Health Information Compliance Alert

HIPAA Compliance:

Physician Faces up to 5 Years in Prison for Sharing Medical Information With Patient's Employer

Here's how you can avoid facing a similar fate.

HIPAA enforcement is still going full-throttle, and you don't want to end up facing jail time over potential breaches. One Virginia-based physician is looking at just that after spilling a patient's protected health information (PHI), and the government couldn't be more serious about pursuing the case.

The background: A Suffolk, Va.-based physician provided inpatient mental health treatment to a patient in 2007, and documented that the patient was not a danger to others. The following year, however, the physician disclosed PHI about the patient to an agent of the patient's employer on three separate occasions, without authorization, according to a June 21 press release from the U.S. Attorney's office. The physician's defense was that he shared the information because "the patient was a serious and imminent threat to the safety of the public," even though the physician had already documented in his records that this was not the case.

After the FBI investigated the situation, the physician was indicted by a federal grand jury and charged with disclosing PHI. He faces a maximum penalty of five years in prison, the press release notes.

How this affects your practice: Without exception, you should never disclose any PHI without receiving written authorization from the patient. This means that even if a patient's employer contacts you and says that it has authorization from the patient, it's unlawful to send anything to that employer unless you have a signed copy of that authorization.

Example: You receive a fax from a patient's employer that states, "Our employee, Steve Jones, has informed us that you are his physician. As part of his responsibilities as our employee, Steve will be required to lift 300 pounds per day. Please fill out the following form to indicate that Steve is physically cleared to perform these duties." Do you fill out the form and send it back to the employer?

Reality: "Unless the disclosure is otherwise 'required by law' or is part of a workers' compensation claim that has already been filed, the medical provider will need a valid, HIPAA-compliant authorization from Steve Jones in order to lawfully send the completed form back to the employer," says Abner E. Weintraub, president of the HIPAA Group, Inc. "If a valid authorization is used for this, the disclosure would not have to be included in the provider's disclosure accounting log, since the patient/employee would already know about the disclosure from having signed the authorization," he adds.

Although an employer can ask the medical practice for PHI, such requests don't trump HIPAA laws, Weintraub says. "HIPAA does not prohibit employers from conditioning employment on an individual's providing an authorization for such disclosures (but not retroactively and not selectively), and some employers do exactly that."

Keep in mind: "Once Protected Health Information is lawfully disclosed to an employer in this manner, it is no longer 'protected' under HIPAA, but may be protected under other laws," Weintraub adds. "Health information disclosed to an employer may thus be subject to re-disclosure."

To read the complete DOJ release about the case, visit www.justice.gov/usao/vae/news/2011/06/20110621kayenr.html.