LITIGATION SUPPORT TIP OF THE NIGHT

The Department of Health and Human Services maintains the National Practitioner Data Bank (NPDB), a database which records restrictions placed on physicians' privileges to practice, payments made for malpractice, and a rescinding of their licenses.

A public version of the data in the NPDB is available online, but it does not use the names and addresses of doctors, or the bodies that file reports on them. Hospitals, medical boards, and other healthcare organizations can access information about specific practitioners, and any physician can access his or her own records in the data bank. The publicly available information includes data on report types; a doctor's field; malpractice allegation types; the severity of injuries; and adverse action classifications.

There is a data analysis tool on the NPDB's site which can be used to help review the data.

The Department of Health and Human Services states that information from the NPDB can only be used in a legal claim against a hospital, not against a practitioner. Attorneys who violate this rule can be fined up to $22,363 per incident. See this post. An attorney requesting NPDB information must present evidence that a hospital did not make the mandatory query of the NPDB about a practitioner that is named in an action.

The guidebook for the NPDB suggests that a deposition, interrogatory response, or response to a request for admissions may provide the needed evidence. The attorney will only be able to obtain the information available in the NPDB at the time when the hospital was obligated to run a query, or reports against a physician that were subsequently voided.

LabCorp is one of a few large companies that conduct most of the clinical lab testing in the United States. On its website, it has posted a notice of privacy practices under the Healthcare Insurance Portability and Accountability Act of 1996.

In addition to acknowledging that it may disclose protected health information (PHI) for treatment and healthcare operations, it will also may also disclose PHI to its business associates; to law enforcement for the identification of a suspect or victim of a crime; and to authorities for public health reasons.

LabCorp also reserves the right to anonymize patient information:

"De-identified Information and Limited Data Sets: LabCorp may use and disclose health information that has been 'de-identified' by removing certain identifiers making it unlikely that you could be identified. LabCorp also may disclose limited health information, contained in a 'limited data set'.  The limited data set does not contain any information that can directly identify you.  For example, a limited data set may include your city, county and zip code, but not your name or street address."

LabCorp states that it will consider requests by patients to limit the use and disclosure of their PHI. LabCorp honors requests by patients for a full accounting of all disclosures of their PHI over the past six years.

LabCorp also responds to individuals who ask to update their PHI.

The Security Rule for the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA), does not require that Electronic Protected Health Information (EPHI) be encrypted. Encryption of personal health is not mandatory, but may be an addressable specification - meaning that an entity must assess if it's a reasonably required in particular circumstances. The HIPAA Security Rule is codified under 45 CFR 164.312, which sets down four guidelines for the security of patient data.

1. User IDs must track who accesses EPHI. Implementing this measure is required.

2. There must be a way to access EPHI in an emergency. Implementing this measure is required.

3. Automatic logoffs can terminate access to EPHI. Entities must address whether or not this measure is necessary.

4. Encryption is an addressable measure.

It also necessary to address if security audits are needed to detect the improper alteration or disposal of EPHI.