Tuesday, November 17, 2015

Considering the tension between providing care and contacting law enforcement

A member of the Public Policy and Government Relations Committee shared this article, "Patient's Arrest for False ID Reminds CEs To Review Police, Validation Procedures," found at https://aishealth.com/archive/hipaa1015-01

The first half of the article focuses on a case of a hospital calling law enforcement when a patient presented with a false ID – in this case a fake driver’s license.  The second half of the article discusses broader issues of how providers might respond to such circumstances and highlights requirements under HIPAA and EMTALA.  We have highlighted some of the text below.  This is definitely worth a read.  What are your policies on this issue?

The HHS Office for Civil Rights (OCR) is investigating whether a Texas clinic acted appropriately following the arrest of a patient, RPP has learned. The woman, who is not a U.S. citizen, was taken into custody while waiting to see her doctor for allegedly presenting a fabricated driver’s license; she has not been charged with violating immigration laws.

OCR spokeswoman Rachel Seeger told RPP the agency is “reviewing the news report(s) to determine our authority under both HIPAA and civil rights laws to take action in the matter.”

The incident involves Blanca Borrego, 44, who was handcuffed and removed from an obstetrician-gynecologist’s office, part of Memorial Hermann Health System of Houston, in front of her two daughters. Court documents show Borrego, a native of Mexico, spent 12 days in jail charged with a felony prior to her release on $35,000 bail.

To date, officials with Memorial Hermann, a nonprofit organization that includes 13 hospitals, have not admitted to any wrong-doing nor apologized. They stated that while they did call the local sheriff’s office, they “did not ask” for Borrego to be arrested.

The officials acknowledged that “what happened to the patient is unfortunate” and that the Sept. 4 incident, which caused a national furor among immigration rights organizations and others, provides them “an opportunity to evaluate our processes.”

Law Enforcement Issues Are Tricky

Other HIPAA covered entities (CEs) may wish to do the same in light of this situation, which pits policies for working with law enforcement and for thwarting identity fraud against the need to render care while complying with HIPAA, other federal laws and state regulations.

Memorial Hermann officials have not commented beyond a statement issued on Sept. 15 that described the actions that occurred prior to the arrest and referred to the situation as “a unique event in Memorial Hermann’s history.” They also would not answer any questions submitted by RPP.

The statement refers to Borrego by name. Among the questions Memorial Hermann did not answer was whether it had Borrego’s permission to discuss her situation. Failure to obtain consent to discuss a patient by name led to the imposition of a corrective action plan and a $275,000 payment by the owners of Shasta Regional Medical Center two years ago (RPP 7/13, p. 1).

According to Memorial Hermann’s statement, the arrest was at the discretion of “local law enforcement,” which became involved only after Borrego “presented potentially false identification” at the clinic.

Borrego “was unable to provide another valid form of identification and in an effort to verify the authenticity of the suspicious driver’s license, the office then called the licensing bureau of the Texas Department of Public Safety (DPS),” Memorial Hermann officials say in the statement. “DPS instructed our staff to contact local law enforcement to validate the driver’s license number. This inquiry confirmed a false identification. Local law enforcement took this information and made the decision to arrest the patient.”

The statement adds that clinic officials “did not ask for this individual to be arrested” and “did not press charges.”

Memorial Hermann does not “ask patients about residency or immigration status nor do we report an undocumented patient to law enforcement. To be clear, this incident has nothing to do with immigration or residency status,” the statement says.

“What happened to the patient is unfortunate,” the statement concludes. “We also appreciate the sensitivity of this matter. As such, we consider this an opportunity to evaluate our processes.” Which processes are at issue was not addressed, and, as noted, the system would not respond to any of RPP’s queries.

‘Medical Care Should Take Precedence’

In an interview, Clarissa Guajardo, Borrego’s attorney, tells RPP her client never got to see her doctor and that if the medical staff had problems with the materials she provided to prove her identity, that should have been dealt with afterward.

Guajardo says she has not seen what Borrego presented and thus could not say whether falsification or fabrication was involved. But she stresses that she believes Borrego was mistreated by the clinic staff, who she says were instructed to keep Borrego waiting until arresting officers could arrive.

“Certainly her medical care should have taken precedence over law enforcement activities,” Guajardo says. She is exploring whether staff were permitted under HIPAA to contact law enforcement in this situation and whether they violated any Texas privacy laws.

Borrego’s arraignment is scheduled for Oct. 20. Guajardo is hoping a grand jury declines to indict her client or that any charges, if they are brought, will be of a lesser nature. Borrego’s visa expired a dozen years ago, according to numerous reports.

RPP spoke to several health care experts to get their take on the incident and, generally, to clarify how HIPAA’s provisions related to law enforcement apply to a case of this nature.

Even years after the privacy rule went into effect, sharing information with law enforcement remains a complicated area for hospitals and other CEs because of the interplay of state laws and the fact that some types of reporting are voluntary, meaning the protected health information (PHI) can be shared, while in some cases under state law it must.

In addition, providers may feel intimidated or threatened into providing more information or assistance than they’re comfortable with, or than is allowed.

In 2013, a New Mexico jury awarded a man $1.6 million in compensation for having been forced to undergo a colonoscopy and other medically unnecessary procedures ordered by judicial officials; local police suspected the man was hiding drugs in his body but none were found (RPP 12/13, p. 1).

Hoping to clarify some of these issues for both health care providers and law enforcement officials as they have a “shared responsibility,” the Oregon Association of Hospitals and Health Systems developed a 27-page report, “HIPAA and Law Enforcement: Guidelines for Release of Protected Health Information.” This was published in 2012 and updated in 2013.

While this provides information related to Oregon state law as well as HIPAA, CEs regardless of their location may find it useful because it contains three flow charts to help providers know how to respond when law enforcement officials request PHI, when disclosures are mandatory, and when they are voluntary. It also has a series of questions and answers that address situations CEs face. (See https://tinyurl.com/ob7c8oj.)

“A hospital’s first obligation to all patients is caring for their medical needs. When a patient is also involved in a criminal investigation, either as a suspect, witness or victim, that obligation remains the priority,” the Oregon guide states. “Law enforcement officials, however, also have an important job to do that often involves seeking access to patients, their medical information or other evidence held by the hospital.”

CEs will not find much to go on under HIPAA as to whether they are asking for too much information when trying to validate a patient’s identity. “HIPAA generally is silent about specifically requesting identification from patients,” says Becky Williams, a former nurse who chairs the Health Information Technology/HIPAA Practice Group at Davis Wright Tremaine LLP. But “[v]erification of identity is consistent [with] best practices to prevent medical identity theft,” adds Williams, who is based in Seattle.

Conversely, HIPAA does “recognize the need to verify the identity of a person requesting protected health information,” Williams says. She recommends that providers who have a question about the identity of a patient they’re treating “keep records of the patient separate until it can be confirmed that the patient presenting actually is the individual he or she claims to be.”

“This may help avoid ‘polluting’ the medical records of an identity theft victim,” Williams points out.

Among the factors to consider are whether –– and when –– CEs should contact law enforcement. One relevant provision in HIPAA is §164.512(f)(5) Permitted disclosure: Crime on premises, which states that a CE “may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises” of the CE.

“Some folks take the position that if someone is knowingly presenting false documents that may result in fraud or identity theft, this represents a crime on premises,” says Frank Ruelas, principal and founder of the consulting firm HIPAA College. “As such they use this as a basis for a disclosure –– using minimum necessary –– to law enforcement.”

It also would not be unthinkable to conclude that patients who are undocumented and admit to being in the United States illegally are committing a crime on premises. But CEs making such a call need to be aware of how this scenario would play out, particularly if it went public.

In addition, health care providers who are providing any services with federal dollars –– such as through Medicare or Medicaid, which is virtually all of them –– are not permitted to discriminate against individuals based on their ethnicity, gender and other characteristics.

This is specified in the Civil Rights Act, which OCR enforces for health care purposes, and in the Affordable Care Act. A Brooklyn hospital recently agreed to a settlement with OCR over allegations it violated the civil rights and the ACA, following a discrimination complaint filed by a transgender patient (RPP 8/15, p. 1).

Emergency Care Cannot Be ‘Interrupted’

Faced with a patient who may be committing a crime or meet other categories for which HIPAA permits notification to law enforcement, CEs must consider timing and whether care should be interrupted.

For example, the federal Emergency Medical Treatment and Active Labor Act (EMTALA) regulation, applicable to emergency services, “requires that individuals be provided a medical screening exam,” Ruelas explains. But, he adds, “EMTALA is clear that no processes, such as insurance verification, eligibility, etc., should delay the receipt of care by an individual who presents at the dedicated emergency department.”

However, EMTALA does not apply to the provision of non-emergency care.

“A regular medical practice [is] not required to work for free, and if the patient is engaging in medical identity theft, for example, then the practice probably won’t get paid,” says Jeff Drummond, a partner with Jackson Walker, LLP, in Dallas. Drummond stresses that he is not commenting on this case in particular.

One option if the patient is in an outpatient setting is to refer him or her to a free clinic or other provider. Ruelas says staff could ask if the patient “feels he or she has an ‘emergent condition,’ then we can call 911 and have them taken to an emergency department.”

This is not an ideal situation, Ruelas acknowledges, but says “this has worked in the past” and makes sense “[g]iven all of the moving pieces that are involved with people without insurance, the use of false IDs, the need to try to obtain information for payment of services, the need to create correctly documented records of care, and that undocumented workers in these situations may not have coverage.”

OCR issued a short guide regarding law enforcement (see box, p. 9). It is important to note that, in addition to HIPAA’s federal requirements, under many state laws “mandatory reporting is triggered,” Ruelas says. Often this relates to “injuries as a result of a crime or injuries related to gunshot wounds, knife wounds, etc.,” he says.

If the patient is suspected, or confirmed, of being under the influence of an illegal substance, providers may contact law enforcement. “Typically if a person is suspected of being a danger to self or others, a report can be made” to law enforcement, adds Ruelas. “Many hospitals use this to alert police when a patient decides to leave against medical advice [and] is intoxicated. Because of the possibility that this person may try to operate a motor vehicle, this presents that basis for possible risk to others.”

Suspected or confirmed abuse can also trigger reporting to law enforcement, says Williams.

“I have worked as a pediatric nurse for years, so I will emphatically say all child abuse should be reported immediately,” Williams says. “HIPAA permits reporting of child abuse and state law generally requires –– or at least permits –– good faith reporting of child abuse.”

Regarding adult abuse, neglect, or domestic violence situations under HIPAA, “a provider may report good faith beliefs of abuse to government authorities that are in a position to address the issue,” Williams says.

Reporting also occurs when required by state law, when a potential victim approves or is incapacitated and “the provider believes it is necessary to prevent harm.” The government agency accepting the report is required to attest that “the information will not be used against the patient” and “that immediate enforcement activity depends on [obtaining] the information,” she says.

Disclosures Must Be Entered in Logs

In addition, Ruelas reminds CEs that their “policies on how the staff is to respond” when law enforcement is involved should include “how this is to be reported both to authorities but also internally as well, such as to risk management or administration.”

And, as the Oregon law enforcement guide notes, disclosures need to be logged for the patient to obtain later. “The HIPAA Privacy Regulations require a hospital to give an accounting of certain disclosures, including disclosures to law enforcement made without patient authorization, upon the request of the patient,” it states.

However, there are also provisions that allow law enforcement to request a suspension of this “[a]ccounting for a time period specified by law enforcement if they provide a written statement that an [a]ccounting would be reasonably likely to impede the agency’s activities and specifying the time for which such a suspension is required.”


Kentucky looks at mobile driver licenses

We have reported on state initiatives on improved or modernized driver licenses. 

A NAHAM member of the Public Policy and Government Relations Committee shared this article, "Kentucky Holds Hearing on Mobile Driver Licenses," from SecureID News.  We note that because many in Patient Access use the driver license as the patient ID, this could have big implications.  What will you do if the driver license is electronic only - on a patient's smart phone?

The article may be found at --

Two states have started piloting mobile driver licenses and at least five others want to explore putting the credentials on smartphones. Kentucky proposed legislation that would study the feasibility of mobile driver licenses this year but the bill died in committee. That didn’t stop legislators and other government officials from hosting a Joint Committee on Transportation hearing that discussed mobile driver licenses.

“The goal is to give the Commonwealth a background on the issue and the progress in other states,” says Chad Grant, vice president at Grant Consulting Group. HID Global executives testified at the hearing, giving officials information on the latest developments with placing the credentials on mobile devices.

The company talked about its proof of concept for a mobile driver license and what is involved with such a project, says Kathleen Carroll, vice president of corporate affairs at HID Global. Officials from the company also met with the Kentucky State Police to get some feedback on the idea of mobile driver licenses.

“When discussing a mobile driver’s license, there are four key stakeholders that should have significant input into any solution: citizens, law enforcement, federal authorities and state licensing authorities,” Carroll says.

States are looking at mobile driver licenses to increase security and convenience, Carroll says. Individuals have to carry around multiple IDs for different purposes – driver license, health care, work, etc. By placing identity on a mobile device individuals will only have to carry the smartphone.

“Because there is a secure trusted relationship between the state licensing authority and the citizen’s smartphone, new services can be added and the need to stand in long lines can be eliminated,” Carroll says. “Additionally, driver’s licenses built on a secure mobile technology platform will give citizens more control over their personal information allowing them to choose when and with whom they share their information, and as importantly, how much information they share.”

Law enforcement has concerns over mobile driver licenses, but Carroll explains how the system can make their jobs easier. “When appropriate, a secure mobile driver’s license platform would allow the authentication of a person’s ID from a safe distance by using Bluetooth technology to give law enforcement officers more time to determine if a traffic stop is routine or more complex,” she says.

The system could also help alleviate problems with counterfeiting licenses. During provisioning of the license to the smartphone, the system would establish a mutually authenticated channel between the provisioning service and the mobile device that ensures safe delivery of data. “A mobile credential would only be sent to a mobile device through a secure service by an authorized state licensing authority,” Carroll explains. “Likewise, during use of the credential, a mutually authenticated channel is established between the mobile device and the relying party application. This ensures a secure private transaction independent of Bluetooth, NFC or any other transport protocol.”