Healthcare privacy and security issues arise every single day as information becomes less secure and enforcement grows more stringent. In fact, data breaches have risen drastically in recent years. A whopping 92 percent of all healthcare institutions have experienced one in the past few years, costing an average of $2.2 million.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was intended to streamline healthcare processes by establishing standards for electronic technology to process billing and insurance transactions. Although HIPAA has a mechanism by which healthcare providers can be subject to federal civil and criminal penalties for violations, HIPAA does not allow for a “private cause of action,” meaning a private individual cannot sue a health care provider for breaching his or her medical privacy. So it is very important to pay close attention to the way each state’s courts interpret HIPAA compliance relating to individual lawsuits.
Last week, the Tennessee Supreme Court completely dismissed one woman’s lawsuit because she failed to comply with HIPAA’s medical release requirements. According to the Supreme Court decision filed on November 25, Christine Stevens filed the suit after the 2010 death of her husband, Mark Stevens, who had looked for treatment at the Hickman Community Hospital emergency room.
Interestingly, there was a big difference between how the Tennessee trial judge and the state Supreme Court Justice Sharon G. Lee, who wrote for the majority, viewed Christine Stevens’ responsibility in providing a HIPAA-compliant release to the defendant, Hickman Community Health Care Services. The trial court said that Stevens was excused from offering the release because of “extraordinary circumstances.” Meanwhile, the Supreme Court said that a medical release requirement provides a means for the defendant to evaluate the merits of a plaintiff’s claim by giving the defendant early access to a plaintiff’s medical records.
So, the Supreme Court overruled the trial court’s decision saying that Stevens’s suit was invalid as the errors were numerous and significant. Due to Plaintiff’s material non-compliance, Defendants were not authorized to receive any of the Plaintiff’s records. As a result of multiple errors, Plaintiff failed to substantially comply with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).
Chief Justice Gary R. Wade’s said that though the medical authorization form problems were significant, Stevens had substantially complied with HIPAA. Additionally, he argued that the inadequate medical authorization form didn’t prevent access to the medical records, all of which he said were in the defendant’s hands. Because the defendant failed to take minimal steps toward obtaining a proper medical authorization, Wade said they forfeited any claim of prejudice.
A HIPAA-compliant medical release must include:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
For more news on HIPAA and compliance, check out the following: