HIPAA's Broad Reach - What You Don't Know Can Hurt You

Monday, November 1, 2004 - 01:00
Jeffrey M. Pollock

HIPAA1 starts out with the seemingly simple concept that a covered entity may not use or disclose an individual's protected health information (PHI) except as otherwise permitted.2 Unfortunately, determining which businesses are covered by HIPAA and what to do if there is a potential loss of information is far from clear. The purpose of this article is to share two thoughts. First, that the scope of HIPAA is probably broader than you may have believed, i.e., it is not merely a statute for hospitals and doctors. Rather, HIPAA impacts every employer with a self-insured or self-funded benefits program. Second, investigating and resolving a potential breach of the duty to maintain PHI's confidentiality is an issue to be considered beforehand. Planning ahead is not only good business sense but will prove essential to maintaining the attorney-client privilege in the face of an increased number of civil and criminal HIPAA complaints.

HIPAA Background

HIPAA was designed to accomplish several different goals, including combating health care fraud, assisting patients in the transport of their medical information,3 and protecting the health insurance rights of individuals who had lost their jobs. One of HIPAA's core goals is to protect individuals' PHI from wrongful disclosure. Because many states already had laws protecting an individual's right to privacy in their medical information, HIPAA was designed to create a regulatory floor for the right of privacy in personal medical information.

In addition to trying to reach the goals above, HIPAA contains a complicated provision ironically entitled Title II of HIPAA (Administrative Simplification). This "Administrative Simplification" is a misnomer entailing extensive privacy and security standards and requirements. Meeting the privacy and security standards and requirements has been and will continue to be an arduous task. Even though it imposes a number of legal obligations upon covered entities, HIPAA carries no personal cause of action for individuals whose rights are violated but does carry the threat of criminal prosecution for those who knowingly misuse PHI.4 HIPAA also fails5 to state clearly what a covered entity is required to do if it suspects that PHI may have been "leaked" or wrongfully disclosed. That is, how do you investigate the loss of PHI? Following are some concerns you may wish to consider if your company faces that question.

HIPAA's Reach May Be Broader Than You Thought

HIPAA does not merely apply to hospitals, doctors, and direct providers of medical care. Although HIPAA is intended to apply only to covered entities (health plans, health care clearinghouses, and health care providers transmitting confidential health information electronically), HIPAA's extensive reach arises from the definition of a "health plan," which is defined as an "individual or group plan that provides, or pays the costs of, medical care." HIPAA may apply to law firms, non-health care related companies, and other business entities depending upon how they obtain confidential health information regarding their employees as well as the level of information obtained. To determine whether your company or firm is covered by some or all of HIPAA's obligations, evaluate the degree to which your company is self-insured or provides self-funded benefits (such as flexible spending accounts).

As you consider whether your company has HIPAA obligations, evaluate in particular the following: (1) how your employer conducts reference and background checks, (2) how your company monitors employee email/internet usage and how it searches what may be employee property, and (3) how your employer obtains, secures, and discloses both employee and potential employee health and drug/alcohol testing information. Each of these areas may contain significant PHI. The wrongful use or disclosure of PHI can subject your employer to both civil and criminal liability under HIPAA. PHI includes all identifiable health information received by a health care plan or health care provider. Thus enrollment forms, claims forms, as well as medical supply applications all may be protected PHI under HIPAA.

Similarly, testing of both job candidates as well as of existing employees for drugs or alcohol must be undertaken with great care. The resultant information may be PHI even if it is otherwise legal for your company to obtain. Any testing should be obtained only when necessary, the testing used should be as narrow as possible to accomplish your objective, and the test results must be secured. It should go without saying that disclosure is also particularly sensitive and must be both HIPAA and State law compliant.

Even if you are not a covered entity, you may find your company or firm ensnared in HIPAA's regulatory scheme as a "business associate."6 Lawyers for covered entities are business associates.7 A business associate is a person or entity who performs a function or activity on behalf of a covered entity that involves use or disclosure of PHI. Prudence requires that counsel train both their legal and support staff on HIPAA's privacy requirements. PHI is quite broad and includes both oral and recorded individually identifiable health information relating to the individual's past, present, or future health condition or treatment.

HIPAA's impact upon lawyers whose practice relies upon PHI may be immediate. First, several courts have ruled that HIPAA bans all ex parte interviews with treating physicians.8 In-house counsel may need to monitor outside counsel's actions because outside counsel's actions are likely to be imputed to the Company. Even though HIPAA itself provides no private right of action,9 an individual whose rights are allegedly violated may file a complaint with the Office of Civil Rights and may also try to persuade the United States Attorney's Office to take action.

Honoring Your Obligation To Investigate - How Far Do You Have To Go?

What do you do if a covered entity or a business associate has reason to believe that PHI has been wrongfully released? The current standard of practice for most health care providers is to have a privacy policy and procedure in place, part of which addresses the question of how to conduct an internal investigation in the event of a suspected breach of patient privacy rights. From counsel's perspective, there are a number of concerns to be addressed immediately as they frame the nature of any investigation. These issues include the following at a minimum:

1. Wear Your Litigation Hat. Before commencing an internal investigation it is essential that legal counsel be involved, and further, that legal counsel be serving in a legal (i.e., not a business) capacity. In-house counsel routinely face this issue because they often serve in a business capacity and yet are within the legal department. While it may not seem important whether you are wearing your legal or business hat at a particular point in time, if you are involved in an investigation pertaining to lost or misappropriated PHI, make sure to establish that you are functioning in the capacity of legal counsel and for the purpose of providing legal advice to the company.

How do you prove that you were acting in your capacity as legal counsel and not in the role of Privacy Officer? Perhaps the easiest way to look at this problem is to imagine that a suit is brought in two months against the company due to the alleged loss of PHI. A discovery demand is made for the company's internal investigation. Is it a business record prepared in the ordinary course of business? Or is it a document that was (1) prepared with the expectation and understanding of confidentiality, and (2) created for the purpose of assisting in-house or outside counsel in providing legal advice to the company? You may improve your chances of establishing that the information learned during the course of the investigation is privileged by retaining outside counsel whose sole function is to assist you in providing legal advice regarding the alleged loss of PHI. Similarly, every witness interview and every email, memorandum, or presentation to the Board should commence with the following phrase (or its equivalent): PRIVILEGED & CONFIDENTIAL (This document/interview/presentation is protected from disclosure by virtue of the attorney-client privilege and the work product doctrine).10

2. Who Is Your Client? In conducting your investigation and in providing legal advice, bear in mind the question "who is your client?" In a hospital or health care setting the physicians, file room, staff clinicians, nurses, and the Board of Directors all believe that you are their lawyer. This belief is usually confirmed to some degree by the manner in which investigatory interviews are conducted. In particular, at one point or another counsel typically states that "our conversations are covered under the attorney-client privilege." A logical conclusion from this statement is that the interviewee is your client. He or she is not. Rather, typically the institution is your client, and that is the entity to whom your duty of loyalty lies. Although the question "who is your client" seems simple enough, consider it carefully as you embark upon an internal investigation so that you protect not only the interests of the institution but also the legal rights of those whom you interview during the investigatory process.

3. How Far Do You Have To Go? Assume that you have formed the belief that PHI has been misappropriated or mishandled. How detailed and extensive an investigation must you conduct to determine the culprit or cause? HIPAA does not say. Rather, one way of looking at this problem is to recognize that a covered entity has characteristics of both a private and a public entity. Although a covered entity or business associate may be privately owned, it also has many of the characteristics of a regulated public utility. Because of this "hybrid" status, covered entities and business associates may argue that they are entitled to discretion in how they conduct an internal investigation of the alleged loss of PHI. The Courts are likely to be extremely reluctant to enter into the morass of how much investigation is enough.

In documenting your internal investigation, give serious thought to the precedent you may set for future investigations. Not all potential breaches of PHI are alike, and it may be appropriate to end some internal investigations after a phone call or two. In other cases, it may be appropriate to hire outside counsel, retain an investigator, commence legal proceedings against the party believed to have purloined the PHI in its possession, etc. It is recommended that the corporate record reflect clearly that every investigation was conducted based upon the facts and applicable law in that case, so that it is clear that the decision in a particular case was unique (and therefore should not be precedent for the level of investigation in another matter).

Due to the broad definitions within HIPAA, many employers who consider themselves neither "covered entities" nor "business associates" are going to find, to their dismay, that they in fact had HIPAA obligations of which they were simply unaware. One of the duties that employers have under both HIPAA and many State laws is the duty to protect PHI from wrongful disclosure. Because of HIPAA's focus on the right of privacy, it is a foregone conclusion that individuals whose PHI has been inadvertently or negligently disclosed will seek to recover for the loss of their privacy rights. Further complicating this picture is the fact that the United States Attorney's Office has commenced filing actions against individuals who obtain and use PHI for their own benefit. It is well worth investing the time to determine if your company is covered by HIPAA and to ensure that your employer is taking appropriate steps to protect against the wrongful disclosure of PHI.

1 The Health Information Portability and Privacy Act of 1996, Public Law 104-191.
2 45 C.F.R. 164.502(a).
3 Nahra, Kirk J., Financial Institutions and the New HIPAA Rules, Standard & Poors Review of Banking and Financial Services, Vol. 20, No. 8 (June 1, 2004).
4 The U.S. Department of Justice recently announced a guilty plea agreement marking the first criminal conviction under the health information privacy provisions of HIPAA. The defendant, a former employee of a health care provider, pled guilty to wrongful disclosure of individually identifiable health information for economic gain in violation of Title 42, United States Code, Sections 1320d-6(a)(3) and 1320d-6(b)(3). United States of America v. Gibson, No. CR04-374 RSM (W.D. Wash. August 2004). A copy of the plea agreement is available on the Department of Justice Web site at www.usdoj.gov/usao/waw.
5 45 CFR 164.501.
6 45 CFR 162.923(c) (2003); Nagel, Meredith, Litigation After HIPAA's Patient Privacy Regulations, 15 The Health Lawyer (August 2003).
7 Bernabe, Lynne, 40 Sept. JTLATRIAL 32 (September 2004).
8 Northwestern Mem. Hosp. v. Village of South Chicago Health and Welfare Fund, No. 03 C 4006, 2004 WL 1687057 (N.D. Ill. July 27, 2004).
9 Kescheck v. St. Vincents Medical Center, No. 19887101, 2004 WL 2187164 (N.Y.Sup. Sept. 24, 2004).
10 If your state recognizes the deliberative process privilege, you may wish to claim that as well.

Jeffrey M. Pollock is a Partner at Fox Rothschild and can be reached at JMPollock@FoxRothschild.com. This article reflects the thoughts of the author and is not attributable to Fox Rothschild nor to the firm's clients. Mr. Pollock engages in complex litigation. Mr. Pollock has both counseled and represented hospital and other health-care related clients on matters involving patient privacy rights under HIPAA as well as under state law.