Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Privacy Policy
View our privacy policy.
E-mailing and Texting PHI: Beware HIPAA
/in HIPAABy Kim Stanger
The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to protect patient information stored or transmitted electronically, including protected health information (“PHI”) sent in unsecure texts or e-mails.
E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient (see 45 CFR § 164.522(b)), but the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients. The Office for Civil Rights (“OCR”) explained:
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR § 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.
(OCR FAQ dated 12/15/08, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html). Read more
Police-Ordered Blood Draws In Idaho
/in Idaho Healthcare LawBy Kim Stanger
Law enforcement officers often request or demand that Idaho hospitals draw blood or conduct other tests on patients for law enforcement purposes; nevertheless, the general rule remains that patients (including persons in custody of the police) have the right to consent to or refuse their own healthcare, including blood draws or tests. (See I.C. § 39-4503). In addition, HIPAA limits the ability of healthcare providers to disclose information to police unless a HIPAA exception applies. (45 C.F.R. § 164.502). Accordingly, tests generally should not be performed and test results should not be disclosed to the police without the patient’s consent absent a court order or statutory authority. In the case of minors or incompetent patients, the healthcare provider must generally obtain the consent of the minor’s parent or other legally authorized representative. (See I.C. §§ 32-10151 and 39-4504). Read more
“Firing” Patients: Avoiding Patient Abandonment
/in Healthcare LawBy Kim Stanger
Physicians and other healthcare providers often find themselves in situations in which they no longer want to care for a patient. It may be that the patient is disruptive, noncompliant, or is unable or refuses to pay for his or her care. It may be that the patient requires services outside the expertise or capability of the provider. Regardless of the reason, the provider must take care when “firing” or discharging the patient from the practice. By accepting the person as a patient, the provider assumes the duty to care for the patient unless and until the provider-patient relationship is properly terminated. If the provider fails to render care consistent with the applicable standard of care, the patient may sue for malpractice. If the provider fails or refuses to care for the patient before the patient is able to transfer their care elsewhere, the patient may also sue the provider under the common law theory of patient abandonment. (See, e.g., 1 Am. Law Med. Malpractice § 3:15 (2017)). As one court explained:
[I]t “is well settled that a physician or surgeon, upon undertaking an operation or other case, is under the duty, in the absence of an agreement limiting the service, of continuing his [or her] attention, after the first treatment, so long as the case requires attention.” Ricks v. Budge, 91 Utah 307, 64 P.2d 208, 211 (1937) (emphasis added). “A physician has the right to withdraw from a case, but if the case is such as to still require further medical or surgical attention, he must, before withdrawing from the case, give the patient sufficient notice so the patient can procure other medical attention if he desires.” Id. at 212. Accordingly, a medical provider “‘is bound to exercise reasonable and ordinary care and skill in determining when he [or she] should discontinue his [or her] treatment and services.’” Id. (quoting Mucci v. Houghton, 89 Iowa 608, 57 N.W. 305, 306 (Iowa 1894)).
Newman v. Sonnenberg, 81 P.3d 808, 811 (Utah App. 2003). In addition, state licensing statutes or regulations often prohibit providers from “abandonment of a patient”; violations may result in administrative penalties and adverse licensure action. (See, e.g., Idaho Code § 54-1814(15)). To avoid liability for patient abandonment, the provider generally must take certain steps to ensure the patient is not harmed while care is transferred to another provider. Read more
The New HIPAA Reproductive Health Rule: What You Need to Know
/in HIPAABy Kim Stanger
Healthcare providers must comply with the new HIPAA Reproductive Health Rule (the “Rule”) by December 23, 2024.1 Here is what you need to know and do before then.
Overview. In the wake of Dobbs v. Jackson Women’s Health Organization, the Biden Administration has been concerned about situations in which states that prohibit abortion try to investigate or prosecute their citizens who obtain abortions in other states where abortion is legal. The Rule generally prohibits providers from disclosing protected health information about reproductive healthcare (“RPHI” in this article) for investigative purposes if the reproductive care was legal in the state in which it was rendered.
The Rule faces an uncertain future. Texas has sued HHS to block the Rule.2 Although no substantive decision has yet been issued, federal courts in Texas have been willing to limit federal regulations concerning reproductive health. Perhaps more importantly, it is not clear whether the Trump administration will maintain the Rule. In the meantime, however, the regulation is on the books and providers should comply. Read more
CMS Updates EMTALA Signage for Hospitals
/in EMTALABy Jay DeVoy
On August 13, 2024, the Centers for Medicare and Medicaid Services (CMS) and its Center for Clinical Standards and Quality / Quality, Safety & Oversight Group issued its memorandum QSO-24-17-EMTALA (the “Memorandum”), providing updated model signage for hospital emergency departments to use to help comply with the Emergency Medical Treatment and Labor Act (EMTALA).
EMTALA is a federal law that requires hospitals with emergency departments to screen incoming patients for emergency medical conditions and, if necessary, stabilize patients regardless of their ability to pay for treatment.1 Generally, emergency departments must screen patients who present for emergency treatment to determine whether an emergency medical condition exists and, if so, must provide further examination and treatment until the patient’s emergency medical condition is stabilized or until the patient may be transferred to another facility (such as when a higher level of care is required).2 EMTALA has received much attention in recent years, especially as it relates to the use of abortion procedures as a method of stabilizing emergency care and in relation to the laws of certain states that enacted partial or total abortion bans in the wake of the US Supreme Court’s Dobbs decision. Read more