Gary Buiso and Susan Edelman report that a revised privacy policy by the Fire Department of New York (FDNY) has got some people concerned.
Find yourself lying in a city ambulance and your personal health information could be sold to the highest bidder.
The FDNY has issued a murky patient-privacy notice that says it may use a patient’s “protected health information (PHI),” including everything from address and phone number to prescriptions and medical history, for fund-raising and marketing — and maybe even for sale.
It’s enough to give patients’ advocates and privacy experts a coronary.
The reporters interview some health lawyers but do not seem to have reached out to HHS to get a definitive answer on whether such use would be legal under HIPAA. Confusing the matter, they report:
Public-health agencies are exempt from a federal law that bars private health-care providers and contractors from releasing patient data.
But that’s not quite the whole story. Under the public health exemption, covered entities that are public health authorities are only allowed to release or disclose patient information for public health reasons, not for marketing or other financial purposes. And with only a few exceptions, “marketing” requires the signed consent of the patients. It’s not even clear to me whether FDNY is a “public health authority” under HIPAA. If they are, it would be as a “hybrid” entity, I suspect. In any event, the NY Post (and HealthITSecurity.com, which repeats the misinformation) have just got that part substantially wrong.
Fundraising and sale of PHI are also covered by HIPAA. For fundraising, no authorization may be required as long as certain conditions are met. Bricker & Eckler cite the law in an alert they wrote for their clients:
Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of Sec. 164.508:
- Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
- Dates of health care provided to an individual;
- Department of service information;
- Treating physician;
- Outcome information; and
- Health insurance status.
[…]
A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by § 164.520(b)(1)(iii)(A) is included in the covered entity’s notice of privacy practices.
So FDNY might be able to use some information for its own fund-raising purposes without patient signed consent – but only if the patients are first given a notice of privacy practices that explains that. And from what the reporters learned, that generally doesn’t happen. Handing a patient, prior to providing emergency treatment, a document that tells them they have to go to a web site to get more information just won’t fly with HHS. I would also suspect that if the patient is unconscious, FDNY has “implied consent” for treatment but no consent or notice for fund-raising purposes. How they might keep track of which patients can be part of fund-raising and which can’t, for failure to provide notice or obtain consent, should give everyone a huge headache.
As to the sale of PHI, the law firm of Bricker & Eckler has a nice recap of the provisions, here. They include:
The sale of PHI without a patient authorization was prohibited under the original Privacy Rule. The Final Rule adds an express prohibition on covered entities or business associates receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless the covered entity first obtains patient authorization or an exception applies.
See their article for a summary of the different exceptions.
All in all, FDNY’s lawyers will have their hands full if FDNY should decide to pursue these options because at the scene of an emergency, providing notice and getting consent for marketing, fund-raising, or sale of PHI is the last thing most responders and patients are thinking about.