Month: September 2015

HIPAA Interferes with Parental Rights – a HIPAA Train Wreck


A few months ago, I came across a number of articles regarding Washington state schools placing IUDs in girls as young as the sixth grade without their parents’ knowledge through a Medicaid program known as “Take Charge.” The story received considerable media play. I do not wish to get into either the necessity or the propriety of this story, although it is ironic that middle and high school students can’t get a Coca-Cola or candy bar at local public schools. My interest was (and still is) how this situation plays out with respect to both the Federal and State laws.

I believe that in the final analysis, based on prevailing law, not only was the IUD placement without parental knowledge or consent within the law; the startling part is that if this issue were disclosed to a parent without the consent of the minor (child), it might very well be in violation of the law. The analysis is somewhat complicated, but I will try to break it down into bite-sized pieces.

The first step is the Federal law regarding the privacy of patient records. Typically, Federal law supersedes State law, and therefore, we would only have to address the Federal law. The Omnibus Rule, however, allows for the stricter of Federal or State law with respect to patient privacy.

Under § 160.203 (“General rule and exceptions”), the protections afforded under the HIPAA Privacy Rule preempt the provisions of State law, except if certain conditions are met. One of those conditions, as set forth in § 160.203(b), is that “[t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [the Privacy Rule]”.

Under § 160.202 (“Definitions”), the term “more stringent” means, in comparing the State law and a provision of the Privacy Rule, a State law that meets one or more of certain criteria, which include a State law that, “[w]ith respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.” (See § 160.202(6).)

We have established that to the extent that State law is more stringent with respect to protecting the privacy rights of the patient, the State law of Washington comes into play.

The general age of majority in the state of Washington is 18 (as set forth in RCW 26.28.010); however, there are specific exceptions, one of which is birth control services, in which case a minor’s consent is sufficient for confidential care, and the parent/guardian’s consent is not required, nor must the parent/guardian be notified. In fact, this rule holds true at any age. (RCW 9.02.100(2))

It is apparent that Washington State law (at least as understood by the schools) interprets the reproductive privacy law to mean that anyone, including the child, has a fundamental right to choose or refuse birth control.

To round out the picture totally, the law further states that “if the patient is a minor and is authorized to consent to healthcare without parental consent under Federal and State law, only the minor may exercise the rights of the patient under this chapter as to the information pertaining to healthcare to which the minor lawfully consented.” (RCW 70.02.130(1))

The sum total of all of this information is that, arguably, in the state of Washington a child of any age can allow for the placement of an IUD without parental knowledge or consent, and it is only the child that can consent to the release of that information from the medical practitioner to the parent/guardian. Presumably, a parent might ask for the child’s medical records, or the child might be brought to the doctor because of bleeding or any other symptom that is a consequence of an IUD, and the medical practice is prohibited from releasing this information to the parent without the consent of the child. One can only wonder what the medical staff is supposed to tell the parents of an 11-year-old.

It would logically follow that if the medical provider, or his/her staff, in fact communicated the fact that the child had an IUD, it would be a breach under HIPAA.

I will leave it to the readers to decide if this situation makes any sense, what goals are achieved, and if this is just another example of the effects of unintended consequences.

Irrespective of anyone’s personal belief, this situation, at a minimum, underscores the fact that even when emphasis is placed on compliance with HIPAA, individual State laws must be complied with and both doctors and their staffs (as well as business associates) must be aware of operative State laws.


What do you think?


DISCLAIMER – This post and the analysis submitted are not a legal conclusion and should not be construed as such but are presented for discussion and informational purposes.

I am not admitted to practice in the state of Washington, I am not certain that my analysis is correct under Washington law, and invite any practitioners who disagree with my analysis to comment and explain why this analysis is incorrect. As always, legal advice and training should be obtained from licensed professionals within the jurisdiction. This post and the analysis submitted are not legal conclusions and should not be construed as such but are presented for discussion and informational purposes.

Encryption – Govt. double standard – or not

Data Encryption

The medical community is subject to unprecedented governmental requirements to protect the privacy of patient data. The governmental interest in, and incentives for, digital storage and transmission of ePHI are clear, and the safe harbor of encryption has pushed the medical community, and thereby their business associates, to achieve the highest levels of encryption.

On the other hand, the United States government stands firm in its opposition to “strong” encryption.

I believe that there are two competing interests, privacy and security. HIPAA and the associated rules and regulations are firmly grounded in a patient’s right to privacy, and therefore the balance is firmly tipped in favor of privacy. Moreover, the encryption safe harbor is somewhat illusory if encrypted data can be accessed. While it is possible that the covered entity or business associate may not be subject to fines, they will have to notify those who are affected, and suffer the reputational loss associated with a breach.

On the other hand, the government must prevent crime, terrorism and other misdeeds, and to that end it is opposing “strong” encryption. However, in the final analysis I do not think that demands can be made on the medical community, and the business community at large, which are being pushed toward impregnable encryption and functionally zero tolerance for breaches of information, while on the other hand insisting on “back doors” to make encrypted data accessible.

I believe that in the final analysis this is a zero-sum game. If encryption will be “strong” enough that governments may not be able to access it through the service providers, and there will be end-to-end encryption, with service providers rendered unable to access the information, we will be protecting information like ePHI, sensitive personal financial information, and information that should be private. Conversely, if we allow governments the ability to access information, the privacy of law-abiding citizens and the protection of ePHI etc. may be compromised.

The basic arguments are:

Government – we need the ability to monitor information passing through US computer networks. This is the position of Admiral Mike Rogers, director of the NSA.

Counterargument – if the United States has the right to have back doors for the US government (as a governmental right), other governments should have that right as well, e.g. China, Russia, etc. This position was articulated by Alex Stamos, the then-current security engineer at Yahoo. As an aside, Yahoo and Google are currently working on an end-to-end email encryption system that may be ready by the end of the year.

Government – the rise in encryption has rendered a significant part of the Internet “dark,” making it harder to track terrorists and other criminals.

Counterpoint – Skype seems to have end-to-end encryption when using the Skype video service (as opposed to making phone calls on it), and therefore, with respect to the criminal element, all you need is one service through which criminal information is inaccessible.

Furthermore, the companies that handle the transmission of emails and other digital information say that providing any backdoor weakens encryption. Whit Diffie, a 71-year-old pioneer and co-inventor of the basic approach used in most modern encryption systems, seems to believe that it is counterproductive to try to build the special access governments are seeking.

It is interesting to note that the French intelligence services have been the beneficiaries of a bill that was passed in May legalizing phone tapping and email interception. With respect to England, David Cameron has proposed a ban on “strong” encryption to ensure that terrorists do not have a safe space in which to communicate.

There are over a billion email users around the world; the use of email and digital transmission of private information is rising, as is the incidence of cybercrime, hacking by rogue nations, and the need for secure digital information and transmission.

In the final analysis it is difficult to find the exact intersection/equilibrium of crime prevention (with respect to criminals and terrorists) and the rights of privacy of law-abiding citizens. This issue is only made more complex when the government is encouraging digital storage and transmission of the very information it rightfully demands to be held private.

What do you think?

The Falling Star of Nursing Homes – or Maybe Not

Falling Star of Nursing Homes

How accurate is the Five Star rating system in assisting the general public to determine which nursing home to select?

The Government Accounting Office (GAO) has accepted a request to investigate the rating system used on the Nursing Home compare website.

This request stems from a request by Senators Bob Casey (D-PA) and Ron Wyden (D-OR) after CMS (this past February) added quality measures on antipsychotic medication use and staffing levels to the ratings displayed on the website. Apparently, the estimate was that 4,777 out of 15,500 nursing homes would see a drop of at least one star. Obviously, in a five-star rating system, the drop of one star is very significant.

Similarly, Rep. Elijah E. Cummings (D-MD) has asked for a briefing with the Centers for Medicare & Medicaid Services on the website’s rating system.

As I understand it, the American Health Care Association (AHCA) has taken issue with the rating system, as it does not give proper weight to residents seeking nursing home care on a short-term basis for rehabilitation or therapy, and is heavily weighted toward long-term care.

Furthermore, there are concerns that the February changes do not really affect how well the residents will fare during their nursing home stay.

It is interesting that while the five-star system will come under review, there is no current roadmap with respect to the metrics (and relative weight) that should be employed to give an accurate five-star rating.

Obviously, HIPAA, or people’s interest in maintaining their privacy, would preclude (or at least severely limit) reviews by residents or their families in which they could give details regarding their ratings.

To the extent that we have become accustomed to relying on five-star rating systems, e.g. Amazon or eBay, which are becoming more widely accepted and, in my experience, with a little due diligence are highly accurate and predictive, it is important that five-star rating systems which DO NOT have detailed/descriptive ratings by the residents or their families have accurate metrics and weights, as they will be relied on for very important decisions – clearly more important than the average purchase on Amazon or eBay.
