What HIPAA Rules Were Broken During the Bornstein “Raid”?
May 14, 2018
Have Dr. Harold Bornstein’s actions as President Trump’s former physician potentially violated HIPAA? Were there potential violations from the ‘raid’ that followed? Based on the information reported in the media, HIPAA rules were breached.
HIPAA Authorization Release Form
Bornstein, who has served as Trump’s doctor for more than 30 years, stated that last February, three men claiming to represent Mr. Trump came into his office and forced him to surrender all of Trump’s medical records. While the seizure did come with a letter to Bornstein from Ronny Jackson, the White House doctor, we don’t know if a HIPAA release form was included in that letter. Health care providers are prohibited from discussing or releasing any aspect of your medical information with anyone who is not directly involved in your care unless a signed authorization is presented. If there was no release signed by President Trump, this is a HIPAA violation.1
Refraining From Intimidation or Retaliation Tactics
How did the “raid,” as Bornstein reported, go down? If it was as the doctor claims that he was intimidated by the intruders to release the records, that is a HIPAA violation. HIPAA law (45 CFR§160.316) states that a Covered Entity or Business Associate – in this case, potentially the White House doctor’s posse – may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual.2
Copies of Medical Records
Bornstein reported that the White House crew left with his original medical records. If that’s the case, another HIPAA rule was violated. Under New York State law, physicians must keep patient records for six years after the last visit, which means that copies of Trump’s records should have been given to the intruders, not the originals.3
The theft of the original documents could’ve been avoided if Bornstein had transferred the paper medical records into a digital format and stored the information in an EMR/EHR program. A doctor can safeguard medical records more efficiently through the use of EMR/EHR software. Bornstein did not take advantage of the significant financial incentive provided through the American Recovery and Reinvestment Act to help medical providers adopt EMR/EHR in their practices. HIPAA’s security requirements would have required the information to be encrypted and thus protected.
HIPAA rules will not likely be applied to this incident since it is likely that President Trump and his handlers do not want health information about the President leaked to the public. The irony is HIPAA already protected Trump’s medical information, but the heavy-handed tactics could result in some of the information being revealed by a detractor of the President. As the saying goes, “Let sleeping dogs lie.”