Wednesday, June 19, 2024

HIPAA Violation Alleged Against Texas Physician

We all know HIPAA, the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), because seemingly every visit to every doctor starts with a HIPAA authorization form that allows patients to designate persons with whom personal health information (PHI) can be shared. The statute is pretty bare-bones, but it authorizes HHS to issue rules, which it did from 2000 to 2013 (summarized at the bottom of this post*).

The cardinal rule for health care professionals is pretty simple: Don't access or spread the PHI of patients unless there's a need to know (with respect to the person accessing the PHI and the person on the receiving end). There are a gazillion technical aspects to the rule, but my version will cover the vast majority of situations in which a person who is covered by the rule (including health care professionals) seeks access to PHI.

A violator of HIPAA faces civil and criminal prosecution that may result in fines or even jail time. A medical resident at Baylor College of Medicine has been indicted for alleged HIPAA violations and if convicted faces the possibility of a $250,000 penalty and up to ten years in prison. Here's DOJ's summary of the case:

A Houston doctor has been indicted for obtaining protected individual health information for patients that were not under his care and without authorization, announced Alamdar S. Hamdani.

The four-count indictment alleges [Ethan] Haim[, Dallas,] obtained personal information including patient names, treatment codes and the attending physician from Texas Children’s Hospital’s (TCH) electronic system without authorization. He allegedly obtained this information under false pretenses and with intent to cause malicious harm to TCH.

According to the indictment, Haim was a resident at Baylor College of Medicine and had previous rotations at TCH as part of his residency.

In April 2023, Haim allegedly requested to re-activate his login access at TCH to access pediatric patients not under his care. The indictment alleges he obtained unauthorized access to personal information of pediatric patients under false pretenses and later disclosed it to a media contact.

According to Becker's Hospital Review (June 17),

[Haim] is accused of violating HIPAA by leaking internal documents from Houston-based Texas Children's Hospital concerning gender-affirming services. . . . 

This unauthorized access allegedly allowed him to obtain patients' personal health information, including names, treatment codes and details of the attending physicians. . . . 

In May 2023, Dr. Haim shared these internal documents with Christopher Rufo, a senior fellow at the Manhattan Institute in New York City. . . .

Although a HIPAA violation is a violation, not all violations are created equal. Inadvertence, carelessness, a desire to be helpful -- none of these excuses a violation of HIPAA, but the key to this case is likely to be the apparently political nature of Dr. Haim's alleged breach and this sentence in the DOJ press release: "He allegedly obtained this information under false pretenses and with intent to cause malicious harm to TCH." If true, not a good way to start a career in medicine!
____________________________

*HHS's HIPAA rules (source):

  • HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
  • HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006, for small health plans).
  • The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.
  • HHS enacted a final Omnibus rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule.
  • View the Combined Regulation Text - PDF (as of March 2013). This is an unofficial version that presents all the HIPAA regulatory standards in one document. The official version of all federal regulations is published in the Code of Federal Regulations (CFR). View the official versions at 45 C.F.R. Part 160 - PDF, Part 162 - PDF, and Part 164 - PDF.
