Doctor Faces Criminal Charges for Wrongful Disclosures under "False Pretenses"

Tripping on the heels of the HIPAA criminal charges against Chelsea Catherine Stewart for theft of patient information (see my previous post on June 14, 2011), a physician was indicted June 21, 2011 on three counts of HIPAA violations in the U.S. District Court for the Eastern District of Virginia.  Dr. Richard Alan Kaye, a licensed osteopath who is board certified in psychiatry, was formerly the medical director of the Psychiatric Care Center at the Sentara Obici Hospital in Suffolk, Virginia, and had treated the patient whose individually identifiable health information was allegedly disclosed without authorization.

According to the U.S. Attorney's Office for the Eastern District of Virginia, Dr. Kaye had provided in-patient mental health treatment to a patient and upon the patient's discharge in September of 2007, he had indicated in the discharge summary that the patient was not a danger to others.  Despite this, in February of 2008, Dr. Kaye disclosed information on three occasions to an agent of the patient's employer under "false pretenses" that the patient was a serious and imminent threat to the safety of the public.

According to the Virginia Board of Medicine, the Board had already investigated the incidents and fined Dr. Kaye $5,000 for "one patient case of releasing confidential information and breach of confidentiality" in May 2010.  He was placed on probation until he completed eight hours in professional ethics.  Dr. Kaye's license was restored by the Board on October 4, 2010 after compliance with the terms of his probation.

What makes this indictment against Dr. Kaye unique among previous HIPAA criminal prosecutions, however, is that it alleges false pretenses for wrongful disclosures made to an employer.  As it is unclear what the motive for Dr. Kaye's actions was in disclosing the information to the employer, one has to wonder what the "trigger" was that led to the FBI's involvement and the U.S. Attorney's criminal charges.  Criminal prosecution under HIPAA is still a rare, albeit increasing, occurrence, especially in comparison to the number of HIPAA violations investigated by OCR each year.

Under § 1320d-6(b)(2), Dr. Kaye could face a fine of up to $100,000 and up to five years in jail if convicted of disclosing the information under "false pretenses."  Dr. Kaye is scheduled to be arraigned on July 13.  A copy of the press release can be found here.  

U.S. Supreme Court Strikes Down Vermont's Prescription Drug Data Mining Ban Law

Last Friday, the United States Supreme Court struck down the Vermont Prescription Confidentiality Law, thereby allowing prescriber-identifying information to be sold and disclosed by pharmacies and pharmaceutical manufacturers for marketing purposes.  You can retrieve a copy of the U.S. Supreme Court's full opinion here.  A fantastic history of the case as well as various Amicus Briefs filed for and against Sorrell vs. IMS are posted on the Vermont Office of the Attorney General's website.  The case was argued on April 26, 2011, and you can listen to the oral arguments in front of the Justices here.  Many have been anxiously awaiting the Court's decision, which promised to have a profound effect either way on how deidentified information is collected and used for various purposes, including healthcare research and quality improvement, as well as for marketing.

Justice Kennedy, writing for the 6-3 majority, held that the Vermont law was an unconstitutional content-based restriction on First-Amendment protected expression. The majority asserted that speech restraint of this kind must be subject to strict judicial scrutiny. Kennedy concludes that the Vermont law fails this test because, in seeking to advance its goal of lowering health care costs and promoting public health, it restricts “certain expression by certain speakers.”

Justice Breyer, in his dissent, argued that the Vermont law only modestly affects expression, by depriving “pharmaceutical and data-mining companies of data… that could help pharmaceutical companies create better sales messages.”

The dissenting justices contend that these messages are commercial speech, and that government regulation of commercial speech has not been subjected to the heightened judicial scrutiny employed by the majority. In this light, Justice Breyer concludes that the statute permissibly regulates commercial activity. The Court’s dissent also raised concerns over long-term precedential trouble created by the majority’s decision. Justice Breyer states that, “at best the court opens a Pandora’s Box of First Amendment challenges to many ordinary regulatory practices that may only incidentally affect a commercial message… [and] at worst, it reawakens Lochner’s pre-New Deal threat of substituting judicial for democratic decision-making where ordinary economic regulation is at issue.”

For some, the Court's decision is a huge disappointment, but others will undoubtedly welcome the Court's decision as the correct outcome.  In my previous post about this case, I included the in-depth analysis of Sorrell vs. IMS prepared by the Centers for Democracy and Technology (CDT).  There, CDT pointed out, among other things, that:

The first thing to recognize about the data at issue is that it contains doctors' names but it does not contain patient names. The data is [']patient de-identified['] pursuant to standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA already prohibits the use of patient-identified data for marketing to patients or to doctors. Vermont went one step further and said that even patient de-identified data cannot be used to market drugs to doctors.

CDT also pointed out in its analysis:

[i]f the Supreme Court were to accept some of the privacy claims, it could do damage to privacy by discouraging use of de-identified data. And claims that doctors have a privacy right in their drug prescribing practices could upset a host of policy goals associated with improving the efficiency and safety of the health care system.

Finally, the CDT memo points out:

The behavior of physicians and other health care professionals is routinely scrutinized by federal and state regulators, accrediting organizations, licensing boards, and health care plans, among others. A broadly recognized privacy interest in prescriber-identifiable data could have implications for multiple important issues, including quality measurement and public reporting, as well as comparative effectiveness research, which are critical to reform of our health care system. If the Court were to agree that prescriber records need to be protected like corporate “trade secrets” or that there is no role for outside review of physician decision making, important reform activities that depend on access to and use of prescriber identified data could be impaired or prohibited.

Clearly, the U.S. Supreme Court agreed.

Hospital Theft Leads to HIPAA Criminal Charges

An Alabama woman has been slapped with criminal charges in connection with the theft of patient information from Trinity Medical Center in Birmingham, Alabama, as reported by The Birmingham News.  Section 1320d-6 imposes criminal penalties where any person knowingly uses a unique health identifier or obtains or discloses individually identifiable health information in violation of HIPAA. 

The young woman, identified as Chelsea Catherine Stewart, allegedly stole paper surgery schedules from a closed patient registration area at the hospital while visiting a patient.  Stewart was arrested at the beginning of June after police, in connection with an ongoing investigation for mail theft and credit card fraud, found hundreds of pages of the schedules in the house where she was staying.

The schedules contained the names, dates of birth, social security numbers and certain medical information of approximately 4,500 patients of the hospital.  In addition to the patient information, an affidavit by postal inspector John Bailey stated there were handwritten notes with information of other individuals which could be used for identity theft and a "to-do" list of sorts for fraud.  Notes allegedly read, "Get hospital records together and run credit reports on people to get info."  

The notice of the theft on Trinity Medical Center's website states,

"All stolen information has been recovered....The hospital has no reason to believe this information has been or will be used in a way that would cause harm." 

However, Trinity Medical Center will be offering free credit monitoring for those affected patients.  In addition to the notice on its website, the hospital also notified affected individuals of the theft by mail.

If convicted, Stewart could face the maximum criminal penalties under §1320d-6 for "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm" of up to 10 years in jail and $250,000 in penalties.  Stewart also faces unrelated charges of credit card fraud and breaking into a vehicle.

Maine Reverts Back to Opt-Out Approach for HIE

In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE HealthInfoNet.  Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy.  Stakeholders had decided early on in the HIE's development that opt-in was not practical and as such, patients would be automatically enrolled in the HIE.  Patients could then exercise their choice to opt-out and have their information deleted from the HIE's central data repository. 

After considerable push-back from HealthInfoNet, as well as physicians, hospitals and their respective professional associations, the Maine legislature has reconsidered and revised the proposal.

As rewritten, the proposed legislation would permit HealthInfoNet to continue operating on an opt-out basis, but would dictate specific rules for informing patients of their right to do so. Individuals would need to be provided with, at a minimum:

  • A separate form at the point of initial contact with a description of the risks and benefits of participating in the HIE;
  • A description of how and where to obtain more information or how to contact the HIE;
  • An opportunity for the patient to refuse to participate in the HIE; and
  • A declaration that health care treatment would not be withheld from the patient solely based upon the patient's refusal to participate in the HIE.

Although information regarding the HIE is currently included on provider and hospital Notices of Privacy Practices, many patients were not aware that their information was being exchanged through the HIE.  As Amy Landry, communications director at HealthInfoNet, acknowledged, "nobody reads the Notice of Privacy Practices." The proposed legislation reflects a compromise between concerns for patient privacy and awareness and the need of the HIE to have a large enough patient population to be of value to physicians and hospitals.

Furthermore, the proposed legislation would require policies and procedures for protecting the confidentiality, security and integrity of health care information.  It would also require the HIE to maintain records of all disclosures made by and through the HIE, in addition to requiring compliance with all applicable federal laws and regulations dealing with privacy, security and breach notification as defined by 45 CFR Parts 160 and 164.

The amended Bill (LD 1337) may be accessed here.  

HHS Releases Proposed Rule for Accounting of Disclosures

A Notice of Proposed Rulemaking (NPRM) concerning the accounting of disclosures (AOD) requirement under the HIPAA Privacy Rule was posted last Friday, May 31, 2011.  The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) states in its Press Release regarding the NPRM:

This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information . . . We need to protect peoples’ rights so that they know how their health information has been used or disclosed.

HHS points out that people would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information (PHI). Although covered entities are currently required by the HIPAA Security Rule to track access to electronic PHI, they are not required to share this information with patients.  HHS also points out that the NPRM requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests.

Interestingly, with regard to health information exchange (HIE) specifically, HHS notes in the Preamble to the NPRM that it considered but rejected requiring that a full accounting of disclosures be made through an HIE at this time.  However, HHS states its intention to work with ONC to assess whether standards for exchanges of information should include information about the purpose of each transaction.  It also notes that to the extent such information would fall under a disclosure required to be accounted for (e.g., public health), the individual would still have a right to learn of such a disclosure.

For a summary of the AOD NPRM prepared by Attorneys at Oscislawski LLC, click here.

Public comments are due by August 1, 2011 and can be submitted by clicking here.