by Andrea I. Schwab, JD, CPA and
John Southrey, CIC, CRM, Manager, Consulting Services, TMLT
Texas House Bill (HB) 2641, which was passed into law in June 2015, provides physicians with some liability protections when using an HIE. While it is advisable to be vigilant in addressing potential liability exposures, HB 2641 has taken some steps to protect providers. HB 2641 states that a provider who sends information to an HIE without malice or gross negligence is not liable for damages if that information is used in violation of federal or state privacy and security laws by the HIE or another provider. It also states that use of an HIE does not create a standard of care for health care providers.
HB 2641’s limitation of liability language is as follows:
- Unless the health care provider acts with malice or gross negligence, a health care provider who provides patient information to a health information exchange is not liable for any damages, penalties, or other relief related to the obtainment, use, or disclosure of that information in violation of federal or state privacy laws by a health information exchange, another health care provider, or any other person.
- Nothing in this section may be construed to create a cause of action or to create a standard of care, obligation, or duty that forms the basis for a cause of action.
HB 2641 does not modify a physician’s responsibility for complying with HIPAA, nor does it protect physicians from liability for damages, penalties, or other relief resulting from such violations. State laws that are contrary to the HIPAA Privacy Rule are preempted by the federal requirements, unless the state law is more stringent and/or unless specific exceptions apply.1, 2
Physicians remain responsible for ensuring that individuals, the media, and the Secretary of the Department of Health and Human Services are notified of breaches of protected health information (PHI), and for the costs incurred by the breaches, even if an HIE is the source of the breach.3, 4 But physicians and HIEs can sometimes contractually agree on how they will provide notice to affected patients. The United States Department of Health and Human Services (HHS) states, “With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.”5
Even if an HIE is compromised in some way, physicians are not relieved of their responsibility to comply with appropriate standards of medical care and the Texas Medical Board (TMB) rules. For example, physicians’ duties of making timely and accurate diagnoses, maintaining accurate medical records, and providing the patient with copies of his or her records could all be affected if an HIE is compromised.
The Office of Civil Rights and HIEs
The Office of Civil Rights (OCR), the federal agency that enforces HIPAA compliance, states that “trust in electronic health information exchange can only be achieved if reasonable administrative, technical, and physical safeguards are in place” and the HIPAA Privacy Rule requires covered entities to implement such safeguards.6
The OCR suggests that when covered entities participate in an HIE, the covered entity can agree with the HIE (as its business associate) on appropriate safeguards that would apply to their electronic exchange of information.7 These procedures should be formalized through a business associate agreement, data sharing agreement, or other contract, and may include enforcement mechanisms and penalties for breaches and violations.
A physician should always review a business associate agreement carefully with an attorney, and require the HIE to have appropriate administrative, technical, and physical safeguards in place. The physician should determine the HIE’s procedures for verifying the identity and authority of anyone requesting PHI; the safeguards that are in place to appropriately protect PHI; and procedures to follow in case of a breach.
For more information, please contact John Southrey at email@example.com.
Andrea Schwab may be contacted at firstname.lastname@example.org.
Part one: cyber crime and liability
Part two: health information exchange – benefits and liability
1 U.S. Department of Health & Human Services. HIPAA Privacy Rule. Code of Federal Regulations, Title 45 – Public Welfare. Section 160.202 – Definitions. Available at: http://www.gpo.gov/fdsys/pkg/CFR-2002-title45-vol1/xml/CFR-2002-title45-vol1-sec160-202.xml. Accessed October 14, 2015.
2 U.S. Department of Health & Human Services. Health Information Privacy. Does the HIPAA Privacy Rule preempt State laws? Available at: http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/399.html. Accessed October 14, 2015.
3 U.S. Department of Health & Human Services. Health Information Privacy. Breach Notification Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/. Accessed October 15, 2015.
4 U.S. Department of Health & Human Services. Health Information Privacy. Breach Notification Rule. Breach Notification Requirements. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/. Accessed October 15, 2015.
5 See 45 C.F.R. section 164.530(c); HIPAA Security Rule at 45 C.F.R. sections 164.308, 164.310, and 164.312.
6 U.S. Department of Health & Human Services. HIPAA Administrative Simplification. Regulation Text. 45 CFR Part 164, Sections 164.308, 164.310, 164.312. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf. Accessed October 15, 2015.
7 U.S. Department of Health & Human Services. Health Information Privacy. Privacy and Security Framework: Safeguards Principle and FAQs. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/. Accessed October 15, 2015.
This article is purely informational and not intended to be legal advice and should not be construed as such.