Quote:
Originally Posted by sebastian_dangerfield
Hospitals leak that info to plaintiff's counsel? That's a straight up violation of HIPAA (and probably several other statutes and common law torts).
Aren't firms afraid of using that info? I could see a criminal investigator looking into that sort of leaking. One would assume the firm was somehow paying off people in the hospital for the info. Why else would someone in health care risk their job and possible civil or maybe criminal sanction?
|
It's not the hospitals. It's the aide in the ER or on the wards who overhears something and has a buddy that will pay for any info that could lead to a suit.
And so long as the subpoena includes a letter of assurance (that they've notified the patient and there's been enough time to object), then covered entities are more than able to release medical records for third parties.
Also, HIPAA does include a whistleblower provision which may or may not apply in this case. It's very specific (and most idiots in healthcare facilities looking to sell patient data aren't going to understand it), but since it was designed for Qui Tam cases, it absolutely allows a healthcare employee to give PHI to a lawyer (who the employee has retained). I'm not sure if OCR is going to interpret this provision to apply to the Texas law, but it does make me pause in saying that HIPAA absoltuely does not allow employees/covered entities from using PHI to claim a fucking bounty:
Quote:
(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
|
That said, the only criminal sanctions that OCR has imposed on individuals has been for selling PHI for personal gain, and I'm very, very hopeful that they're aware of this law and slam hard anyone found to have sold out their patient's information for this travesty.
