When leaving a medical practice, can you take patient records?
A tale of woe: physician former employee accused of theft of Trade Secrets
We’ve seen a litigation battle where a departing physician wrote to his former patients, proudly announcing his new practice location — and then was sued by his aggrieved former employer for misappropriation (theft) of trade secrets.
The litigation was vicious and costly for the defending physician. It lasted a long time, and sucked the life out of his new venture.
One of the key questions turned out to be whether the departing physician merely fulfilled his duty not to abandon patients, or went beyond that and actively solicited them. There were also questions as to who “owned” patients he had brought to the practice, what files he was able to access, and what the expectations of confidentiality were. In addition, the letter he wrote to patients of the practice he was leaving was carefully read for evidence of intent.
This might have been avoided had the two worked out, in advance, what they would do if the employment relationship soured. A joint notification letter could have been pre-agreed and placed in the employment contract.
The Bottom Line: Watch Your Liability Exposure
Healthcare law is highly regulated, and there are always enforcement authorities ready to nip at your heels even if you escape a lawsuit.
Here, for example, HIPAA requires patient authorization, so even if you don’t have an angry former employer trying to sue you for theft of trade secrets, you also have to satisfy the regulators by honoring your privacy and security obligations.
It Matters How You Leave a Medical Practice
When we advise clients with respect to taking patient records, charts, lists, or databases with them on departing a practice, we are sensitive to the nuances of the outgoing physician’s departure. For example, a physician might:
- Close a medical practice and retire
- Sell a medical practice to a purchasing physician or medical group
- Leave a medical practice where a management company (medical services organization, MSO) or telemedicine company plans to continue marketing to the patients, and/or to try to “swap in” another medical doctor without running afoul of corporate practice of medicine rules
In all these scenarios, there are HIPAA privacy and security concerns, issues under state law, medical ethical considerations, and other legal exposure (including, as we’ve seen in some cases, the risk of trade secret litigation).
Transfer of Patient Records During Sale of Medical Practice
The transfer of medical records might be done as part of a sale from the Outgoing MD to the Incoming MD.
In this case, normally the sale document will contain provisions for safe-keeping and/or transfer of the patient’s medical records, so that, among other things, the Incoming MD can access records on-site for those patients who will be under the Incoming MD’s care, and the Outgoing MD can retain records in case patients request access pursuant to HIPAA, or as otherwise needed.
Sometimes the selling and purchasing physician will mutually designate a custodian for the practice’s medical records, and then that custodian will sign a business associate agreement under which the custodian agrees to comply with HIPAA.
With regard to records retention by the Outgoing MD, HIPAA requires retaining policies and procedures, including patient authorizations (discussed further below), for six years (45 CFR 164.530(j)(2)); as well, there are California statutes requiring retention of medical records; and there are reasons for the Outgoing Physician to retain a copy of medical records for review in case of a negligence action.
Transfer of Records Where MD Leaves a Practice Location to an MSO
Where the Outgoing MD leaves a practice location and, in lieu of a sale from Outgoing MD to Incoming MD, there is only a management services organization (“MSO”) or physician assistant (“PA”) remaining at the practice location (awaiting the arrival of the Incoming MD), this is a difficult situation.
We have counseled clients in this situation, where the remaining MSO or PA desires to build the practice by bringing in another physician. However, the MSO or PA cannot practice medicine. Also, state laws usually prohibit general corporations and LLCs from practicing medicine (this is unlawful corporate practice of medicine).
For example, the California Medical Board states in its webpage on Corporate Practice of Medicine: “Ownership is an indicator of control of a patient’s medical records, including determining the contents thereof, and should be retained by a California licensed physician.” This suggests that any impression that the MSO or PA is in charge of medical records creates enforcement peril.
Navigating HIPAA waters for an MSO or telemedicine company (or an app, where the app founders have created an LLC, for example, and contract with doctors) in these situations is somewhat tricky. Among other things, the management agreement between the MSO and the professional medical corporation has to carefully specify who owns the medical records, who has access to them, and what happens if and when the relationship dissolves. We do careful drafting in these situations.
We turn from these issues to questions of patient notification and patient authorization which are central to regulatory authorities in any scenario.
A physician terminating a physician-patient relationship must give notice to the patients; otherwise, there is patient abandonment.
The California Medical Board (“CMB”), in Closing Your Medical Practice, provides guidance to physicians regarding the “closure of or departure from a medical practice office.”
To ensure “a smooth transition from the current physician to the new treating physician,” and, to reduce liability of patient abandonment while ensuring a “minimum of disruption in continuity of care,” CMB suggests that the Outgoing MD “notify patients sufficiently in advance.” Specifically, without defining what “sufficiently in advance” means, CMB recommends the following:
- The Outgoing MD should send patients a letter explaining the change in practice, including the final date of the Outgoing MD’s practice. “The California Medical Association (CMA) recommends, if possible, that letters be sent by certified mail, return receipt requested, and that a copy of the letter with the return receipt be kept. To inform inactive patients or those who have moved away, the CMA also recommends placing an advertisement in a local newspaper.”
- Patients must be advised (presumably in the letter) “as to where their medical records will be stored including how they may access them. To facilitate the transfer of medical records to the new treating physician, an authorization form should be included in the letter.”
- Patients should be transitioned to another healthcare provider, which can be the Incoming MD (either the physician who is taking over the practice, or, another physician whom the Outgoing MD can recommend).
CMB defines neither “active” nor “inactive” patients. The AMA defines active patients as at least those patients who have been seen by the physician within the past two years, as well as patients who have chronic or complicated conditions.
Other associations such as the Oregon Medical Association define “active” patients as those patients who have been seen by the physician within the past 3 years.
In addition to patient notification, we typically recommend that the Outgoing MD have patients sign an authorization form, in which the patient authorizes the release of his or her medical records to either the Incoming MD, or to a physician of the patient’s choice.
This is because of what HIPAA requires, and also because of state law (below, we look briefly at California law).
The next part is a little technical.
Before we get to it, we note that in 2015, the New York Attorney General announced a settlement under HIPAA with the University of Rochester Medical Center arising out of the Center’s release of patient lists to a formerly employed nurse practitioner (NP):
The settlement, reached with University of Rochester Medical Center (“URMC”), requires the medical center to train its workforce on policies and procedures related to protected patient health information, notify the Attorney General of future breaches, and pay a $15,000 penalty…
The settlement is in response to a data breach that occurred in the spring of 2015, when a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients. On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN.
URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients, and the media was alerted.
The settlement, among other things, requires the Center to annually certify to the New York Attorney General for the next three years that it has implemented HIPAA training.
With the state AG getting in on regulatory enforcement, the perils of not paying attention to compliance rules regarding medical records have increased.
Notably, this case involved disclosure to a nurse practitioner, not a physician.
HIPAA and Disclosure of Patient Records
How does HIPAA come into play for the departing clinician?
Here is some detail for HIPAA aficionados.
If HIPAA applies, then we start with 45 CFR 164.508(a)(1), which states that except as otherwise permitted or required, a covered entity (i.e., an MD) “may not use or disclose protected health information [(“PHI”)] without an authorization that is valid under this section.” The authorization must contain the core elements and requirement statements specified in 45 CFR 164.508(c) and must be in plain language, and a copy must be provided to the patient.
However, 45 CFR 164.506 provides that, except with respect to uses or disclosures that require an authorization under 164.508(a)(2)-(4), a covered entity may use or disclose PHI without an authorization, for the purposes of “treatment, payment, or health care operations as set forth in paragraph [164.506](c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.”
(Subsections (2)-(4) deal, respectively, with psychotherapy notes; marketing; and sale of PHI as defined in 164.501. Sale of PHI involves remuneration (164.502(a)(5)(ii)) and does not include treatment and payment purposes pursuant to 164.506(a).)
“Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” 45 CFR 164.501
Section 164.506(c) further provides:
(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for treatment activities of a health care provider….
(4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
This is a bit ambiguous with respect to transfer of medical records to the Outgoing MD. To the extent the Outgoing MD is not in the same “organized healthcare arrangement” as the Incoming MD, (5) would not apply, and, most likely, (1) and (4) would not apply either. This would mean that disclosure, without a new patient authorization, would not be allowed.
The question is whether 164.506(c)(2) would allow disclosure without a new patient authorization, by the Outgoing MD to the Incoming MD—i.e., whether the Incoming MD would be considered a “healthcare provider.”
Consistent with the view that such disclosure would be allowed, the U.S. Department of Health and Human Services (“HHS”) offers this guidance:
Question: Does a physician need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider who will treat the patient?
Answer: No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
However, 45 CFR 164.506 speaks to use or disclosure of PHI by the covered entity for treatment. This may not necessarily mean someone in the position of the Outgoing MD (i.e., it may not mean just any covered entity; presumably the Outgoing MD cannot simply transfer patient records, willy-nilly, to any MD, anywhere).
Our brief review of HIPAA leads us to recommend getting a patient authorization executed for transfer of patient medical records (or copies thereof) to the Incoming MD.
Even when HIPAA applies, state law (here we’ll look at California law) must be considered if it is more stringent than HIPAA; and even when HIPAA does not apply, California law must be considered.
Under California Civil Code, Section 56.10(a), which is part of the California Medical Information Act (“CMIA”), a healthcare provider “shall not disclose medical information regarding a patient … without first obtaining an authorization,” with several limited exceptions. One of the exceptions is disclosure to “providers of health care … or other health care professionals or facilities” for purposes of diagnosis or treatment of the patient (Cal. Civ. Code, Section 56.10(c)(1)).
Whether or not Section 56.10(c)(1) would allow the Outgoing MD to transfer a patient’s medical records to the Incoming MD without patient authorization, CMB’s position in Closing Your Medical Practice appears to be that an authorization is required.
Further, Section 56.11 provides that any person or entity who wishes to obtain “medical information,” other than a person or entity authorized to receive medical information pursuant to 56.10(b) or (c), “shall obtain a valid authorization for the release of this information.” Section 56.11 then sets forth requirements for the authorization, including that it must be handwritten by the person who signs it, or in at least 14-point type. Upon demand by the patient or person who signed the authorization, the healthcare provider must furnish a true copy of the authorization (Section 56.12).
Leaving a Medical Group or Practice or Employment situation? Closing a Practice? Questions? Call us.
As you can see, the rules are quite complicated. Tales of woe come from not paying attention to the many arcane rules that can, apparently, trip up even an established medical center that probably has an advanced legal team.
Whether you’re a telemedicine company, a medical management services organization, or a departing physician, nurse, or physician assistant, be cautious before you up and away with patient records. Get legal counsel before departure — and ideally, get legal counsel before you join that medical group or facility.
Contact our healthcare legal team if you’re departing a medical practice.