This is a damned soap opera. If a patient “raids” his own doctor and steals his own medical records, is that a reportable breach under HIPAA and HITECH if the doctor is a HIPAA-covered entity?
I think it is. Even if it is some kind of standard practice for the White House to obtain a president’s medical records, I’d want to know if that means obtaining a copy of the medical records (which Trump could have just requested anyway) or actually obtaining all of the records, because although the records are about the patient, they are not the patient’s records or property. The records belong to the doctor, and if he wanted to press charges for theft, I’m guessing he could. But would he press charges against his famous former patient? Or is he more interested in securing some settlement? Time will tell, I guess. Is Michael Cohen available to fix this for the President? Oh right… never mind.
And did Trump’s people take just the president’s records or did they also appropriate/steal/take charge of the records of other members of Trump’s family and circle?
As to the doctor’s claim that telling the world your patient takes Propecia is not a breach, well, he needs to go back to school, as revealing the use of a prescription drug is certainly a breach of confidentiality unless the patient has authorized you to reveal that.
So to review: I think a crime was committed. I think there was a reportable breach under HIPAA if the doctor is covered by HIPAA and HITECH. I think there were actually two breaches under HIPAA: the theft of the records and the disclosure by the doctor of the Propecia use.
Will anyone be penalized or face consequences? Well, the NYS licensing board could take action even if HHS/OCR doesn’t. But will they?
Update: Read Jeff Drummond’s analysis of these issues. As always, I learn from Jeff.