Health Law

Your Privacy Protected: HIPAA and its impact on Michigan's health professionals


by Elizabeth Callahan Morris, Patrick J. Haddad, and Daniel J. Schulte

Fast Facts:

A person acting in good faith, without malice, is not civilly or criminally liable under Michigan law for furnishing information or data to a review entity.

HIPAA permits, but does not mandate, the disclosure of PHI in response to subpoenas.

HIPAA should not impede attorneys who represent professional liability plaintiffs from obtaining PHI to evaluate an injury claim or for use in litigation.

The Privacy Rule’s compliance deadline is April 14, 2003.

The Health Insurance Portability and Accountability Act of 1996¹ (HIPAA) is complex federal legislation impacting the delivery of health care. HIPAA creates uniform, nationwide standards for maintaining the privacy of health-related information. To comply with HIPAA’s Privacy Rule, Michigan’s health professionals must reconcile their legal obligations under HIPAA with Michigan statutes regulating the disclosure, use, or reporting of confidential health care information.

HIPAA’s Privacy Rule

HIPAA’s Privacy Rule2 requires health professionals to implement specific policies and procedures to maintain the confidentiality of protected health information (PHI). PHI is individually identifiable information that is either transmitted or maintained, in any form or medium, relating to:

• The past, present, or future physical or mental health or condition of an individual

• The provision of health care to an individual or

• The past, present, or future payment for the provision of health care to an individual3

The Privacy Rule applies to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with a transaction covered by the rule (e.g., electronic billing, etc.).4 If the rule applies to a health care provider, it applies to all PHI maintained by the provider, whether or not the PHI is transmitted electronically.

The Privacy Rule’s compliance deadline is April 14, 2003.5 By then, health professionals must:

• Follow the use and disclosure rules6

• Provide patients with a notice of privacy practices and make a good faith effort to obtain a signed acknowledgement (we recommend that health professionals document unsuccessful attempts to obtain signed acknowledgements)7

• Obtain a detailed, written authorization from patients for ‘‘non-routine’’ uses and disclosures (‘‘routine’’ uses and disclosures are for treatment, payment, and health care operations, and when permitted or required by law)8

• Permit patients to exercise certain rights, including accessing PHI and obtaining an accounting of non-routine uses and disclosures of PHI9

• Designate a privacy official and contact person responsible for privacy policies, procedures, and patient inquiries10

• Train staff on proper privacy practices and impose sanctions for non-compliance11

• Enter into special confidentiality agreements with business associates12

• Develop other administrative, technical, and physical safeguards to prevent the improper use or disclosure of PHI13

Civil penalties for noncompliance begin at $100 per violation per standard and can go up to $25,000 per person per standard per year.14 The Privacy Rule has more than 50 standards. Criminal penalties can go up to $250,000 and 10 years imprisonment.15

Other HIPAA Rules

HIPAA’s Electronic Transactions and Code Sets Rule16 requires health professionals to use standard electronic formats for eight specified transactions, such as the submission of health care claims or encounter information. The standard formats must be used beginning October 16, 2002, unless a compliance extension plan was submitted to the government by October 15, 2002.17 This submission extends the compliance deadline to October 16, 2003.

HIPAA’s Security Rule18 has been issued in ‘‘proposed’’ form only and is expected to be finalized sometime this year. The Security Rule requires health professionals to implement procedures designed to protect the electronic transmission and storage of PHI.

HIPAA’s Unique Identifier Rules require covered entities to use unique identifiers when conducting electronic standard transactions. For example, employers19 will be identified by their employer identification number and it is proposed that health care providers20 be identified by an eight-digit alphanumeric, such as their Medicare provider identification number.

HIPAA Preemption

HIPAA preempts contrary state laws, except in limited circumstances. State laws that are more stringent than HIPAA are exempted from preemption. HIPAA similarly exempts from preemption state laws providing for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention. HIPAA also exempts from preemption state laws pertaining to certain health plan reporting, as well as state laws meeting certain criteria, such as drug control laws.21

Physician-Patient Privilege Issues

Michigan’s physician-patient privilege statute generally bars allopathic and osteopathic physicians from disclosing any information acquired in attending a patient in a professional character, if the information was necessary to enable the person to prescribe for the patient as a physician, or to do any act for the patient as a surgeon.22 Other health professionals subject to similar privileges include dentists,23 counselors,24 optometrists,25 physician assistants,26 psychologists,27 and social workers.28

MCLA 600.2157 provides that the privilege is waived if the patient brings an action against a physician to recover for any personal injuries, or for malpractice, and the patient produces a physician as a witness in the patient’s own behalf who has treated the patient for the injury for which the malpractice is alleged. MCLA 600.2912f specifically states that the privilege is waived by giving a notice of intent under MCLA 600.2912b or by filing a medical malpractice action. Otherwise, the privilege may only be waived by the patient or other authorized individual, or as provided by law.

Although HIPAA and MCLA 600.2157 both require physicians to maintain the confidentiality of PHI, HIPAA does not expressly permit a physician to automatically use or disclose PHI to defend a malpractice claim or action. Nevertheless, the same result should be achieved under HIPAA as under Michigan practice. HIPAA permits the use and disclosure of PHI, without the patient’s written consent or authorization, in judicial and administrative proceedings in response to an order of the court or tribunal, or in response to a subpoena or discovery request unaccompanied by an order, if the party seeking the information has given the patient notice and an opportunity to object and other conditions are satisfied.29 In light of MCLA 600.2157 and 600.2912f, Michigan courts should be expected, if necessary, to enter an order confirming the patient’s waiver of any objection to the disclosure and use of PHI for purposes of HIPAA.

Physicians and other providers often receive subpoenas for medical records. Unless the privilege is waived by operation of MCLA 600.2157 or 600.2912f, providers are typically advised by legal counsel that under Michigan law, they should not release PHI solely on the basis of an attorney-issued subpoena unaccompanied by the patient’s written consent or court order. This remains prudent advice under HIPAA. HIPAA permits, but does not mandate, the disclosure of PHI in response to subpoenas or discovery requests when the provider receives satisfactory assurances from the requesting party that certain enumerated conditions have been satisfied, including reasonable efforts by the requesting party to provide the patient with notice or an opportunity to secure a qualified protective order.30 Because Michigan law does not expressly authorize providers to disclose PHI under these circumstances, the requirements of Michigan law are arguably more stringent than, and take precedence over, HIPAA’s standard.

HIPAA should not impede attorneys who represent professional liability plaintiffs from obtaining PHI to evaluate an injury claim or for use in litigation. Under HIPAA, a written authorization from the patient will be required in order for a physician or other provider to release clinical records directly to the patient’s attorney.31 Alternatively, the patient may directly obtain the clinical records from the provider.32 Attorneys who represent physicians and other providers may access and use PHI pursuant to the business associate rules. Among other things, the attorney and provider/client must enter into a written agreement meeting specified requirements.33

Parental Access to Children’s Health Care Information

HIPAA does not preempt, and maintains the status quo of, state laws giving parents or guardians the authority to act on behalf of an unemancipated minor in making health care decisions.34 Consequently, HIPAA does not modify Michigan law giving the parents of unemancipated minors the legal authority over access to their children’s medical records.35 HIPAA similarly preserves state laws permitting unemancipated minors to consent to certain health care services without parental consent or knowledge.36

Mandatory Reporting Obligations

HIPAA does not preempt, and expressly permits compliance with, any state law that requires the disclosure of PHI, including state laws mandating the reporting of certain types of wounds or other physical injuries to law enforcement officials.37 Similarly, HIPAA permits compliance with state laws providing for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health investigation or intervention. This means that a health professional’s obligations under Michigan law to report PHI, including positive HIV test results,38 communicable diseases,39 wounds inflicted by violence,40 and suspected child abuse or neglect,41 are not altered by HIPAA.

Peer Review Activities

By statute, Michigan protects the confidentiality of the proceedings, reports, findings, and conclusions of peer review entities.42 The statute permits any person to provide a review entity with information or data relating to the physical or psychological condition of a person; the necessity, appropriateness, or quality of health care rendered to a person; or the qualifications, competence, or performance of a health care provider. A person acting in good faith, without malice, is not civilly or criminally liable for furnishing information or data to a review entity.

HIPAA does not specifically authorize the disclosure of PHI to peer review entities. Peer review activities, however, are included in HIPAA’s definition of ‘‘health care operations.’’43 Consequently, PHI may be used and disclosed, without a patient’s written authorization, for peer review activities qualifying as a provider’s own health care operations or those of another covered entity subject to HIPAA. For example, a physician may disclose PHI to the peer review committee of a hospital that also treated the patient, without first obtaining the patient’s written authorization. Similarly, a provider that engages a peer review entity to furnish quality assessment services may disclose PHI to the peer review entity without obtaining the patient’s written authorization, provided a business associate agreement44 is in place.

Under HIPAA, it is unclear whether a provider can disclose PHI, without obtaining the patient’s written authorization, to a peer review entity that is neither a covered entity subject to HIPAA nor a party to a business associate agreement with the provider. For example, HIPAA arguably requires a patient to give a written authorization before a health professional may disclose PHI to the peer review committee of a statewide professional association reviewing a complaint made by the patient over the professional’s competence. In this instance, HIPAA’s requirements are more stringent than, and supersede, Michigan law providing immunity to persons who furnish information to peer review entities in good faith and without malice, irrespective of whether the patient authorizes the disclosure.

HIPAA does not specifically address the disclosure of PHI by peer review entities. However, review entities are required by Michigan statute to de-identify the patient whenever releasing privileged information. Review entities subject to HIPAA should be able to comply with HIPAA’s de-identification standards.45

Conclusion

Michigan’s health professionals will need to modify their practices to conform to HIPAA’s standards. Beyond this, however, HIPAA should not impede health professionals from complying with their obligations under Michigan statutes regulating the use, disclosure, and reporting of PHI.

Footnotes

1. Public Law 104-191, enacted August 21, 1996.

2. See 65 Fed Reg 82461 (Dec 28, 2000) and 67 FR 53181 (Aug 14, 2002) (publishing regulations codified at 45 CFR § 164.101 et seq).

3. 45 CFR § 164.501.

4. 45 CFR § 160.103.

5. 45 CFR § 164.534(a).

6. 45 CFR § 164.502 to § 164.514.

7. 45 CFR § 164.520.

8. 45 CFR § 164.508(a)(1).

9. 45 CFR § 164.522 to § 164.528.

10. 45 CFR § 164.530(a)(1).

11. 45 CFR § 164.530(b)(1) and (e)(1).

12. 45 CFR § 164.504(e)(2).

13. 45 CFR § 164.530(c)(1).

14. Public Law 104-191, § 1176.

15. Public Law 104-191, § 1177.

16. See 65 Fed Reg 50312 (Aug 17, 2000) (publishing regulations codified at 45 CFR § 162.101 et seq).

17. Public Law 107-105, § 2(a), enacted Dec 27, 2001.

18. See 63 Fed Reg 43241 (Aug 12, 1998) (publishing regulations to be codified at 45 CFR § 142.101 et seq).

19. See 67 Fed Reg 38009 (May 31, 2002) (publishing regulations codified at 45 CFR § 162.602 et seq).

20. See 63 Fed Reg 25320 (May 7, 1998) (publishing regulations to be codified at 45 CFR § 162.402 et seq).

21. 45 CFR § 160.203.

22. MCLA 600.2157. See also MCLA 767.5a(2).

23. MCLA 333.16648.

24. MCLA 333.18117.

25. Mich Admin R 338.291(b).

26. MCLA 333.17078(1).

27. MCLA 333.18237.

28. MCLA 333.18513(2).

29. 45 CFR § 164.512(e)(1)(i).

30. 45 CFR § 164.512(e)(1)(ii).

31. See 45 CFR § 164.508.

32. 45 CFR § 164.524.

33. 45 CFR § 164.502(e).

34. 45 CFR § 164.502(g).

35. See, e.g., Dierickx v Cottage Hospital Corp, 152 Mich App 162, 393 NW2d 564 (1986).

36. See, e.g., MCLA 333.9132.

37. 45 CFR § 164.512(f)(1).

38. MCLA 333.5114.

39. See MCLA 333.5111, and Mich Admin R 325.172–.173.

40. MCLA 750.411.

41. MCLA 722.623(1).

42. MCLA 331.531 et seq.

43. See 45 CFR § 164.506(c)(4).

44. 45 CFR § 160.103.

45. 45 CFR § 164.514.



Elizabeth Callahan Morris is an associate with Butzel Long. She concentrates her practice in health law and chairs her firm’s HIPAA Task Force, a multi-disciplinary team of health, technology, and labor attorneys.

Patrick J. Haddad is a member of Kerr, Russell and Weber, PLC. He practices in health, insurance, and corporate law. Mr. Haddad is a member of the State Bar of Michigan’s Health Law Section, the American Bar Association’s Health Law Section, and the American Health Lawyers Association.

Daniel J. Schulte is a member of Kerr, Russell and Weber, PLC. He practices in health and business law. Mr. Schulte is a member of the State Bar of Michigan’s Health and Business Law Sections and is also a member of the American Health Lawyers Association.

