Nearly every aspect of modern life now has a virtual or electronic component. Most of us choose every day to share information online at the click of a button, and for many consumers, sharing health care information is no exception. That alone underscores how significantly things have changed over the past decade.

We live in an interconnected world of technology and privacy, and concern over boundaries that are not respected is hardly unexpected. The European Union (EU) enacted the General Data Protection Regulation (GDPR) in 2016; it became effective in May 2018 and put the EU miles ahead of the US in this space. The GDPR treats the protection of personal data as a “fundamental right”. The US has yet to enact any over-arching data protection regulation, perhaps because of backlash from large companies objecting to complicated mandates, or from concern that such regulation would suppress innovation at a time when we are making tremendous strides in research and a positive impact on the delivery of health care as a whole.

Either way, this shift is affecting healthcare in more ways than one. Our traditional notions of how we deliver and receive care, conduct research, and predict outcomes are becoming more and more aligned with technologies such as artificial intelligence and cloud computing. Driving this shift is the realization that by embracing advances in technology we can improve the quality of care we deliver, in areas such as telemedicine and the use of machine learning, predictive analytics, and prescriptive analytics in research to cure and prevent diseases such as cancer. Of course, the Health Insurance Portability and Accountability Act (HIPAA) protections apply in this context. But what about the consumer market, where companies not covered by HIPAA are developing products that collect personal health information?

Today, companies are developing products for the consumer market that would have been unimaginable just a few years ago. Microsoft filed over 70 patents related to healthcare in the last 5 years. During this time there has been an explosion of consumer products, apps and devices that collect health information (such as fitness and health monitoring devices) but to which HIPAA protections do not apply. Apple recently launched its Health Records feature, allowing users to store their medical records on their smartphones. And then there is Amazon, which has affected the supply chain by offering lower cost medical supplies to hospitals and clinics, and in June entered into an agreement to acquire the online pharmacy PillPack.

These apps, services and connected devices collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal, raising new concerns about the nature of privacy and the means by which individual privacy might be compromised or protected. We have entered a whole new world in which HIPAA-regulated Protected Health Information (PHI) intersects with health data of the same sensitivity that no privacy regulation covers. Data from these devices should not be usable by insurers to set health, life, car, or other premiums, or to affect employment, credit, housing, or other areas of public life. California recently passed a strict data protection law, and it is anticipated that other states will follow suit and tighten their rules on data protection as well.

We are in the midst of the fourth Industrial Revolution, a profound shift that is fundamentally altering the way we live, interact, and perform our jobs every day, at a pace far more furious than the revolutions of the past. Yet there does not appear to be any federal mandate similar to the GDPR on the horizon in the US; unlike the EU, the US has fallen short of committing to one since the Obama administration.

For more information on health care privacy issues, contact Linda Mancini at 781-272-8001.


In 2017, President Trump issued a call to action that led to the declaration of a nationwide public health emergency regarding the opioid crisis. In response, the Office for Civil Rights (OCR) issued guidance on how HIPAA allows information sharing to address the opioid crisis.

OCR’s guidance, released in October 2017, addresses when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when that patient may be in crisis and incapacitated, such as during an opioid overdose. It supplements existing guidance on sharing with family members, friends, and personal representatives as a general rule (45 CFR § 164.510(b)). For example, the HIPAA Privacy Rule already allows healthcare providers to share information with a patient’s loved ones in certain emergency or dangerous situations, including informing persons in a position to prevent or lessen a serious and imminent threat to the patient’s health or safety (45 CFR § 164.512(j)).

Sorting out the nuances of the HIPAA privacy rules can be tricky, especially amidst this opioid epidemic. But when an emergency is in progress with a patient in crisis, it becomes vital to ensure that barriers to family support are not created due to misunderstandings about HIPAA.

Healthcare providers must understand when and how they can share information with patients’ family members and friends without violating the HIPAA Privacy Rule.

For more information on HIPAA issues, contact Linda at 781-272-8001.


A brief guide to legal healthcare documents

Guardianship: Appointed when a person becomes incapacitated, a guardian has authority to make decisions about the person’s support, care, education, and healthcare treatment.

Conservatorship: Appointed when a person becomes incapacitated, a conservator has authority to manage the real and personal property of the individual.

Healthcare Proxy (HCP): Created before a person becomes incapacitated, it gives a named agent authority to make healthcare treatment decisions. It is invoked upon the individual’s incapacitation.

Durable Power of Attorney (DPOA): Created before a person becomes incapacitated, it grants an agent authority to manage the real and personal property of the individual. A durable POA continues in effect after the individual becomes incapacitated. Some DPOAs also cover medical care (a medical durable power of attorney, or MDPOA).

Generally speaking, a guardianship is sought when there is no healthcare proxy or medical durable power of attorney in place. Healthcare providers are often in the position of petitioning the court for guardianship when there is no other responsible or willing person available to obtain the guardianship. The need for guardianship must be supported by a licensed clinician or clinical team report that certifies incompetency.

In contrast, a conservatorship is sought when no durable power of attorney was in place before the individual became incapacitated. Conservatorship requires proof of bond(1) as well as a medical certificate (to certify incapacity) signed by a licensed clinician, or a clinical team report. In Massachusetts, the medical certificate is a seven page form available on the court’s website.


When a healthcare proxy is in place, it trumps a guardianship, so it is important to know whether one exists before seeking a guardianship. If a medical durable power of attorney is in place it will trump any healthcare proxy, and a medical durable power of attorney trumps a conservatorship. However, a durable power of attorney and/or HCP can be revoked upon a showing of exceptional circumstances such as fraud, or another significant circumstance such as the death of the named proxy.

Footnote 1. A conservatorship bond is a type of court bond that ensures the court-appointed individual will fulfill their obligations. The bond amount is usually set equal to the value of all of the patient’s assets plus one year of the patient’s income. Once the court has established the conservatorship, it typically allows the conservator to be reimbursed for the cost of the bond from the assets of the patient.

For more information on guardianships, contact Linda at 781-272-8001.


Cooperation is a mitigating factor by which a corporation (such as a healthcare organization) can receive credit in a case that would otherwise be appropriate for indictment and prosecution. Depending on various factors, an organization may earn cooperation credit when it self-reports misconduct.

The credit itself may be in the form of reduced charges or penalties, deferred prosecution agreements or non-prosecution agreements and even an opportunity to modify certain terms of a settlement agreement. The extent of the cooperation credit earned will depend on all the various factors that have traditionally applied in making this assessment, such as the timeliness of the organization’s cooperation, the diligence, thoroughness and speed of the internal investigation, and the proactive nature of the cooperation.

Source: USAM (U.S. Attorneys’ Manual) 9-28.000 – Principles of Federal Prosecution of Business Organizations.

For more information on cooperation credit, contact Linda at 781-272-8001.


A recent Legal Topics in Healthcare post described the CMS “Patients Over Paperwork” Initiative. One documentation area affected by this initiative is the teaching physician’s burden when a medical student’s documentation supports a patient’s evaluation and management (E/M) services.

In February 2018, CMS published Change Request CR10412, which allows a teaching physician to simply verify a student’s E/M visit notes rather than re-document components of the E/M service. This is a major change from the requirements prior to CR10412, under which a physician was not allowed to refer to the student’s documentation of physical exam findings or medical decision making. In other words, the teaching physician was previously required to re-document E/M services already documented in the medical record by the student, including the history of present illness, the physical exam, and the medical decision making activities of the E/M service.

This change was effective February 2, 2018, and is intended to simplify the administrative burden on practitioners under CMS’ paperwork initiative. For more information, please refer to the official instruction, CR10412, issued to the Medicare Administrative Contractors (MACs) regarding this change.

For more information on E/M documentation, please contact Linda at 781-272-8001.


In February 2018, the Centers for Medicare and Medicaid Services (CMS) implemented the Patients Over Paperwork (POP) initiative. The proposal set out to reform certain documentation requirements currently used to support Medicare billing. The goal is to reduce time spent on documentation, thereby increasing the amount of time clinicians spend with their patients and in turn improving the quality of patient care, while continuing to document only clinically meaningful information. The proposal also addresses quality reporting requirements, focusing on measures that most significantly affect health outcomes and support interoperability and electronic information sharing among health care providers.

In July 2018, CMS sought comment through a Request for Information (in a Proposed Rule) asking whether providers and suppliers can and should be required to inform patients about charge and payment information for health care services and out-of-pocket costs, what data elements would be most useful to promote price shopping, and what other changes are needed to empower health care consumers.

For more information on Medicare documentation issues, please contact Linda at 781-272-8001.


The 21st Century Cures Act of 2016 (Cures Act) directed the Department of Health and Human Services (HHS) to simplify the authorization process for individuals who want to release Protected Health Information (PHI) for research purposes. Individual authorization is necessary if the information will be used or shared in any form other than aggregate (that is, without patient identifiers or details specific to an individual patient).

In June 2018, the HHS Office for Civil Rights (OCR) published the following guidance.

  • Purpose of the Use and/or Disclosure for Future Research Authorizations
    The purpose must be documented in a manner that makes clear the individual is consenting to release PHI for “future” research (even if the “future” studies are not determined at the time of authorization).
  • Expiration of Authorizations
    The authorization need not state a specific date. It is sufficient to document “none”, “when the research ends” or “when I revoke”.
  • Right to Revoke Authorization
    Authorization forms to release information for research purposes must document the individual’s “right to revoke” and describe how to invoke it. Covered entities must provide individuals with a copy of the signed authorization for future reference when revoking. (Some covered entities also remind individuals of this right on a regular basis, for the reason stated below.)
  • Caveat
    It is imperative that the revocation be received by all parties who may receive or release the research information, to avoid an improper disclosure. For example, an individual may send notice of revocation to the researcher. The researcher obtains PHI from a hospital. The hospital will continue to release PHI unless the researcher shares the revocation. The researcher is not obligated to notify the hospital of the revocation, and may assume the same revocation was submitted to the hospital.

See the full law here: Cures Act, Public Law No. 114-255 (12/13/2016).

For more information on the Cures Act, please contact Linda at 781-272-8001.


Generally speaking, HIPAA does not give an individual the right to sue for a HIPAA violation: HIPAA creates no private cause of action. This means that the government can bring an enforcement action against a covered entity (CE) for non-compliance and seek penalties, but an individual cannot use HIPAA as the basis for a suit under the federal regulations. However, an individual may seek damages from a CE under state law in a “civil action” for negligence (a tort), and state courts may look to HIPAA as the standard of care by which a negligence claim is measured.

For example, when a state court looks to HIPAA, it will allow a breach of privacy under the HIPAA regulations to show the underlying basis for a breach of duty in a negligence claim for public disclosure of private facts. Duty is one of the four elements the plaintiff must prove; the other three are:

  • Breach of duty,
  • Causation, and
  • Damages.

But the analysis does not stop there. Duty of care is pivotal in these cases because, to show that a duty was owed, the plaintiff must show that the incident was foreseeable. Foreseeability is a tricky area and not always clear. In addition to public disclosure of private facts, Massachusetts recognizes three other invasion of privacy torts:

  1. Intrusion on physical seclusion,
  2. False light, and
  3. Appropriation of another’s name or likeness for benefit.

A recent Connecticut case allowed a HIPAA violation to show a breach of the duty of care. A physician’s office had released records without the proper authorization or order, and the court found that, because HIPAA had been violated, the case could go forward in state court on a privacy claim. See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 327 Conn. 540 (2018). The facts of the case involve the office’s release of medical records in response to a subpoena without first obtaining the patient’s consent, obtaining a protective order, or notifying the patient in accordance with the regulatory procedures under HIPAA.

For more information on HIPAA litigation, please contact Linda at 781-272-8001.


There are principles of full disclosure under civil procedure that do not exist in criminal procedure. In the civil setting, the defendant is entitled to notice of the plaintiff’s case, which gives the defendant a better opportunity to formulate a defense and prevail on a motion to dismiss. The goal is to maintain even-handedness: in the civil context the plaintiff must “plead with particularity” (in fraud cases), and the defendant must respond to the allegations, admitting or denying each one while setting forth its specific defenses.

The criminal context is much different. Only under very limited constitutional circumstances must the prosecutor disclose information about the particular allegations against the defendant. Although the defendant’s defenses are protected, the defendant is equally disadvantaged by not knowing the specific details of the prosecution’s allegations. What is more, the criminal verdict may be used against the defendant, since collateral sanctions can attach automatically to felony convictions.(1) For example, consider a defendant who finds herself facing criminal charges under the Anti-Kickback Statute, which has both civil and criminal provisions.

Common sense dictates that it would not benefit the defendant to disclose details to the prosecutor that may be used against her, and the law limits the information that the prosecution must provide. Thus a criminal case is tried with both parties in the “dark.” One cannot help but wonder about the fairness of this when loss of liberty may be at stake.

On the one hand, it seems absurd that a civil defendant with only financial exposure would have more notice of the allegations against him than the criminal defendant whose liberty is at stake. It seems that the law overprotects civil defendants and underprotects criminal defendants. So perhaps it goes without saying that, when you really consider the rules, the goal of even-handedness looks more like trial by ambush. But advocates of restricted discovery in the criminal context contend that the “beyond a reasonable doubt” standard of proof in criminal proceedings would be impossible to meet if prosecutors had to disclose their information to defendants up front.

It is quite the conundrum. One might argue that it is only fair to ensure that all defendants be provided with the same information as a civil defendant to ensure justice is served.

Footnote 1. In the federal system, a crime punishable by imprisonment for more than one year is a felony, regardless of the jail time actually imposed.

For more information on healthcare fraud litigation, please contact Linda at 781-272-8001.


How to respond to patient information requests

A common scene: law enforcement has entered your building and is demanding lab records on your patient. Common question: do you release the records or not? This issue can come up in just about any healthcare setting. Each situation is so fact specific that simple guidelines do not necessarily apply, but do not just hand over records to law enforcement. Procedural due process requirements must be met, and law enforcement must show it has the authority to obtain the records. Still, it is not uncommon for a healthcare worker to be threatened with immediate arrest for failure to comply.

Whether you are a covered entity (CE) or a business associate (BA), a clear understanding of when to release and when to deny, or to require patient authorization or a court order, is crucial. This issue continues to be misunderstood by law enforcement agents and can be intimidating to providers, despite the governing Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), federal (alcohol/drug abuse) and state (mental health) laws.

Law enforcement’s mission to “investigate/solve” a crime can cause confusion and obscure the hospital’s obligation to protect a patient’s protected health information (PHI). Disclosure in these circumstances is hard to contain because the law enforcement agent may go directly to a patient care area and ask the unit staff for access, bypassing the health information management staff who know the laws, thereby exposing the organization to an unauthorized disclosure and a HIPAA breach.

Under 45 CFR § 164.512(f) of the HIPAA Privacy Rule, disclosure of PHI to law enforcement agents (police, probation/parole officers, detectives) requires written patient authorization or a court order issued by a judicial officer, except in the following circumstances:

  • A valid court order, warrant, subpoena, or administrative process (45 CFR § 164.512(f)(1)(ii)).
  • To avert imminent harm that threatens the health or safety of an individual or the public (45 CFR § 164.512(j)(1)(i)).
  • As required by law, such as reporting child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult/elder abuse)).
  • To help identify or locate a suspect, fugitive, material witness or missing person, but only limited information may be disclosed (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a “wanted” poster or bulletin.
  • Victim of a crime (45 CFR § 164.512(f)(3)).
  • Death resulting from a crime (45 CFR § 164.512(f)(4)).
  • Crime on premises (45 CFR § 164.512(f)(5)).
  • Crime away from premises (45 CFR § 164.512(f)(6)).(1)
  • Report by a victim who is a workforce member (45 CFR § 164.502(j)(2)).
  • Admission of a violent crime (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  • To locate a known fugitive (45 CFR § 164.512(j)(1)(ii)(B)).
  • Prisoners (45 CFR § 164.512(k)(5)).
  • Medical examiners and coroners (45 CFR § 164.512(g)(1)).

The PHI that may be disclosed in each of these circumstances is limited to the minimum necessary to address the issue. For an identification or location request under § 164.512(f)(2), the permitted elements are: name and address; date and place of birth; Social Security number; ABO blood type and Rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and a description of distinguishing physical characteristics. DNA, dental records, and body fluid or tissue samples may not be disclosed under that provision.

The health care entity must exercise due diligence in ensuring that both the officer and the request for information are legitimate, and must file a copy of all paperwork provided, documenting all actions taken in compliance with the request, in the patient’s medical record. As a best practice, refer such requests for internal legal review to validate the proper procedure to follow. Finally, the nuances of this issue speak to the need for CEs to provide continuous education for all hospital workers on the process for releasing PHI.

Common requests for PHI without patient authorization or a court order:
  • Blood/alcohol level.
    • No. A court order is needed, and there is no material harm to the case from requiring one.
  • A detective brings a subpoena issued/signed by the police chief for access to the “alleged perpetrator’s” medical record.
    • Do not release without an order issued by a judicial/court officer or the patient’s authorization.
  • State Police want to review the behavioral health medical record of a patient to determine whether the patient was competent at the time of the “alleged” crime before charging for the crime.
    • Do not release. This is a “material issue” that must be decided by the physician and the courts (unless a “competent” patient provides authorization).

Footnote 1. A CE providing emergency health care in response to a medical emergency, other than an emergency on the premises of the CE, may disclose protected health information to law enforcement if necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or of the victim(s) of the crime, and the identity, description, and location of the perpetrator of the crime.

For more information on protected health information, please contact Linda at 781-272-8001.