HIPAA, COVID-19 and jail

Dr. Derm had been an associate in a large multi-physician dermatology practice for over a decade. Ultimately, he and his other physician associates decided that it is in the best interest of the practice if he leaves the practice. There are no contractile issues of concern. Dr. Derm was to leave as of Jan. 1. He is upset about his termination but simply finishes his days seeing patients and fulfilling his duties.

The dermatology group has a sophisticated electronic medical record (EMR) system. There is full access to all relevant o­nce materials from any computer anywhere in the world. Dr. Derm’s access should have been terminated on Jan. 1 but was not terminated until Feb. 1.

During the month after that, he should not have had access to any medical records. Out of curiosity, Dr. Derm signs into the system and downloads medical records of some of his former associates. He finds out that one of his former associates tested positive for COVID-19 (albeit he was asymptomatic) and continued to work without notifying anybody in the o­ffice. Dr. Derm is perplexed as to whether to report his associate to both the state medical board and/or a variety of legal entities. He is not aware that anybody contracted COVID-19 from the associate.

Three months later, his former associates become aware of what Dr. Derm did and wish to sue Dr. Derm for a Health Insurance Portability and Accountability Act (HIPAA) violation. He contends that he did nothing improper. Now he decides to report the former o­ffice for potentially exposing patients to COVID-19.

Where does Dr. Derm legally stand? The former associates contend that the medical records are part of a HIPAA-protected environment and information is only available on a need-to-know basis. If Dr. Derm had no o­fficial business pertaining to a file (he was no longer a practice associate), then he did not “need to know”. Healthcare professionals must consider HIPAA to be such a protected environment.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, originally passed in 2009, was a regulatory measure introduced in anticipation of the sudden rise in the volume of healthcare practices adopting electronic health records (EHR). Violations of the HITECH regulations can lead to civil or criminal liabilities. The simple explanation for these rules is to understand that the HIPAA Privacy Rules lay down the standards that should be followed to become HIPAA-compliant. But it is the HITECH Act Rules that elaborate on the criticality of following these norms and lay down enforcement, accountability, penalty and persecution-related guidelines for those involved in sharing or accessing personal health information.

The purpose of HITECH is to:

1. Define penalties imposed on healthcare professionals found guilty of HIPAA Privacy Rule violations.
2. Ensure that access to medical data in the form of EHRs becomes a national standard for storing/accessing patient information.
3. Lay down accountability clauses and define penalties incurred on HIPAA violating business associates.
4. Introduce strict standards related to the notifications of patients whose personal health information has been violated.

HITECH stipulates that unauthorized access to patient records can lead to jail-time. This has already happened. File snooping out of curiosity is not considered authorized access. There was no “need to know” for Dr. Derm. Accessing records of a neighbor, child’s teacher or friends without authorization can lead to legal difficulties for a physician or any provider within that practice. The COVID-19 information, although certainly a major issue for the practice, is a distraction in this HIPAA-associated case. Dr. Derm is guilty of a HIPAA violation.