How “Personal” is your PHI? Ohio Supreme Court Weighs In Thumbnail

How “Personal” is your PHI? Ohio Supreme Court Weighs In

In our electronic age, the privacy of one’s personal health information, or “PHI,” continues to be a hot button topic. In Ohio, protections from disclosure have long existed under both federal law – the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) – and under state law, which allows a person to sue for damages if someone makes an unauthorized disclosure of PHI. Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395 (1999) (known as a “Biddle Claim”).  Questions remain as to; (a) whether HIPAA affects the right to bring those Biddle Claims and (b) the circumstances under which someone may disclose PHI without being subject to liability for a Biddle Claim.

The Ohio Supreme Court just answered those questions in Menorah Park Center for Senior Living v. Rolston, 2020-Ohio-6658. Menorah Park had sued Irene Rolston for her failure to pay for certain medical treatment. To comply with pleading rules, Menorah Park attached to its complaint two billing statements that included Rolston’s name, address, medical procedure codes, brief descriptions of the services provided, and the amounts charged, credited and owed.  Ms. Rolston counter-claimed against Menorah Park, making a Biddle Claim that the inclusion of these bills in a public pleading violated Menorah Park’s obligation to keep her PHI confidential.

Rolston’s claims were dismissed by the trial court, but her Biddle Claim was revived on appeal.  The Supreme Court was asked to consider whether Biddle Claims in Ohio were preempted by HIPAA, which does not recognize a private right of action. And, if not, whether Menorah Park was justified in making the disclosure for purposes of bill-collecting.

The Court first concluded that Biddle Claims are alive and well in Ohio. It noted that, while HIPAA certainly created protections for PHI, the statute does not preclude states from providing even stricter protections. As such, whether or not a health care provider formally complies with HIPAA has no bearing on whether that provider might be subject to liability for a Biddle Claim.

But, while the Court giveth, it also taketh away. Menorah Park argued it was entitled to make the “minimal” PHI disclosures in this instance because an exception, or “privilege,” exists that allowed Menorah Park to make the disclosure it made. Since Menorah Park was legally obligated to reasonably identify the basis for its claims, it argued that it should be allowed to make disclosures to the extent necessary to satisfy that standard.

The Supreme Court agreed, both formally recognizing this exception to a Biddle Claim and putting its stamp of approval on the type of information Menorah Park had disclosed. The Court concluded that a provider can disclose PHI in such circumstances as long as it makes “reasonable efforts” to minimize the PHI disclosed, and that Menorah Park met this standard.

Not all of the justices agreed on the latter point, however. Three justices variously contended that Menorah Park revealed too much, there was no evidence of “reasonable efforts” to minimize disclosure, and that, at the least, this presented a fact question that required further consideration at the trial court level.

Based on the majority decision, however, it appears providers are now free to use their billing statements to pursue collections without worrying about having to defend against a Biddle Claim.

Related professionals

Related practices