Share this article on:
The Health Insurance Portability and Accountability Act (HIPAA) prohibits the sharing of protected health information with third parties without first obtaining consent from patients. That has led some patients and healthcare officials to believe the City of Portland violated HIPAA by sharing information on HIV-positive patients with the University of Southern Maine without first obtaining consent.
Portland runs a HIV-positive health program and individuals enrolled in that program were not informed that some of their information – their name, address, phone number and HIV positive status – would be shared with USM’s Muskie School of Public Service (MSPS).
The information was shared in order for MSPS to conduct a survey on behalf of the city. When that survey was conducted, it became clear to patients that some of their PHI had been shared without their knowledge. Two patients complained that their privacy had been violated. Following receipt of the complaints, the city suspended its survey and conducted an investigation into the alleged privacy violation.
While the HIPAA Privacy Rule does restrict the sharing of PHI with third parties, there are exceptions. Officials at the City of Portland maintain that HIPAA Rules were not violated. HIPAA does permit healthcare organizations to share PHI with third parties for research programs, and in such cases, consent from patients is not a requirement, provided certain conditions are met.
While HIPAA Rules may not have been violated, the City of Portland will be issuing a written apology to all affected patients – which number more than 200 – about the privacy violation. The letter, written by Portland’s public health director, Dr. Kolawole Bankole, said, “We have learned important lessons from this experience and are implementing new and updated policies and procedures for ensuring that our health care entities and programs better communicate with patients regarding uses and disclosures of their patient’s [PHI] for these types of research, program evaluation and business associate-related purposes going forward.”
While some city officials do not believe HIPAA Rules have been violated, that view is not shared by all. Dr. Ann Lemire, a former director of Portland’s India Street clinic had previously warned the city not to share the list of patients with USM researchers as doing so would be a violation of HIPAA. Lemire told the Press Herald, “I feel our patients have been violated and continue to be treated poorly and without respect.”
While HIPAA Rules may allow Portland to share PHI in this instance, information appears to have been shared before both parties entered into a business associate agreement. According to USM’s assistant provost for research, Ross Hickey, the list of patients was shared before a business associate agreement was obtained. After receiving the list, USM requested a BAA. That BAA was subsequently provided, in which the responsibilities USM had with respect to PHI were detailed.
In this case, the BAA made no difference to how USM secured the list and restricted access to the shared PHI, as strict privacy and security policies were already in place. However, the sharing of the list before entering into a BAA is something the Department of Health and Human Services’ Office for Civil Rights may choose to investigate, in addition to determining whether consent should have been obtained from patients before the information was shared.
If it is discovered that HIPAA Rules were violated there is potential for a financial penalty, either from OCR or the Maine attorney general, who since the HITECH Act was passed, is also permitted to take action against organizations discovered to have violated HIPAA Rules.