Unless there’s a subpoena, no one may review your medical records except the practitioners who treat you and the facilities where they do it, the insurance company that covers you and hospital overseers charged with evaluating doctors’ competency.
It’s federal law-the Health Insurance Portability and Accountability Act (HIPAA). Penalties for breaching medical record privacy are stiff. Civil penalties can reach $50,000 per violation. Criminal penalties for breaches committed for “commercial advantage, personal gain or malicious harm” can cost $250,000 and 10 years in jail. State laws accord patients the right to sue for such breaches of privacy.
You might remember when a UCLA medical clerk went celebrity-record snooping a few years ago, and got caught. We wrote about it, and how the feds slammed the university with an $865,000 fine.
Now another California hospital concern is in trouble for a breach of patient privacy. As described in a story by Los Angeles Times columnist Michael Hiltzik, Prime Healthcare Services and two executives of its Shasta Regional Medical Center showed one patient’s entire medical chart to the editor of her hometown newspaper, and also divulged to Hiltzik some of her examination records, even though he never asked for them.
Prime and its execs claimed the patient had implicitly waived her right to privacy because she gave some of her records to a different news organization. But the law is clear that no one may divulge a patient’s information without written permission specifying exactly who may review exactly what portions of the record for each incidence of sharing.
As Hiltzik notes, Prime is not the sort of enterprise that should get the benefit of the doubt-as the owner of 14 California hospitals, it’s under investigation by state and federal authorities for submitting possibly fraudulent bills to Medicare and Medi-Cal, the state’s health insurance program for the disabled and low-income people.
Here’s what happened, as recounted by Hiltzik.
California Watch, a government media watchdog, compiled a report about government data suggesting that Prime has inflated diagnoses to obtain excessive reimbursements from Medicare and Medicaid. It reported that in 2010, Darlene Courtois sought emergency treatment at Shasta Regional for a fall. But the hospital billed Medicare for treating a severe malnutrition condition typically seen in famine victims, a diagnosis that paid more than twice the fee as that for a fall.
Courtois told California Watch she wasn’t treated for malnutrition; she showed California Watch the file she obtained from the hospital that described her as “well-nourished.”
The Redding Record Searchlight, the local newspaper for Shasta Regional, was interested in running the California Watch report. As good journalists, its editors called Shasta for a response. Two Shasta executives, CEO Randall Hempling and Chief Medical Officer Dr. Marcia McCampbell, brought Courtois’ medical chart to the paper and discussed it in detail. They were trying to prove that Courtois didn’t accurately describe her experience to California Watch. The newspaper opted not to run the article.
Shasta never asked Courtois for permission to make her chart public.
Hempling told Hiltzik that he didn’t need Courtois’ permission. “As far as we’re concerned,” he said, “the patient gave that permission when she gave her records to California Watch and was quoted on the record. That waived her privacy.”
But there’s no such thing as an implied authorization by a patient for disclosure of personal records. The office of civil rights of the U.S. Department of Health and Human Services, which enforces HIPAA, says: “There is no ‘waiver’ that would apply to the release of a chart or medical record to the media without an individual’s written authorization.”
As Hiltzik wrote, “Under the law, patients themselves can divulge anything they wish about their medical conditions and their treatment by a hospital. But a hospital’s obligation is to keep its mouth shut. A desire to deflect bad PR is not an excuse. Even if they think they’re in the right, the law says healthcare providers have to suffer in silence, the experts say.”
One patient advocate mentioned the “chilling precedent” of a hospital company exposing a patient’s personal information just because she criticized the company in public. How many people are going to grant permission for the right reasons to the right people if they believe it’s not only those people who, ultimately, will see the information?
Most HIPAA cases concern stolen laptops containing patient data, or sloppy handling of patient files. No one Hiltzik interviewed could think of a case in which hospital executives deliberately made a patient’s chart public without written authorization.