Pierce & Mandell, P.C.

11 Beacon Street, Suite 800
Boston, Massachusetts 02108-3002

Phone: (617) 720-2444
Fax: (617) 720-3693

Health and Dental Law

HIPAA Laws And Dangerousness Disclosure

Tuesday, January 29, 2013
by William M. Mandell

In his January 15, 2013 letter to “our Nation’s Health Care Providers,” United States Department of Health and Human Services Office for Civil Rights Director Leon Rodriguez highlights that HIPAA does not prohibit the disclosure of health information, consistent with applicable ethical standards and state law, if a patient presents a serious danger to themselves or others, in order to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat.

Massachusetts HIPAA laws also allow for such warnings and reasonable precautions in such instances, and even impose under Mass. Gen. L. c. 123, §36B a duty on licensed mental health professionals to warn or protect potential victims if a patient (i) has communicated an explicit threat to kill or inflict serious bodily injury upon a reasonably identified victim or victims and the patient has an apparent intent and ability to carry out the threat or (ii) has a history of physical violence which is known to the practitioner and the practitioner has a reasonable basis to believe that there is a clear and present danger that the patient will attempt to kill or inflict serious bodily injury against a reasonably identifiable victim or victims.

In such instances, licensed mental health professionals are authorized to disclose confidential communications when taking one or more of the following required reasonable precautions as defined in Mass. Gen. L. c. 123:

  • Communicate the threat to the reasonably identified victim or victims,
  • Notify the appropriate law enforcement agency in the vicinity where the patient or potential victim resides, or,
  • Arrange for voluntary hospitalization, or initiate proceedings for involuntary commitment.

Given the focus of our national dialogue on safety from tragedy, this is a good teaching moment to make sure your clinical, social work and health information staffs understand these parameters.

Please do not hesitate to contact Pierce and Mandell, P.C. if you have any questions, or you may contact Bill Mandell directly at bill@piercemandell.com.

Pierce & Mandell to Participate in Yankee Dental Congress 2013

Thursday, January 17, 2013

For the fourth consecutive year, Pierce & Mandell, P.C. is proud to be part of the Yankee Dental Congress, to be held January 30th through February 3rd at the Boston Convention & Exhibition Center.  

Yankee Dental Congress is a trade show and convention that draws thousands of dental professionals each year.  Pierce & Mandell attorneys William M. Mandell, Kate L. Auerbach and Rebecca Merrill will be available at Booth 818 to meet with dental professionals interested in legal advice on all dental law and ethics, including dental practice transitions and sales, associate buy-ins, leases, employment and service agreements, and staff employment issues.

HIPAA “De-Identification Process” is Clarified by Department of Health and Human Services

Thursday, January 10, 2013
By: Rebecca Merrill

Guidance from the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) provides clarity on the available methods of de-identification of protected health information (PHI) as well as the federal government’s scrutiny of such procedures.

The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established two methods of de-identification: (1) Expert Determination Method and (2) Safe Harbor Method. 45 C.F.R. § 164.514(a).  These de-identification methods are applied to PHI to enable the use of health information for non-treatment purposes (e.g., research and policy development), while protecting the individual’s right to privacy by removing identifiers from the PHI prior to utilizing the data for secondary purposes.

Applying the expert determination method, a covered entity may determine that health information is not identifiable if a qualified expert, applying generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable, (i) “determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) documents the methods and results of the analysis that justify such determination.”  45 C.F.R. § 164.514(b).

The HHS guidance sets forth factors that the agency will apply when scrutinizing expert qualifications for the purpose of expert de-identification.  These factors will be helpful to health care providers, health plans and business associates in assessing the qualifications of an expert and understanding the de-identification process and risk assessment.  

The HHS guidance also details three primary principles that should guide expert risk assessment. The first principle, replicability, involves the prioritization of “health information features into levels of risk according to the chance it will consistently occur in relation to the individual.” For example, low risk replicability would occur when the “results of a patient’s blood glucose level test will vary”; whereas high risk replicability would exist when the “[d]emographics of a patient (e.g., birth date) are relatively stable.” Id. Second, the principle of data source availability examines “which external data sources contain the patients’ identifiers and the replicable features in health information, as well as who is permitted access to the data source.” Id. In its guidance, HHS indicates that lab reports with identifying information that are often limited to healthcare environments are low risk, while patient name and demographic information often in public sources (e.g., vital records) are high risk. Third, the principle of distinguishability requires a determination of “the extent to which the subject’s data can be distinguished in the health information.” Id.

Finally, the HHS guidance addresses the Safe Harbor Method, pursuant to which a covered entity can de-identify PHI by adhering to a de-identification framework that mandates removal of at least 18 identifiers from the health information. In addition, the Safe Harbor requires that the covered entity have no actual knowledge of the potential for an individual to be identified by the de-identified information alone or in combination with other information. 45 C.F.R. § 164.514(b). The HHS guidance offers clarification on several of these factors, enabling the covered entity to better navigate the de-identification process. In addition, the guidance provides examples of what constitutes “actual knowledge.” Finally, the guidance explains that once data is de-identified in accordance with the Safe Harbor, covered entities are not required to enter into data use agreements when sharing the information with third parties.

Pierce & Mandell’s health care lawyers can assist in all phases of HIPAA compliance for medical and dental professionals.  Contact us.
