Aetna "forgets" file cabinet full of patient information

A reminder to all covered entities out there that may be considering selling their business – don’t forget your file cabinet! (or computers... or disks... or seemingly “empty” boxes where PHI may be lurking... well, you get the picture).

NJ Times reports today that Aetna is notifying 7,250 people after paper files containing their PHI were accidentally left in a file cabinet that was being sold after an office move. The press release indicates that over 2,346 New Jersey residents were affected and over 4,013 in Pennsylvania, as well as a few in Connecticut and Delaware. Apparently, the files were voluntarily returned to Aetna after the individual who purchased the file cabinet discovered them. Aetna issued a press release indicating that it “has no reason to believe the information will be misused in any manner.” Nevertheless, Aetna is notifying affected individuals and offering them a credit-monitoring service. Aetna also indicates that it has many privacy policies and processes in place, but that corrective action will be taken to ensure that such a “mistake” does not happen again.

The Aetna “breach” raises a number of interesting questions, many of which I am often asked about in similar contexts. Specifically: 1) Can PHI be disclosed in connection with a sale of a business? 2) Must a seller purge or maintain PHI that is not transferred in connection with the sale of such business? and 3) Who do I have to notify in the event of a breach?

I’ll tackle Questions #1 & #2 in today’s post, and save #3 for follow-up.

HIPAA actually does not require a patient’s written authorization to use or disclose PHI in connection with the sale of a business, at least in certain limited circumstances. A sale of a business is considered a “health care operation,” which is defined in the HIPAA Privacy Rule to include:

“the business management and general administrative activities of the covered entity including, but not limited to … (iv) the sale, transfer, merger, or consolidation of all or part of such entity with another covered entity, or an entity that following such activity [or completed purchase] will become a covered entity, and the due diligence related to such activity.” See §164.501.

Therefore, if Aetna had sold its filing cabinet to an entity that was acquiring its health plan business, then there would have been no breach under the federal standards. However, in this situation, it appears that the patients’ files were simply inadvertently left in Aetna’s file cabinet after furniture was sold to a random buyer in connection with an office move. As such, there appears to have been a lapse in either following or implementing adequate safeguards.

The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI from intentional and unintentional use or disclosure that is in violation of the Privacy Rule (see § 164.530(c)(1)-(2)). However, it is the Security Rule that provides more detailed guidance on the types of safeguards that may be useful. Specifically, the Security Rule requires covered entities to:

“implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within a facility.” (see §164.310(d)(1)).

The Rule then goes on to require covered entities to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored (see §164.310(d)(2)(i) – Disposal). The Security Rule also requires covered entities to maintain a record of the movements of hardware and electronic media and any person responsible therefore (see §164.310(d)(2)(iii) – Accountability).

Although the Security Rule technically applies only to electronic PHI, the Aetna situation illustrates why it makes sense to implement similar sorts of controls for paper PHI. After all, if it makes sense to keep track of computers that store electronic PHI so that such information does not inadvertently end up in the hands of someone who should not have it, would it not make sense to implement similar safeguard controls for a file cabinet that “houses” paper PHI?

It would seem so.

HIE Standard of Care -- What You Don't Join Can't Hurt You... or Could It?

It should come as no surprise that many providers are still leery about joining a HIE due to concerns over becoming potentially exposed to new liabilities. Questions such as “Who owns the data?”, “How can I be certain of data accuracy and completeness?” and “Is the HIE secure?” are very common to hear during discussions with providers who are evaluating joining a HIE. Providers are also concerned that participation in a HIE will create a new obligation to access and review seemingly endless electronic reams of information about a patient, and many want to know: in the event that they “miss something” buried deep in the electronic HIE abyss, can they be sued and held liable for malpractice?

Whether or not a provider will be held liable for “misses” will always depend on the facts and circumstances surrounding a particular case. However, the “standard of care” in medicine evolves over time, especially when dealing with new technologies. Therefore, what may not yet be the standard of care today may very well be just that in the very near future. Sooner or later, this will likely hold true for the use of electronic medical record (EMR) and HIE technology as well.

To get a different perspective on the question, I decided to ask an old law school friend who now happens to be a successful medical malpractice attorney (I try not to hold that against him!) what he thought about HIEs and malpractice. Initially, we both agreed that if the relevant information is hidden deep inside the HIE and is not reasonably accessible to the busy practicing provider, is not presented in a way that is of value or conducive to making clinical judgments, or it is just plain too expensive to join the HIE, then it is unlikely that the physician's "failure" to “find” or “access” such information would be found by a jury to be negligent or falling below the “standard of care.” However, my friend then did a 180° on me when he said the following…

But, if joining the HIE is not cost prohibitive, and the information was available to the physician in a meaningful, easily-accessible and useful way that, had it been accessed through the HIE, could have prevented harm to the patient, but the physician did not join the HIE simply because he/she did not want the new obligation and burden of having to review such information, then I would definitely sue the physician for not joining the HIE and not accessing the information because it could have prevented harm to my client…

Now, I have to admit I did not see that one coming, and I immediately thought to myself, "so, is this a case of 'damned if you do' and 'damned if you don’t'?" I don’t think so. However, the reasons why providers decide not to join a HIE should be very carefully considered and weighed against the potential benefits that joining a HIE may have for their patients, namely potentially improving safety and quality of care. That said, before HIE technology can become a standard of care, at a minimum it must be easy to use, offer useful information, be secure, and not be cost prohibitive to the busy practicing provider. Once that happens, however, what will happen if providers don’t join and patients suffer as a result? Well, I guess my old law school friend may be waiting!

The 800-Pound HIE Gorilla Tiger in "Meaningful Use"

There has been a lot of discussion around the Meaningful Use (MU) criteria. CMS has an entire website dedicated to the subject, as does ONC. Although the clinical criteria of MU may garner much of the attention, the privacy and security components are also significant. In particular, the MU criteria pertaining to Health Information Exchange (HIE) raise certain fundamental privacy questions.

In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient-authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest? In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that a HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., the patient is “ok” with releasing information to Provider B, but not to Provider C) -- at least if you want to meet the MU criteria.

This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model, in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule, it had already vetted and decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception." In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).

Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but a closer look at the August 14, 2002 “Modification to the HIPAA Privacy Rule – Final Rule” in particular is worth a second read. For those who wish to review it in full, I have posted a full excerpt of the relevant sections under the “Continue Reading” window below, but in sum, HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...

The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, that prior debate and dialogue is relevant and should not be forgotten or dismissed.


HIE-ho, HIE-ho, it's off to Court ACLU Goes

The Director of the Rhode Island Department of Health (RI-DOH) was sued last week in connection with RI-DOH's proposed rules for implementing and enforcing the State's health information exchange (HIE) under the Rhode Island Health Information Exchange Act of 2008 (HIE Act).

The Rhode Island chapter of the American Civil Liberties Union (ACLU) filed the Complaint alleging that:

the proposed rules failed to comply with the HIE’s statutory mandates by not addressing provisions in the statute that require adoption of regulations on certain specific issues to further promote the confidentiality, security, due process and informed consent due the affected patients

The ACLU argues that the RI-DOH cannot supplement gaps in the proposed rules through the adoption of policies and that the RI-DOH must address these concerns through Rhode Island's public rulemaking process in order to fulfill its obligations under the HIE Act. However, the RI-DOH has countered that the policies provide sufficient safeguards to protect patients' information while offering more flexibility to make adjustments quickly as national standards for privacy and security in the HIE context continue to evolve rapidly.

The lawsuit serves as an example of how important these concerns are to the public, as well as highlighting the potential for challenges to others developing HIE regulations. This case is worth watching closely to see how it develops.

This post was prepared by Krystyna Nowik. Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law. She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE.

Hello, and welcome to Legal HIE. My name is Helen Oscislawski – but, for obvious reasons, many simply call me 'Helen O'. Either way, I am the founding member of Oscislawski LLC, a boutique health law practice in Princeton, New Jersey. I have been advising the health care sector on legal issues for over a decade, and am particularly known for my experience with guiding many through the legal minefields of electronic health information exchange (HIE).

In 2009, Governor Corzine appointed me to serve on the New Jersey Health Information Technology Commission as the 'attorney with demonstrated expertise in privacy law issues.' In 2007, I was instrumental in advising one of the first HIE initiatives in New Jersey when I helped a large health care system develop a privacy and patient consent framework based upon federal and state law. Since then, I have provided legal guidance to dozens upon dozens of organizations, health care providers, and other stakeholders on the various aspects of planning and implementing a Regional Health Information Organization (RHIO), and with regard to engaging in HIE. I have also prepared many key documents needed for HIE, including trust agreements, licensing contracts, policies, and various compliance materials, as well as helped clients navigate around fraud and abuse laws, privacy laws, and state regulations, among others, which can be implicated in HIE.

Because HIE continues to evolve at lightning speed, I dedicate time every day to stay on top of legal developments in this specific niche area. I also continue to be integrally involved as HIE takes shape at the state level, and beyond. Recently, I was asked to chair a committee that was assembled in order to provide input to the State in connection with its efforts to develop a privacy and security legal framework that is more in line with standards that support beneficial and secure health information exchange.

As the HIE journey continues across the nation, I often have observations and thoughts that I want to share and exchange with others in the industry. This was the impetus for starting the Legal HIE Blog. My goal is to make Legal HIE thought-provoking, insightful, and informative – and, at times, maybe even mildly entertaining. I hope that you find all of these qualities in the coming posts.

Thanks for taking the time to read my personal introduction. I hope that you will visit this Blog often, and share with others the items of interest you come across on Legal HIE.

Best Regards,

Helen O.