HIPAA access reports could be used in med mal

If a proposed rule is enacted by the federal government, patients will be able to request an accounting of who accessed their electronic health records, a development that some legal experts say could put hospitals and other providers at risk.

The right to request an "access report" as outlined in the Office for Civil Rights' proposed Health Insurance Portability and Accountability Act (HIPAA) accounting of disclosures rule could be an asset to attorneys in HIPAA civil suits and malpractice cases, some privacy experts say. Others disagree, saying the access reports only open small windows of opportunity for plaintiffs.

Under the proposed accounting of disclosures rule, patients could request an accounting of who accessed their electronic health information in a designated record set, for any reason.

HIPAA access reports could be used against hospitals and other providers, but more as leverage to obtain the sought-after results says Lisa L. Dahm, JD, LLM-Health, director of continuing legal education and adjunct professor at South Texas College of Law in Houston.

"The reputational damage that could result from the public knowing that the provider disclosed the information without permission might make the provider more willing to settle a lawsuit alleging some other cause of action than going to trial and risking the public's learning the provider breached patient confidentiality," Dahm says.

If you have a state statute that allows for damages for unauthorized disclosures of private health information, there is a direct risk of being fined for each instance, Dahm says. Patients also may take their case to the Office of Civil rights, which could impose penalties of more than $1.5 million.

Although a patient cannot sue the hospital under HIPAA, Dahm notes that there is case history suggesting an unauthorized disclosure could be used to sue a hospital for substantial damages. "One of the challenges for the risk manager is to make others in the organization are aware that you have to treat records as confidential," Dahm says. "I strongly suggest going to the chief information officer and have them run routine audits by picking a few patients and looking at how records are used. That sometimes is the only to discover those pathways through which personal health information is accessed improperly."

One attorney sees a major malpractice risk from HIPAA access reports. Nathan A. Kottkamp, JD, a partner with the law firm of McGuireWoods in Richmond, VA, says the information in an access report could be a goldmine for plaintiff's attorneys.Even if a caregiver listed in the access report had a legitimate reason to view the record, Kottkamp says, the report could be helpful in listing every potential defendant. The plaintiff's attorney might go through the list, ask why each person looked at the record, and explore each of those people as being potentially negligent, he says.

"From a litigation perspective, it really is very scary. If I'm a healthcare provider, this potential rule really does scare me," Kottkamp says. "The access report would provide a road map for potential litigants."

There is an increasing effort to use HIPAA violations as the basis for other torts and negligence actions, Kottkamp notes. An attorney could point to HIPAA as the standard of care and say that if you're not in compliance with HIPAA, you have de facto violated the standard of care, he explains.

A plaintiff's attorney might see the access report as a list of potential defendants with deep pockets, Kottkamp says. In addition to the question of how access reports might be used against you, providers also have to worry about whether they can even comply with the demand for access reports, Kottkamp notes. Regulators apparently thought such information would be easy to compile, but Kottkamp is hearing from providers that compiling an access report is much harder than it sounds. Vendors of electronic health records (EHRs) will have to develop ways to produce such reports if the rule is not changed, he says.

"It also will make it that much easier for regulators to know when there is a violation," Kottkamp says. "We could see people routinely asking for their access reports, and then it's a short step to regulators finding out that people were looking in records that they shouldn't have. Particularly if you treat celebrity patients, the access report can be a smoking gun.


• Lisa L. Dahm, JD, LLM-Health, Director of Continuing Legal Education and Adjunct Professor, South Texas College of Law in Houston. Telephone: (713) 646-1873. E-mail: ldahm@stcl.edu.

• Nathan A. Kottkamp, JD, Partner, McGuireWoods, Richmond, VA. Telephone: (804) 775-1092. E-mail: nkottkamp@mcguirewoods.com.