N.Y. case illuminates HIPAA basics for fire departments
Who can sue, which fire departments are “covered entities,” and how agency policies impact confidentiality breach cases
A lawsuit recently filed in New York State alleges that a member of a fire department that responded to a medical call breached the confidentiality requirement of HIPAA by disclosing private patient health information at a party. The lawsuit names as defendants the volunteer firefighter accused of disclosing the information as well as the town and the fire department. It is important to note that the fire department provides BLS level of care and does not provide ambulance services.
In addition to violating HIPAA, the plaintiff alleged that, among other things, the defendant firefighter negligently violated the fire department’s internal confidentiality policy and that, by disclosing the plaintiff’s private health information, he intentionally caused the plaintiff emotional distress.
Before we dive in too deep, let’s address some basics regarding who can file a lawsuit for violation of HIPAA, which agencies are considered “covered entities,” and how state or department policies apply.
HIPAA basics for fire departments
HIPAA – the Health Insurance Portability and Accountability Act – is a law that protects a patient’s privacy rights regarding their personal health information. HIPAA governs how covered entities protect and secure Protected Health Information (PHI).
It’s important that fire service professionals understand HIPAA’s basic confidentiality and privacy rules. First things first, we turn to whether an individual can file a lawsuit for a violation of HIPAA. The short answer: They can’t. Only the Department of Health and Human Services and state attorneys general have the authority to enforce HIPAA, per Alexander v. Sandoval (532 U.S. 275), and then only against covered entities.
You may be asking, “Are we a covered entity?” The answer for emergency services tends to be, “It depends.” Fortunately, you can use this online decision tool to determine whether your agency is a covered entity under HIPAA.
In the case of the New York agency, the fire department is not a covered entity because it does not electronically transmit private health information. Additionally, in New York, fire districts and independent fire companies are not allowed to bill for EMS.
Further, while a patient cannot sue your agency for a HIPAA privacy violation, there is a caveat – the 14th Amendment. A recent 4th Circuit case, Payne v. Taslimi (998 F.3d 648), leaves open the question of whether a cause of action based on privacy exists under the 14th Amendment.
Why is this important to the fire service? The Constitution provides privacy protections under the 4th Amendment, and the 14th Amendment extends those federal protections to the states. The question then becomes: Does an individual have a cause of action based on a reasonable expectation of privacy in the information that is constitutionally protected? If yes, the next question is whether there exists a compelling government interest in the disclosure and whether the act of disclosure outweighs personal privacy.
Remember, HIPAA is a federal law. Every state has or is crafting healthcare and medical confidentiality regulations. In reality, your state regulatory system is more likely than HIPAA to trip you up. Why? Although your agency may not be considered a covered entity under HIPAA, state regulations regarding the release of protected health information may apply. In other words, simply complying with HIPAA may not be sufficient to protect you or your agency.
Going back to the New York case, the plaintiff relies on the fire department’s policy governing confidentiality to establish liability. Internal policies may not be admissible as evidence if the policies exceed what is traditionally considered a reasonable standard of care under the circumstances.
The lesson here: Each state has different common law notions of reasonable standard of care. Therefore, our agencies should be aware of what our state considers a reasonable standard of care for privacy issues. For example, in New York, there is no common-law action for violation of privacy. That means any lawsuit for violating a person’s privacy must arise out of a statute. Except for using a person’s likeness for monetary gain, most of New York’s privacy statutes involve physicians, hospitals, schools and the like.
An individual cannot sue for breach of the HIPAA privacy laws. A person may sue for violating their 4th Amendment rights under the 14th Amendment with respect to private health information. But there are no federal decisions that address that issue. A fire department that does not bill for EMS is not likely to be a covered entity, as defined by HIPAA.
Further, privacy laws vary by state in terms of what is protected information. Be careful when discussing emergency incidents – and extra cautious when discussing medical calls. There is a world of difference between saying, “I responded to a medical call where things were intense” and “I responded to Tony Smith’s house, and we treated Tony for [fill in your favorite trauma],” without Tony’s permission.