Medical Justice provides consultations to doctors facing medico-legal obstacles. We have solutions for doctor-patient conflicts, unwarranted demands for refunds, online defamation (patient review mischief), meritless litigation, and a gazillion other issues. If you are navigating a medico-legal obstacle, visit our booking page to schedule a consultation – or use the tool shared below.
“Can Medical Justice solve my problem?” Click here to review recent consultations…
Here’s a sample of typical recent consultation discussions…
- Former employee stole patient list. Now a competitor…
- Patient suing doctor in small claims court…
- Just received board complaint…
- Allegations of sexual harassment by employee…
- Patient filed police complaint doctor inappropriately touched her…
- DEA showed up to my office…
- Patient “extorting” me. “Pay me or I’ll slam you online.”
- My carrier wants me to settle. My case is fully defensible…
- My patient is demanding an unwarranted refund…
- How do I safely terminate doctor-patient relationship?
- How to avoid reporting to Data Bank…
- I want my day in court. But don’t want to risk my nest egg…
- Hospital wants to fire me…
- Sham peer review inappropriately limiting privileges…
- Can I safely use stem cells in my practice?
- Patient’s results are not what was expected…
- Just received request for medical records from an attorney…
- Just received notice of intent to sue…
- Just received summons for meritless case…
- Safely responding to negative online reviews…
We receive all types of HIPAA questions from our members. The answers are not always easy to find. We present answers to several of these questions below.
(Q) I have heard that HIPAA does not allow you to have a Business Associate relationship with a vendor overseas. Is that correct?
(A) At first blush, it would seem that one is foreclosed from storing data on an overseas cloud server, since US authorities would have little or no jurisdiction over the overseas entity. But HHS clarifies otherwise in its cloud computing guidance. It’s permitted, with conditions:
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Answer:
Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to the protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location. In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to the enforceability of privacy and security protections over the data.
(Q) Can I store protected health information (PHI) on my personal Google Drive account?
(A) Generally, no. If you store PHI on Google Drive, you need a Business Associate Agreement with Google. Google does offer such agreements, but only for its paid business, education, and government accounts (Google Apps at the time of writing; sold today as Google Workspace). You pay Google for the account, and the agreement comes with it.
Most personal Google accounts are free, and they do not come with Business Associate Agreements.
BTW, encrypting a document before uploading it to your personal Google account helps, but it does not get you out of the Business Associate Agreement. HHS’s cloud computing guidance is explicit that a cloud service provider that stores only encrypted ePHI, and does not hold the decryption key, is still a business associate, so a BAA is still required. What encryption does buy you is breach protection: under the HHS breach notification guidance, PHI encrypted consistent with NIST standards is not “unsecured PHI,” so an exposed copy of the encrypted file is not a reportable breach, provided the key was not exposed with it. That protection holds only if the key is generated and kept on your side and never uploaded next to the file, and only if you encrypt the file contents yourself, rather than relying on the provider’s own at-rest encryption, which the provider can undo.
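As an added example (not code from Medical Justice, Google, or HHS), here is what “encrypt it yourself before you upload” looks like in practice, written in Go with AES-256-GCM from the standard library. The patient record and the object name are constructed sample values, and the object name is an assumed label used only to bind the file to its metadata. The key stays with the practice and is never part of the uploaded blob; the provider sees only ciphertext, and any change to the cloud copy is rejected on decryption rather than silently accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit AES key. The key is generated and kept
// inside the practice; it is never uploaded alongside the record.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM and returns the blob that would be
// uploaded: nonce || ciphertext || tag. aad is non-secret context (here a
// hypothetical object name) that is authenticated but not encrypted, so the
// blob cannot be quietly re-labelled as a different patient's file.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a blob produced by Seal. Any change to the blob, the aad or
// the key makes the GCM tag check fail, and no plaintext is returned.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeaksPlaintext reports whether the record appears in the clear inside the
// blob, which is what the provider (or anyone who copies the bucket) sees.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 00012345 | Jane Doe | 1980-01-01 | Dx: hypertension")
	objectName := []byte("records/00012345.txt") // hypothetical object name used as aad

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes; plaintext visible to provider: %v\n", len(blob), LeaksPlaintext(blob, record))

	// Simulate tampering with the cloud copy: a single flipped byte is rejected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, objectName); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}

	// Only the holder of the key gets the record back.
	back, err := Open(key, blob, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", bytes.Equal(back, record))
}
```

Two practical points follow from this. First, losing the key means losing the record, so the key needs its own backup and access control separate from the cloud account. Second, even when the provider holds nothing but these blobs, HHS’s cloud guidance still treats it as a business associate; the encryption limits what a breach of the provider exposes, it does not replace the agreement.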
(Q) I hear about HIPAA authorization. I also hear about HIPAA consent. Aren’t they the same thing?
(A) Well, they are not precisely the same thing.
Authorization is what you HAVE to secure from a patient before disclosing protected health information unless there’s a named exception to disclosure.
For example, you must obtain a patient’s prior authorization to send protected health information to their designated attorney. Before sending the records, you want to confirm the patient has signed the authorization. And send only the records identified by that authorization.
In contrast, the Privacy Rule permits, but does not require, a covered entity to obtain patient consent for disclosures of protected health information related to treatment, payment, and healthcare operations. As an example, if a patient verbally asks you to submit an insurance form so you can get paid, you do not need their written authorization. That is one of the named exceptions. But you are allowed to have processes in place to obtain their “consent.”
(Q) Can an individual revoke their authorization?
(A) Yes. Patients can revoke their authorization at any time. The revocation must be in writing, and it is effective when the covered entity receives the written request. It does not undo disclosures already made: the Privacy Rule carves out actions the covered entity has already taken in reliance on the authorization.
The Privacy Rule requires that the Authorization must clearly state the individual’s right to revoke, and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it since the revocation is not effective until a covered entity that had previously been authorized to make the disclosure receives it.
If a patient gave you authorization to post before-and-after photos on your website and later demands that you take them down, just do it. It is their right to make that demand. Obviously, once protected information has been released into the internet ether, it may be impossible to “protect” it down the road. You can only do what you can do.
(Q) If a vendor is storing electronic medical records and the subscription terminates, does that vendor have to maintain the records, give them to the provider, or something else?
(A) Here, the vendor is a Business Associate. The Dept of Health and Human Services posed the question and answer as follows:
Do the HIPAA Rules require a Cloud Service Provider (CSP) to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
Answer:
No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate. The Privacy Rule provides that a business associate agreement (BAA) must require a business associate to return or destroy all PHI at the termination of the BAA where feasible. 45 CFR § 164.504(e)(2)(J).
If such return or destruction is not feasible, the BAA must extend the privacy and security protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. For example, return or destruction would be considered “infeasible” if other law requires the business associate CSP to retain ePHI for a period of time beyond the termination of the business associate contract.
State law may also impose its own medical-record retention periods, so check those before treating records as destroyable at the end of a vendor contract.
OK, that’s all for today. What do you think?
Jeffrey Segal, MD, JD
Chief Executive Officer and Founder
Dr. Jeffrey Segal, Chief Executive Officer and Founder of Medical Justice, is a board-certified neurosurgeon. Dr. Segal is a Fellow of the American College of Surgeons; the American College of Legal Medicine; and the American Association of Neurological Surgeons. He is also a member of the North American Spine Society. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country’s leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.
Dr. Segal was a practicing neurosurgeon for approximately ten years, during which time he also played an active role as a participant on various state-sanctioned medical review panels designed to decrease the incidence of meritless medical malpractice cases.
Dr. Segal holds a M.D. from Baylor College of Medicine, where he also completed a neurosurgical residency. Dr. Segal served as a Spinal Surgery Fellow at The University of South Florida Medical School. He is a member of Phi Beta Kappa as well as the AOA Medical Honor Society. Dr. Segal received his B.A. from the University of Texas and graduated with a J.D. from Concord Law School with highest honors.
In 2000, he co-founded and served as CEO of DarPharma, Inc, a biotechnology company in Chapel Hill, NC, focused on the discovery and development of first-of-class pharmaceuticals for neuropsychiatric disorders.
Dr. Segal is also a partner at Byrd Adatto, a national business and health care law firm. Byrd Adatto was selected as a Best Law Firm in the 2023 edition of the “Best Law Firms” list by U.S. News – Best Lawyers. With decades of combined experience in serving doctors, dentists, and other providers, Byrd Adatto has a national pedigree to address most legal issues that arise in the business and practice of medicine.
Understand that data is simply a commodity and as such, it will reside in the cheapest place or places for back-up. Your data could reside in the huge data farms in Virginia where it is safe and subject to the laws of the United States, or it could reside in some third world country where the legal system is nothing like what we expect it to be. I guess the psychiatrists call it “projection,” but realize that it can take decades for litigation to get to a Court. So, it is best to make sure you know where your data is. The “cloud” is simply a computer. Nothing magical about it.
The best concept, in my opinion, is to keep your important data in the possession of your own organization and to hire the best, most experienced IT professionals to provide as many safeguards as humanly possible. And, if you have your own practice, it might be a great idea to outlaw thumb drives for all employees. They hold lots of info and they can easily be lost, and then the practice will be in a whole lotta grief that is preventable. And maybe rendering your USB data ports unusable with superglue might prevent an employee from downloading all of your data without permission. And then make sure you buy an abundance of cyber insurance. The limits of your personal coverage will not be enough. Buy much more, as the cost of a breach is astronomical. And, have a robust Compliance Plan and Disaster Plan in place. It would be great to have the media professionals identified so they can respond ASAP.
The HIPAA law is all over the place and therefore it is hard to find:
August 1996 HIPAA signed into law by Clinton
Dec 2020 HIPAA final privacy rule issued. Modifications are added
Feb 2003 HIPAA Security standards final rule issued. (HIPAA is more than privacy; note the Security Rule.)
Apr 2003 Compliance deadline for the HIPAA privacy rule. (This is 20 years ago!!)
Apr 2003 Security compliance deadline
Feb 2006 HIPAA enforcement rule issued
March 2006 HIPAA Breach enforcement rule goes into effect
Feb 2009 HITECH Act signed
Aug 2009 HITECH breach notification final rule
Feb 2010 HITECH new civil monetary damages go into effect
Jan 2013 HIPAA Omnibus final rule issued
March 2013 Final Omnibus rule. 6 months until enforcement
Sept 2013 Omnibus rule enforced against Covered Entities and Business Associates
Add to all of this the state HIPAA laws.
So, the bottom line is that the HIPAA law is very hard to learn, understand and follow.
And, it is another administrative burden on the physician who is already overworked and under-respected.
Richard B Willner
The Center for Peer Review Justice