Healthcare Providers Should Be Proactive by Reviewing Their HIPAA Compliance Programs

HIGHLIGHTS:

  • On Oct. 10, 2014, the 11th Circuit opinion in Murphy v. Dulay provides significant guidance regarding HIPAA authorization forms. One of the most important provisions of the opinion focuses on the fact that HIPAA authorizations need not be signed voluntarily to be valid.
  • Another opinion by the 11th Circuit on Sept. 29, 2014, stated that the Notice of Privacy Practices referred to "health information" as the contents of the patient's record, including not only treatment records and test results, but also "billing-related information." Mais v. Gulf Coast Collection Bureau, Inc. also confirms that, when a patient, or someone on the patient's behalf, agrees to the provisions in those documents, that agreement will be binding.

On Oct. 10, 2014, the 11th Circuit issued an opinion in Murphy v. Dulay that provides significant guidance regarding HIPAA authorization forms. The appeal involved a challenge to a Florida medical malpractice law requiring a plaintiff, as a pre-condition to filing suit, to sign a HIPAA-compliant authorization form allowing the defendant to obtain medical information and conduct interviews of the plaintiff's medical providers outside the presence of the plaintiff or his or her lawyers. Section 766.106, Florida Statutes, requires a potential medical negligence plaintiff to notify each prospective defendant of the intent to litigate. The notice must be provided at least 90 days prior to filing a lawsuit, and must consist of a number of items, including an executed authorization form. Section 766.1065, Florida Statutes, sets out the required provisions of the authorization form. If the plaintiff later revokes the authorization, the presuit notice filed under Section 766.106 becomes retroactively void, and may prevent the plaintiff from filing suit if the relevant statute of limitations period has run.

The lower court had concluded that, because the Section 766.1065 form was not voluntary, it would result in the disclosure of information protected by HIPAA without the patient's consent, and without the protection of other HIPAA regulations. The appellate court discussed HIPAA's authorization form requirements at length and found that, in this case, HIPAA was not contrary to state law. The court also found that the Section 766.1065 form complied with HIPAA's detailed requirements for authorizations.

Voluntary Signing of HIPAA Forms Not Required for Validity

One of the most important provisions of the opinion focuses on the fact that HIPAA authorizations need not be signed voluntarily to be valid. The court observed that the Secretary of the Department of Health and Human Services, in responding to public comments on the HIPAA regulations, noted that the Secretary could not prevent individuals from being coerced into signing authorization forms in all circumstances. For example, the Secretary does not have the authority to prohibit an employer from requiring employees to sign a HIPAA authorization in order to get a job. Also, individuals can be required to sign authorizations to obtain financial benefits. The court found that neither the HIPAA statute nor the regulations explicitly require authorization forms to be signed voluntarily. Since plaintiffs do have a choice about whether to bring a medical malpractice suit in the first place, they also ultimately have a choice about whether or not to sign the forms.

Had the lower court's decision been upheld, healthcare providers and health plans that disclose protected health information based on a HIPAA-compliant authorization would run the risk that the form could later be found to be invalid because the patient did not sign voluntarily. Providers may have had a duty to go behind the form and investigate the circumstances under which it was signed, but this would be impractical, if not impossible, in most cases. This opinion provides useful guidance and greater certainty regarding the validity of authorization forms that comply with HIPAA.

Terms of Patient Admission Documents Need to Be Read Carefully by Signers

Murphy v. Dulay is not the only decision relevant to HIPAA issued recently by the 11th Circuit. Mais v. Gulf Coast Collection Bureau, Inc., released on Sept. 29, 2014, involved a claim by a patient against a collection agency and a hospital-based radiology provider. The plaintiff alleged that the debt collector made autodialed prerecorded calls in violation of the Telephone Consumer Protection Act of 1991 (TCPA). There is a private right of action for an individual to seek monetary damages based on a violation of the TCPA. When the patient was admitted to the hospital, the patient's wife listed his cell phone number on the hospital admissions form. She also received the hospital's HIPAA Notice of Privacy Practices and agreed to the disclosure of the patient's health information for purposes of "treatment, payment or healthcare operations," including releases "related to benefit payment." The Notice of Privacy Practices also indicated that the hospital could disclose health information to bill and collect payment. One of the admission documents also specifically indicated that the services of radiologists will be billed for separately by the physicians' billing company.

Providing Cell Number Determined to Be Consent for Being Contacted

The Federal Communications Commission (FCC) issued a 2008 declaratory ruling (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, 23 FCC Rcd. 559, 564), indicating that providing a cell phone number to a creditor is evidence that the individual has expressly consented to being contacted at that number regarding the debt. The 11th Circuit held that the TCPA exception for express consent, as interpreted by the FCC in its 2008 ruling, entitled the defendant to judgment as a matter of law.

The Mais case is interesting for a number of reasons. First, the patient's wife, rather than the patient, signed the admission forms. The court observed that, by signing the admission forms, the patient's wife agreed to let the hospital transmit health information for billing purposes. The court disagreed with the plaintiff's argument that a cell phone number is not "health information" as contemplated by the admission forms. The court disagreed, and stated that the Notice of Privacy Practices referred to "health information" as the contents of the patient's record, including not only treatment records and test results, but also "billing-related information." The court also noted that the "[s]tatutory definitions found in HIPAA also support this interpretation."

Healthcare Providers: Be Proactive by Reviewing Your HIPAA Compliance Program

Both of these cases provide useful clarity for entities working to comply with HIPAA:

  • Dulay affirms the validity of authorization forms that comply with each of the requirements listed in the HIPAA regulations.
  • Mais emphasizes the importance of drafting admission documents and the HIPAA Notice of Privacy Practices carefully, and confirms that, when a patient, or someone on the patient's behalf, agrees to the provisions in those documents, that agreement will be binding.

Healthcare providers should review their HIPAA compliance programs in light of these recent decisions.