It may not be a big dollar amount ($15,000), but a recent New York Attorney General settlement represents a big issue: an interpretation that HIPAA prohibits a health care professional who is changing practices from taking a patient list without the patients’ authorizations. Health care providers should review their procedures surrounding departing physicians and how the provider balances patient continuity of care with HIPAA’s limitations. While health care professionals often believe they are entitled to retain the contact information of the patients whom they treated, doing so requires careful navigation of HIPAA.
On Dec. 2, 2015, the New York Attorney General announced its first settlement under HIPAA. The Attorney General reached a settlement with the University of Rochester Medical Center over the Medical Center providing to a departing nurse practitioner a list of 3,403 patients whom she had previously treated, which resulted in the nurse practitioner’s future employer contacting the patients and providing them with news that the nurse practitioner was joining their practice. A number of patients called the Medical Center and complained about the letter they received. The Medical Center suspended and ultimately terminated the nurse practitioner and treated the incident as a reportable breach. The settlement requires the Medical Center to:
- Pay $15,000 to the New York Attorney General;
- Report to the Attorney General the recommendations of the internal task force that the Medical Center convened to address the issue going forward;
- Disclose to the Attorney General relevant privacy and security policies and procedures;
- Train its workforce on any changes implemented in response to the incident;
- Annually certify to the Attorney General for the next three years that it has provided this training; and
- Report to the Attorney General (for the next three years) any breaches affecting 15 or more individuals.
What is particularly noteworthy about this settlement is that it addresses an area of significant legal ambiguity with respect to HIPAA. Many health care providers struggle with balancing the importance of patient continuity of care (or the avoidance of patient abandonment) with HIPAA’s limitations. For example, the American Medical Association provides the following guidance regarding leaving a practice:
I'm leaving the employment of a physician group practice, can I take my patients and patient records with me? Can I notify patients I am leaving?
The records belong to the practice. Unless your employment agreement provides otherwise, you may be able to notify patients that you are leaving the practice and notify them of your new address. However, you should be very clear about what you are allowed to do regarding notification of patients when leaving the practice. It is recommended that you discuss/negotiate the process by which you will exit the practice. Request the right to notify your patients of your new address of your departure and information on how to contact you at your new location.
Patients are not prohibited from requesting that their medical record be forwarded to another physician, however, a physician should be very careful to avoid breach of an employment agreement, breach of privacy or patient confidentiality in accessing, copying, or taking patient records.
Although the AMA guidance indicates that a departing health care professional may be able to notify patients that they are leaving a practice and of their new address, the New York settlement raises the question as to whether doing so violates HIPAA.
To address the need to maintain patient continuity of care and HIPAA, health care providers may consider some of the following strategies:
- When a health care professional is going to leave a covered entity (Covered Entity A) for a new provider (Covered Entity B), Covered Entity A may wish to inform patients of the change as part of its health care operations, rather than disclosing the patient list to the departing health care professional or to Covered Entity B;
- If the health care professional and Covered Entity B wish to inform patients who the health care professional previously treated, they could enter into a business associate agreement with Covered Entity A to notify patients on Covered Entity A’s behalf that the health care professional changed practices (although there remains some risk that a regulator would find that the notification is not truly for Covered Entity A’s health care operations because it really is to benefit Covered Entity B);
- The health care professional and Covered Entity B can avoid using protected health information to communicate the change of practice, such as only announcing the change through posting on a website or by sending notice to community members through a mailing that does not rely on a patient list;
- While often impractical, the health care professional or the covered entities may obtain patients’ authorizations before notifying them of the change of practice; or
- Neither covered entity announces the health care professional’s change of practice (which is the safest course under HIPAA, but may not serve well those patients who wish to continue seeing the health care professional and expect to receive notice of that professional’s departure).
And, of course, it is best to consider these issues early on, such as during initial employment contracts, rather than trying to navigate HIPAA and patient issues during a heated battle over a health care professional’s departure.