summary data with respect to
that project to the department for the purpose of reducing the morbidity or
mortality from any cause or condition of
health are confidential and shall be used solely for statistical,
scientific, and medical research purposes relating to the cause or condition of
health.[179]
This provision was enacted as a part of the Public Health Code of 1978. The provision is limited to research conducted by the Department of Community Health and does not apply to other medical research conducted in the State of Michigan. The law does not provide any express penalties for violation. MCL 333.2632 provides that furnishing data to the department in the conduct of a medical research project does not result in the loss of a privilege protecting the data.
MCL 333.2619 provides for the establishment of a registry for cancer cases and other specified diseases. The law states, "(3) the department shall maintain comprehensive records of all reports submitted pursuant to this section. These reports shall be subject to the same requirements of confidentiality as provided in section 2631 for data or records concerning medical research projects."[180] This provision is limited to the Department and to designated persons, agencies or organizations provided the information for research purposes by the department. A cancer registry developed by a hospital, university or other organization is not covered by the provision.
(3) Other States
A state that has legislatively addressed in a comprehensive manner access to health information for purposes of research is Minnesota. In 1997, Minnesota passed a progressive law to protect the privacy of individuals' health information. The law provides that patients' health records cannot be used for research purposes without a reasonable effort to obtain the patient's written consent.[181] Specifically, providers must obtain the patient's consent for release of health records in writing. Authorization may be established if an authorization is mailed at least two times to the patient's last known address with a postage-prepaid return envelope and a conspicuous notice that the patient's medical records may be released if the patient does not object.
In commentaries on the law, researchers within the state of Minnesota expressed their concern as to how the law would adversely impact the research enterprise within the State of Minnesota.[182] This law has provided an opportunity for researchers to study whether a requirement to obtain consent prior to release of health information for research purposes would adversely affect the ability to conduct research. A 1999 study found that "Requiring a patient informed consent to gain access to medical records for a specific research study was associated with a low participation rate among members of one health plan in this observational study."[183] In the study only 53% of the individuals contacted to participate responded; only 19% authorized the use of medical records and 34% declined.
V. Sensitive Medical Information
Certain types of medical information pose special privacy concerns because of the high potential for discrimination or stigmatization that often results from dissemination of such information. This category, generically described as "sensitive medical information," includes information pertaining to HIV/AIDS, mental health or substance abuse treatment, abortion, child abuse and genetic information.
A. Mental Health Information
(1) Michigan Law
Michigan law has numerous special requirements for medical information pertaining to mental health services. One important statutory provision states that information contained in a record or acquired in the course of providing mental health services to a patient "shall be kept confidential and shall not be open to public inspection."174 Once this general statement is made, however, the statute goes on to establish three separate categories of possible disclosure: (1) situations in which disclosure must be made; (2) situations in which disclosure may be made, provided patient consent (or a relevant proxy, such as a guardian) is obtained; and (3) situations in which disclosure may be made at the discretion of the record holder, without the need for patient consent.
With regard to the first category, i.e., situations in which disclosure of mental health information must be made, the statute lists seven (7) such situations: (1) compliance with a subpoena issued by a court or legislature; (2) to prosecuting attorneys as needed to participate in a proceeding governed by the act; (3) to the patient's attorney (but only if the patient or, if applicable, his/her guardian or parent, consents); (4) if needed to comply with another provision of law; (5) if needed by the department of mental health; (6) if needed by the office of the auditor general; and (7) to a surviving spouse (or, if no surviving spouse, to the individual(s) most closely related to the patient within the 3d degree of consanguinity) for the purpose of applying for and receiving benefits.175
With regard to the second category, i.e., situations in which disclosure may be made with the consent of the patient (or, if applicable, his/her guardian, custodial parent, a court-appointed personal representative of the patient, or the executor of the estate of a deceased patient), there are two (2) situations specified: (1) disclosure to another provider who is providing mental health services to the patient; or (2) disclosure to the patient (or his/her guardian or, if the patient is a minor, the patient's parent) unless the holder of the information expresses its judgment, in writing, that "disclosure would be detrimental to the recipient or others."176
Finally, the statute sets forth a third category, wherein disclosure of mental health information may be made by the record holder without the need for obtaining the patient's (or anyone else's) consent. This type of disclosure is permissible in the "discretion of the holder of the record" and is limited to three situations: (1) as needed for the patient to apply for or receive benefits; (2) as needed for the purpose of outside research, evaluation, accreditation, or statistical compilation; and (3) to a provider of mental health or other health services or a public agency if "there is compelling need for disclosure based upon a substantial probability of harm to the recipient or other individuals."177 In the situation permitting disclosure for research, evaluation, accreditation, or statistical compilation, the statute specifies that the mental health information disclosed must be stripped of identifiable information "unless the identification is essential in order to achieve the purpose for which the information is sought or if preventing the identification would clearly be impractical, but not if the subject of the information is likely to be harmed by the identification."178
In
addition, there is a special Michigan statute that imposes upon mental health
professionals a duty to disclose a communication by a patient involving a
threat of physical violence against a reasonably identifiable third party,
provided the patient has the apparent intent and ability to carry out such
threat in the foreseeable future.179 The mental health professional may
generally discharge this duty by hospitalizing the patient or communicating the
threat to the third party and relevant law enforcement authorities.180 Mental health professionals and
licensed mental health facilities are also under a statutory duty to report
suspected criminal abuse of their patients to relevant law enforcement
authorities, provided there is reasonable cause to suspect such abuse.181
Michigan law also provides special statutory protection for the mental health records of prisoners,182 which is essentially the same as the protection afforded to mental health information of non-prisoners, with one important difference: all of the disclosures of prisoners' mental health information permitted by the statute are permissive, not mandatory.183 As mentioned above, the statute establishing confidentiality of non-prisoner mental health information lists seven (7) instances in which disclosure of such information is mandatory.184 These same seven instances are listed in the prisoner confidentiality statute (with one relatively minor difference185), but they are permissive rather than mandatory disclosures. Thus, the holder of a prisoner's mental health records is not required to disclose in these seven situations, whereas the holder of a non-prisoner's mental health records is required to disclose. Ironically, in this regard, prisoners appear to enjoy a greater right to privacy with regard to mental health information than do non-prisoners.
(2) Federal Law
HIPAA provides heightened protection to "psychotherapy notes."186 For most purposes, a covered entity may not disclose information contained in psychotherapy notes without specific patient authorization.187 A health plan may not condition enrollment in the plan or provision of benefits under the plan upon an individual providing authorization for disclosure of psychotherapy notes.188
B. Substance Abuse Information
(1) Michigan Law
Michigan law provides that records maintained in connection with a substance abuse treatment, rehabilitation, prevention, or emergency medical service are confidential.189 Disclosure may be made with the patient's written consent in three situations: (1) to health professionals for the purpose of diagnosing or treating the patient; (2) to any governmental personnel for the purpose of obtaining benefits to which the patient is entitled; or (3) to any other person specifically authorized by the patient.190 Disclosure may also be made without the patient's consent in four situations: (1) to medical personnel to the extent necessary to meet a bona fide medical emergency; (2) to qualified personnel for the purpose of conducting scientific research, financial audits or program evaluations, provided the identity of the individual is not disclosed by such personnel; (3) as ordered by a court of competent jurisdiction in order to determine whether an individual is under treatment by an agency; and (4) as ordered by a court for purposes of conducting a hearing to determine the need of a minor for substance abuse rehabilitation or treatment.191
There is a separate state statute that authorizes a treating physician (or other health professional acting on the advice and direction of a treating physician) to disclose information relating to substance abuse treatment given to or needed by a minor to the minor's spouse, parent, guardian or person in loco parentis.192 This disclosure may be made for medical reasons in the judgment of the treating physician or other health professional, even if the minor expressly objects.193
(2) Federal Law
Federal law provides that any program relating to substance abuse education, prevention, training, treatment, rehabilitation or research which is conducted, regulated, or directly or indirectly assisted by any U.S. department or agency shall keep patient records confidential.194 The statute provides for four general categories of exceptions to this general rule of confidentiality: (1) substance abuse records may be disclosed with the prior written consent of the patient;195 (2) they may be disclosed (without patient consent) to "medical personnel to the extent necessary to meet a bona fide medical emergency;"196 (3) they may be disclosed (without patient consent) to "qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation" except that, in conducting such research/audits/program evaluation, such personnel may not disclose the identity of any individual patient;197 and (4) they may be disclosed (without patient consent) by court order upon a showing of good cause.198
The federal statute explicitly states that it does not preempt state laws regarding the reporting of incidents of suspected child abuse and neglect.199 Violations of the law are punishable by fines in accordance with Title 18 of the U.S. Code.200
The commentary section of the HIPAA privacy regulation acknowledges that there are a number of health care providers who will be subject to both the federal substance abuse confidentiality statute and the HIPAA final regulations.201 However, HHS states that, "in most cases, a conflict will not exist between these rules."202 This is so because, while the HIPAA privacy rules do permit providers to make disclosures not permitted by the substance abuse statute, the Agency emphasizes that "because these disclosures are permissive and not mandatory, there is no conflict. An entity would not be in violation of the [HIPAA] privacy rules for failing to make these disclosures."203 In other words, while a provider may be permitted to disclose under HIPAA, he/she is not required to do so. If he/she chooses not to disclose, there is no violation of either HIPAA or the federal substance abuse statute. If, on the other hand, the provider chooses to disclose, he/she will not violate HIPAA, but may violate the federal substance abuse statute. It is apparently left to the provider to choose whether or not to disclose under such circumstances.
C. HIV/AIDS
(1) Michigan Law
Michigan
has numerous, scattered statutes relating to the privacy of medical information
relating to HIV/AIDS.
As
an initial matter, the statutes provide that all records relating to HIV/AIDS
testing or test results are confidential under Michigan law.204 HIV or AIDS infected individuals may
expressly authorize release of their HIV/AIDS records, but such authorization
must be in writing.205 Information about HIV infection or AIDS may
be released upon court order within tightly circumscribed parameters.206 The statute also permits disclosure to the
state department, local health departments and health care providers if
disclosure would (1) protect the health of an individual, (2) prevent further
transmission, or (3) assist with the diagnosis and care of a patient.207 The information may also be disclosed
to individuals who have had contact with the infected patient if the physician
or local health officer determines that disclosure is needed to prevent a
reasonably foreseeable risk of further transmission of the disease.208 Persons who violate the statute and
release HIV/AIDS records without legal authority are subject to misdemeanor
prosecution, with penalties of up to one year imprisonment and fines of not
more than $5,000, in addition to civil liability for actual damages or $1,000,
whichever is greater, plus costs and reasonable attorney fees.209
In addition to the above-referenced statute, Michigan has adopted a special statute dealing with the provision of treatment to minors who are, or who profess to be, infected with venereal disease or HIV.210 Specifically, the statute states that treating physicians (or other health professionals acting on the advice and direction of the treating physician) may, but are not obligated to, disclose "for medical reasons" the treatment given or needed to the minor's spouse, parent, guardian or person in loco parentis.211 Such disclosure may occur even if the minor objects thereto.212
State law also provides that individuals who apply for a marriage license must check off a box acknowledging that they have received information regarding the availability of HIV tests.213 If a marriage license applicant chooses to undergo such testing and the results are positive, the statute provides that the physician (or her designee) "immediately shall inform both applicants of the test results" and shall provide them with counseling.214
Police officers, fire fighters, and certain emergency medical personnel who assist a patient who is subsequently transported to a health facility may, in certain instances, be notified that the patient was subsequently tested for HIV, HBV or other infectious agents.215 If the police officer, fire fighter or other emergency medical personnel sustains a percutaneous, mucous membrane, or open wound exposure to the blood or bodily fluids of the emergency patient, they may request that the emergency patient be tested for HIV or HBV infection.216 If the results of such test(s) are positive, the results may be disclosed to the exposed individual,217 but the identity of the emergency patient shall not be revealed.218 The exposed individual who receives the results of a test performed on an emergency patient may disclose such information to others "only to the extent consistent with the authorized purpose for which the information was obtained."219
Blood banks or other health facilities that receive donated blood that is tainted with HIV are required to immediately notify the local health department of the violation.220
Women who undergo an initial examination for pregnancy or who have recently delivered an infant may be tested for venereal disease, HIV (or antibody to HIV), and hepatitis B.221 The statute makes it clear, however, that such tests are not required if the woman does not consent to be tested or if the health provider determines, in his/her professional opinion, that the tests are medically inadvisable.222 If such tests are performed on the woman, the statute provides that the health providers shall make and retain a record of the tests and the test results (or, if no such tests were provided, the record “shall contain an explanation of why the tests were not ordered.”).223 The statute also states that the test results and records relating thereto are not public records but “shall be available to a local health department and to a physician who provides medical treatment to the woman or her offspring.”224
Each incoming prisoner in a state correctional facility shall be tested for HIV (or antibody to HIV).225 If the prisoner tests positive and subsequently behaves in a manner that could transmit HIV to others, the prisoner must be housed in administrative segregation.226 In addition, each positive test result must be reported to the department of community health.227
(2) Federal Law
Federal law provides that states may obtain federal grant money for carrying out programs to provide partner counseling and referral services, but only if the states receiving federal grant money comply with various federal requirements.228 One of the prerequisites for receiving federal grant money is that states must establish and carry out a program for partner notification (which must not disclose the identity of the infected individual).229 In addition, the state must require entities which provide HIV tests to “confidentially report the positive test results to the State public health officer in a manner recommended and approved by the Director of the Centers for Disease Control and Prevention, together with such additional information as may be necessary for carrying out such program.”230
Another federal statute, enacted as part of the Violence Against Women Act, provides that the victim of a sexual assault may obtain an order from a U.S. District Court requiring that the defendant be tested for the presence of HIV.231 The test results may be communicated to both the victim and the defendant.232 If the initial test is negative, follow-up tests may be ordered by the court six and twelve months from the date of the initial test.233 The statute further provides that the victim may disclose the test results only to “any medical professional, counselor, family member or sexual partner(s) the victim may have had since the attack” and that “[a]ny such individual to whom the test results are disclosed by the victim shall maintain the confidentiality of such information.”234 Any person who fails to maintain confidentiality of the test results may be held in contempt of court.235
D. Other Sexually Transmitted Diseases
(1) Michigan Law
An individual who is arrested and charged with certain crimes relating to enticing a child for immoral purposes,236 gross indecency,237 prostitution238 or criminal sexual conduct239 shall be examined or tested for venereal disease, hepatitis B, and for the presence of HIV or an antibody to HIV if the district court determines there is reason to believe the violation involved sexual penetration or exposure to a bodily fluid of the defendant.240 The examinations and tests administered shall be administered confidentially, except that the statute permits disclosure of test results in numerous situations: (1) to the victim or person who was exposed to the bodily fluids;241 (2) to the court or probate court;242 (3) to the state department of community health;243 (4) to the local health department;244 (5) to the department of corrections (if the defendant is placed in custody thereof);245 (6) as required by law;246 or (7) upon written authorization of the defendant.247
(2) Federal Law
There currently is no federal law that specifically addresses the confidentiality of medical information relating to sexually transmitted diseases.
E. Pregnancy/Abortion Services
(1) Michigan Law
State law states that the identity and address of a patient who is provided information relating to abortion services or who consents to an abortion is confidential and may be disclosed “only with the consent of the patient or by judicial process.”248 Given that the statute does not appear to require written consent, presumably oral consent is valid. In addition, a local health department that possesses a record containing the identity of such a patient may release such information only to a physician (or qualified person assisting the physician) in order to verify the receipt of information required by law (i.e., Michigan requires that certain specific material be given to individuals seeking an abortion prior to obtaining an abortion) and must destroy any records containing the identity and address of the patient within 30 days after providing the patient with such information/counseling.249
Michigan law also requires disclosure of a minor’s intent to obtain an abortion to at least one of the parents or the legal guardian of the minor.250 Consent must be obtained from both the minor and one of the parents or the legal guardian prior to performing an abortion on a minor.251 Violation of this provision is a misdemeanor and may be the subject of a civil action, with punitive damages awardable.252
A treating physician (or other health professional acting on the advice and direction of the treating physician) may also, for medical reasons, inform the putative father of a child, or the spouse, parent, guardian or person in loco parentis of a minor, as to health care provided or needed by that minor relating to prenatal and pregnancy related care.253 Such information may be disclosed by the treating physician or other health professional even if the minor expressly objects.254
(2) Federal Law
There currently is no federal law specifically addressing the confidentiality of medical information relating to pregnancy or abortion services.
F. Child Abuse Information
(1) Michigan Law
Current state law provides that, upon written request by a family independence agency caseworker or administrator, a licensed health professional must release medical records that are pertinent to an investigation of child abuse if such records are needed to determine whether child abuse or neglect has occurred or to protect a child where there is a substantial risk of harm.255 Upon receiving such a request for medical records, the health professional must review the records to determine if there is information pertinent to the investigation.256 If pertinent information is contained in the record, the health professional shall release the record(s) within fourteen days of receiving the request therefor.257 The statute explicitly states that no health professional-patient privileges are applicable to medical information released pursuant to the statute.258
A separate state statute requires numerous persons not employed by FIA to report suspected child abuse or neglect, including health professionals such as physicians, coroners, dentists, registered dental hygienists, medical examiners, nurses, and licensed emergency medical care providers.259 Such reports must be made orally and immediately, by telephone or otherwise; a written report must be completed within 72 hours after making the initial oral report.260
State law also provides that, prior to placing a child with foster parents, the foster parents shall be provided written information regarding the child’s history of abuse/neglect, all known emotional and psychological problems, and any behavior problems that might present any risk to the foster family.261 The child placing agency shall explain to the foster parents that the information so provided about the child and the child’s family is confidential.262 The statute does not provide a penalty for a violation of this confidentiality provision by the foster family.
(2) Federal Law
There currently is no federal law regarding the confidentiality of medical information related to child abuse or neglect.
G. Genetic Information
(1) Michigan Law
“The advancement of human genetic technologies may prove the defining scientific achievement of the 21st century. The success of the Human Genome Project in meeting its two main scientific goals—identifying the genes and sequencing the chemical bases in human DNA—ensures that the genetic revolution in science will continue apace as the new century progresses.”263 The implications of the genetic revolution are only beginning to be unraveled by scientists. By the year 2010, predictive genetic tests will be available for common conditions, allowing individuals who wish to know this information to learn their individual susceptibilities and to take steps to reduce those risks for which interventions are or will be available.264 By the year 2020, pharmacogenomic approaches for predicting drug responsiveness will be standard practice for a number of diseases. Gene-based “designer drugs” will be introduced to the market for diabetes mellitus, hypertension, mental illness, and many other conditions.265
Today certain genetic information can be important in making health care decisions for the individual tested and for family members, but the information can also be misused.266 The State of Michigan has been a leader in genetic-related legislation. The State legislature in 2000 enacted laws to protect individuals from employment discrimination. An employer may not fail or refuse to hire, recruit or promote an individual because of a disability or genetic information that is unrelated to the individual’s ability to perform the duties of a particular job or position.267 An employer may not discharge or discriminate against an individual with respect to compensation or terms, conditions or privileges of employment because of genetic information.268 An employer cannot require an individual to submit to a genetic test to provide genetic information as a condition of employment or promotion.269 The law does not prohibit an individual from voluntarily providing to an employer genetic information that is related to the employee’s health and safety in the workplace, nor the employer using the information if provided.270 Health insurers, HMOs and nonprofit health care corporations cannot require enrollees, applicants, or their dependents to undergo genetic testing as a condition of issuing, renewing or continuing an expense-incurred health insurance policy, nor can they require an enrollee, applicant, or their dependents to disclose whether genetic testing has been conducted (or the results of those tests) as a requirement of application for health care benefits.271
The legislation enacted in 2000 was proposed as the result of the work of the Governor’s Commission on Genetic Privacy and Progress that released its Final Report and Recommendations in 1999. The Commission studied three issues related to genetic privacy: 1. Is there a specific need for state privacy laws concerning genetic information? 2. Should there be any exceptions allowing physicians to disclose genetic information? 3. Should there be considerations for research?272
The Commission recommended that genetic information not have a special or exceptional status but be protected just as all medical information is protected. The Commission concluded that research uses are important and access can be controlled in a way that keeps confidentiality intact. The Commission determined that exceptions to confidentiality should exist for criminal investigations, court proceedings, paternity disputes, decedent identification, convicted criminals and newborn screening. The Commission stated: “After the federal government enacts privacy legislation the state can conduct an analysis to determine the need for any state legislation.”273
This Report to the Michigan Law Revision Commission provides an opportunity to determine whether further legislation may be needed to protect the privacy of personally identifiable genetic information.
(2) Federal Law
Genetic information that is collected by a researcher and not “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse” is not covered by the Privacy Rule.274 A researcher could collect DNA samples and use them for research and conceivably be exempt from the Privacy Rule. Genetic information that is collected for treatment purposes or by an employer or insurer would be covered by the rules. Genetic information is not provided any special status or heightened protection under the Privacy Rule.
Several bills have been introduced to prohibit health insurance discrimination on the basis of genetic information. The Genetic Nondiscrimination in Health Insurance and Employment Act addresses the issue of privacy of genetic information:
(e) DISCLOSURE OF PROTECTED GENETIC INFORMATION- A group health plan, or a health insurance issuer offering health insurance coverage in connection with a group health plan, shall not disclose protected genetic information about an individual (or information about a request for or the receipt of genetic services by such individual or family member of such individual) to—
(1) any entity that is a member of the same controlled group as such issuer or plan sponsor of such group health plan;
(2) any other group health plan or health insurance issuer or any insurance agent, third party administrator, or other person subject to regulation under State insurance laws;
(3) the Medical Information Bureau or any other person that collects, compiles, publishes, or otherwise disseminates insurance information;
(4) the individual's employer or any plan sponsor; or
(5) any other person the Secretary may specify in regulations.275
The proposed federal law, if enacted, shall not be construed to supersede any provision of State law which establishes, implements, or continues in effect a standard, requirement, or remedy that more completely protects the confidentiality of genetic information or the privacy of an individual (or a family member of the individual) with respect to genetic information including information about a request for or the receipt of genetic services by an individual (or a family member of such individual) than does the proposed law.276
VI. The Retention and Disposal of Medical Records
A. Michigan Law
Michigan has numerous, scattered statutes and administrative rules dealing with the retention or disposal of various types of medical records. There is clearly no uniform approach.
(1) Health Maintenance Organizations
HMOs are required to maintain accurate clinical records for each currently enrolled member.277 If a patient dies or disenrolls from the HMO, the HMO must safely store and preserve the record, either electronically or as an original record or microfilm.278 The administrative rules do not specify the minimum time period for retention of inactive enrollee files, but do state that the HMO “shall adopt a policy concerning the length of time and provisions for the retention of inactive clinical records, which shall include a contingency plan for the retention of existing records in the event of cessation of operations.”279
(2) Nursing Homes
Nursing homes and nursing care facilities must maintain a clinical record for each patient in the home.280 These records must be maintained for a minimum of six (6) years from the date of discharge or, if the patient is a minor, three (3) years after the patient becomes an adult under state law, whichever is longer.281
(3) Dentists’ Offices
Dentists must maintain records of all dental treatments provided and must retain such records for at least ten (10) years after the performance of the last service to the patient.282
(4) Hospices
Hospices must maintain records of services rendered and must retain them for at least five (5) years after death or discharge of the patient or, if the patient is a minor, at least three (3) years after the patient becomes an adult under state law, whichever is longer.283
(5) Mental Health Hospitals, Sanatoria, & Psychiatric Facilities
Mental health hospitals, sanatoria, and psychiatric facilities must maintain current records on each patient.284 There is no minimum retention period specified in the statutes or administrative code.
(6) Methadone Treatment Programs
Methadone treatment programs must maintain client records for a period of at least three (3) years after termination of treatment.285
(7) Pharmacies
Pharmacies must preserve their prescription records for at least 5 years,286 including prescriptions for controlled substances.287
(8) Alteration of Medical Records or Charts
The Michigan Penal Code makes it a felony for any health care provider to intentionally or willfully place (or direct another to place) in a patient’s medical record or chart misleading or inaccurate information regarding diagnosis, treatment or cause of a patient’s condition.288 A health care provider who recklessly places misleading or false information in a medical record or chart is guilty of a misdemeanor.289 Persons other than health care providers are also prohibited from altering medical records. Non-providers who intentionally, willfully, or recklessly place or direct others to place misleading or inaccurate information in a medical record or chart are guilty of a misdemeanor.290
Michigan law also states that a health care provider who intentionally or willfully alters or destroys (or directs another to alter or destroy) a patient’s medical records or charts for the purpose of concealing his or her responsibility for the patient’s injury, sickness or death is guilty of a felony.291 Non-providers who engage in the same act are subject to misdemeanor punishment of imprisonment for not more than one year or a fine of not more than $1,000, or both.292 A private right of action is explicitly prohibited for violation of these statutory provisions.293
B. Federal Law
(1) Mammography Facilities
Federal law requires that facilities performing mammography services must maintain a mammogram in the permanent records of the patient for a period of not less than 5 years, or not less than 10 years if no subsequent mammograms are performed at the facility (or longer if mandated by state law).294
(2) Controlled Substances Prescriptions
Pursuant to federal regulation, a DEA registrant must retain and make available inventories and records of controlled substances for at least 2 years from the date the drug is dispensed.295 Hospitals must maintain records showing the dates, quantity and batch or code marks of controlled substances used for inpatient substance abuse treatment or detoxification for at least 3 years.296
(3) Medicare Claims
The Medicare Intermediary Manual requires that providers who make claims for payment under the Medicare program must retain all original source documentation and medical records pertaining to the Medicare claim for at least 75 months after the claim is paid.297
(4) Blood & Blood Products
FDA regulations require that blood processing facilities must retain records of blood and blood product testing for not less than 5 years after the processing of the records has been completed, or 6 months after the latest expiration date, whichever date is later.298 If the blood or blood product does not have an expiration date, the records must be retained indefinitely.299
HHS regulations require clinical laboratories to retain records of blood and blood product testing for not fewer than 5 years after processing records have been completed, or 6 months after the latest expiration date, whichever is later.300
(5) Clinical Laboratory Reports
In addition to the requirement relating to blood and blood product testing just mentioned, federal regulations specify differing retention periods for records relating to various types of tests performed by clinical laboratories, including cytology (generally 5 years),301 histopathology and pathology (generally 10 years),302 and immunohematology (5 years).303 In addition, clinical labs must maintain the written authorization for any testing they perform for at least 2 years.304
(6) OSHA Employee Medical Records
Federal OSHA regulations require that any record regarding an employee’s exposure to a toxic substance must be retained by the employer for at least the duration of employment plus 30 years.305 Records relating to an employee’s exposure to noise must be maintained for at least 2 years.306
(7) HIPAA
HIPAA does not specify any time period for the retention or disposal of medical information. The HIPAA provision granting individuals the right to access their own medical information, for example, merely states that such right of access exists only “as long as the protected health information is maintained in the designated record set.”307
VII. Issues Relating to the Privacy of Health Information on the Internet
There are thousands of health-related web sites.308 Individuals can surf the web for all types of health information, health advice, Internet extensions of physician group practices or hospital systems, online patient databases, and/or prescription and drug-related sites. “eHealth is touted as the future of health care, promising to transform the way health care entities conduct business and change the way patients relate to their health care providers. More than sixty-five million American Internet users have sought health and medical information online, and a study last fall by the Pew Internet & American Life Project showed that a significant number of them use this information to make important decisions about medical care for themselves and loved ones.”309
(A) Michigan Law
Michigan law does not provide any special protections for personally identifiable health information that is transmitted on the Internet.
(B) Federal Law
HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit any health information in an electronic form in connection with a transaction covered by the Act.310 However, many health web sites are not owned or operated by a covered entity. “Different rules may apply to different web sites offering the same services. Because only web sites that fit within the definition of a ‘covered entity’ are required to comply with the privacy regulation, specific activities like filing a prescription, receiving e-mail alerts or getting a second opinion may be covered by the new regulation at one site and unregulated at another.”311
Electronic records have a special vulnerability that does not exist in paper records. Electronic transfer of information provides easy and efficient dissemination of the information, which can also create a greater chance of invasion of privacy. “A report of the Health Privacy Project in 1999 documented that major health web sites lack adequate privacy policies, and their practices are often in conflict with their existing privacy statements.”312
Health care-related web sites promote their ability to provide consumers greater control of their health care. The web sites provide information to assist patients in being partners with their health care providers in their medical decisions. However, numerous web sites require the consumer to provide personal information about their health. Web sites also collect information regarding the user without their knowledge. “A user might participate in a chat room where her e-mail address is used as well. Additionally, a site may have banner advertisers that collect information without users ever knowing. Many of these sites track users through cookies. Cookie files allow a web site to know when a user has visited a site and each page the user visits to create online user profiles. User profiles help sites determine what information, products, and services the visitor uses. They also allow sites to deliver specific content to users based on their previous online activities. Although cookies are only numbers assigned by a site to each user, personal data can be linked to the number when an individual provides identifiable information to the site (e.g., completing health assessments). A 1999 study of health-related web sites found, however, that profiling is not generally disclosed or explained to visitors of a site.”313
(C) HIPAA Shortcomings
Many web sites are not covered by HIPAA regulations because they are not a covered entity.314 “In effect the most popular web sites such as eDirects.com and drkroop.com, will remain uncovered by the privacy rule because they are not run by health plans (such as health insurers or HMOs) or covered health care providers. The result is that the same activities conducted at different web sites will be subject to different legal treatment.”315
Much information is transmitted that is not covered by the Privacy Rule. “For users concerned about protecting their privacy, where they go (i.e., what sites they visit) will determine whether there are enforceable rules about how their health information is protected. More often than not, however, users will be getting health information and services from web sites that are not covered at all by the new federal health privacy regulations. Here are some examples of web sites that are not covered:
Some of the most popular health web sites are information-based. In other words, they provide people with information about general fitness and nutrition (e.g., www.foodfit.com), medical conditions (e.g., www.drkoop.com), and treatment options (e.g., www.medigenesis.com). Some offer a broad range of information, while others specialize in a certain drug or medical condition. They do not have an offline existence where they engage in covered activities like treating patients. They only furnish health information—they do not provide ‘health care,’ as it is defined in the federal regulation.”316
Certain web sites assess health status and ask the user to provide information regarding their health. “For example, www.HealthStatus.com offers free general health assessments as well as disease specific assessments to determine an individual’s risk for some of the leading causes of death.”317 These sites collect personal information that can provide a third party personally identifiable health information of a sensitive nature.
A recent example of a privacy lapse involved Eli Lilly Pharmaceutical Company’s web site for the drug Prozac. On Prozac.com, the pharmaceutical company established a message service in which more than 669 individuals enrolled to receive messages reminding the subscribers to take the company’s anti-depressant drug Prozac. In June 2000 the pharmaceutical company discontinued the program and, while notifying the consumers enrolled in the program that it was discontinued, the company disclosed the email addresses of everyone who had signed up for the service. Upon receiving a request to investigate from the American Civil Liberties Union, the Federal Trade Commission filed a complaint alleging that Lilly’s privacy statement on its web site was deceptive because Lilly failed to maintain or implement internal measures appropriate to protect sensitive consumer information.
“The FTC complaint alleges that Lilly’s claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company’s unintentional June 27th disclosure of Medi-messenger subscribers’ personal information (i.e., e-mail addresses). In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the e-mail. Lilly’s failure to implement appropriate measures also violated a number of its own written security procedures.”318
Eli Lilly Company agreed to settle the complaint of unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com web site. The Director of the FTC’s Bureau of Consumer Protection stated: “Even the unintentional release of sensitive medical information is a serious breach of consumers’ trust. … Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.”319
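The controls the FTC complaint faults Lilly for lacking, a pre-send check and an internal pretest of the mailing program, can be built into the mailer itself. The following Python is an added illustration, not Lilly's program or any code from this report; it assumes the disclosure took the form of a single notice addressed to the whole subscriber list (the report does not say how the addresses were exposed) and uses constructed placeholder addresses.

```python
"""Added example: a subscriber notice mailer with a pre-send disclosure check.

Assumption (not stated in the report): the notice exposed addresses because one
message was addressed to every subscriber at once. The check below refuses any
batch in which a message would let one recipient see another's address.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List, Optional

# Constructed sample data: placeholder addresses, not real subscribers.
SENDER = "reminders@example.com"
SUBSCRIBERS = [
    "subscriber1@example.com",
    "subscriber2@example.com",
    "subscriber3@example.com",
]
NOTICE = "This reminder service has been discontinued."


def build_bulk_notice(recipients: Iterable[str]) -> EmailMessage:
    """The risky pattern: a single message whose To: header lists every
    subscriber, so each recipient can read the entire list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Service discontinued"
    msg.set_content(NOTICE)
    return msg


def build_individual_notices(recipients: Iterable[str]) -> List[EmailMessage]:
    """The safer pattern: one message per subscriber, so no message carries
    any address except its own recipient's."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = "Service discontinued"
        msg.set_content(NOTICE)
        messages.append(msg)
    return messages


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every reader of this message can see: To and Cc. Bcc is not
    counted because the sending server strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def find_cross_disclosures(messages: Iterable[EmailMessage]) -> List[EmailMessage]:
    """Pre-send control: the messages that would reveal more than one
    subscriber address to their readers. An empty list means the batch is safe."""
    return [m for m in messages if len(visible_recipients(m)) > 1]


def send_batch(messages: List[EmailMessage],
               transport: Optional[Callable[[EmailMessage], None]] = None) -> int:
    """Run the check, then deliver. `transport` is the function that actually
    delivers one message (for example a wrapper around smtplib); with no
    transport the batch is only validated, which is the internal pretest the
    complaint says was missing. Returns the number of messages that passed."""
    bad = find_cross_disclosures(messages)
    if bad:
        raise ValueError(
            f"{len(bad)} message(s) would disclose other subscribers' addresses; "
            "batch refused")
    for msg in messages:
        if transport is not None:
            transport(msg)
    return len(messages)


if __name__ == "__main__":
    # Pretest both patterns without sending anything.
    print("bulk notice flagged:",
          bool(find_cross_disclosures([build_bulk_notice(SUBSCRIBERS)])))
    print("individual notices passed:",
          send_batch(build_individual_notices(SUBSCRIBERS)))
```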
Health care web sites have access to a significant amount of personal health information that is freely provided by consumers without any knowledge that the information may be disclosed to a third party without the individual’s consent. The HIPAA Privacy Rule does not apply to many of the organizations that are collecting this personal health information.
VIII. Conclusion
The enactment of HIPAA has radically transformed the landscape for the privacy of medical information. Important new federal privacy protections now in place are only beginning to be understood and implemented. HIPAA’s full impact will take months or years to be fully understood and its intricate contours will likely continue to evolve as its impact becomes clearer. Nonetheless, several areas not addressed (or inadequately addressed) by HIPAA have already emerged, in which states (including Michigan) may wish to consider state legislative action. These gaps include:
(1) Business Associates/Definition of Covered Entity:
(a) General Limitations of Coverage for Business Associates
As detailed in this report, HIPAA does not directly regulate Business Associates of covered entities. Thus, any entity that receives private health information that is not a provider, health plan, or health clearinghouse is not covered by HIPAA. Although HIPAA attempts to indirectly regulate these Business Associates, this indirect regulation relies solely upon contractual provisions between the covered entity and the Business Associate. Specifically, the covered entity’s contract with the Business Associate must limit the Business Associate’s use/disclosure of protected health information to that provided for by the contract or as required by law. Furthermore, the contract must require that Business Associates notify the covered entity of any non-permitted use/disclosure of which the Business Associate becomes aware. If a Business Associate breaches these contractual provisions, the covered entity may be held responsible under HIPAA, but only if the covered entity knew of a pattern of activity by the Business Associate that constituted a material breach of their contractual obligations. Moreover, even if the covered entity has such knowledge, the covered entity will escape responsibility under HIPAA if it takes reasonable steps to cure/end the Business Associate’s breach.
HIPAA=s inability to directly regulate
Business Associates is viewed as a significant shortcoming within the privacy
regulations. State legislatures (such as
Michigan) may wish to enact their own statutes that extend the HIPAA privacy
protection regulations to Business Associates (as defined by HIPAA). Such statutes would, of course, need to
specify state enforcement and penalties for non-compliance by Business
Associates.
(b)
Health-Related Web Sites
Largely
unregulated by HIPAA are the numerous health-related web sites that collect
personal health information. For
example, a web site may collect information about an individual's medical condition
or disease status and over-the-counter and prescription drug usage. Many of these web sites will not be "covered entities"
subject to HIPAA. Whether a
health-related web site is covered by HIPAA will thus hinge upon who owns or
controls the web site, a determination that the average consumer is not in a
position to make. Indeed, because of
HIPAA's limited
scope, two virtually identical web sites can be regulated differently: one subject to the stringent HIPAA
protections, the other subject only to voluntary privacy policies (if any).
(2)
Sensitive Medical Information
HIPAA
essentially treats all protected health information the same. The only exception to this general rule is
for psychotherapy notes, which receive heightened protection, requiring a
specific patient authorization (as opposed to a blanket consent form, which is
used for all other protected health information). HIPAA thus does not provide any special
protections for other types of sensitive health information, including information
related to genetics, HIV/AIDS, substance abuse, pregnancy/abortion, child
abuse, and sexually transmitted diseases.
Existing
Michigan statutes that specifically address these categories of sensitive
health information should, presumably, remain in effect post-HIPAA because they
are more stringent than the federal privacy rules and thus not subject to
preemption. One category of sensitive health information not covered by
Michigan law, however, is genetic information.
Although Michigan has recently enacted anti-discrimination statutes
relating to genetic information, these statutes do not address or provide
privacy protections for genetic information.
Additional privacy protections for genetic information may be desirable
due to the stigmatization associated with such information, as well as the
potentially broad-ranging adverse psychological and social effects on third
parties (e.g., family members). Indeed,
the adverse impact on third parties caused by the dissemination of genetic
information makes genetic information unique from other types of sensitive
health information and thus may necessitate additional protection here where it
may not be warranted or necessary elsewhere.
The
Michigan legislature thus may want to consider enacting additional statutes to
provide heightened privacy protection for genetic information. For example, other states, such as
California, have recently enacted special privacy protections for genetic
information that require the use of a separate authorization for the release of
such information and penalties for breach of privacy relating to such
information.
(3)
Private Right of Action
As
mentioned in this report, HIPAA's
enforcement scheme does not permit an aggrieved citizen (whose privacy or right
of access has been violated) to institute a civil suit to recover damages or
seek appropriate injunctive relief.
HIPAA only permits the Secretary of HHS to seek civil and criminal
penalties against a covered entity that violates the privacy regulations. States (including Michigan) may wish to adopt
their own statutes providing for a private right of action against covered
entities (and Business Associates, if the state expands HIPAA to directly cover
such Business Associates) for violation of the HIPAA privacy protections and/or
denial of the patient's
right of access.
(4)
Marketing/Fundraising Communications
HIPAA
permits covered entities to use/disclose protected health information for
marketing or internal fundraising purposes, so long as the covered entity has
obtained from the patient a general treatment, payment and health care
operations consent form and provides the patient with the right to "opt out"
of any future marketing/fundraising communications. Some have criticized this approach as
essentially providing entities with "one
free pass" to use
or disclose health information for such purposes. States (including Michigan) thus may wish to
consider enacting legislation that would prohibit covered entities from
using/disclosing protected health information to engage in any marketing or
fundraising communications unless the patient has provided specific
authorization for the entity to use/disclose health information to send such
communications.
[1]The
survey was conducted by telephone with 1,000 adults between August 11 and
August 26, 2000. The margin for error of
the survey is plus or minus 3 percent.
The full survey report may be found at http://forhealthfreedom.org/Gallupsurvey/.
[2]An additional 14% of those surveyed felt that it was "somewhat important" that medical records be kept confidential, 5% thought it was "not too important," and 3% felt that it was "not at all important."
[3]The results of this poll, conducted for the California HealthCare Foundation, are reported on the website of the Institute for Health Care Research and Policy, Georgetown University, at http://www.healthprivacy.org/usr_doc/Polling%20Data%2Epdf.
[4]Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified in various parts of 42 U.S.C.).
[5]Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(1), 110 Stat. 2033 (1996).
[6]Id.
[7]64 Fed. Reg. 59,918 (Nov. 3, 1999).
[8]65 Fed. Reg. 82,801 (Dec. 28, 2000).
[9]Id. at 82,799 (defining "health plan"). The definition of health plan is extremely broad, including, inter alia, self-insured ERISA plans, HMOs, traditional insurers, Medicare, Medicaid, Medigap policy issuers, issuers of long-term care insurance policies, employee welfare benefit plans that offer health benefits, CHAMPUS, the Indian Health Service, and SCHIP plans. Id. See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(5).
[10]"Health care clearinghouse" is defined as a "public or private entity, including a billing service, repricing company, community health management information system or community health information system, and 'value added' networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity."
Id. at 82,799. See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(2).
[11]"Health care provider" is defined to include "any [] person or organization who furnishes, bills, or is paid for health care in the normal course of business." Id. See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(3).
[12]Examples of the transmission of health information in electronic form include, inter alia: the filing of health claims or equivalent encounter information, enrollment or disenrollment in a health plan, determining eligibility for a health plan, health plan payment and remittance, and referral certification and authorization. See Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1173(a)(2).
[13]See 65 Fed. Reg. 82,799 (defining "covered entity").
[14]65 Fed. Reg. 82,802 (Section 164.104).
[15]See generally 45 C.F.R. § 162.100 et seq. See also 65 Fed. Reg. 50,312 (Aug. 17, 2000).
[16]Administrative Simplification Compliance Act, Pub. L. No. 107-105, 115 Stat. 1003, at § 3. This law was signed by President Bush on December 27, 2001.
[17]Id. The Administrative Simplification Compliance Act does state that the Secretary of HHS "shall waive" the requirement for submission of claims in electronic format if: (1) there is no method available for the submission of claims in an electronic format; or (2) the entity submitting the claim is a small provider of services or supplier; and (3) may waive the requirements in such unusual circumstances as the Secretary finds appropriate. Id. See also id. at § 3(a)(2) (defining "small provider").
[18]See 65 Fed. Reg. 82,798, § 160.103 (defining "business associate").
[19]The contract may permit the Business Associate: (1) to "use and disclose protected health information for the proper management and administration of the business associate"; and (2) to "provide data aggregation services relating to the health care operations of the covered entity." Id. at 82,808, § 164.504(e)(2)(i).
[20]Id. at § 164.504(e)(2)(ii).
[21]Id. at 82,808, at § 164.504(e)(1)(ii).
[22]Id.
[23]Id. at 82,801. The Secretary may waive the 180-day time limit for good cause. Id.
[24]Id. at 82,802.
[25]Id.
[26]Id.
[27]See Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(2), 110 Stat. 2033 (1996) ("A [health privacy] regulation promulgated [by HHS] shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed by the regulation.").
[28]See id. at 82,801. The final regulation defines a "more stringent" state law as one which meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or
(ii) To the individual who is the subject of the individually identifiable health information.
(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.
(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and
remedies, provides the greater amount of information.
(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.
(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
Id. at 82,800-01.
[29]Id. at 82,800.
[30]Id. at 82,801.
[31]Id.
[32]Id.
[33]Id.
9The effective date is extended by one year--to April 14, 2004--for small health plans.
10Mich. Comp. Laws § 333.20201(1) (2001).
11Id. at § 20201(2)(b). Covered facilities include ambulance operations, clinical laboratories, county medical care facilities, freestanding surgical outpatient facilities, health maintenance organizations, homes for the aged, hospitals, nursing homes, and hospices. See id. at § 333.20106(1)(a)-(k) (defining "health facility or agency").
12Id. at § 333.20203(1). The statute goes on to say that the enumeration of patients' rights and responsibilities "shall not be construed to expand or diminish other remedies at law available to a patient or resident under this code or the statutory and common law of this state." Id. at § 333.20203(2).
13Id. at § 333.20165(1)(f).
14Id. at § 330.1748(4).
15Id. at § 330.1748(4).
16Id. at § 330.1748(6).
17Id. at § 330.1749.
18Id.
19 5 U.S.C. § 552a.
20Id. at § 552a(d). Numerous agencies are exempted from Privacy Act requirements, including the Central Intelligence Agency and agencies "which perform[] as its principal function any activity pertaining to the enforcement of criminal laws." See id. at § 552a(j).
21See id. at § 552a(m).
22CMS is the new name for the former Health Care Financing Administration ("HCFA"), the federal agency charged with administering the Medicare and Medicaid programs. CMS and its contractors collect personally identifiable information on Medicare patients, inter alia, to pay claims, determine benefits eligibility, make payment to managed care plans, monitor fraud and abuse, administer the secondary payer program, and conduct research and demonstration projects.
23 5 U.S.C. § 552a(e)(3).
24Id. at § 552a(g)(1)(B).
25Id. at § 552a(g)(3)(A).
26Id. at § 552a(g)(3)(B).
27See 42 U.S.C. § 1396r. See also id. at § 1396r(a) (defining "nursing facility").
28Id. at § 1396r(b)(6)(C).
29Id. at § 1396r(c)(1)(A)(iv).
30Id.
31 42 U.S.C. § 1395w-22(h)(3).
32 42 C.F.R. § 422.118(d).
33 42 U.S.C. § 263b(f)(1)(G)(i)(II).
34See 42 C.F.R. § 900.12(c)(4)(ii).
35"Protected health information" is broadly defined in the final regulation as "individually identifiable" health information that is transmitted or maintained in any medium, whether electronic, oral, or written. 65 Fed. Reg. 82,805. "Individually identifiable" health information is defined as information that identifies the individual and is created by a provider, health plan, employer, or health care clearinghouse that "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual." Id. at 82,804.
36 65 Fed. Reg. 82,554, 82,823. The final regulation makes clear that health information that is not used to make treatment or payment decisions is not accessible to the patient. Examples given are "information systems that are used for quality control or peer review analyses." See id. at 82,554.
37Id. at 82,806. The regulations specify acceptable ways in which health information may be de-identified. See id. at 82,818.
38Id. at 82,823.
39Id. at 82,823-24.
40Id.
at 82,823.
41Id. at 82,554.
42Id.
43Id.
44Id. ("We note, however, that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.").
45Section 164.524(d), at 323-24.
46See id. at 82,823.
47See id. at 82,555.
48Id.
49Id.
50Id.
51Id.
52Id.
53Id.
54Id.
55Id. at 82,557. The reviewer must make a determination "within a reasonable period of time," id., and the covered entity must then promptly notify the patient, in writing, of the reviewer's decision. Id.
56Id. at 82,555. The regulations state that "[t]he most commonly cited example is when an individual exhibits suicidal or homicidal tendencies." Id.
57Id.
58Id.
59Id. at 82,555-56.
60Id. at 82,556.
61Mich. Comp. Laws § 333.16221(e)(ii).
62Id. at § 333.16235(l).
63Id. at § 333.16221(h).
64Id. at § 333.16243(a).
65Id. at § 550.1406(l).
66 Mich. Comp. Laws § 600.2157. The statute also provides for situations in which the privilege may be waived. Id.
67See id. at §§ 333.18237, 333.20175.
70 Mich. Comp. Laws § 333.20201.
71Id.
72There is a possibility that a patient could sue his/her physician under common law privacy torts, such as the tort for publication of private facts or intrusion into seclusion. There is also the possibility, of course, that the state could take adverse action against the provider for "unprofessional conduct."
73See Mich. Comp. Laws § 333.20203. Again, as with the issue of patient access to his/her own records, there is the possibility of administrative fines being levied against a facility that actually denies the patient's rights. Mich. Comp. Laws § 333.20165.
74Mich. Comp. Laws § 550.1406(l).
75 Id. at § 550.1406(2).
76Id. at § 550.1406(2)(c).
77Id. at § 550.1406(3)-(4).
78Id. at § 550.1406(1). See also id. at § 550.1105 (defining "health care corporation"); id. at § 550.1107 (defining "personal data"). The statute does permit a health care corporation to release, by telephone, a patient's information to the patient him/herself, provided the identity of the patient can be confirmed. Id. at § 550.1406(1).
79Id. at § 550.1406(l).
80Id.
81 Id. at § 333.17752(2).
82Id. at § 333.17768.
83 See id. at § 550.902(k) (defining "Third Party Administrator" as "a person who processes claims pursuant to a service contract and who may also provide 1 or more other administrative services pursuant to a service contract . . . .").
84Id. at § 550.934(l).
85Id. at § 550.934(1)-(2).
86Id.
87See id. at § 550.940 (defining prohibited conduct under the Third Party Administrator Act). See also id. at § 550.950 (establishing penalties for violating the statute).
88Id. at § 333.16648(l).
89 For a complete list of exceptions, see Mich. Comp. Laws § 333.16648(2).
90Id. at § 333.21743(2).
91Id. at § 550.1406(1).
92See id. at § 333.21743(2).
93Id. at § 333.20155(11).
94 5 U.S.C. § 552a(b).
95 CMS is the new name for the former Health Care Financing Administration, the federal agency charged with administering the Medicare and Medicaid programs.
96 5 U.S.C. § 552a(b)(1)-(12).
97Id. at § 552a(b)(1).
98Id. at § 552a(b)(3).
99Id. at § 552a(a)(7).
100Id. at § 552a(e)(6).
101Id. at § 552a(e)(8).
102Id. at § 552a(g)(4).
103Id. at § 552a(i)(1).
104Id. at § 552a(i)(3).
105 42 U.S.C. § 1396r(c)(1)(A)(iv).
106 42 U.S.C. § 1395bbb(a)(1)(C). A separate statute requires that home health agencies actually maintain clinical records for each patient. 42 U.S.C. § 1395x(o)(3).
107The statutory provisions cited as authorizing this regulation are very general, merely providing the HHS Secretary with the authority to prescribe "such regulations as may be necessary" to carry out the Medicare program. See 42 U.S.C. § 1395hh(a).
108See 42 C.F.R. § 482.24.
109Id. at § 482.24(b)(1).
110Id. at § 482.24(b)(3).
111Id.
112Id.
113 42 U.S.C. § 1395w-22(h)(1).
114 42 C.F.R. § 422.118(a)-(b).
115C.F.R. § 164.512(d).
116A "direct treatment relationship" is defined as "a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship." Id. at 82,803. An "indirect treatment relationship" is defined as "a relationship between an individual and a health care provider in which: (1) The health care provider delivers health care to the individual based on the orders of another health care provider; and (2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports of the individual." Id. at 82,804. Providers with indirect treatment relationships to patients are not required to obtain the patient's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. Id. at 82,810.
117"Disclosure" is defined as "the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information." Id. at 82,803.
118"Use" is defined as "the sharing, employment, application, utilization, examination, or analysis of [individually identifiable] information within an entity that maintains such information." Id. at 82,805.
119 65 Fed. Reg. 82,510, 82,810, at § 164.506(a). "Health care operations" is broadly defined and includes, inter alia, such things as quality assessment, reviewing the competency of providers or health plans, accreditation, licensing, or credentialing activities, underwriting, medical review, auditing, fraud and abuse detection and compliance, and business planning, development, or management. See id. at 82,803-04.
120Id. at 82,810.
121Id. See also id. at 82,820 (detailing the notice requirements).
122 Id. at 82,810. If a covered entity agrees to a requested restriction by a patient, the restriction is binding on the entity. Id. In addition, a written revocation of consent to disclosure by a patient is only valid to the extent that the covered entity has not taken action in reliance on the patient's consent. Id.
123See id. at 82,810, at § 164.506(a)(4).
124Id. at 82,810, at § 164.506(b).
125See id. at 82,511.
126 Id. at 82,649.
127Id. at 82,811. There are a few limited exceptions where such a condition may be imposed. See id.
128Id. at 82,812.
129See generally id. at 82,813-18 (listing uses and disclosures for which consent is not required).
130Id. at 82,525.
131Id.
132Id. at 82,528.
133Id. at 82,524-25.
134Id. at 82,531-33. This includes administrative and civil proceedings. Id. at 82,531. The final rules also explicitly state that covered entities are permitted to disclose protected health information for law enforcement purposes as required by other law, including state law. Id.
135Id. at 82,529.
136Id.
at 82,526.
137Id. at 82,534.
138Id.
139Id. at 82,477. The final rule states that "the procurement or banking of organs, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be health care under this rule and the organizations that perform such activities would not be considered health care providers when conducting these functions." Id.
140Id. at 82,535.
141Id. at 82,527.
142Id. at 82,542.
143See id. at 82,544, 82,819.
144"Marketing" is defined in the regulation as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." 65 Fed. Reg. 82,804 at § 164.501.
145Id. at 164.514(e)(2)(A); see also id. at 82,545 (discussing intent behind marketing provisions).
146Id. at 82,819 at § 164.514(e)(2)(B); see also id. at 82,545 (discussing intent behind marketing provisions).
147 65 Fed. Reg. 82,819 at § 164.514(e)(2)(C); see also id. at 82,820 at § 164.514(e)(3)(i).
148See id. at 82,546 (discussing intent behind this provision).
149An Ainstitutionally related foundation@ is a foundation that qualifies for Internal Revenue Code Section 501(c)(3) status and that has, in its charter statement, an explicit linkage to the covered entity. 65 Fed. Reg. 82,546.
150For details on the information that must be divulged in the covered entity's notice of privacy practices, see 65 Fed. Reg. 82,820-21, § 164.520(b)(1).
151See id. at 82,820, § 164.514(f)(2)(i).
152Id. at § 164.514(f)(2)(ii).
153Id. at 164.514(f)(1)(i)-(ii).
154Id. at 82,826, at § 164.528.
155Id. Exceptions are also made for disclosures for national security or intelligence purposes, to correctional institutions or law enforcement officials, etc. See id. at § 164.528(a).
156Id. at § 164.528(b).
157Id. at § 164.528(c)(1). Under certain narrow circumstances, the covered entity may extend the time frame for providing the accounting by up to 30 days. Id.
158 5 U.S.C. § 552 et seq.
159Gostin,
Health Services Research: Public
Benefits, Personal Privacy and Propriety Interests, 129 Annals Med (10)83.
160"As the fundamental nature of care, and of health data and their uses, is changing dramatically, society must—now—examine and redecide how much it cares about protecting health privacy. Health researchers must be certain that they are taking all reasonable measures to safeguard the data they collect and use, and to maintain the respect for privacy that is embodied in the very compact with society under which they work. And society must reformulate and update some of the rationales and criteria under which the health experience of individuals may be studied to benefit society." Lowrance, W.W., Privacy and Health Research, at http://aspe.os.dhhs.gov/adminsimp/PHRintro.htm.
161 21 C.F.R. § 46.111(a)(7).
162"Q: Do the Privacy Rule's requirements for authorization and the Common Rule's requirements for informed consent differ?
A: Yes. Under the Privacy Rule, a patient's authorization will be used for the use and disclosure of PHI for research purposes. In contrast, an individual's informed consent as required by the Common Rule and FDA's human subjects regulations is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of PHI." Office of Civil Rights HIPAA Privacy Technical Assistance, HHS, 164.512I.001, at http://www.hhs.gov/ocr/hipaa/research.html.
163 45 C.F.R. § 46.109 (1991).
164Id. § 46.116(a)(5).
165United
States General Accounting Office Report to Congressional Requesters “Medical
Privacy Records” (February 1999).
166Stout,
Citing Safety, U.S. Stops Human Research Aid at Duke, The New York
Times, May 12, 1999 at Sec. A; Col. 2.; Brainard, Watchdog Agency Blocks New
Human-Research Projects at U. of Illinois at Chicago, The Chronicle of
Higher Education, September 10, 1999 at 20.
167See 45 C.F.R. § 164.501, "Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."
168Protected
Health Information (PHI) is individually identifiable health information that is
a subset of health information, including demographic information collected
from an individual, and: (1) Is created or received by a health care provider,
health plan, employer, or health care clearinghouse; and (2) Relates to the
past, present, or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an
individual; and (i) That identifies the individual; or (ii)
With respect to which there is a reasonable basis to believe the information
can be used to identify the individual.
169 45 C.F.R. § 160.103.
170 45 C.F.R. § 164.508(f).
171Id. at (f)(1)(ii)(A).
173 Office of Civil Rights HIPAA Technical Assistance, HHS, 164.512I.001, at http://www.hhs.gov/ocr/hipaa/research.html.
174See 45 C.F.R. § 164.512(i).
175 Id. at C.F.R. § 164.512(i).
176C.F.R. § 164.512(2).
177Letter to HHS Secretary Thompson on HIPAA Privacy Regulations and Research, August 14, 2001, at http://www.aamc.org/research/Thompson.htm. Mich. Comp. Laws § 333.2619(3) (1978).
178Barnes and Krauss, The
Effect of HIPAA on Human Subjects Research, BNA Health Law Reporter Vol. 10
No. 26, pp.1026 et. seq. (June 28,
2001).
[179]Mich. Comp. Laws § 333.2619(3) (1978).
[180]Mich. Comp. Laws § 333.2631 (1978).
[181]The Minnesota statute provides:
(d)
Notwithstanding paragraph (a), health records may be released to an external
researcher solely for purposes of medical or scientific research only as
follows:
(1) health records generated before January 1,
1997, may be released if the patient
has not objected or does not elect to object after that date;
(2) for health records generated on or after
January 1, 1997, the provider must:
(i)
disclose in writing to patients currently being treated by the provider
that health records, regardless of when
generated, may be released and that the patient may object, in which case the
records will not be released; and
(ii)
use reasonable efforts to obtain the patient's written general authorization
that describes the release of records in
item (i), which does not expire but may be revoked or limited in writing at any time by the patient or the
patient's authorized representative;
(3) authorization may be established if an
authorization is mailed at least two
times to the patient's last known address
with a postage prepaid return envelope and a conspicuous notice that the patient's medical records may be
released if the patient does not object, and at least 60 days have expired
since the second notice was sent; and the provider must advise the patient of
the rights specified in clause (4);
(4)
the provider must, at the request of the patient, provide information on how the patient may
contact an external researcher to whom the health record was released and the
date it was released. In making a
release for research purposes the provider shall make a reasonable effort to
determine that:
(i)
the use or disclosure does not violate any limitations under which the record
was collected;
(ii)
the use or disclosure in individually identifiable form is necessary to
accomplish the research or statistical
purpose for which the use or disclosure is to be made;
(iii)
the recipient has established and maintains adequate safeguards to protect the
records from unauthorized disclosure, including a procedure for removal or
destruction of information that identifies the patient; and
(iv)
further use or release of the records in individually identifiable form to a
person other than the patient without the patient's consent is prohibited.
Minn. Stat. § 144.335-3a(d) (2001).
[182] “In
addition to documenting clinical details that patients cannot readily recall,
such information is crucial for identifying the patients who qualify for
case-control studies of the cause of disease or for retrospective cohort
studies of long-term prognosis or the effectiveness of treatment. Such studies complement prospective
investigations and clinical trials, which invariably involve highly selected
subgroups of patients. Under the new
Minnesota law, patients who decline to provide the broad general authorization
can be contacted to determine their willingness to participate in a particular
study. This is administratively
cumbersome, however, and it is likely that selection bias will be introduced
into certain studies, especially at institutions unable to afford the
considerable expense of obtaining prior authorization.” Melton, The Threat to Medical-Records
Research, The New Eng. J. 337(20) 1466 (1997).
[183]Douglas,
et al., Medical Records and Privacy:
Empirical Effects of Legislation, HSR. 34(:1) (April 1999, Part II)
417-25, 422.
[174] Mich. Comp. Laws § 330.1748(1).
[175] Id. at § 330.1748(5).
[176] Id. at § 330.1748(6).
[177] Id. at § 330.1748(7).
[178] Id. at § 330.1748(7)(b).
[179] See id. at § 330.1946.
[180] See id. at § 330.1946(2).
[181] Id. at § 330.1723.
[182] Id. at § 330.2004a(5).
[183] Id. ("information pertaining to a prisoner receiving mental health services from the corrections mental health program may be disclosed under 1 or more of the following circumstances . . . .").
[184] See id. at § 330.1748(5).
[185] The difference is that, with non-prisoner records, one of the situations in which mandatory disclosure is required is "[t]o a prosecuting attorney as necessary for the prosecuting attorney to participate in a proceeding governed by this act." Id. at § 330.1748(5)(b). This exception is obviously not applicable to prisoners and thus is not found in the prisoner confidentiality statute. In its place, however, the prisoner confidentiality statute states that a record holder may disclose mental health information "[t]o the department of corrections if the information is necessary to protect the safety of the prisoner, other prisoners, or the public, or to protect the prisoner's interactions with others in the state correctional facility." Id. at § 330.2004a(5)(d).
[186] "Psychotherapy notes" are defined as "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date." 65 Fed. Reg. 82,805.
[187] Id. at 82,811. There are a few very limited exceptions wherein authorization is not required. See id.
[188] Id.
[189] Mich. Comp. Laws § 333.6111.
[190] Id. at § 333.6112.
[191] Id. at § 333.6113.
[192] Id. at § 333.6161(2).
[193] Id.
[194] 42 U.S.C. § 290dd-2(a). Substance abuse programs covered by the federal law thus include not only federally conducted or funded programs, but also federally licensed or certified programs and programs that are tax exempt. See 65 Fed. Reg. 82,482.
[195] Id. at § 290dd-2(b)(1).
[196] Id. at § 290dd-2(b)(2)(A).
[197] Id. at § 290dd-2(b)(2)(B).
[198] Id. at § 290dd-2(b)(2)(C). The statute says that good cause includes "the need to avert a substantial risk of death or serious bodily harm." Id. It also specifies that, in determining whether good cause for disclosure exists, the court "shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services." Id.
[199] Id. at § 290dd-2(e).
[200] Id. at § 290dd-2(f).
[201] See 65 Fed. Reg. 82,482.
[202] Id.
[203] Id.
[204] Mich. Comp. Laws § 333.5131(1).
[205] Id. at § 333.5131(5)(d).
[206] See id. at § 333.5131(3). Information on HIV infection or AIDS may be released upon a court order or subpoena only if the court determines both: (1) that other ways of obtaining the information are not available or would not be effective; and (2) that the public interest and need for disclosure of the information outweighs the potential injury to the patient. Id. at § 333.5131(3)(a). If a court finds both of these requirements satisfied, the court must limit disclosure to those portions of the patient's record that are essential to fulfill the objectives of the court's order, to persons whose need for the information is the basis for the court's order, and include such other measures as considered necessary to limit disclosure for the protection of the patient. Id. at § 333.5131(3)(b).
[207] Id. at § 333.5131(5)(a).
[208] Id. at § 555.5131(5)(b) (this is the so-called "partner notification" law). There is also a special section that permits notification of HIV/AIDS status to an employee of a school district if disclosure is needed to prevent a reasonably foreseeable risk of transmission to students. Id. at § 555.5131(5)(c).
[209] Id. at § 555.5131(8).
[210] Id. at § 333.5127(1).
[211] Id. at § 333.5127(2).
[212] Id.
[213] Id. at § 333.5119(2).
[214] Id. at § 333.5119(3).
[215] Id. at § 333.20191(1).
[216] Id. at § 333.20191(2).
[217] Id. at § 333.20191(4).
[218] Id. at § 333.20191(5).
[219] Id.
[220] Id. at § 333.11101. The same statute states that an individual shall not sell or donate his/her blood knowing that he/she has tested positive for HIV or an antibody to HIV. Id. The statute does not, however, establish a penalty for violation of this provision.
[221] Id. at § 333.5123(1).
[222] Id.
[223] Id. at § 333.5123(2).
[224] Id. at § 333.5123(3).
[225] Id. at § 791.267(2).
[226] Id. at § 791.267(3).
[227] Id. at § 791.267(4).
[228] See generally 42 U.S.C. § 300ff-38.
[229] Id. at § 300ff-38(b)(3)(B).
[230] Id. at § 300ff-38(b)(2).
[231] 42 U.S.C. § 14011; see also United States v. Ward, 131 F.3d 335, 339-40 (3d Cir. 1997) (applying statute and discussing interpretation thereof).
[232] 42 U.S.C. § 14011(b)(1).
[233] Id. at § 14011(b)(3).
[234] Id. at § 14011(b)(5).
[235] Id. at § 14011(b)(7).
[236] Mich. Comp. Laws § 750.145a.
[237] See id. at §§ 750.338 (gross indecency between male persons), 750.338a (gross indecency between female persons), 750.338b (gross indecency between male and female persons).
[238] See id. at §§ 750.450 (aiders and abettors), 750.452 (keeping house of ill fame), 750.455 (pandering).
[239] See id. at §§ 750.520b (criminal sexual conduct in the first degree), 750.520c (criminal sexual conduct in the second degree), 750.520d (criminal sexual conduct in the third degree), 750.520e (criminal sexual conduct in the fourth degree), 750.520g (assault with intent to commit conduct involving sexual penetration).
[240] Id. at § 333.5129(3).
[241] Id. at § 333.5129(5). If the victim is a minor, the statute permits disclosure of the test results to the minor's parents, guardian, or person in loco parentis. Id.
[242] Id. at § 333.5129(6).
[243] Id. at § 333.5129(6)(c).
[244] Id. at § 333.5129(6)(b).
[245] Id. at § 333.5129(7).
[246] Id. at § 333.5129(6)(f).
[247] Id. at § 333.5129(6)(e).
[248] Id. at § 333.17015(19).
[249] Id. at § 333.17015(20).
[250] Id. at § 722.903.
[251] Id.
[252] Id. at § 722.907.
[253] Id. at § 333.9132(4).
[254] Id.
[255] Mich. Comp. Laws § 333.16281(1).
[256] Id.
[257] Id.
[258] This would include, inter alia, privileges such as the physician-patient privilege and the licensed professional counselor-patient privilege.
[259] Mich. Comp. Laws § 722.623(1).
[260] Id.
[261] Id. at § 722.954(2).
[262] Id. at § 722.954(3).
[263] Lawrence O. Gostin, James G. Hodge Jr. and Cheye M. Calvo, Genetics Policy and Law: A Report for Policymakers, National Conference of State Legislatures (September 2001).
[264] Francis S. Collins, Implications of the Human Genome Project for Medical Science, 285(5) JAMA 540-544, 543 (February 7, 2001).
[265] Id. at 544.
[266] "The collection, aggregation, and analysis of genetic information may be used to prevent or delay the onset of disease, alleviate the burden of illness, or assist people in planning their futures, but genetic information can be used for a variety of other, more controversial purposes not directly related to research or the delivery of appropriate medical care." Powers M., Justice and Genetics: Privacy Protection and Moral Basis of Public Policy, Chapter 19, Ethics and Law, 355-368.
[267] Mich. Comp. Laws § 37.1202(1)(a).
[268] Id. at (1)(b).
[269] Id. at (1)(h).
[270] Id. at (2).
[271] Mich. Comp. Laws § 550.1401 and § 550.3407b.
[272] Michigan Commission on Genetic Privacy and Progress, Final Report and Recommendations (February 1999), at 46.
[273] Id.
[274] Id. at 160.163. See Definition of Covered Entity and Health Information.
[275] H.R. 602, 107th Congress, Genetic Nondiscrimination in Health Insurance and Employment Act § 2754(c) (2001).
[276] Id., H.R. 602, 107th Congress, § 2754(e) (Limitations on Genetic Testing and on Collection and Disclosure of Protected Genetic Information).
[277] Mich. Admin. Code r. 325.6801(1) (2000); see also id. at 325.6805 (describing minimum contents of patient records).
[278] Id. at 325.6810(1).
[279] Id. at 325.6810(2).
[280] Mich. Admin. Code r. 325.21102(1) (2000).
[281] Id. at 325.21102(6). The statute specifies that if the nursing home goes out of business, the records must be transferred with the patient to another health care facility. Id. at 325.21102(7).
[282] Mich. Comp. Laws § 333.16644(1) (2000); see also Mich. Admin. Code r. 338.11120 (2000).
[283] Mich. Admin. Code r. 325.13109 (2000).
[284] Mich. Comp. Laws § 330.1141 (2000); see also id. at § 330.1746; Mich. Admin. Code r. 330.1276 (2000).
[285] Mich. Admin. Code r. 325.14419(1) (2000).
[286] Mich. Comp. Laws § 333.17752(1) (2001). The statute does not specify precisely when the 5 year retention clock begins ticking, but presumably it requires retention of a record of each prescription for at least 5 years from the date the prescription was filled. See also Mich. Admin. Code r. 338.480a.
[287] Mich. Comp. Laws § 333.7303a(3). See also Mich. Admin. Code r. 338.3153a(3).
[288] Id. at § 750.492a(1).
[289] Id. at § 750.492a(1)(b). The misdemeanor punishment is limited to imprisonment for not more than one year, or a fine of not more than $1,000, or both. Id.
[290] Id. at § 750.492a(1)(c)-(d). The statute specifies that non-providers who act intentionally or willfully are subject to punishment of imprisonment of not more than one year, or a fine of not more than $1,000, or both. Id. at § 750.492a(1)(c). Non-providers who act recklessly, on the other hand, are guilty of a misdemeanor, although the statute does not specify any applicable penalty. Id. at § 750.429a(1)(d).
[291] Id. at § 750.492a(2).
[292] Id.
[293] Id. at § 750.492a(4) ("This section does not create or provide a basis for a civil cause of action for damages.").
[294] 42 U.S.C. § 263b(f)(1)(G)(i)(I).
[295] 21 C.F.R. § 1304.04.
[296] 21 C.F.R. § 291.505.
[297] Medicare Intermediary Manual, Pt. 3 (HCFA Pub. 13-3), § 3601.4.
[298] 21 C.F.R. § 606.160(d).
[299] Id.
[300] 42 C.F.R. § 493.1107.
[301] 42 C.F.R. § 492.1257(g).
[302] Id. at § 493.1259(b).
[303] Id. at §§ 493.1107, 493.1109, 493.1777(d)(1); see also 21 C.F.R. § 606.160(d).
[304] 42 C.F.R. § 493.1105.
[305] 29 C.F.R. § 1910.1920. The medical records of employees who have worked for the employer less than one year need not be retained if the medical records are provided to the employee upon termination of employment. Id. at § 1910.20(d)(1)(i)(C).
[306] Id. at § 1910.95(m)(3).
[307] 65 Fed. Reg. 82,823 (Dec. 28, 2000).
[308] Eng, The eHealth Landscape: A Terrain Map of Emerging Information and Communication Technologies in Health and Health Care, The Robert Wood Johnson Foundation (2001).
[309] Hudson, Exposed Online: Why the new federal health privacy regulation doesn't offer much protection to Internet users, Report of the Pew Internet & American Life Project, November 2001, at 1.
[311] Id. at iii.
[312] Id. at 5. Health care web sites have access to a significant amount of personal health information that is freely provided by consumers without any knowledge that the information may be disclosed to a third party without the individual's consent. The HIPAA Privacy Rule does not apply to many of the organizations that are collecting this personal health information. Report on the Privacy Policies and Practices of Health Web Sites, The California HealthCare Foundation (January 2000).
[313] Id. at 18.
[314] "For example, both the local bricks and mortar CVS drug store and CVS.com will be required to obtain written permission to use an individual's information to fill their prescription. In contrast, an online pharmacy that fills the same prescription but is not covered by the regulation, such as Abee Well Pharmacy, would not be required to obtain the patient's written permission since it does not accept insurance." Id. at 10.
[315] Id. at 7.
[316] Id. at 17.
[317] Id.
[318] Press Release, Federal Trade Commission, "Eli Lilly Settles FTC Charges Concerning Security Breach," File No. 012 3214, Jan. 18, 2002.
[319] Id.