Whether a litigant’s right to conduct informal ex parte interviews with fact witnesses extends to the plaintiffs’ treating physicians, given the confidentiality provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is a question of considerable practical importance. This question has recently received a positive answer from the Kentucky Supreme Court in Caldwell v. Chauvin, — S.W.3d —-, 2015 WL 3653447, (Ky. 2015), after “percolating through state courts, federal district courts, and academic circles for a decade.” Id. at *5. Continue reading →
As the nation braces for possibly more Ebola cases, civil liberties should be considered, including patient privacy. As news media feature headline-grabbing stories about quarantines, let’s think about the laws governing privacy in healthcare. Despite federal laws enacted to protect patient privacy, the Ebola scare brings the vulnerability of individuals and the regulations intended to help them into sharp relief.
In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy. Specifically, HIPAA’s Privacy Rule requires that healthcare providers and their business associates restrict access to patients’ health care information. For many years, the law has been regarded as the strongest federal statement regarding patient privacy. But it may be tested in the wake of the Ebola scare with patients’ names, photographs, and even family information entering the public sphere.
Ebola hysteria raises questions not only about how to contain the disease, but also to what extent Americans value their healthcare privacy. What liberties are Americans willing to sacrifice to calm their fears? How to balance the concern for public welfare with legal and ethical privacy principles? For example, will Americans tolerate profiling travelers based on their race or national origin as precautionary measures? What type of reporting norms should govern Ebola cases? Should reporting the existence of an Ebola case also include disclosing the name of the patient? I don’t think so, but the jury appears out for many.
On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.
What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.
But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store. Continue reading →