HIPAA Dispute After Marathon BombingBoston Public Health Agency, Police Argue About Privacy
A HIPAA privacy dispute has erupted between Boston public health officials and first responders in the aftermath of last month's marathon bombing.
The Boston Police Patrolmen's Association is sending letters to about 40 area hospitals and clinics threatening to sue if the healthcare providers comply with a recent request from the Boston Public Health Commission that asks for medical information about victims treated in the aftermath of the April 15 bombing, says Thomas Nee, the association's president. The police association is alleging the public health commission's request is a violation of the HIPAA Privacy Rule.
In addition, attorneys for the patrolmen's association are sending a "cease and desist" letter to the Boston Public Health Commission that also demands that any medical information collected so far by the commission about marathon victims be destroyed.
Request for Information
At the heart of the matter is a request the Public Health Commission sent in late April to local hospitals and clinics seeking information about bombing victims seeking care. That includes names, contact information, chief complaint and diagnoses.
The commission is collecting the information for disaster preparedness and response planning and also to assist in providing outreach services to victims, says spokesman Nick Martin. The commission sought legal counsel that interpreted its information request as being HIPAA compliant, he adds.
"A lot of support is available for victims and their families, but healthcare providers might not know about it," Martin says. For instance, that could include resources to address the mobility issues of "a new amputee who lives in a third-floor, walk-up apartment," he explains.
But some unions representing first responders, including the Patrolmen's Association, allege that the release of such information without patients' consent is a HIPAA violation, especially because it might include mental health information about police, firefighters and emergency medical technicians who sought treatment for post-traumatic stress.
"Thirty days after the bombing, there is no public safety issue, there is no anthrax, there is no small pox, there is no public emergency," Nee says. As a result, he argues, public health officials "have no business seeking our members' personal information, including whether they are seeking counseling because of the horrible visuals from that day [of the bombing]."
HIPAA Privacy Rule
Under the HIPAA Privacy Rule, covered entities, such as hospitals and other healthcare providers, are permitted to disclose protected health information to pubic health authorities without patient authorization for a number of activities, including "conducting public health surveillance, investigations or interventions," according to the Department of Health and Human Services' Office of Civil Rights' website.
The commission's April 30 request was sent to more than two dozen Boston area hospitals and clinics, and so far, mainly hospitals have responded to the letter, Martin says. Information about people who sought care from outpatient clinics is more difficult to gather because many of those providers have multiple locations and no one collects data centrally, he says.
In addition to the three victims killed in the blast, about 275 people sought care from area hospitals in the aftermath of the bombing, Martin says.
"We respect people's confidentiality and privacy," Martin says. "We don't want people to think we're not keeping their information private, it's kept in a secure database that's accessed by only a handful of preparedness staff." Martin could not provide details about how the data is being secured, such as whether the information is encrypted during transmission from providers or when stored in the public health agency's database.
While Martin says the commission is collecting the information "electronically," Nee contends that some of the commission's requests - and the response information from healthcare organizations - are being sent via fax. "Public faxes end up in the wrong hands," Nee says. The commission "is casting a big net for personal information that's none of their business. They're being busy bodies."
The collection of patient information by government agencies after a disaster isn't unprecedented. After the 9/11 terrorist attacks, New York City launched a voluntary registry "for people who lived, worked or went to school in the area of the World Trade Center disaster, or were involved in rescue and recovery efforts," according to the registry's website.
Each enrollee answered a series of questions in a "confidential" online survey about where they were on 9/11, their experiences and their health. "This initial data allowed health professionals to compare the health of those directly exposed to the WTC disaster to the health of the general population. No blood tests or medical exams were required to enroll," the website states.