HIPAA requirements may halt bankruptcy case
HIPAA may have just complicated a laboratory company's bankruptcy filing after HHS lawyers argued Laboratory Partners Inc. needed to get permission from former customers before selling their protected health information as part of the bankruptcy auction deal.
Lawyers for HHS filed a protective objection in Delaware bankruptcy court Dec. 18, and if a federal judge in Delaware agrees with the Department of Health and Human Services, HIPAA may get its way.
[See also: Ready or not: HIPAA gets tougher today.]
"HIPAA regulations provide that covered entities who seek to sell their customers' protected health information can only do so with their customers' authorization," federal lawyers wrote, asking the judge to deny the sale motion until the company proves it has former beneficiaries' approval.
Also known as MedLab, Laboratory Partners, a Cincinnati-based clinical laboratory network doing business in eight states, started voluntary chapter 11 bankruptcy proceedings in October, and as part of a restructuring plan is selling its long-term care division and, next year, one of its lab businesses in Indiana.
The long-term care division currently on the market has assets described as: "all consumer lists, machinery and equipment records, quality control records and procedures, employment and personnel records, and display materials."
It's those "customer lists" that HHS is taking issue with. "To the extent the customer lists contain any individually identifiable health information, Debtors’ have not demonstrated that each affected customer has authorized a sale of protected health information," HHS lawyers wrote. The lists “almost certainly contain protected health information whose sale is restricted under HIPAA."
If the buyer of the long-term care division is a HIPAA covered entity, the sale of the PHI in the assets would “not necessarily require the authorization of the beneficiaries as it would be considered a disclosure for the purposes of healthcare operations,” as federal lawyers told Laboratory Partners’ legal team.
"However," the federal lawyers wrote, Laboratory Partners "has been unable to assure the United States that the purchaser will be a 'Covered Entity.'"
[See also: HIPAA security gaffe puts PHI on Google.]
Cases like this and the sale of healthcare businesses raise the issue of the live of PHI, especially in the digital age as customer lists with personal health information would be valuable in their own right to advertisers.
The chair of the Federal Trade Commission, for one, is promising robust regulation of the emerging big data field. Last year the FTC called on data brokers to give consumers access to their information through an easy-to-find, easy-to-use common portal, and is supporting legislation giving consumers the ability to access, dispute or suppress data held by brokers.
In a contentious legal case, the FTC is also seeking a consent agreement with LabMD to have the Atlanta-based diagnostics company implement a comprehensive information security program, after allegations of a data breach. LabMD contends that the FTC doesn’t have the authority to regulate digital privacy.
November 14, 2019
November 13, 2019