Posts Tagged ‘privacy’

Privacy Concerns Loom Large in Probate Court

JANUARY 16, 2017 VOLUME 24 NUMBER 3
Things change. This is our twenty-fourth year of publishing Elder Law Issues, and one thing we frankly didn’t think much about a quarter-century ago was privacy. Today it’s a big concern, and central to a lot of our thinking.

When Fleming & Curti, PLC, first formed in 1994, partners Tom Curti and Robert Fleming each already had nearly twenty years of professional practice. During those early years, we commonly included client’s Social Security numbers in estate planning documents, as did most practitioners. We all routinely provided detailed financial information in court filings — both in probate cases and in guardianship and conservatorship matters.

Yes, “identity theft” was an issue, even in the 1970s and 1980s. But most cases of identity theft in those days involved bad people looking for the names of people who had died in their teens, or even before, and applying for credit and entering into transactions using those names. Even if information was filed in the County courthouse, it was only theoretically vulnerable — few people knew how to get into court files, and one would have to physically travel to the courthouse to look up information. While nominally public, information filed in public records did not seem very vulnerable.

That is simply not the case any longer. Many county courts (not — yet — including the Pima County Superior Court in Tucson) have all of their court files available online. Regional and national aggregators — and even search engines — can list your name, or your parents’ names, for easy retrieval. Identity thieves can look up that information from the comfortable anonymity of their own computers, and from anywhere in the world.

At the same time, public information is generally, well, public. The community has a right to know who has been sued, who has brought suit, and who is involved in court cases. But how to balance that open disclosure with the need for privacy?

That’s the problem faced this month by the Maine Supreme Court — in a request by a single participant in the Maine guardianship/conservatorship system. “Emma” (not her real name — the Supreme Court itself agreed to “de-identify” Emma by giving her a false name) sought to have her financial records removed from the publicly available records. She alleged that the court was involved in disclosing her personal information, and that the practice should change. She also argued that removing the public information would be an appropriate accommodation under the Americans With Disabilities Act, and that failure to do so was discriminatory against individuals whose disabilities resulted in court-ordered guardianships and conservatorships.

The probate judge in Maine recognized that there was a legitimate concern. In an unusual request, he asked the state Supreme Court to tell him: should such records be completely hidden from view, referred to but not made available, summarized but not actually put online, or made completely available online?

The Maine Supreme Court punted. It observed that it might be appropriate to set a statewide rule, but not in an individual case. It ruled that Emma might well have a method of making her case, using her ADA argument. And, it reasoned, it wasn’t particularly good at giving general advice — its job was to decide individual cases, and not so much to review rules and procedures. They declined to answer the judge’s questions. Conservatorship of Emma, 2017 ME 1, January 5, 2017,

This problem faces every court, not just those in Maine. In Arizona, for instance, our Supreme Court has adopted extensive rules attempting to maintain privacy of items like Social Security numbers, bank records and balances, medical diagnoses and information. Today much of the contents of a guardianship or conservatorship file will be sealed, made available only on specific court order and then only to individuals who have some reasonable basis for getting access.

There are several other ironies in the Maine Supreme Court’s review of confidentiality. One involves Emma herself — though the Court changed her name, it left enough detail that it was frankly child’s play to look her up, learn her name and address, and the approximate value of her assets — without setting a foot in Maine. It took about fifteen minutes of online searching; we did not seek to learn anything about Emma, but only to see how easy it might actually be.

We sympathize with the Maine courts’ concern about how to balance information with privacy. We have been wrestling with the same problem in this weekly blog-based newsletter for several years. Regular readers will see that we, like the Court, anonymize names of litigants on a regular basis. We do that despite the reality that their names are usually public records (usually included in the name of the case itself — though not in Emma’s case). Why bother? At least we hope that a search for a grandmother or uncle by name will not list their legal troubles — and our newsletter article about them — at the top of the list. But in order to give readers the ability to follow up on the details of court opinions, we still have to include the name of the case.

It seems likely that the County court handling Emma’s case will continue to work on how to protect privacy issues. The judge who entered orders in her case — and who helped seal much of the public record about her — died in September last year. His elected successor: his wife, who presumably will have similar plans for protecting personal information in probate proceedings.

Privacy and Medical Records: A Few Words About HIPAA

JUNE 3, 2013 VOLUME 20 NUMBER 22
A delightful, intelligent and witty client of ours (nearly all our clients are delightful, intelligent and witty) visited her podiatrist’s office. Our client has always battled problems with her weight, so when an assistant insisted that she step onto an office scale she declined. I’m pretty sure, she said, that my podiatrist doesn’t really need to know my weight, and I just don’t like scales. The podiatrist’s assistant smiled understandingly but insisted. “I’m sorry,” she said, “but we have to take your weight on each visit. It’s required by HIPAA.”

Experienced elder law attorneys and people working in the medical field will likely have laughed out loud at that story. It is a good illustration of just how misunderstood HIPAA really is.

HIPAA, for those less familiar with acronym-speak, is the Health Insurance Portability and Accountability Act of 1996. As the name of the law indicates, it has been around for nearly twenty years, though it came to more prominence in 2003, when the first round of regulations implementing the law became effective. HIPAA has since been blamed for all manner of silliness — including the mandatory weigh-in at our client’s podiatry office, the “please stand behind this line” sign at your local pharmacy counter, and (our personal favorite) the sign-in sheet at your doctor’s office that variously requires either your first (only) or last (only) name — apparently on the theory that your privacy is better protected when the receptionist shouts out “Mr. Johnson?” or, in another office, “Dave?”

What does HIPAA actually provide? It mandates that your health care providers — pretty much all of them — keep your records and data confidential. It is an attempt to prevent sale and recirculation of identifiable data. You would probably not want your name added to a list of people diagnosed with a given condition, and then sold to an insurance company, or a medical supplier. HIPAA is on your side.

But here’s the more difficult part. HIPAA doesn’t mandate that doctor’s offices treat you like (or actually issue you) a number to hide your name. It doesn’t require that you weigh in at your podiatrist’s. It doesn’t prevent the hospital where you are being treated from communicating with your doctor’s office or your pharmacy. It also doesn’t give you the right to sue your doctor, hospital or pharmacist for violating your privacy.

What does get prosecuted under HIPAA? Not much. Last year, according to the US Department of Health and Human Services, there were about 10,000 HIPAA complaints received. About two-thirds of those were dealt with summarily, and another large segment are deemed to involve no violation at all. That leaves about a quarter of all cases in which some sort of corrective action is mandated — which does not mean fines, or criminal prosecution, or even public disclosure of offending offices or providers.

From time to time there are serious fines levied. Just last month, for instance, Idaho State University paid a $400,000 settlement for disabling its firewall protection on servers housing patient data on almost 20,000 individuals cared for in its clinics. And just a few months earlier, Hospice of Northern Idaho agreed to pay $50,000 to resolve violations centering on the theft of an unencrypted laptop containing records of 441 hospice patients. The Hospice of Northern Idaho case was a landmark, according to the Department of Health and Human Services: it was the first time the agency had entered into a settlement involving security breaches involving fewer than 500 patients.

Obviously, the privacy regulations governing health care providers have a big impact on the provision of services and on patients. But what does this have to do with lawyers — especially since lawyers can not file lawsuits on behalf of clients who believe that their HIPAA privacy rights have been violated? It is the doctrine of unintended consequences writ large: lawyers who draft estate planning documents for clients want to be sure that they will be effective at a later time when the client may not be able to give consent. But there is concern that doctors, hospitals and other health care providers will not deal with family members, even if they have been named as agent in a properly drawn power of attorney.

We should not have to worry. The Department of Health and Human Services has made clear that it permissible for medical providers — including doctors, pharmacists, nurses and social workers — to talk with family members unless the patient has expressly forbidden such conversations. Among the frequently asked questions prominently listed on the DHHS website is this one:

“If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?”

The answer, in a word, is “yes.” Read the DHHS answer for more detail.

Much of the hyperbole about the reach of HIPAA, and the difficulty in complying, is just silly. Your doctor is supposed to have a plan for protecting your health records, and not to share them inappropriately. That should not preclude talking with either your family or your other health providers (hospital, pharmacist, social worker). But to be safe, your health care power of attorney, your financial power of attorney and even your revocable living trust could include a provision expressly authorizing your agent and trustee to talk with your doctor when it is necessary to get updated medical information.

And our client with the anxiety about stepping on the podiatrist’s scale? We explained the law to her. “That’s just silly,” we said. “HIPAA doesn’t mandate that they weigh you at every visit. That’s the Patriot Act.”

©2017 Fleming & Curti, PLC