Counsel's Corner: Hospitalized Medical Staff Members: Reconciling Peer Review and HIPAA

What should you do, as hospital and medical staff leaders, when one of your medical staff members is hospitalized in your facility with signs of impairment? Your justifiable instincts will tell you to investigate and then to take action, if necessary, to protect patients; but what about the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? Can traditional peer review co-exist with that law’s still-evolving but demanding requirements? Fortunately, some answers are emerging, and peer reviewers who are careful can indeed reconcile their patient protection duties with their HIPAA privacy obligations.

Impaired physicians are a significant patient safety concern for hospitals and their medical staffs. Often, these physicians agree to monitored treatment of their condition from an independent provider approved by the medical staff. Occasionally, however, an impaired physician is hospitalized, at the same hospital where he or she holds privileges, in a manner that discloses the impairment to his or her treating physicians who are fellow members of the medical staff. In the past year we have handled two such cases, which presented tricky legal issues for the hospitals and medical staffs involved.

The hospital owes the medical staff member, as its patient, certain privacy rights under HIPAA, which seem to conflict with the medical staff’s duty to investigate the hospitalization and take appropriate peer review action. Our experience taught us some best practices for hospitals presented with this unusual situation.

Imagine this hypothetical: A patient presents to the emergency department (ED) showing signs of severe intoxication requiring emergency intervention. After stabilization in the ED, the patient is transferred to the intensive care unit. The treating physician realizes that the patient is his colleague and a fellow member of the hospital’s medical staff. Based on the patient’s condition, the treating physician has serious concerns about her ability to safely practice medicine. The treating physician reports the member’s hospitalization to the chief of staff. Within a short time the medical executive committee summarily suspends the member pending an investigation into her hospitalization, reports the suspension to the state medical board, and notifies an affiliated hospital where the member also has privileges. The member claims that the hospital has breached her privacy and threatens to file a HIPAA complaint with the federal Office for Civil Rights (OCR). Now the hospital seeks legal advice and wants to know whether its actions were acceptable given its obligations under HIPAA.

Treating Physician Justified in Disclosing the Hospitalization to the Medical Staff

Subject to certain exceptions, HIPAA generally prevents the hospital from using or disclosing any protected health information (PHI) about the medical staff member without her written authorization. The hospital is permitted, however, to use and disclose the minimum amount of PHI necessary for its own health care operations, even without her authorization. ¹45 C.F.R. §§164.502(b), 164.506(a), 164.506(c)(1), 164.514(d). Health care operations include, among other things, reviewing the competence or qualifications of health care professionals and evaluating practitioner and provider performance, i.e. peer review. ²Id. §164.501.

Most medical staff bylaws require or encourage medical staff members to internally report colleagues who have exhibited conduct that is reasonably likely to be detrimental to patient safety. Physicians also have an ethical duty to report possibly incompetent or impaired colleagues to the appropriate peer review body and/or the state medical board, depending on the circumstances. ³See American Medical Association (AMA) Code of Medical Ethics, Principles of Medical Ethics, Principle II, available at http://www.ama-assn.org/ama/pub/physician-resources/medical-ethics/code-medical-ethics/principles-medical-ethics.page; AMA Code of Medical Ethics, Current Opinions of the Council on Ethical and Judicial Affairs (2002-2003), Opinions 9.031, 9.04, available at http://www.ama-assn.org/ama/pub/physician-resources/medical-ethics/code-medical-ethics.page. State law may encourage or even require the treating physician to report his colleague’s impairment to the medical board.

In our hypothetical, the treating physician probably had at least an ethical duty to report the fact of his colleague’s hospitalization to the medical staff for the purposes of protecting patient safety—the principal purpose of peer review. ⁴See Cal. Bus. & Prof. Code §809(a)(6), Stiger v. Flippin, 201 Cal. App. 4th 646, 656 (4th Dist. 2011). In that light, the disclosure was permissible under HIPAA for the hospital’s health care operations.

Peer Review Action Warranted

Upon learning of the member’s hospitalization, the medical staff was legally well-advised to investigate and take appropriate peer review action against the member on the basis that her possible physical or mental impairment may have jeopardized patient safety or care; to do otherwise would expose the hospital to liability to patients harmed as a result. ⁵See Elam v. College Park Hospital, 132 Cal. App. 3d 332 (Cal. App., 1982). In accordance with this legal reality, most medical staff bylaws require each medical staff member to provide information to the medical staff regarding his or her physical and mental health status to demonstrate that he or she is not a threat to patient safety or care.

In our hypothetical case, assuming that the medical staff bylaws contain such a provision, the medical staff can respond to the treating physician’s report straightforwardly, by requiring the member to authorize the hospital in writing to disclose to the medical staff detailed information regarding her hospitalization. Pursuant to HIPAA, the member may refuse to comply. Such noncompliance, however, would violate the medical staff bylaws and in most cases would be grounds for corrective action against her medical staff membership and/or privileges at the hospital. ⁶See, e.g., Webman v. Little Company of Mary Hospital, 39 Cal. App. 4th 592 (1995) (withholding information needed to complete a hospital’s peer review of a physician may be grounds for denying, or revoking, medical staff privileges).

Caution Required if Reporting Member’s PHI to the Medical Board

State law typically requires hospitals to report to the medical board adverse actions against medical staff members, such as summary suspensions of a certain duration, and related information regarding the facts and circumstances meriting the action. Some states also require hospitals to report impaired physicians to the medical board. ⁷California law, for example, provides near-absolute immunity from liability to physicians, hospitals and medical staffs who provide information to the Medical Board or Department of Justice indicating that a licensee may be impaired because of drug or alcohol abuse [Cal. Bus. & Prof. Code §2318]. Other states have laws specifically requiring fellow licensees and/or health care facilities to report to the state medical board any information that indicates a licensee’s impairment [See, e.g., Mont. Code Ann. §37-3-401, Wash. Rev. Code Ann. §18.130.070]. Federal law requires similar reports to the National Practitioner Data Bank (NPDB). ⁸45 C.F.R. Part 60.

Under HIPAA, disclosure of PHI to the medical board and other regulatory agencies like the NPDB is typically permissible (without patient authorization) for health oversight purposes. In the present circumstances, however, the health oversight exception is inapplicable because the patient is the subject of the investigation or activity and such investigation or activity is not related to her receipt of health care or public benefits. ⁹Id. §164.512(d). Even so, HIPAA expressly permits the disclosure of PHI to the extent required by law (including statutes or regulations that require the production of information) if the use or disclosure complies with and is limited to the relevant requirements of such law. ¹⁰Id. §§164.103, 164.512(a).

If state law requires disclosure to the medical board of information related to the adverse action or member’s impairment, as applicable, the hospital can arguably disclose PHI to the medical board that is directly relevant to the action or the impairment. The disclosure of PHI is probably impermissible, however, if it is either not legally required or not directly relevant for the report’s purposes. Hospitals would be wise to err on the side of excluding PHI from the report, if possible, or including the absolute minimum amount of PHI necessary for making the report. If the medical board needs additional PHI, it can issue an administrative subpoena to the hospital.

Interestingly, if the medical staff is informed of the hospitalization directly by the member or her family member, it may disclose such information to the medical board without restriction under HIPAA because the information is not PHI.

It is Permissible to Report the Member’s Hospitalization to Affiliated Hospital

Many states, including California, encourage the sharing of peer review information between peer review bodies for the purpose of public welfare. ¹¹Cal. Bus. & Prof. Code §809.08(a). Within the peer review community, it is a widely accepted practice for peer review bodies to share peer review information if the subject practitioner has signed a written release permitting the disclosure of his or her information. Such releases often authorize the disclosure of any information that relates to the practitioner’s fitness, character or ability to practice safely at the hospital.

In our hypothetical, if the member executed a release permitting disclosure of her information to the affiliated hospital, disclosure of her hospitalization was probably permissible pursuant to HIPAA if: (a) the member is (or was) a member of the medical staff at the hospital and the affiliated hospital; (b) the disclosure pertained to the member’s medical staff membership at the affiliated hospital; and (c) the disclosure was for the purposes of peer review because it related to the member’s ability to practice medicine safely. ¹²45 C.F.R. §§164.501, 164.506(c)(4)(i).

A HIPAA authorization is not legally necessary in this case because the disclosure is permitted pursuant to the release in accordance with peer review law, and thus falls within the health care operations exception. In a recent HIPAA case we handled, OCR affirmed the validity of this interpretation.

Best Practices

Even though the hospital may not technically have violated HIPAA, it is very easy for the member to file a HIPAA complaint with OCR. OCR investigations can be costly and it often takes OCR a couple of years to issue a decision, even in simple cases. Cooperating with OCR and following these best practices can help expedite the process:

• In cases where peer reviewers are seeking health information from you, as an addendum to any peer review release have the medical staff member sign a HIPAA authorization permitting the disclosure of his or her health information. This will avoid any argument by the member that a peer review release is insufficient for the purposes of disclosing his or her PHI.

• Unless the physician has signed a HIPAA authorization, disclose only the absolute minimum amount of PHI necessary. Erring on the side of caution, we suggest limiting most disclosures to the fact of hospitalization and placing the burden on the physician to provide the authorizations necessary to allow the requesting peer review body to gather additional information from you.

• Applicable state privacy laws should be checked to see if they permit the disclosure of health information under the circumstances. More restrictive state laws will usually preempt HIPAA.

• Be aware that alcohol and drug treatment programs are subject to special privacy rules and mental health providers may be subject to strict state privacy law requirements. In each case, the facts should be carefully analyzed to see whether these laws apply and, if so, what special protections they afford the member.

• Proceed carefully when initiating peer review action against a physician who has filed a HIPAA complaint with OCR because she or he may allege that the action was taken in retaliation.

• Consider updating your impaired physician policy to provide guidance on how to handle situations where a medical staff member is treated at the hospital.

Conclusion

Addressing the hospitalization of a medical staff member at the same hospital where she or he has privileges raises challenging issues, because the medical staff’s peer review obligations do not necessarily align with the member’s expectation of privacy under HIPAA. By treading carefully and adopting the best practices outlined above, hospitals and their medical staffs can prepare for these situations by mitigating the risk of violating the member’s privacy rights and easing the burden of dealing with any related OCR investigation.