|
| Sample Newsletters | MarketPlace AIS Products & Services |
|
AIS's Health Business Daily
Featured Story May 14, 2008 Hospitals Face Tricky Patient Privacy Scenarios When Law Enforcement Officials Request Patient DNAReprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions. To catch the notorious "BTK" killer, police collected the DNA of more than 1,300 men. In the end, it was the DNA of just one person — a woman, his daughter — that led to the arrest of the man and his subsequent confession. Without her knowledge or consent, the woman's medical providers gave her DNA, collected years earlier during a gynecological screening test, to the police. Investigators then were able to make a close enough match to DNA found at crime scenes to identify the man as the killer of 10 people. DNA is considered protected health information (PHI) under the privacy rule. Yet, as with many aspects of the privacy rule, its treatment of DNA is complicated, and interpretations are being challenged by new developments in investigative techniques, such as the use of a family member's DNA. Eyed by some law enforcement officials as a treasure trove of DNA, hospitals and other covered entities (CEs) are increasingly finding themselves on the front lines when it comes to disclosure of their patients' DNA. Privacy experts warn that compliance officers need to be prepared and know how to handle DNA requests from law enforcement officials, be aware of what they are permitted to release and under what circumstances, and whether patients must be notified. Others are also concerned that current protections for DNA that leaves a CE's hands are inadequate. It is important for hospitals to understand "you are not the police forces' data evidence warehouse," says Jeff Drummond, a partner in the health care section of law firm Jackson Walker in Dallas. "We need to be careful about this," adds Sonia Suter, an associate professor of law at the George Washington University School of Law and an expert on genetic privacy issues. "There are conflicting issues here...the good of privacy and the good of law enforcement." Killer Was Loose for Decades Dennis Rader, a Wichita, Kan., resident now serving 175 years in prison, called himself BTK for his preferred method of ending his victims' lives: bind, torture, kill. His crimes were committed from 1974 to 1991, but he was not arrested until February 2005; he offered a confession on the first day of his trial and was sentenced in August of that year. It was his daughter's DNA sample that provided the final identifying link to him. His identity as the BTK killer had been strongly suggested by an e-mail he had sent that was traced back to church, where he had just been elected church council president. Police wanted to get Rader's DNA but did not want to tip him off, and theorized that his daughter had probably been seen at a university health clinic when she was a student. The retrieval of Rader's daughter's DNA would have had to follow several steps, privacy experts say. First, the health care provider, in this case a university health clinic, would have had to acknowledge that she had been a patient there and whether there was any DNA available to disclose to the police. Drummond says the privacy rule probably allows a hospital or other CE to release this information without a subpoena or other court order. But to actually retrieve a tissue sample would be a more difficult matter. In this case BTK's daughter still had her privacy rights intact as she was not a crime suspect or a victim. Privacy Rule Limits DNA Disclosure DNA has extra protections under HIPAA because the potential for harm or misuse is so great. There is not yet a federal law prohibiting job or insurance discrimination (except in group health plans) based on genetic information, although it appears there could be one soon. "The police can't just walk in and say 'give me a DNA sample,'" says Drummond. "Well, they can, but the hospital doesn't have to give it to them without a proper subpoena or other court order." "This was a highly unusual case, especially because it was the daughter's specimen that was sought," Mark Rothstein, chairman of the privacy and confidentiality subcommittee of the National Committee on Vital and Health Statistics, the leading government advisory panel on privacy issues, tells RPP. How the privacy rule treats DNA "is very complicated," explains Rothstein, who is also director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine. As described in an FAQ, the HHS Office for Civil Rights, which enforces the privacy rule, set out these circumstances for the release of PHI to law enforcement officials:
This same limited information may be reported to law enforcement:
To respond to a request for PHI about a victim of a crime, [when] the victim agrees. If, because of an emergency or the person's incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3))." Disclosure Need Not Be Automatic With regard to crime victims who may be brought to a hospital unconscious, "you don't have to wait until the person wakes up" to ask if you can retrieve DNA," Drummond says. "You are helping that person by tracking down the person who victimized them." Case law — and some state laws — have held that some convicted criminals have reduced privacy rights. In addition, some states allow the collection of DNA without certain authorization from an arrested individual if he or she is a crime suspect and has already been arrested or is being held, Suter says. Most states protect against the collection of an innocent person's DNA without a court order. The issue is also not clear when it is a family member's DNA that is being sought, she says. "If there had not been a proper subpoena, grand jury summons, etc., the health clinic could not have provided the information, except in some really limited circumstances where the daughter, or person's whose PHI is surrendered, is thought to be a victim of a crime," adds Drummond. "DNA is specifically excluded from the information a covered entity can give for identification purposes, unless there is a subpoena." Drummond also notes that releasing this information may, in fact, be optional. "The rule says this may be disclosed, not must," he says. When faced with a law-enforcement request for PHI and when you are unsure of what to do, there is no harm in insisting on a court order to produce a requested specimen, Rothstein says. "In general, my advice to a hospital would be that, in any doubtful, non-emergency case, require a warrant. The process of adjudicating the factual claim of the need for the information will protect all relevant parties," Rothstein says. If when a subpoena has been produced, compliance need not be automatic, since there may be grounds to contest it, says Suter. "The hospital is not going to get wind [of a court order or subpoena] in advance. Maybe after the fact they could try to quash the subpoena," she says. For example, in the Rader case, Suter says she would want to know that officials had tried "every other possible way" to get her father's DNA or other evidence before they came looking for his daughter's DNA. Could the police instead have requested a search warrant and taken a comb or brush from the woman's house, and tested a strand of hair to match her DNA with her father's? "The best advice that I can give is to try and make sure the [disclosure] request is specific and limited in scope. Is it relevant and material? There could be a challenge if the scope is overly broad," according to Suter. "We have to think about safeguards and limits," she adds. Once you do comply, the patient likely will never know - at least from the CE. "If they have a subpoena issued by a judicial officer, there is not a notice requirement" to the patient, Suter says. CE, Patient Can't Protect Sample Suter says what worries her most is what happens to a sample once it has left a CE. The patient, unaware, cannot ensure it is protected, and neither can the CE itself. This could present a tricky legal challenge if the patient felt he or she had come to some harm as a result of the DNA sample being disclosed. Given that it was obtained by the CE with the patient's understanding that it would be protected, would the CE have any liability? This is unclear today. There is a growing push to ensure that once PHI leaves a CE and undergoes a "secondary use," it retains the same stringent requirements that HIPAA imposes. Rothstein's committee made the case that it should, in a letter to HHS sent at the end of last year. But at least for now there is no such requirement. "What is most troubling to me is that there may not be sufficient safeguards once the DNA is collected. What happens to the samples? Are they retained — formally or informally? What are the protections," Suter asks. Under some state laws, "an innocent individual has a right to have the sample expunged, but the onus is on the individual to request that," she says. "I think it should be on law enforcement." Some would argue that PHI can be deidentified to provide protection to individuals, but Suter takes no comfort in that argument when it comes to DNA. "It would be
nearly impossible to completely deidentify genetic data once you have
used it to identify someone," she says.
|
| ||||||||
