What Is the HIPAA Privacy Rule?

hipaa security

The HIPAA Privacy Rule was first proposed in 1999. Over the decades, it has seen a number of modifications as the interests of patients have evolved over time.

With the COVID-19 pandemic, HIPAA has faced new challenges due to the sometimes conflicting need to protect public health while also protecting the privacy of individual patients.

Often, healthcare providers are caught between maintaining legal standards and providing patients with the best care possible. Sometimes, their choices impact the greater good as well when the public may be at risk of exposure to a viral illness like COVID.

In these times, it is often valuable to go back to the primary source and reconnect with the wording and intent of laws like the HIPAA Privacy Rule rather than make potentially life-altering choices based on hearsay or social convention.

What Is the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects the confidentiality of all medical records and health information that is individually identifiable. Essentially, the rule limits the use of these records without the consent of the patient, but it also requires the provision of access to all healthcare and medical records for the patient along with the ability of that patient to transmit those documents to a third party and to request corrections if appropriate.

Does COVID Impact the HIPAA Privacy Rule?

COVID does not necessarily change the protections provided by HIPAA because there are already provisions within HIPAA that allow for the sharing of medical information, including identification information, under certain circumstances.

Under HIPAA, the name and other identifying information of a patient who is diagnosed with COVID may be shared by the provider with law enforcement, first responders, and/or public health agencies without patient consent when the following is true:

  • It is necessary to provide treatment.
  • Notification is required by law.
  • Notification is required to prevent or control the spread of the illness.
  • First responders or other medical professionals may be at risk of exposure to the illness.
  • The individual is in custody of law enforcement or a correctional institution.

Essentially, if the care and treatment of the patient, protection of medical providers who are providing treatment to that patient, or the well-being of public health is at risk due to a patient’s diagnosis with any infection or disease, including COVID, sharing of personal information may legally be done by medical providers.

How Can Medical Providers Ensure HIPAA Compliance & Protection From Related Litigation?

Unfortunately, many patients do not understand the nature of HIPAA and/or its intent and bring lawsuits against medical providers who they feel have violated their rights by sharing their COVID diagnosis. If you are facing such litigation and would like help, Florida Healthcare Law Firm can assist you. Call now for a consultation.

The Management Services Organization (MSOs) Role in California

California prohibits the corporate practice of medicine (CPOM), a broad legal doctrine prohibiting non-licensed persons, including individuals and business entities, from practicing medicine. The CPOM doctrine arises from the idea that those with similar values and desire to uphold similar ethical principles should control the business of medicine. In other words, the purpose of the doctrine is to prevent non-licensed persons from influencing medical treatment decisions that could cause a physician to divide his or her loyalty between generating profits and delivering quality care.

The prohibition on CPOM is why, in California, the only permitted corporate form for an entity that practices medicine is a physician-owned Professional Corporation (PC). Per California law, other healthcare professionals, such as RNs or PAs, can collectively own up to 49% of the PC. However, a physician or group of physicians must own at least 51% of the PC.

What does all that mean? Unlicensed persons can never own any part of the PC. So, how can an unlicensed person profit from the PC? They can create a Management Services Organization (MSO) and contract with the PC to manage the administrative and non-clinical operations of the medical practice. For example, the MSO can oversee a non-clinical HR department, the finances of the PC, and marketing efforts. Under such an arrangement, it is critical that the MSO has no control or authority over the PC and that payment to the MSO is not linked to the MSOs referral of patients to the PC. In simpler terms, the PC must only pay the MSO the fair market value for the services it provides.

An MSO can be a valuable tool for a PC and a good way for non-licensed persons to get around California’s prohibition on the CPOM.

Get Help

As a boutique law firm dedicated to supporting the healthcare community, our goal is to help healthcare professionals comply with all laws so that they can be safe in their profession and practices.If you would like to learn more about the corporate practice of medicine in California and MSOs and get advice on how to proceed, contact us at Florida Healthcare Law Firm to set up a consultation today.