The role of state laws in governing confidential medical information was highlighted again last week when a massive lawsuit against Sutter Health was dismissed. A state appeals court acted on an appeal from Sutter Health, dismissing the $4 billion class action suit on the grounds that there was no indication that the confidential medical information on stolen computers was accessed.
HIPAA is not the only legal or regulatory framework governing confidential medical information
We tend to think first and foremost of the HIPAA Privacy Rule as the main regulation governing confidential medical information. But state laws and regulations in most states also address confidential medical information, and may contain separate penalties for unauthorized disclosure.
In the case of Sutter Health, computers were stolen from one of its offices in the Natomas area of Sacramento, CA. One of the computers contained confidential medical information on 4 million Sutter members. Several Sutter members filed suit claiming damages due to the potential unauthorized disclosure of their confidential medical information under the California statute providing for $1,000 in compensation to any patient whose confidential medical information is disclosed without authorization.
The state appeals court panel agreed that even though the computer was definitely stolen, and it contained confidential medical information, there was no indication the information had been accessed or disseminated by the thief or thieves. A violation of the California Confidentiality of Medical Information Act must include evidence that the confidential medical information was actually viewed by someone not authorized to see it.
State laws and regulations on confidential medical information
The Sutter case provided an important finding on how the California statute will be interpreted, and it also highlights the role state laws and regulations play in protecting confidential medical information. Penalties under HIPAA can be extensive and expensive, and penalties under state laws and regulations may be waiting in the wings before or after a federal case is settled.
State laws vary widely, and may contain restrictions on disclosing a wide range of particular confidential medical information. Some of the confidential medical information whose disclosure is more tightly controlled under state laws includes:
- HIV Lab Test Results
- Mental Health treatment records, and
- Genetic medical information
Providers in each state who develop or maintain confidential medical information policies should be very aware of the specific disclosure requirements for such categories, and ensure they are obtaining the required authorization whenever necessary.
In some states, so-called “willful” disclosures of certain confidential medical information may even be a criminal violation, making providers subject to fines or jail time.
Millions of records with confidential medical information can be stolen just by stealing one computer
Many times, we read about unauthorized disclosures of confidential medical information due to lost or stolen laptop computers. In this case, the device was a desktop computer, but the real issue is: why would any organization store confidential medical information of 4 million people on any individual computer – desktop or laptop? Many of the fines levied by the Office for Civil Rights for breaches involving confidential medical information came about due to files containing large amounts of medical information being left or maintained on individual computing devices – instead of on servers whose physical and digital access is tightly controlled.
This capability – or even the requirement to maintain such files locally – should be evaluated by means of an original or updated HIPAA Security Rule assessment. And of course when there is a bona fide need to keep large files with confidential medical information on one device, such devices may need to be physically secured from casual burglars and thieves.
Sutter Health may have dodged a $4 billion bullet this time, but will your healthcare organization be so lucky in the future? Securing confidential medical information requires continuous vigilance, and the application of that old saying: hope for the best, but prepare for the worst.