It has been almost eighteen years since the U.S. Department of Health and Human Services, late in 2000, issued the HIPAA Privacy Rules to promote the privacy of individuals’ “protected health information.” Shortly thereafter, patients started seeing in their doctors’ offices “Notices of Privacy Practices”—usually in little pamphlet form, or else just printed on standard 8 1/2” x 11” paper. These Notices are supposed to inform us of our rights and how the health care provider complies with HIPAA. But like so many other things mandated by the government to be delivered in writing to consumers in “ordinary language,” such Notices are difficult to read—long, boring, filled with qualifications, and almost inscrutable. I suspect the percentage of patients who have sat down and slogged through these is very small. I suspect, also, that these Notices are still written in a style that is beyond the reading comprehension of a substantial percentage of adults. The result is that in our society as a whole, very few really understand any of the details, but all are saturated with the general idea that our medical records are very, very private.
Though HIPAA has become almost a household name, Maine enacted its own “Confidentiality of health care information” statute, found at 22 M.R.S.A. § 1711-C (the “Maine Privacy Statute”), several years before the federal government issued the HIPAA Privacy Rules. Under the federal HIPAA rule, if a state law provides greater privacy protection for health information than the HIPAA Privacy Rule, the state law governs in that respect. And though there are many similarities and overlaps, in some ways the Maine Privacy Statute provides greater protection. In some ways not. In some ways, well, it’s just hard to tell.
At the outset, though, as almost always, the law has even further complications.
The Maine Privacy Statute covers information that relates to an individual’s “physical or mental condition.” Yet Maine has a separate statute, passed fifteen years before the Maine Privacy Statute, 34-B M.R.S.A. § 1207, that pertains to mental health records of any “client,” where “client” is defined rather vaguely as any person “receiving services from the department [i.e., from Maine DHHS], from any state institution, or from any agency licensed . . . to provide services falling under the jurisdiction of [DHHS].” This would include the records of patients of any organization in Maine with a Mental Health Agency License from the DHHS. And though the history of this separate statute and its interpretation by the Office of the Maine Attorney General is that this statute was meant to cover mental health records, subsection 1(D) of this statute permits the disclosure of the client’s “physical condition or mental status” (emphasis added) to the client’s “spouse or next of kin,” but only upon “proper inquiry”—whatever that means. Neither the HIPAA Privacy Rules nor the Maine Privacy Statute, referred to above, has such a broad exception for “spouses or next of kin.”
There are also other and more specific federal and Maine statutes and regulations that pertain, e.g., to records of alcohol and substance abuse treatment or HIV status. Indeed, the laws concerning the privacy of anything having to do with alcohol and substance abuse treatment are by far the most strict and protective of all—which is ironic, since at the same time, under Maine and federal law, thousands of individuals receiving (overpriced) outpatient methadone opiate addiction treatment are literally required every single day, 365 days a year, to parade in and out each morning, in full public view, at various clinics around the state. Out of deference to “privacy laws,” no such clinic would ever, ever confirm or deny over the telephone that a particular individual attends that clinic, yet people can just watch them go in and out.
Go figure.
Altogether these federal and Maine privacy laws and regulations are a hodgepodge that creates a labyrinth of general rules and multitudinous, crisscrossing exceptions that no one can master or even fully comprehend. Furthermore, despite all of these laws, to my knowledge, not a single federal or Maine privacy law gives the patient the right to sue for general damages if his or her privacy rights are violated. In technical jargon, this means that the statute provides no “private right of action.” So instead, for the most part, if your privacy rights are violated, you are supposed to complain to the appropriate federal or Maine agency, and then that federal or Maine agency might or might not investigate and eventually fine or penalize the culprit.
True, the Maine Privacy Statute does give a patient the right to sue someone who “intentionally” violates the patient’s privacy rights under the statute. However, the patient is not entitled to damages for mental anguish or other loss or suffering on account of any invasion of privacy, and is not entitled to attorneys’ fees. Instead, if victorious, the patient is basically only able to recover a penalty “not to exceed $5,000.” This is less than the small claims court limit in Maine. So except in some very unusual circumstance, a patient whose rights have been violated under the statute would not be able to find an attorney willing to take the case on contingency, and it would not be cost effective for the patient to pay the attorney for what could be a long battle against a well-funded health care provider.
Although these various laws are brutally complicated in detail, there are at least some basic general principles.
For example, with very limited exceptions (such as certain mental health records of a patient that his psychiatrist thinks would be dangerous to disclose to that patient), a patient always has the right to see copies of his or her records. This general rule gets tricky, however, when the patient is a minor (especially if the parents are divorced or never married) or when the patient is possibly mentally incompetent. Who, then, gets to see the records? The various laws provide more or less guidance to health care professionals when this happens, but there are so many variations that it is beyond the scope of this blog to attempt to summarize them.
The general rule, also, is that if you are willing to sign the right form, you have the authority to authorize your health care provider to release any or all of your records to anyone for whatever purpose you desire. And sometimes, when it is just darn unclear whether the law permits (or maybe even requires) the disclosure of the information, it’s easier and more cost effective just to have the patient sign something authorizing the disclosure.
HIPAA provides an elaborate apparatus for you to amend your records if upon inspection you think they contain an error. In this day and age where, for example, perfectly healthy 40-year-old people get turned down for term life insurance because of some blemish in their records, these rights to amend can be important. This can also be important if you are the victim of an accident bringing a personal injury claim and the defense finds something in your past records to use against you. If you think the records are flawed, HIPAA provides a roadmap for you to try to fix it.
The general rule under HIPAA is that a health care provider—or anyone your provider contracts with for services and who is privy to your records on that basis—can always, without any special authorization from you, use or disclose any of your otherwise protected health information (1) to treat you, (2) to obtain payment for services, or (3) for “health care operations.” The caveat to this general rule is that when your information is used or disclosed for any of these three purposes, the user or discloser must make “reasonable efforts to limit [the use or disclosure of] protected health information to the minimum necessary to accomplish the intended purpose of the use [or] disclosure.” 45 C.F.R. § 164.502(b). So in other words, when your doctor is trying to get paid, your doctor doesn’t need your permission to disclose any of your information to anyone, as long as your doctor makes reasonable efforts to disclose nothing more than needed for your doctor to get paid.
And what, you might ask, are “health care operations”?
Health care operations are defined under the HIPAA Privacy Rules as many things: conducting quality assessment and improvement reviews; reviewing the competence or qualifications of doctors; audits; fraud and abuse detection; business planning and development; customer service; and the “sale, transfer, merger, or consolidation of all or part” of the doctor’s practice to or into another doctor’s practice. And though this might seem like a long list of things for which your doctors or hospitals can use your protected health information, remember that the general rule is always that when using your protected health information for any of these purposes, your provider must take reasonable steps to use or disclose only what is minimally necessary for the task.
There is also a very elaborate set of HIPAA Security Rules (alongside the Privacy Rules) that define how records need to be stored and communicated in order to safeguard privacy. These rules run the gamut from technical issues of firewalls and encryption, to very simple things like making sure computer screens cannot be seen by visitors who might lean over the counter and making sure laptop computers are not accidentally left behind at fast food restaurants. Large institutions that have run afoul of one or more of these rules have been fined, literally, millions of dollars when there have been significant security breaches impacting the protected health information of many patients.
The Maine Privacy Statute starts with the general rule that an individual’s health care information may not be disclosed other than to the individual and other than in accordance with the exceptions provided in various subsections and sub-subsections thereafter.
The first of these exceptions is that a health care provider may disclose an individual’s information pursuant to a written authorization signed by the individual, as long as the authorization satisfies a bunch of formal criteria set out in the statute. The next exception, however, is that if it’s “not practical to obtain [such a] written authorization” from an individual, or when the individual “chooses to give oral authorization,” the provider may disclose health care information pursuant to just an oral authorization. The next exception is that if the individual is “unable” to provide either a written or an oral authorization, the provider may disclose information based on an authorization from the individual’s spouse, parent, aunt, uncle, niece or nephew, or an “adult who has exhibited special concern for the individual and who is familiar with the individual’s personal values.” When doing so, the provider is instructed that it can disregard any authorization from such a third party if the provider determines that “it would not be in the best interest of the individual” to abide by the wishes of that third party. How on earth are providers supposed to make such determinations?—who knows.
Thereafter the Maine Privacy Statute, like HIPAA, provides general exceptions for disclosure for the treatment of the individual, to obtain payment, and for items similar to what HIPAA calls “health care operations.” The Maine Privacy Statute, like HIPAA, also has provisions that generally require that disclosures be limited to what is minimally necessary to accomplish the legitimate purpose in question.
Both federal and Maine laws also contain sundry other exceptions for things like court orders, public health emergencies, information given about inmates to correctional facilities, various forms of scientific and medical research, and catch-all provisions for any other disclosures “required or permitted by law.”
When this author started the practice of law, HIPAA and the Maine Privacy Statute literally did not exist. Yet somehow my generation and my parents’ generation managed to survive. Now there is an oversized two-volume, several-thousand-page three-ring binder set of materials on my shelf called “Employer’s Guide To HIPAA Privacy Requirements.” That’s just for employers—not nurses, doctors, school clinics, or health plans.
The author of this blog can be fairly characterized as a lifelong social liberal. At the same time, however, the author’s personal opinion is that we are choking ourselves in regulations. Are we in the United States, as a whole, happier, or better off, thanks to HIPAA Privacy Rules? And how much money spent on HIPAA could have been spent to provide better and lower cost medical services? I don’t know.