A member of the Public Policy and Government Relations Committee shared
this article, "Patient's Arrest for False ID Reminds CEs To Review Police,
Validation Procedures," found at https://aishealth.com/archive/hipaa1015-01.
The first half of the article focuses on a case of a hospital calling law
enforcement when a patient presented with a false ID – in this case a fake
driver’s license. The second half of the
article discusses broader issues of how providers might respond to such
circumstances and highlights requirements under HIPAA and EMTALA. We have highlighted some of the text
below. This is definitely worth a
read. What are your policies on this
issue?
The HHS Office for Civil Rights (OCR) is investigating whether a Texas
clinic acted appropriately following the arrest of a patient, RPP has
learned. The woman, who is not a U.S. citizen, was taken into custody while
waiting to see her doctor for allegedly presenting a fabricated driver’s
license; she has not been charged with violating immigration laws.
OCR spokeswoman Rachel Seeger told RPP the agency is “reviewing the
news report(s) to determine our authority under both HIPAA and civil rights
laws to take action in the matter.”
The incident involves Blanca Borrego, 44, who was handcuffed and removed
from an obstetrician-gynecologist’s office, part of Memorial Herman Health
System of Houston, in front of her two daughters. Court documents show Borrego,
a native of Mexico, spent 12 days in jail charged with a felony prior to her
release on $35,000 bail.
To date, officials with Memorial Hermann, a nonprofit organization that
includes 13 hospitals, have not admitted to any wrong-doing nor apologized.
They stated that while they did call the local sheriff’s office, they “did not
ask” for Borrego to be arrested.
The officials acknowledged that “what happened to the patient is
unfortunate” and that the Sept. 4 incident, which caused a national furor among
immigration rights organizations and others, provides them “an opportunity to
evaluate our processes.”
Law Enforcement Issues Are Tricky
Other HIPAA covered entities (CEs) may wish to do the same in light of this
situation, which pits policies for working with law enforcement and for
thwarting identity fraud against the need to render care while complying with
HIPAA, other federal laws and state regulations.
Memorial Hermann officials have not commented beyond a statement issued on
Sept. 15 that described the actions that occurred prior to the arrest and
referred to the situation as “a unique event in Memorial Hermann’s history.”
They also would not answer any questions submitted by RPP.
The statement refers to Borrego by name. Among the questions Memorial
Hermann did not answer was whether it had Borrego’s permission to discuss her
situation. Failure to obtain consent to discuss a patient by name led to the imposition
of a corrective action plan and a $275,000 payment by the owners of Shasta
Regional Medical Center two years ago (RPP 7/13, p. 1).
According to Memorial Hermann’s statement, the arrest was at the discretion
of “local law enforcement,” which became involved only after Borrego “presented
potentially false identification” at the clinic.
Borrego “was unable to provide another valid form of identification and in
an effort to verify the authenticity of the suspicious driver’s license, the
office then called the licensing bureau of the Texas Department of Public
Safety (DPS),” Memorial Hermann officials say in the statement. “DPS instructed
our staff to contact local law enforcement to validate the driver’s license
number. This inquiry confirmed a false identification. Local law enforcement
took this information and made the decision to arrest the patient.”
The statement adds that clinic officials “did not ask for this individual
to be arrested” and “did not press charges.”
Memorial Herman does not “ask patients about residency or immigration
status nor do we report an undocumented patient to law enforcement. To be
clear, this incident has nothing to do with immigration or residency status,”
the statement says.
“What happened to the patient is unfortunate,” the statement concludes. “We
also appreciate the sensitivity of this matter. As such, we consider this an
opportunity to evaluate our processes.” Which processes are at issue was not
addressed, and, as noted, the system would not respond to any of RPP’s
queries.
“Certainly her medical care should have taken precedence over law
enforcement activities,” Guajardo says. She is exploring whether staff were
permitted under HIPAA to contact law enforcement in this situation and whether
they violated any Texas privacy laws.
Borrego’s arraignment is scheduled for Oct. 20. Guajardo is hoping a grand
jury declines to indict her client or that any charges, if they are brought,
will be of a lesser nature. Borrego’s visa expired a dozen years ago, according
to numerous reports.
RPP spoke to
several health care experts to get their take on the incident and, generally,
to clarify how HIPAA’s provisions related to law enforcement apply to a case of
this nature.
Even years after the privacy rule went into effect, sharing information
with law enforcement remains a complicated area for hospitals and other CEs
because of the interplay of state laws and the fact that some types of
reporting is voluntary, meaning the protected health information (PHI) can
be shared, while in some cases under state law it must.
In addition, providers may feel intimidated or threatened into providing
more information or assistance than they’re comfortable with, or than is
allowed.
In 2013, a New Mexico jury awarded a man $1.6 million in compensation for
having been forced to undergo a colonoscopy and other medically unnecessary
procedures ordered by judicial officials; local police suspected the man was
hiding drugs in his body but none were found (RPP 12/13, p. 1).
Hoping to clarify some of these issues for both health care providers and
law enforcement officials as they have a “shared responsibility,” the Oregon
Association of Hospitals and Health Systems developed a 27-page report, “HIPAA
and Law Enforcement: Guidelines for Release of Protected Health Information.”
This was published in 2012 and updated in 2013.
While this provides information related to Oregon state law as well as
HIPAA, CEs regardless of their location may find it useful because it contains
three flow charts to help providers know how to respond when law enforcement
officials request PHI, when disclosures are mandatory, and when they are
voluntary. It also has a series of questions and answers that address
situations CEs face. (See https://tinyurl.com/ob7c8oj.).
“A hospital’s first obligation to all
patients is caring for their medical needs. When a patient is also involved in
a criminal investigation, either as a suspect, witness or victim, that
obligation remains the priority,” the Oregon guide states. “Law enforcement
officials, however, also have an important job to do that often involves
seeking access to patients, their medical information or other evidence held by
the hospital.”
CEs will not find much to go on under HIPAA as to whether they are asking
for too much information when trying to validate a patient’s identity. “HIPAA
generally is silent about specifically requesting identification from
patients,” says Becky Williams, a former nurse who chairs the Health
Information Technology/HIPAA Practice Group at Davis Wright Tremaine LLP. But
“[v]erification of identity is consistent [with] best practices to prevent
medical identity theft,” adds Williams, who is based in Seattle.
Conversely, HIPAA does “recognize the need to verify the identity of a
person requesting protected health information,” Williams says. She recommends
that providers who have a question about the identity of a patient they’re
treating “keep records of the patient separate until it can be confirmed that
the patient presenting actually is the individual he or she claims to be.”
“This may help avoid ‘polluting’ the medical records of an identity theft
victim,” Williams points out.
Among the factors to consider are
whether –– and when –– CEs should contact law enforcement. One relevant
provision in HIPAA is §164.512(f)(5) Permitted disclosure: Crime on
premises, which states that a CE “may disclose to a law enforcement
official protected health information that the covered entity believes in good
faith constitutes evidence of criminal conduct that occurred on the premises”
of the CE.
“Some folks take the position that if someone is knowingly presenting false
documents that may result in fraud or identity theft, this represents a crime
on premises,” says Frank Ruelas, principal and founder of the consulting firm
HIPAA College. “As such they use this as a basis for a disclosure –– using
minimum necessary –– to law enforcement.”
It also would not be unthinkable to conclude that patients who are
undocumented and admit to being in the United States illegally are committing a
crime on premises. But CEs making such a call need to be aware of how this
scenario would play out, particularly if it went public.
In addition, health care providers who
are providing any services with federal dollars –– such as through Medicare or
Medicaid, which is virtually all of them –– are not permitted to discriminate
against individuals based on their ethnicity, gender and other characteristics.
This is specified in the Civil Rights Act, which OCR enforces for health
care purposes, and in the Affordable Care Act. A Brooklyn hospital recently
agreed to a settlement with OCR over allegations it violated the civil rights
and the ACA, following a discrimination complaint filed by a transgender
patient (RPP 8/15, p. 1).
Emergency Care Cannot Be ‘Interrupted’
Faced with a patient who may be committing a crime or meet other categories
for which HIPAA permits notification to law enforcement, CEs must consider
timing and whether care should be interrupted.
For example, the federal Emergency
Medical Treatment and Active Labor Act (EMTALA) regulation, applicable to
emergency services, “requires that individuals be provided a medical screening
exam,” Ruelas explains. But, he adds, “EMTALA is clear that no processes, such
as insurance verification, eligibility, etc., should delay the receipt of care
by an individual who presents at the dedicated emergency department.”
However, EMTALA does not apply to the provision of non-emergency care.
“A regular medical practice [is] not required to work for free, and if the
patient is engaging in medical identity theft, for example, then the practice
probably won’t get paid,” says Jeff Drummond, a partner with Jackson Walker,
LLP, in Dallas. Drummond stresses that he is not commenting on this case in
particular.
One option if the patient is in an outpatient setting is to refer him or
her to a free clinic or other provider. Ruelas says staff could ask if the
patient “feels he or she has an ‘emergent condition,’ then we can call 911 and
have them taken to an emergency department.”
This is not an ideal situation, Ruelas acknowledges, but says “this has
worked in the past” and makes sense “[g]iven all of the moving pieces that are
involved with people without insurance, the use of false IDs, the need to try
to obtain information for payment of services, the need to create correctly
documented records of care, and that undocumented workers in these situations
may not have coverage.”
OCR issued a short guide regarding law enforcement (see box, p. 9). It is
important to note that, in addition to HIPAA’s federal requirements, under many
state laws “mandatory reporting is triggered,” Ruelas says. Often this relates
to “injuries as a result of a crime or injuries related to gunshot wounds,
knife wounds, etc.,” he says.
If the patient is suspected, or
confirmed, of being under the influence of an illegal substance, providers may
contact law enforcement. “Typically if a person is suspected of being a danger to
self or others, a report can be made” to law enforcement, adds Ruelas. “Many
hospitals use this to alert police when a patient decides to leave against
medical advice [and] is intoxicated. Because of the possibility that this
person may try to operate a motor vehicle, this presents that basis for
possible risk to others.”
Suspected or confirmed abuse can also
trigger reporting to law enforcement, says Williams.
I have worked as a pediatric nurse for years, so I will emphatically say
all child abuse should be reported immediately,” Williams says. “HIPAA permits
reporting of child abuse and state law generally requires –– or at least
permits –– good faith reporting of child abuse.”
Regarding adult abuse, neglect, or domestic violence situations under
HIPAA, “a provider may report good faith beliefs of abuse to government
authorities that are in a position to address the issue,” Williams says.
Reporting also occurs when required by state law, when a potential victim
approves or is incapacitated and “the provider believes it is necessary to
prevent harm.” The government agency accepting the report is required to attest
that “the information will not be used against the patient” and “that immediate
enforcement activity depends on [obtaining] the information,” she says.
Disclosures Must Be Entered in Logs
In addition, Ruelas reminds CEs that
their “policies on how the staff is to respond” when law enforcement is involved
should include “how this is to be reported both to authorities but also
internally as well, such as to risk management or administration.”
And, as the Oregon law enforcement guide notes, disclosures need to be
logged for the patient to obtain later. “The HIPAA Privacy Regulations require
a hospital to give an accounting of certain disclosures, including disclosures
to law enforcement made without patient authorization, upon the request of the
patient,” it states.
However, there are also provisions that allow law enforcement to request a
suspension of this “[a]ccounting for a time period specified by law enforcement
if they provide a written statement that an [a]ccounting would be reasonably
likely to impede the agency’s activities and specifying the time for which such
a suspension is required.”
