The
magnitude of the crime does not trigger a change in legal treatment. 45 CFR
164.512(f)(5) permits CEs to disclose PHI to law enforcement if the CE
"believes in good faith constitutes evidence of criminal conduct that occurred
on the premises of the covered entity," and sub (6) permits providers to
disclose PHI to law enforcement under certain conditions when providing health
care in an emergency. So sub (5) would provide coverage for a report to the
copes if e.g. a pharmacist were handed a prescription slip with a forged
signature (assuming he had reason to believe it was forged), but still wouldn't
allow for the kind of letter to other pharmacists described in the original
example, even if he had received such a forgery.
While
narcotics are given heightened scrutiny under a number of legal regime, the
wrath of the law comes down only for their illegal possession or
distribution. If you succeed in getting a prescription, your possession
is legal. If you succeed in getting multiple prescriptions and the
pharmacist filling them knows it, the pharmacist may be in trouble, and
certainly if the doctor writing the prescriptions knows it he might be very
likely to get in trouble with both law enforcement and licensing
authorities.
The
pharmacist may (better) know whether the drug in question is a
controlled substance, but if he has a question about the validity of a given
prescription his recourse should be to check with the prescribing doctor to
confirm the signature, and if the pharmacist has information indicating (for
example) that he just filled two other prescriptions for the same drug for the
same individual from two other doctors in the last week he can properly advise
the doctor (under the "treatment" exception for PHI disclosures) of this fact
which is relevant to the care the doctor is providing to the
individual.
A
decision to take the law into your own hands, as by sending a "drug seeking
behavior warning" letter to others in the community, is vigilantism, and whether
or not a vigilante is proven to have done the morally or practically right thing
in any given situation, he is always at risk of breaking the law and having
to take the consequences himself. So, if a pharmacist in this situation felt
that the potential evil of the drug-seeking behavior was great enough to
warrant a letter to his fellow pharmacists, he should only do so with the
acceptance that his action might bring consequences on him such as OCR
investigation, potential criminal charges, potential civil action by the
individual, and potential for disciplinary action by licensing
authorities.
The
point is that there are ways of dealing with this, but they are being formalized
with the intent of adding protections for individuals. This presents obstacles
to the pursuit of potential evil-doers - bad guys always take advantage
of their legal rights - but I am not sure it is a bad thing to have to make
considered decisions before taking actions that might erroneously harm affect
the rights or reputations of others.
-----Original Message-----John:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 3:18 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Here is a good Privacy Issue that will cause problems
Thank you so much for your detailed reply, though I am afraid I do not concur with your answer. The point in discussion was an obvious abuse of the system; any other drug would not detain the wrath of the law BUT NARCOTICS DOES.
Reference to rights was only associated with this particular crime.
Sorry to disagree. Furthermore, the pharmacy of PBM is not making the judgment, the law does that. A doctor in Florida was charged with this very same example.
I will look up other examples for you.
Regards, Robert
In a message dated 1/16/2003 3:00:30 PM Central Standard Time, [EMAIL PROTECTED] writes:
Subj: RE: Here is a good Privacy Issue that will cause problems
Date: 1/16/2003 3:00:30 PM Central Standard Time
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Robert -
I think I need to question one of your assumptions, and your approach to this kind of problem.
#1 the assumption that: <the individual has lost the right to privacy once they break the law> is not correct, and is in fact dangerously incorrect.
HIPAA does not state that principle anywhere. It does list a number of conditions under which PHI may be disclosed: for TPO, under an authorization, and under the conditions listed in 45 CFR 164.512 (uses and disclosures not for TPO for which no authorization is required). If you read that regulation you will see that subsection (a) does permit a disclosure required by law, while subsection (f) sets out the specific requirements for disclosures for law enforcement purposes. (The other exceptions in this regulation don't appear likely ever to apply to this kind of situation). If there is a law on the books requiring disclosure of drug-seeking behavior, exception (a) would apply; but I am not aware of any such laws (doesn't mean there aren't any, I just don't know of any).
This is a very different approach to privacy from the assumption that "if you break the law you lose your privacy." While the U.S. Constitution does not explicitly state a privacy right (there are theories that it does so implicitly, but that's another set of questions), HIPAA does create a statutory/regulatory set of privacy obligations on the part of CEs and entitlements on the part of individuals. I frankly don't think that a pharmacist's judgment that he thinks someone has broken the law by improperly seeking drugs (by the way, *is* drug-seeking behavior a crime? or just a basis for suspicion of a crime? or are we using an alert of this kind to prevent health problems and over-prescription?) will suffice to eliminate this entitlement (as a matter of law) or relieve the pharmacist, as a CE, of his or her obligation to respect these privacy entitlements by complying with the regulations. (By the way, what if he's wrong? In addition to breach of privacy there might well be a suit for libel available.)
This is not to say something can't be done to communicate about this kind of problem - we have discussed it quite a bit and there have been a number of good postings on the subject - but the way to approach a solution it is to start with the regulations and read them carefully. (Also any applicable business associate contracts; for example, in your example of the PBM, has the PBM checked to make sure any BAC it has with a CE that provided some of the PHI which describes the prescriptions written permits that kind of disclosure? There are some badly drafted documents out there, not all of which might allow for everything you would like to assume they do.)
The underlying point being that with HIPAA coming into effect decisions like these have to be made in a more formal way, with actual reference to regs and contracts and not in reliance on what you assume should be the right result.
John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
(Direct: 206.613.7118 - (Cell: 206.683.9125
* [EMAIL PROTECTED]
Confidentiality Note:
The information contained in this email message is legally privileged and confidential, intended only for the use of the individual or entity named above. If the reader of this email message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copy of this
email message is strictly prohibited.
Robert Blinch-Edwards
Executive Director
Healthcare Sarasota, Inc.
1991 Main Street, Suite 148
Sarasota, FL 34236
Tel: 941-917-7995
Fax: 941-917-1930
email: [EMAIL PROTECTED]
Web: www.hcsrq.com
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [email protected]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
