Excerpted from The Biggest Legal Mistakes Physicians Make: And How to Avoid Them
Edited by Steven Babitsky, Esq. and James J. Mangraviti, Esq. (©2005 SEAK, Inc.)
Download Free 646 Page E-book: The Biggest Legal Mistakes Physicians Make and How to Avoid Them
Physicians must comply with myriad state and federal laws and regulations governing the privacy of patient information and medical records. Navigating the complex and often convoluted maze of laws and regulations presents a daunting challenge for all physicians. The privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) when combined with applicable state medical record confidentiality laws present an insidious trap for unwary physicians who violate these laws and regulations. Violations can result in civil fines, administrative penalties, and disciplinary action by state licensing boards. Such violations may adversely affect physicians in ancillary areas, such as managed care contracting, licensure applications, medical staff credentialing, and patient relations.
Mistake 1 Failing to Obtain Proper Authorization or Consent to Release Patient Information
Before implementation of the HIPAA privacy regulations, many states had laws and regulations governing the proper release of patient medical records and information. The HIPAA privacy regulations have added to those state laws by creating requirements for the use of written authorizations for the release of patient information in a number of situations, but they do not require a written consent or authorization for the release of patient information for treatment, payment, or health care operations. However, many states have laws and regulations that require a physician to obtain a patient’s written authorization or consent in order to be able to release patient information for payment and some health care operations purposes. Additionally, while the HIPAA privacy regulations do not restrict communications with family members, many states have laws and regulations that prohibit physicians from releasing patient information and medical records to a family member or relative without a written consent or authorization from the patient. Failure to comply with these laws and regulations can result in severe consequences, including civil lawsuits for breach of privacy, administrative action by state and federal agencies, and disciplinary action by state licensing boards.
Action Step Physicians should ensure that they and their employees are properly trained and educated on the requirements of applicable state and federal laws and regulations governing the proper release of patient information and medical records.
Mistake 2 Improper Handling of “Superconfidential” Information
In many jurisdictions, certain types of patient information (e.g., HIV/AIDS, sexually transmitted diseases, substance abuse, and mental health and psychiatric records) are afforded additional protection under applicable laws and regulations. Often, these types of superconfidential categories of patient information require more detailed and specific written consents and authorizations for a physician to be able to release a patient’s superconfidential information. Because of the heightened sensitivity of superconfidential information, physicians who improperly release such information may be exposed to even greater civil and administrative liability than if they had improperly released patient information that is not superconfidential. Therefore, physicians must ensure that superconfidential information in their patients’ medical records is afforded appropriate protection in order to prevent the unauthorized release of such information.
Action Step Physicians should ensure that their employees are properly trained on the handling and release of superconfidential information.
Mistake 3 Improperly Responding to Subpoenas
Almost every physician will receive a subpoena for patient medical records at some point in his or her professional career. Subpoenas are issued in civil, administrative, and criminal cases at both the state and federal levels. Applicable rules of civil procedure and statutory provisions usually govern the issuance and validity of subpoenas and outline the specific requirements for subpoenas that may be seeking patient medical records and information. In addition, the HIPAA privacy regulations have added “reasonable assurance” requirements to an already convoluted subpoena process. Some states have even amended their existing laws and regulations governing subpoenas in reaction to the HIPAA privacy regulations. Failure to properly comply with a subpoena, or failure to observe appropriate patient privacy rights and protections in responding to a subpoena, may subject physicians to unnecessary liability.
Action Step Physicians should consult with experienced legal counsel in order to develop an understanding of how to respond properly to subpoenas and how to release patient information and medical records sought by subpoenas. Physicians should also ensure that their employees are properly trained on the release of patient information and medical records in response to subpoenas.
Mistake 4 Failing to Understand Patients’ HIPAA Privacy Rights
The HIPAA privacy regulations created a number of new patient rights, including allowing patients to access their medical records, request amendments to their records, request accountings of certain disclosures of their medical records, request restrictions on the release of their medical records, and file complaints with a physician’s practice or the federal Office of Civil Rights about alleged privacy violations. The rules accompanying these new patient rights are complex, and in some instances (e.g., record amendments and restrictions on release of records) allow physicians to deny patients their requests to exercise their privacy rights. However, failure to observe the technical requirements associated with these patient rights may result in unintended HIPAA violations.
Action Step Physicians should ensure that they and their staff are familiar with and receive training on the various patient rights under HIPAA.
Mistake 5 Making Improper Telephone Disclosures
Because of the busy nature of physician practices, many physicians are required to disclose some patient information by telephone on a regular basis. It would be impossible to operate a physician practice without doing so. However, many privacy violations and improper disclosures of patient information occur during telephones conversations because staff either fail to properly identify the individual to whom they are speaking and confirm that the individual is authorized to receive a patient’s information or they release too much information during a telephone conversation or as part of a potentially unsecure voicemail message.
Action Step Physicians must implement policies and procedures for their staff to follow when making telephone disclosures of patient information.
Mistake 6 Improperly Storing, Retaining, and Disposing of Old Medical Records
The disposal of old or out-dated patient medical records is a necessity in any physician practice, since physicians cannot afford to store forever all patient medical records they have created. Unfortunately, many physicians either dispose of records without properly shredding or destroying them or they fail to retain the records for the required period of time under applicable state or federal laws. Failure to properly retain or dispose of patient medical records will definitely lead to privacy violations that will subject a physician to severe and unwanted legal consequences.
Action Step Physicians should develop policies and procedures for the appropriate storage, retention, and destruction of patient medical records and ensure that their employees are sufficiently trained on such policies and procedures.
Mistake 7 Seeing Staff As Patients
It is not uncommon for physicians to see their own staff as patients. In these situations, a physician’s other employees often handle another employee’s patient information and medical records, which can lead to unauthorized and unanticipated discussions among staff concerning another employee’s patient information. Employees who are not involved in the care and treatment of another employee should not have access to that employee’s information and medical records. Failure to prevent such access could lead to a privacy violation.
Action Step Physicians must develop and implement policies and procedures that limit access and disclosure by their staff to other employee’s patient information.
Mistake 8 Making Business Associate Contract Mistakes
The HIPAA privacy regulations require physicians who are “covered entities” to enter into written contracts with their business associates. The regulations also require the written contracts to include certain requirements and restrictions concerning the release, access to, and handling of protected health information by business associates. Many physicians fail to properly identify their business associates, enter into written agreements with them, or include the required provisions and restrictions in their written agreements with business associates.
Action Step Because of the technical and complex legal nature of business associate issues and contracts, physicians should consult with experienced legal counsel regarding business associate issues.
Mistake 9 Ignoring or Improperly Handling Patient Complaints
It is inevitable that most physicians will experience some complaints from patients about privacy and medical records issues. Failure to properly and timely respond to and handle patient complaints could lead to additional issues when patients then take their complaints to an attorney, a state regulatory agency or licensing board, or the federal Office of Civil Rights because they feel that a physician is ignoring or improperly handling their complaint. Timely and appropriate handling of patient privacy complaints can prevent such further action by patients if they feel that a physician cares about their complaint and is providing a proper response to it.
Action Step Physicians must develop and implement a well-thought-out policy and procedure for responding to and handling patient privacy complaints. Additionally, physicians should have a position on their office staff for a complaint or grievance resolution officer, and the person who fills that position should not only have extensive knowledge of applicable federal and state privacy laws, but also a very patient and understanding approach and demeanor toward resolving patient complaints.
Mistake 10 Releasing Patient Information via E-mail or the Internet
As a requirement of their busy practices, physicians are becoming more dependent on electronic means of communication with their patients, third-party payers, and other treating physicians and providers. However, many physicians operate computer systems and e-mail software and systems that do not include proper security and encryption measures. Also, many physicians often provide care and treatment advice to patients via e-mail without properly confirming that the individual receiving the e-mail is really the patient for whom the physician is providing care and treatment advice. Sloppy Internet, e-mail, and electronic communications practices and procedures will almost certainly result in an unauthorized disclosure of patient information or some other type of privacy violation. Also, lack of proper security measures may expose a physician’s computer systems and records to unauthorized access or hacking by third parties.
Action Step Physicians must implement appropriate system safeguards and security measures to protect patients’ private information and medical records and should consult with experienced software and computer system consultants when doing so.
Physicians should be mindful of these mistakes and take appropriate steps as outlined to ensure the privacy of their patients’ information and medical records.
Michael R. Lowe, Esq.
Peer reviewed by:
William F. Sutton, Esq.