Madison - St. Clair Record

Friday, April 3, 2020

HIPAA 'not extraordinarily' protective of personal info, law professor says; Prosecutions rarely occur

By Amanda Robert | Feb 18, 2015


In recent weeks, it has been widely reported that Dr. Robert Taub will testify in the corruption case against New York State Assembly Speaker Sheldon Silver.

According to the Jan. 21 federal complaint, Taub referred his patients from the Columbia University Mesothelioma Center to the high-profile asbestos cancer law firm Weitz & Luxenberg, which employed Silver. These patients and their cases generated millions in referral fees for Silver, who in exchange, the complaint says, secretly directed state funding to Taub’s cancer center.

While it seems that Taub’s role as a government witness may have helped him avoid criminal charges, should he be held to standards agreed to by all medical professionals, particularly the Health Insurance Portability and Accountability Act, or HIPAA?

Karen Porter, an associate professor of clinical law at Brooklyn Law School, who also serves as executive director of its Center for Health, Science and Public Policy, points out that HIPAA isn’t “extraordinarily protective of people’s information.”

She explains that its Privacy Rule, which was enacted in 2000 and then modified in 2002, does protect “individually identifiable health information,” including names, addresses, birth dates and Social Security numbers.

However, Porter says, it sets a minimum standard of privacy, because even though it applies to health-care providers, health plans and health-care clearinghouses, it also allows these covered entities to share patients’ protected health information in many cases.

“An individual can agree to have their information shared,” Porter said. “So in this case, if the doctor in question had a conversation with an individual and said, ‘You could consult an attorney,’ and then the patient said, ‘You are probably right,’ and the doctor volunteered an attorney and even asked whether they wanted the information sent to the attorney, and the patient agreed to that, there is no real HIPAA violation.”

Thomas Miller, a resident fellow at the American Enterprise Institute, where he studies health care policy, agrees that if Taub recommended that his patients contact Weitz & Luxenberg, it was permissible under the HIPAA Privacy Rule. However, he says, other situations may have spelled trouble for the doctor.

“If he on his own just said, ‘Here’s the name, here’s the address, here’s the condition,’ without running it through the patient, that on its face would seem to be breaching the health privacy rules,” Miller said.

He contends that historically, even if an action is not proper under HIPAA, it doesn’t mean that the government will target or police that action. For example, he says, plaintiff lawyers have been in the business of recruiting patients as clients for many years, but there has never been a large-scale HIPAA prosecution brought against any of their doctors.

“It might be that they’ve gone through it in a way that skirts the edges of the law, such as I discussed, where the doctor can just be helpful, but it’s still the patients going forward and making their information available to the firm,” Miller said.

Miller adds that because doctors and other health-care groups don’t often blatantly violate HIPAA, only a small number of actual HIPAA prosecutions have been documented in the past decade.

Porter points out that even if one of the covered entities that must comply with the HIPAA Privacy Rule – health-care providers, health plans or health-care clearinghouses – is prosecuted for a HIPAA violation, they typically will not face harsh penalties.

According to the Privacy Rule, the U.S. Department of Health and Human Services “may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year.”

However, Porter adds, HIPAA’s Privacy Rule also mandates that covered entities will face criminal penalties if they knowingly obtain or disclose protected information for commercial advantage or personal gain. In this scenario, they could face a minimum fine of $50,000 and at least one year in prison.

“That seems to be a little bit about what might be contemplated here — for example, if there was a kickback,” Porter said. “The patient [who granted consent] may not understand that the doctor is going to gain financially from providing this information. It seems to suggest that there may be some recourse under HIPAA, but it would have to be prosecuted by the federal government.”

Want to get notified whenever we write about any of these organizations ?

Sign-up Next time we write about any of these organizations, we'll email you a link to the story. You may edit your settings or unsubscribe at any time.

Organizations in this Story

New York State AssemblyAmerican Enterprise Institute