Healthcare Law Blog
Kalamazoo - Healthcare Law and Regulations Blog

The Legal System and Your Healthcare Information under HIPAA:

Posted January 4, 2017

Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions:

  • as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
  • to identify or locate a suspect, fugitive, material witness, or missing person;
  • in response to a law enforcement official’s request for information about a victim or suspected victim of a crime;
  • to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;
  • when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and
  • by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.


Medical Malpractice

Posted December 19, 2016

Medical malpractice is a subspecialty of tort law that analyzes the professional conduct of licensed health care practitioners and facilities. The phrase licensed health care providers includes the following occupations: chiropractic, dentistry, medicine, nursing, optometry, osteopathic medicine, pharmacy, physical therapy, podiatry, and psychology. MCL 333.16101 et seq.

To prevail in a malpractice lawsuit against any of these professionals, the plaintiff must prove the elements of duty, breach, causation, and damages. The malpractice of the professional is the professional’s deviation from the standard of care that would be followed by a reasonably prudent professional of similar training under the same or similar circumstances. There must be a provider-patient relationship established for liability to attach.

A recent medical malpractice case illustrates the distinguishing factor of the provider-patient relationship. The plaintiff was attacked by a psychiatric patient while she was a patient at defendant hospital. Plaintiff filed an ordinary negligence claim against defendant, alleging that defendant did not have sufficient staff to monitor its patients and should not have allowed patients with violent propensities to roam around the hospital and enter patients’ rooms. The Michigan Supreme Court held that the trial court had erred in concluding that the correct theory was ordinary negligence because the ordinary layperson does not know the type of supervision or monitoring that is required for psychiatric patients in a psychiatric ward. Similarly, the court held that an assault claim against hospital employees administering a drug despite a patient’s refusal falls under the medical malpractice act requiring plaintiff to provide a notice of intent to sue and affidavit of merit.


HIPAA's Security Rule:

Posted November 15, 2016

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.


Office for Civil Rights within HIPAA:

Posted October 12, 2016

The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.

OCR may only take action on certain complaints. If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation. OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.

If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.