Comments (0)

By Dissent, September 3, 2010

Dr. Ken Pope mentioned this case on his mail list today, and I thought it might also be of interested to blog readers as it addresses whether the state’s interesting in investigating a psychiatrist trumps psychotherapist-patient privilege.

Here’s the summary of this case from Massachusetts, Board of Registration in Medicine vs. John Doe, as included in the court’s opinion:

This case arises out of an investigation by the Board of Registration in Medicine (board) into the treatment practices of John Doe, a board-certified psychiatrist who specializes in pain management. As part of its investigation, the board subpoenaed the treatment records of twenty-four of Doe’s patients. Doe refused to comply with the subpoena, and pursuant to G.L. c. 233, § 10, [FN2] the board commenced an action to enforce it. A judge in the Superior Court ruled that the records were not protected by the psychotherapist-patient privilege, see G.L. c. 233, § 20B [FN3] (the statute), and ordered Doe to produce them. Doe appealed and we transferred the case on our own motion.

Doe contends that the subpoenaed records are protected by the psychotherapist-patient privilege set out in G.L. c. 233, § 20B. The board argues that the privilege does not apply because Doe does not meet the qualifications of a “psychotherapist” as defined by the statute. The board maintains that Doe devotes most of his time to pain management. Because pain management is not the practice of psychiatry, the argument goes, Doe does not devote a substantial amount of time to the practice of psychiatry as required by the statute. In the alternative, the board contends that, even if Doe is a psychotherapist as defined by the statute, the records must be produced in this case because the board’s compelling need to examine the records in furtherance of its mission to protect the public safety outweighs the confidentiality interests protected by the privilege. The record establishes that pain management is a subspecialty of psychiatry; consequently, Doe devotes a substantial amount of time to the practice of psychiatry. Thus, we conclude that Doe is a psychotherapist within the meaning of the statute. In addition, we conclude that the psychotherapist-patient privilege statute does not permit a weighing of the public interest against the interests protected by the privilege. We therefore vacate the judgment stating that Doe is not a psychotherapist and ordering him to produce the records, and remand to the Superior Court for entry of an order quashing the subpoena.

You can read the entire opinion here.

Comments (0)

By Dissent, August 27, 2010

Jeff D. Gorman reports:

Minnesota did not violate families’ privacy rights by collecting and storing children’s blood samples, the state Court of Appeals ruled.

Alan and Keri Bearder and the parents of 23 other children sued the state and its Department of Health for allegedly collecting blood samples from their infants to test for genetic disorders, and then storing the blood in freezers for use in research.

The parents claimed the state’s actions violated state privacy laws.

Read more on Courthouse News, where you can also read the court’s opinion (pdf). A key part of the opinion was the broad powers of the Commissioner “trump” the state’s genetic privacy act which requires written informed consent before use of the information “unless otherwise expressly provided by law.”

Applying these principles, we conclude that Minn. Stat. § 144.125-.128 and other governing legislation granting the commissioner broad authority to manage the newborn screening program amount to an “express” provision of law that authorizes collection, retention, use and dissemination of blood specimens for the newborn screening program, making the genetic privacy act inapplicable.

Comments (0)

By Dissent, August 27, 2010

Joseph Lazzarotti of Jackson Lewis writes:

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any “information security incident.” This post provides a brief summary of this new requirement.

[...]

What is an “information security incident”?

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute which requires notification only with respect to computerized personal information, this mandate applies to paper documents which includes personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

Read more about the new bulletin on Workplace Privacy Data Management & Security Report. The state is now requiring covered entities to provide them with a lot of detailed information to the state within five (5) calendar days after a breach is identified.

Obviously, I’m delighted to see the inclusion of paper records and the absence of a “significant harm” threshold. Without knowing the history of this bulletin, I might guess that it is, at least in part, a reaction to a number of breaches by health insurers where neither the state nor residents were promptly notified of a breach and where the state’s attorney general investigated the breaches and insisted that the insurers offer credit monitoring services, etc.

That said, this situation also highlights the patchwork quality of regulations and statutes even with one state, much less between states. Can you hear me now, Congress?

Cross-posted from databreaches.net

Comments Off

By Dissent, August 24, 2010

Richard L. Santalesa writes:

Recently the Indiana legislature passed, and Indiana’s governor signed into law, Senate Enrolled Act No. 356 (a/k/a Public Law 84 of Second Regular Session 116th General Assembly 2010), a wide-ranging 71-page bill that, in addition to setting out practices and requirements for barbers, cosmetologists, well pump installers, mental health counselors and numerous other state licensed professions, included legislative modifications to add a new chapter to the Indiana Code entitled Health Records and Identifying Information Protection (the “Act”), IC 4-6-14, effective as of July 1, 2010. The new chapter specifies new duties given to the Indiana Attorney General related to the identification, handling, and ultimate transfer, destruction or delivery of abandoned health and other records containing personal information.

Read the FAQ on Information Law Group. Kudos to Indiana for codifying how the state may take charge of abandoned health records.

Comments Off

By Dissent, August 20, 2010

Nebraska Attorney General Jon Bruning announced Wednesday that he has agreed to a permanent injunction of a Nebraska abortion law [LB 594 materials] because he believes there is little chance that the law will withstand a court challenge. The law, known as the Women’s Health Protection Act, would have required physicians to evaluate patients to determine that their choice to have an abortion was voluntary and to inform the patients of all risk factors and complications that have been statistically associated with abortion and published in peer-reviewed journals 12 months prior to the pre-abortion evaluation, as well as earlier studies.

Read more on JURIST.