Massachusetts Case Involving HIPAA

A Massachusetts federal jury recently convicted a local physician of allowing a pharmaceutical company representative access to her patients’ protected health information (PHI) without consent, in violation of HIPAA. Specifically, in addition to accepting fraudulent payments and lying to federal investigators, the physician violated HIPAA by disclosing patients’ PHI to the pharmaceutical company so that they could target these patients for their products.1

Among the many impermissible uses and disclosures of PHI is the sale and use by third parties. Specifically, 45 CFR § 164.502(5)(ii)(A) states, “[e]xcept pursuant to and in compliance with § 164.508(a)(4), a covered entity or business associate may not sell protected health information.”

This case underscores the following reminders:

  • HIPAA violations can result in criminal prosecution;
  • Relationships with pharmaceutical and medical device companies need to be disclosed to patients and certain requirements need to be met; and
  • Illegal payments made by companies to physicians are never acceptable.

New SAMHSA Fact Sheets Released about Part 2

The Office of the National Coordinator of Health Information Technology, in collaboration with SAMHSA, released two new fact sheets about 42 CFR Part 2: Confidentiality of Substance Use Disorder Patient Records (Part 2). The fact sheets help health information exchange organizations and healthcare providers learn how Part 2 provisions can be used across different environments, including through electronic health information exchange (HIE) mechanisms and in provider office settings.

Specifically, “Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?” explains a Part 2 Program and how healthcare providers can determine how Part 2 applies to them.

In addition, “Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?” describes how Part 2 applies to the electronic exchange of healthcare records with a Part 2 Program.

Connecticut Case Involving HIPAA

The Connecticut Supreme Court in Byrne v. Avery Center for Obstetrics & Gynecology, recently held that patients have a private right to bring legal action against a provider for HIPAA violations.2 HIPAA does not provide a private right of action for patients to collect damages.

Specifically, the Court rejected the provider’s claim that disclosing medical records in response to a subpoena does not require patient consent. The Court concluded that the nature of the physician-patient relationship merits recognition of a common-law cause of action for breach of the duty of confidentiality. The Court’s ruling establishes a new legal precedent for the state, joining other states (NY, MA, MO) finding that there is a duty to protect a patient’s confidentiality and that a breach of this duty can lead to compensation for damages. For further information, consult your local attorney or risk management professional.

1 United States v. Luthra, 2018 U.S. District. LEXIS 62879

2 Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, (2018)