
“Should I Tell Someone?” Permissible Disclosures by Massachusetts Health Providers and the Need for Greater Statutory Clarification

By William M. Mandell

In the wake of the recent Newtown shootings and the Boston Marathon bombings, a lingering question for health providers has been whether they ever have a duty, or the option, to disclose information derived from patient encounters if that information could help prevent an attack or a violent crime, help apprehend a suspect, or solve a criminal investigation.

Health care lawyers are frequently confronted with questions from hospitals, physicians and other providers about how to navigate and apply the conflicting legal and ethical duties to maintain and protect patient privacy rights but also to protect third parties and the general public from harm. Can medical groups proactively report to the police that a patient is mentally unstable and may have access to guns? May hospitals release information about victims of an attack to the police without consent?

This article summarizes current federal and Massachusetts law on the circumstances in which Massachusetts health care providers are authorized to share patient information with law enforcement and public safety personnel and agencies, notwithstanding patient privacy laws. This article also identifies some shortcomings under current Massachusetts law, and proposes a legislative solution to the confusion between HIPAA and a lack of clarity under existing applicable Massachusetts law.

A. Federal HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule established by the Office of Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) does identify a variety of permissible urgent situations in which a health care provider may disclose patient health information.

Notwithstanding this fact, since the effective date of the HIPAA Privacy Rule in 2003, providers have had a greater reluctance to talk or report facts to law enforcement, either because of a failure to properly understand or apply HIPAA or a fear of liability.

Criminal and civil penalties can be imposed on both individuals and organizations under HIPAA for impermissible disclosures, but there are no such statutory penalties for failing to make disclosures to law enforcement or government agencies that HIPAA authorizes. Additionally, many states, including Massachusetts, have very strong and broadly established patient privacy rights over additionally protected areas of sensitive information but less clearly delineated exceptions for disclosures without patient consent for public safety and law enforcement reasons.

Although it establishes a minimum level of privacy rights under federal law, the HIPAA Privacy Rule does not pre-empt any state laws that grant greater protections over patient health information. Thus, health lawyers must help provider clients harmonize the application of a HIPAA provision with a state law that may be more protective of patient health information.

For example, HIPAA permits a hospital to release a patient record including HIV test results or psychiatric treatment communications upon a subpoena alone and without written patient authorization or a court order, if the discovering party can show it has met certain procedural requirements ensuring that proper notice has been given to the patient’s counsel and no objections or motions for protective orders have been filed. However, Massachusetts statutes covering HIV test results or psychiatric treatment communications – more protective of patient rights and thus not pre-empted by HIPAA – require the presentation of either a written patient consent or a court order before that portion of a patient record may be disclosed.

OCR, in the Privacy Rule, attempted to strike the right balance between patient privacy and the need to protect public safety, and in doing so permits the use and disclosure of protected health information, without an individual’s authorization or permission, for twelve national priority purposes. OCR has noted that these disclosures are permitted, although not required, by the Privacy Rule in recognition of the important uses made of health information outside of the health care context. For each public interest purpose, OCR included specific conditions or limitations in the Privacy Rule to strike the right balance between the individual privacy interest and the public interest need for such information.

Among these 12 national priority purposes, the HIPAA Privacy Rule permits non-patient consented disclosures in the following circumstances:

  • To assist law enforcement in certain extreme situations
  • To avert serious threats to health or public safety
  • To protect national security
  • To protect the public health

          1. Assist Law Enforcement

HIPAA permits providers to disclose patient health information without permission from the patient for a law enforcement purpose to a law enforcement official in the following situations:

Providers can disclose health information to comply with federal or state reporting laws, including laws that require the reporting of certain types of wounds or other physical injuries.

In response to a law enforcement official’s request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, a provider may disclose the following:

(1) Name and address;

(2) Date and place of birth;

(3) Social security number;

(4) ABO blood type and Rh factor;

(5) Type of injury;

(6) Date and time of treatment;

(7) Date and time of death, if applicable; and

(8) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

However, DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue can only be released upon issuance of a court order, warrant, or written administrative request.

In response to a law enforcement official’s request for patient information about an individual who is, or is suspected to be, a victim of a crime, if the individual is incapacitated or there are other emergency circumstances, as long as:

(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person, other than the victim, has occurred, and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interests of the individual as determined by the provider, in the exercise of professional judgment.

          2. To Avert Serious Threats to Health or Public Safety

The HIPAA Privacy Rule also permits providers, acting consistent with applicable law and standards of ethical conduct, to disclose patient health information without consent where the provider in good faith believes the use or disclosure:

Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and is to a recipient reasonably able to prevent or lessen the threat, including the target of the threat; or

Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the provider reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

The information provided must not exceed what meets the minimum necessary standard. For purposes of identifying or apprehending an individual, the information authorized to be disclosed is limited to the same eight basic identifying items that can be disclosed in response to a law enforcement official’s request for information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.

HIPAA presumes that the disclosing provider in these instances has acted in good faith with regard to the belief of the necessity for such public safety disclosures.

          3. National Security and Intelligence Activities

Providers may also disclose protected health information to authorized federal officials under the HIPAA Privacy Rule for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority. Those activities can include efforts to create counter-terrorism intelligence databases, including health records. Thus, the reporting of possible or suspected terrorists or terrorist activity by a provider is not necessarily prohibited under HIPAA, and a provider meeting the minimum necessary standard could share its suspicions with federal and state law enforcement agencies without violating HIPAA. The bigger question is whether such a disclosure would run afoul of more protective state laws protecting patient privacy, and whether a provider could be subject to a lawsuit for invasion of privacy or patient rights under Massachusetts law.

          4. Public Health Protection

The HIPAA Privacy Rule also allows unauthorized disclosures of protected health information to public health authorities to carry out their mission to protect the public’s health and safety.

The Privacy Rule permits – but does not require – providers to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for a variety of widely accepted public health functions, such as: the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. Covered entities that are also a public health authority may use, as well as disclose, protected health information for these public health purposes.

Generally, covered entities are required to reasonably limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual’s authorization, or for disclosures that are required by other law. Since most public health disclosures are made by providers under specific mandatory reporting laws established by both federal and state agencies, the minimum necessary rule under HIPAA is often not applicable when a provider is fulfilling a mandatory reporting obligation. Furthermore, the HIPAA Privacy Rule also allows covered entities to reasonably rely on a minimum necessary determination made by the public health authority when it initiates a request for protected health information.

Permissible public health disclosures under HIPAA also cover mandatory or suggested disclosures to authorized third parties who have a need to know, such as to the police in the case of known or suspected abuse or neglect of children or the elderly, or victims of domestic violence or rape. Similarly, if state law allows providers to warn third parties of exposure to a communicable disease HIPAA also allows the same disclosure as necessary to carry out public health interventions or investigations to prevent or control the spread of the disease.

B. New OCR Guidance

Following the Newtown tragedy, the HHS Office of Civil Rights published a letter to the nation’s healthcare providers in January 2013 to make them aware of their ability under HIPAA to disclose information and of their ethical “duty to warn” when they believe a patient poses a serious and imminent threat.

The OCR letter clarifies that the HIPAA Privacy Rule permits disclosure when a health care provider believes in good faith that a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. If the disclosure is made consistent with applicable law and standards of ethical conduct, the provider may alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. The provider is presumed to have such a good faith belief when the provider warns and discloses upon obtaining actual knowledge of facts from interaction with the patient or in reliance on a credible representation by a person with apparent knowledge or authority, such as a friend or family member of the patient.

The OCR letter further states that a health care provider may disclose patient information, including information from mental health records, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.

Thus, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member or others who may be able to intervene to avert harm from the threat.

Such disclosures are not only permitted by HIPAA, but are also advisable under state tort laws following the duty to warn standard first recognized by the California Supreme Court in 1974 in Tarasoff v. the Regents of the University of California. Tarasoff established a common law duty upon health care providers to warn potential victims and the authorities, notwithstanding patient privacy rights, when an individual makes a credible threat of violence. The Tarasoff rule can be best summarized in its most often quoted passage: “The protective privilege ends where the public peril begins . . . .”

C. Massachusetts Law on Patient Privacy and Disclosure

In sharp contrast, the scope of permitted disclosures to warn third parties or avert possible imminent harm to possible victims is more limited under Massachusetts law. Furthermore, Massachusetts law articulates very stringent privacy and confidentiality protections and duties to maintain patient confidentiality, with only a handful of stated exceptions related to public safety. Unlike other states’ patient privacy laws, Massachusetts does not have a single comprehensive statutory act governing all facets of health care information confidentiality and permitted disclosure. Instead, the law of patient privacy and confidentiality in Massachusetts is comprised of a patchwork of different sources: constitutional, statutory, common law, and a variety of state agency regulations.

Generally, the right of privacy in Massachusetts is either implicitly or explicitly recognized and protected under the state constitution, Opinion of Justices, 375 Mass. 795, 806-9 (1978), by common law, Commonwealth v. Wiseman, 356 Mass. 251 (1969), and by statute. Massachusetts Gen. Laws c. 214, § 1B provides for a general right to privacy (“[a] person shall have a right against unreasonable, substantial or serious interference with his privacy”) and authorizes a civil tort action to recover damages for any interference with that privacy right.

Specific to health information, Mass. Gen. Laws c. 111, §§ 70 and 70E (the “Massachusetts Patient’s Bill of Rights”), Mass. Gen. Laws c. 112, § 12CC, and a variety of other statutes and licensing board regulations establish the right of patients of Massachusetts hospitals, licensed facilities, physicians and other practitioners to the confidentiality of all records and communications.

In addition, the Massachusetts Supreme Judicial Court has ruled that physicians have an affirmative duty to maintain the confidentiality of patients’ medical information, and a breach of patient confidentiality can result in tort liability for the physician as well as the discovering party. Alberts v. Devine, 395 Mass. 508 (1985).

The Massachusetts Legislature has also implicitly recognized the general legal and ethical obligation not to release medical information without patient consent by enacting several statutes establishing qualified evidentiary privileges protecting certain medical information and by authorizing and immunizing particular non-consensual disclosures. These statutes (and the cases interpreting them) comprise the body of medical information confidentiality laws in Massachusetts.

Generally, absent written patient consent or an appropriate court order or subpoena, Massachusetts health providers are not explicitly permitted to divulge medical information to the police or other law enforcement agencies.

Under the Massachusetts statutory version of the Tarasoff rule, Mass. Gen. Laws c. 123, § 36B, licensed mental health professionals have a professional duty to take reasonable precautions to warn or protect a potential victim or victims of a patient (and are granted immunity against invasion of privacy claims) in the following circumstances:

The patient has communicated to the licensed mental health professional an explicit threat to kill or inflict serious bodily injury upon a reasonably identified victim or victims, and the patient has an apparent intent and ability to carry out the threat; or,

The patient has a history of physical violence which is known to the practitioner and the practitioner has a reasonable basis to believe that there is a clear and present danger that the patient will attempt to kill or inflict serious bodily injury against a reasonably identifiable victim or victims.

In such instances, licensed mental health professionals are authorized to disclose confidential patient communications by taking one or more of the following reasonable precautions:

Communicate the threat to the reasonably identified victim or victims;

Notify the appropriate law enforcement agency in the vicinity where the patient or potential victim resides;

Arrange for voluntary hospitalization, or initiate proceedings for involuntary commitment.

In situations where Massachusetts providers other than mental health practitioners believe that failure to disclose patient information will result in serious danger to the patient or others, they have tended to make the disclosure. Even without explicit statutory authority, hospitals, physicians and other non-psychotherapist providers usually disclose limited information to prevent serious and imminent danger, relying on risk management considerations and general common law. The Massachusetts Supreme Judicial Court has recognized a “serious danger exception” to a physician’s common law duty to maintain patient confidentiality.

Massachusetts providers have generally disclosed only that information necessary to prevent serious danger, but there have been many instances where police departments, hospitals and other providers have disputed whether and to what extent such disclosures are allowed without a court order or written patient authorization.

While the right of privacy is not absolute under Massachusetts law, and it is only unreasonable interference that is actionable, the specific statutory exceptions for mandatory reporting (e.g., bullet wounds) and permissible public safety disclosure are confusing under the variety of applicable Massachusetts legal sources. As noted above, beyond psychotherapists, there is no explicit state statutory exception that authorizes hospitals and physicians to report instances of serious and imminent danger and grants them immunity for doing so.

D. Recent Tragic Events Should Compel Massachusetts to Take Legislative Action

Massachusetts is in need of comprehensive, consolidated legislation on the balance between patient privacy rights and permissible and necessary limited disclosures to protect the public. Such legislation should contain explicit statutory provisions applicable to all classes of providers, in order to delineate and provide clear guidance on what type of public safety disclosures are permitted, and in what circumstances.

The Massachusetts Legislature could ease the confusion among providers and lessen the risk of future preventable tragedies by having Massachusetts law adopt and follow the permissible HIPAA public safety exceptions described above, and by granting immunity under state law to providers who follow these HIPAA permissive disclosures. HIPAA’s limited pre-emption of state law still leaves it to state governments to identify when they want to be more protective of patient rights and limit disclosures that may otherwise be permitted under HIPAA. Providers in Massachusetts would be better served by such a state statute, as it would diminish the current uncertainty and case-by-case effort hospitals, medical practices and other providers must regularly engage in when they balance their legal and ethical duties to patients against the safety of the general public.


Bill Mandell is a founding member and co-managing partner of Pierce & Mandell, P.C. He represents health care providers in regulatory and transactional matters, including practice start-ups, buy-ins and buy-outs, hospital-physician relationships, risk management, professional contracts and regulatory compliance. He also represents non-profit organizations, corporate executives, start-ups, and small and family businesses. He serves frequently as a neutral hearing officer and advisor to medical staff hearing panels for medical staff disciplinary action and peer review appeals.

F.A.A. et al v. Cooper and the Coming Conflict between Privacy and Health Care

By: Denise McWilliams, Esq. and Richard Juang, Esq.

The majority decision in Federal Aviation Administration et al v. Cooper, 566 U.S. ____ (2012) (No. 10-1024) marks another step forward in the relentless national erosion of privacy protections. In Cooper, the Supreme Court held that, under the Privacy Act of 1974, a cornerstone of federal privacy protections, mental anguish and humiliation for individual plaintiffs were not “actual damages.” Although the outcome was not unpredictable, Justice Alito’s decision is, nonetheless, starkly at odds with the long-standing principle that, fundamentally, the purpose of privacy protections is to prevent and redress “[t]he mental distress from having been exposed to public view.”[1] Without recognition of that basic injury, privacy jurisprudence loses focus and purpose.

The facts of Cooper remind us of how complicated things get when medical information intersects with non-medical interests, cultural realities around stigma, and institutional information-sharing. Stanmore Cooper, a licensed pilot since 1964, was diagnosed with HIV in 1985. At that time, the Federal Aviation Administration would not issue a medical certificate, a prerequisite to obtaining a pilot’s license, for those with HIV. Medical certificates are not cursory, but include information about the applicant’s illnesses, surgeries and medications, and are renewable every two to three years depending on age. Rather than apply and be rejected, Cooper let his license lapse, effectively grounding himself.

In 1995, Cooper’s health declined until he was no longer capable of working. Cooper applied for and received Social Security Disability Income (SSDI). Notably, 1995 also saw the first effective treatment for HIV. Cooper then experienced a significant recovery of health, voluntarily requested termination of his SSDI benefits, and returned to work.

In 1998, Cooper, investigating a return to flying, researched the FAA procedures for those with HIV. At that time the FAA still had not established a protocol for applicants with HIV, and agency responses to such applicants varied considerably. Cooper simply withheld all information about his HIV status when he applied and, as a result, received his medical certificate. In subsequent renewals, Cooper continued to omit information regarding his HIV illness until his fraud was detected by Operation Safe Pilot in 2005.

Operation Safe Pilot began in 2002 and involved the FAA and the Social Security Administration (SSA) exchanging and comparing their respective records in an attempt to detect fraudulent medical certificates. Going well beyond a simple computer comparison, the exchange, at least in Cooper’s case, included a hard copy of Cooper’s complete disability file. After a review of Cooper’s SSA file, the FAA revoked his medical certificate and indicted him on three counts of making false statements to a government agency. Cooper ultimately pled guilty to one count of making and delivering a false official writing in violation of 18 U.S.C. §1018. He was fined $1,000.00 and sentenced to two years’ probation. (Cooper’s pilot license has since been reinstated.)

Subsequently, Cooper filed suit against the FAA, SSA, and the Department of Transportation under the Privacy Act. Enacted in the aftermath of the Watergate conspiracy, the Act details the requirements for the management of confidential records held by federal agencies. The Privacy Act requires agencies to establish mechanisms to avoid disclosure of confidential information which “[c]ould result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.”[2] In essence, federal agencies are permitted to exchange information only with the consent of the individual whose information is being held, or pursuant to a number of exceptions, none of which were relevant in Cooper’s case. The lower courts in Cooper consistently concluded that the agencies had wrongfully disclosed Cooper’s confidential information and had done so “in a manner which was intentional or willful.”[3] Under such circumstances, a wronged individual can recover the “actual damages sustained by the individual.”[4]

Cooper, however, ran into a countervailing legal matter: the question of whether Congress, in waiving sovereign immunity, had also consented to suits alleging only emotional and mental distress, absent clear pecuniary damages. The Supreme Court majority, in ruling against Cooper, relied in large part on United States v. Nordic Village, Inc., 503 U.S. 30 (1991), which held that “plausible” interpretations of a statute are sufficient to defeat a claimed waiver of sovereign immunity. Looking, therefore, only to the statutory phrase “actual damages,” Justice Alito analogized the phrase to libel per quod and slander, both of which require “special damages” or actual pecuniary loss, instead of “general damages,” which are not necessarily pecuniary in nature.[5] Because of this parallel, the Court concluded that the required “unequivocal expression” did not exist. The established and commonsensical principle that the “actual damage” inherent to a privacy violation is mental anguish was, then, defeated by a rigid and arguably unreachable requirement that damages be allowed only when there is an “unequivocal expression” of sovereign consent. In effect, Cooper demoted privacy from a fundamental individual interest to a statutory entitlement, to be conferred or revoked depending on the vagaries of statutory construction and fuzzy legislative compromises.

The Court’s retreat from expansive privacy protections warns us that the traditional tort-based and fundamental rights approaches to privacy are no longer viable ways of protecting people’s confidential information. On the one hand, Cooper signals to holders of personal data that the mental distress and humiliation of public exposure is no longer a protected interest. On the other hand, Cooper further signals to the public that the sole means for individuals to protect their personal information is to refuse to disclose it. The Court’s sharp restriction on individual enforcement of privacy interests suggests that, going forward, withholding personal information may well be the only tool available when interacting with misbehaving federal agencies.

At the same time, withholding information may no longer be an option for most individuals. The health care sector, both in Massachusetts and nationally, is decisively moving toward increasingly integrated database technologies. The main example (indeed the cornerstone) of this is the implementation of portable Electronic Medical Records (EMRs).

EMRs promise more efficient and accurate delivery of medical services. It is widely accepted that successful implementation of EMRs depends on the public’s belief that the information contained therein will be protected from unauthorized disclosures:

“Privacy and security are the bedrock of building trust, a must-have component that is essential to achieving meaningful use and realizing the value of health IT. Patients and providers must feel confident that laws, policies, and processes are in place to keep their health information private and secure, and that they will be enforced when violations occur.”[6]

However, the reality of EMRs is rather more complicated than the ideal of teams of medical professionals seamlessly exchanging information on a common patient. Many diverse parties completely unrelated to the treatment needs of the person whose information is contained in an EMR, such as insurers, researchers and law enforcement personnel, among many others, want access to that information, preferably without the consent of the individual — indeed, sometimes without alerting that individual. Their interests range from quality assurance and health outcomes to fraud detection, to name but a few. The single unifying theme in the promotion of EMRs is that all of these players seek unconsented access to individuals’ health information for some “greater good.”

Nonetheless, it is far from clear what, other than institutional restraint, will prevent or deter the misuse of individual information. Fear of misuse could easily drive people to withhold information, even when health and safety are at stake. Cooper should be read as a warning: we are, increasingly, legally unprepared for the growing conflicts between institutional power and individual privacy needs, which lie at the very heart of institutional changes in health care.

Denise McWilliams is General Counsel of AIDS Action Committee of Massachusetts, Inc., the Commonwealth’s largest AIDS service organization. She is a graduate of Northeastern University Law School.

Richard Juang is Assistant General Counsel of AIDS Action and a graduate of Northeastern University Law School.

[1] Time, Inc. v. Hill, 385 U.S. 374, 385, n. 9 (1967).

[2] 5 U.S.C. §552a(e)(10).

[3] 5 U.S.C. §552a(g)(4).

[4] 5 U.S.C. §552a(g)(4)(A).

[5] Cooper at 10.

[6] Federal Health Information Technology Strategic Plan 2011-2015, Goal III: Inspire Confidence and Trust in Health IT, p. 29.