HIPAA Isn’t the Only Standard for Confidentiality

Nobody knows better than hospitals how difficult, complicated and expensive it is to comply with the confidentiality requirements of HIPAA (the Health Insurance Portability and Accountability Act). And hospitals and their lawyers are well aware of HIPAA’s provision preempting all contrary state laws.

But on Nov. 11 the Conn. Supreme Court will officially release a decision reminding us that patients may have breach-of-confidentiality claims against hospitals under state law, even if they have complied with HIPAA.  In other words, compliance with HIPAA is necessary, but it may not be sufficient, to protect a hospital from liability.

Here’s what happened.  Emily was a patient at Avery Center for Obstetrics & Gynecology.  When she broke up with Andro, she told the Center not to disclose her medical records to him.  But when the Center got a subpoena from Andro in a paternity suit, it complied and sent a copy of Emily’s records to the court.

Emily sued the Center for breach of confidentiality and emotional distress.  The trial court granted the Center’s motion to dismiss on the grounds that HIPAA preempts “any contrary provision of law.”  Emily appealed, and the Supreme Court reversed the trial court’s dismissal.  The Supreme Court ruled that while HIPAA preempts state law that is contrary to its provisions, it doesn’t preempt state law that is more stringent than those provisions or that imposes “liability over and above” the provisions.

Bottom line?  A hospital needs to understand state law, statutory and common alike, on confidentiality and make sure it complies with that state law in addition to understanding and complying with HIPAA.

The case is Byrne v. Avery Ctr. for Obs. & Gyn., 2014 BL 308749, Conn., No. SC 18904.

Today’s post was contributed by Norman G. Tabler, Jr.


Comments

  1. Heather McFarland says:

    Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI, it’s really that simple.

  2. Heather McFarland says:

    State laws, like Texas HB 300, are good examples of confidentiality laws that apply to Protected Health Information. To know about these laws and the safeguards to implement, organizations need to train employees. With that said, what’s really missing when it comes to healthcare and HIPAA compliance is security awareness training, and there’s really no excuse for this. There are actually hundreds of free and cost-effective solutions online, but time and time again, I see Covered Entities and Business Associates failing to implement basic training. As a HIPAA security specialist, it’s somewhat upsetting to see this because something that’s so vital to an organization and that is so easy and cost-effective to obtain is many times never done. C’mon folks, train your employees about ensuring the safety and security of PHI; it’s not that difficult. Think about it: healthcare companies spend massive amounts of money on new hardware and software products for security, but the true front line of defense for protecting PHI is well-trained and educated employees, something that’s so easy to do!
