protected health information

For years, law enforcement has bypassed traditional means of securing evidence by informal requests for documents from witnesses of crimes. At some point, that practice bled over into informal requests for healthcare providers’ documents, including documents reflecting protected health information (PHI). Healthcare providers, for the most part, have complied with these informal requests because, as the logic goes, law enforcement couldn’t possibly prosecute me for complying with law enforcement, right? Isn’t that entrapment?

This cooperative, well-intentioned practice by healthcare providers now appears to be drawing scrutiny from Congress. On December 12, 2023, members of Congress sent a letter to Health & Human Services Secretary Xavier Becerra announcing the results of a Congressional inquiry into the practice of pharmacies handing over patient information without legal process. In the face of that new scrutiny, which is sure to extend beyond pharmacies to all healthcare providers, what are healthcare providers to do when asked for PHI through informal means?

The Anthem breach sent alarm waves through the health care industry and the employer health plan community. With 78.8 million affected individuals for Anthem and 11 million for the companion breach of Premera Blue Cross, the combined size ranks among the largest data breaches in history.

The Anthem and Premera breaches signal a sea change in the threat environment for health plans, a new reality that requires a fresh look at data security. Prudent employers with group health plans should take that fresh look now by strengthening the data security provisions in their business associate agreements (BAAs) with third-party plan administrators, and also by updating their HIPAA-required security risk assessments.