I WANT SOMEBODY ELSE’S MEDICAL RECORDS
What happens when someone asks your office or hospital for medical records not their own? This can happen either through governmental investigations or when someone presents a power of attorney or Healthcare Directive form.
Government investigations, including subpoenas or Requests for Production of Documents, should be referred to your counsel immediately. Proper response to investigative subpoenas or a request for records requires immediate and thoughtful review.
Day to day, you are more likely to be dealing with persons who request or demand the medical records of others and claim to act as a healthcare power holder or under a power of attorney. Are these requests valid?
The rise of internet legal providers has resulted in many persons having ineffective or inadequate powers of attorney or Healthcare Directives. When these are referred to me for review, I often find them incomplete, misdrawn (limited in scope or not applicable to the current status of the person for whom the power is prepared) or prepared under the wrong state law.
The problem with these inadequate and defective healthcare powers is that if you release records based upon an improperly drawn power, you face not only liability to the person whose records you’ve improperly released, but also HIPAA and other privacy law violations.
HOW DID HE EVER GET CAUGHT?
Texas anesthesiologist Richard Toussaint, Jr. was recently convicted on seven counts of fraud for false claims from 2009 – 2010. The amount involved was approximately $10 Million. Apparently, Dr. Toussaint falsely claimed personal supervision of anesthesia by CNAs on occasions when he was:
- Out of state;
- On his private jet; and
- Undergoing surgery himself.
Reportedly, Dr. Toussaint faces ten years in prison, millions in fines, and his collection of Bentleys and Rolls-Royces is at risk of seizure.
HOW MUCH SECURITY IS ENOUGH?
HIPAA, and some state laws, require you to implement security safeguards to protect PHI. Sounds reasonable, but what is a reasonable amount of data security?
Usually, this question is raised only after a breach, when CMS or a state regulator is deciding how much to fine your organization for not having had reasonable security. California, and other states, are beginning to address this question. California suggests that twenty security controls represent the minimum level of security that organizations holding PHI should meet, and its approach is that you must have all twenty to meet the minimum standard. The twenty controls are:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browsing Protection
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capability
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Do you have all 20 controls listed? Should you?
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals with contract matters, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. If you have any questions about this newsletter or other legal matters, please feel free to call (812) 402-1600 or email email@example.com.