Where Is the HIPAA Right to Defend One’s Self?
When a patient publicly disparages a health care provider, HIPAA leaves the health care provider in a seemingly impossible situation. If the health care provider does not respond and dispute the allegation, then its reputation – a precious commodity to an organization that relies on patients to trust it with their lives – may take a significant hit. But the HIPAA Privacy Rule seemingly does not provide permission for a covered entity to disclose protected health information to defend itself – even though the patient may have already made the protected health information public. And the HHS Office for Civil Rights (OCR) has now brought financial enforcement actions against a number of different covered entities that have released protected health information to defend themselves against public allegations. I am not suggesting that health care providers should have a right to release full medical records any time a patient matter receives publicity. But HIPAA should afford some avenue for health care providers to reasonably defend themselves.
On November 26, 2018, OCR announced a $125,000 settlement with Allergy Associates of Hartford over allegations that it violated HIPAA when responding to a reporter with information about a patient. According to the settlement, the patient had contacted a local television station alleging that she was turned away from the health care provider over her use of a service animal. The reporter contacted the health care provider for a comment. According to OCR’s press release, despite instructions from the provider’s privacy officer, a doctor responded to the reporter with protected health information. Neither the press release nor the resolution agreement indicate the nature of the protected health information that was disclosed. It is worth keeping in mind that “protected health information” can range from details about treatment to merely confirming that an individual sought health care from the provider. This case joins at least two other resolution agreements in which OCR financially settled with health care providers for responding to public allegations.
These cases highlight a particularly vexing area of HIPAA. While the Privacy Rule includes a wide range of permissions for disclosing protected health information, it does not seem to include a mechanism for navigating situations in which a provider’s reputation is at issue and where the patient has publicly disclosed the protected health information. This problem may arise in a range of circumstances – from responding to high-profile stories in the press, to merely responding to negative reviews on social media. There seemingly is not a reasonable way for a health care provider to defend itself against public patient allegations.
The Privacy Rule permits disclosures for “health care operations,” which includes “customer service” and “business management and general administrative activities of the entity.” But the risk seems high, especially in light of the enforcement actions referenced above, that a regulator might find that publicly responding to negative patient allegations falls outside “health care operations.”
The Privacy Rule permits a covered entity to respond to the press if the patient provides a HIPAA-compliant authorization. But an angry patient may be reluctant or unlikely to provide such an authorization. A health care provider can supply the reporter with an authorization form, and indicate that the provider only can provide comment if the reporter obtains the patient’s authorization. But reporters may be unwilling or unable to seek the patient’s written authorization on the provider’s behalf.
Where this leaves health care providers is that they seem to be completely hamstrung. They might be accused of poor patient care, fraud, or discrimination, but their only permitted response under HIPAA may be “no comment” or trying to walk a tightrope of speaking in general terms about their practices without referencing the accuser’s case specifically. The result of strict HIPAA compliance is possibly adverse media reports that, thanks to the Internet, will live on indefinitely.
This challenge appears on social media every day. A smaller practice’s livelihood may be jeopardized by a single negative review online. But HIPAA may not permit the practice to specifically refute the matter without a patient’s written authorization.
This problem does not lend itself to easy solutions. A patient’s privacy is of paramount importance, and a patient’s single public disclosure of limited medical information should not be seen as a waiver of all of the patient’s HIPAA rights. But health care providers, both big and small, should have some mechanism to defend themselves against allegations that may be unfounded, misleading, or false. Adding to the complexity is whether a provider’s First Amendment speech is unconstitutionally silenced by HIPAA regulations once HIPAA’s purpose to protect patient confidentiality has been defeated by the patient’s own conduct.
At a minimum, HHS should closely scrutinize this issue and consider whether there is any way to balance these competing interests and allow health care providers some narrowly-tailored means to defend themselves. For example, the Privacy Rule includes several circumstances (patient directories, fundraising, identifying suspects and fugitives) where a defined amount of information is permitted to be disclosed. HHS could add a similar permission where certain limited information, clearly defined in the regulations, could be released in response to public statements that contain protected health information. Alternatively, HHS could amend the regulation to at least permit health care providers to discuss protected health information that has already been publicly disclosed by the patient.
Patient privacy is a right, and it is one that must be protected. But it is one that should be balanced against other interests so that health care providers also have some right to defend themselves in the court of public opinion. It is time to find a solution that both balances and protects patient and provider interests in this regard.