Protection of Patient Confidentiality in the Bankruptcy Setting

Health care bankruptcies present debtor’s counsel with a whole host of unique issues. Should a patient care ombudsman be appointed? How do you provide notice of the bankruptcy to patients without violating HIPAA[1] or other laws relating to the protection of patient confidentiality? What to do with medical records when there are insufficient funds to store them? Clearly, these questions are only the tip of the iceberg and this article is only going to touch on the issues relating to the protection of patient confidentiality.

Notice Without Disclosure

One of the most daunting issues in a health care bankruptcy case is maintaining patient privacy and confidentiality. On Aug. 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted. Thereafter, the U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to provide a set of standards in connection with the use and disclosure of an individual’s health information, also known as “protected health information.”[2] A discussion and analysis of HIPAA is beyond the scope of this article; however, the protections provided for by HIPAA provide in part the framework for the discussion.

Generally, hospitals and long-term care providers must comply with HIPAA because they, or a retained service provider, electronically transmit health care information for purposes of billing. The Privacy Rule protects all “individually identifiable health information.” 45 C.F.R. §160.103. Individually identifiable health information includes, but is not limited to, the name and address of the individual. Clearly, there is the argument that one’s name and address can be found in a telephone book. However, the issue here is that the name associated with a health care entity divulges that an individual may have sought health care services. Further, in this era of specialization the mere name of the facility could reveal the type of services sought. Thus, the identity of the patient, who potentially could have a claim, must be protected.

The bankruptcy courts are also sensitive to this issue. In the past year, two courts[3] have allowed the debtors to file portions of their schedules and statements under seal. In both cases, the debtors filed motions with the bankruptcy court prior to the date that schedules and statements were due. In these cases the debtors requested authorization essentially to carve out the schedules that related to potential nonpublic patient claims (patient schedules), and permission not to include these names on the published creditors’ matrix. The debtors then filed the patient schedules under seal. Unfortunately, this undertaking then imposes additional burdens on the debtor going forward. For one, the debtor is now responsible for sending out the notice of bankruptcy, which in most jurisdictions is handled by the clerk’s office. Also, any other notices or pleadings that a particular jurisdiction’s clerk’s office would normally distribute, now must be done by the debtor.

Lack of Funds for Medical Records Storage

The storage of medical records is another issue that relates to protecting the confidentiality of the patient, as well as is necessary for purposes of billing. However, this issue becomes quite challenging to the debtor when there is clearly a lack of funds in the case to pay for storage of the records. Most of the states have laws that provide how long a health care facility must retain records. The retention can be 10 years or longer depending on the age of the patient. Some states such as Kansas[4] provide for the appointment of a custodian of records if the facility closes. In Mississippi, the law provides for transferring the records to another facility in the same vicinity.[5] Tennessee and Washington have provisions whereby the department of health becomes involved in the storage of the medical records.[6] It should also be noted that some states impose harsh penalties on individuals who do not comply with retention statutes. In California, if records are abandoned due to dissolution of the license, legal action can be taken against the corporation’s or the partnership’s principal officers.[7] In New Mexico, failure to retain records can result in criminal charges.[8]

The amendments to the Bankruptcy Code attempted to address this issue. According to 11 U.S.C. §351

If a health care business commences a case under chapter 7, 9, or 11, and the trustee does not have a sufficient amount of funds to pay for the storage of patient records in the manner required under applicable federal or state law, the following requirement shall apply:

(1) The trustee shall—

(A) promptly publish notice, in one or more appropriate newspapers, that if patient records are not claimed by the patient or an insurance provider (if applicable law permits the insurance provider to make that claim) by the date that is 365 days after the date of that notification, the trustee will destroy the patient records; and

(B) during the first 180 days of the 365-day period described in subparagraph (A), promptly attempt to notify directly each patient that is the subject of the patient records and appropriate insurance carrier concerning the patient records by mailing to the most recent known address for that patient, or a family member or contact person for that patient, and to the appropriate insurance carrier an appropriate notice regarding the claiming or disposing of patient records.

(2) If, after providing the notification under paragraph (1), patient records are not claimed during the 365-day period described under that paragraph, the trustee shall mail, by certified mail, at the end of such 365-day period a written request to each appropriate federal agency to request permission from that agency to deposit the patient records with that agency, except that no federal agency is required to accept patient records under this paragraph.

(3) If, following the 365-day period described in paragraph (2) and providing the notification under paragraph (1), patient records are not claimed by a patient or insurance provider or request is not granted by a federal agency to deposit such records with that agency, the trustee shall destroy those records by-

(A) if the records are written, shredding or burning the records; or

(B) if the records are magnetic, optical, or other electronic records, by otherwise destroying those records so that those records cannot be retrieved.

Although the Code does provide some guidance on how to address the issue of storage, there is still the issue of funding. The trustee is still going to have to send notice to patients and store the records for a minimum of one year. One alternative that may be considered is entering into a medical records trustee agreement with the previous practitioner. Although the health care facility may not exist, the previous physicians associated with the debtor may have been the treating physicians. Thus, they are often times amenable to taking custody of the records for their patients. The physician taking custody of the records would have been the treating physician, so there would not be HIPAA concerns. If this is the chosen route, there must be a provision that will allow the debtor or trustee reasonable access to the records for purposes of audits and other billing issues. Additionally, there would need to be notice to the patient of the new custodian. Depending on the number of records, seeking authorization to publish the notice in a newspaper of local circulation should be considered.

Also, retention of the medical records can be included as part of the sale of a hospital. The medical records are not sold, but simply remain with the successor hospital. A medical records trustee agreement should be made a part of the transaction. Again, notice must be provided to patients, and in this case, because the medical records are going with another entity, the record should not be accessed without the patient’s consent. If this patient was to return to the health care facility, this would be an opportunity to obtain that consent.

Due to the type of information a health care facility holds about individual’s personal lives, it is critical that bankruptcy practitioners are careful in the dissemination of information. Whereas the disclosure of who might be owed a refund, or who might owe money to the debtor in most bankruptcy cases is public, in health care bankruptcy cases such information could violate an individual’s right to privacy. However, current and past patients are entitled to and should receive notice of the bankruptcy so that their rights are protected. Thus, bankruptcy practitioners should seek the necessary court intervention to ensure that notice to patients is adequate to protect their rights, while also preserving patients’ confidentiality and valuable medical information.