With cyberattacks becoming more common in the healthcare industry, the likelihood that healthcare providers will go bankrupt increases. This can raise red flags for patient privacy and questions about the integrity of protected health information (PHI) after a provider files for Chapter 11 bankruptcy protection.
Chapter 11 bankruptcy is a federal process that allows businesses, including healthcare providers, to restructure debts and remain open while creating a plan for repayment to creditors over time.
It differs from Chapter 7, in which assets are liquidated to pay off debts; under Chapter 11, companies can restructure and propose a repayment plan while retaining control of their company.
The process can take several months or even years and, in most instances, requires creditors' and the court's approval. Chapter 11 is usually filed by businesses that want to remain afloat but are experiencing financial difficulty, especially in industries with ongoing obligations like healthcare.
Bankruptcy rules often require disclosing personally identifiable health information (PII). These documents, which were once difficult to access, are now instantly available in electronic form on the internet via resources like PACER, leading to potential privacy concerns.
As Sophie R. Rogers Churchill explains in 'The Conflict Between Bankruptcy Rules and HIPAA compliance', "Court filings often contain deeply personal identifying information, which raises privacy concerns."
In each Chapter 11 filing, healthcare organizations, like clinics, are forced to disclose the personal and financial information of their creditors, which could include former patients.
Churchill also comments, "When the Clinic files for bankruptcy, it may temporarily cease its operations. But fertility services are often pre-paid and/or out-of-pocket. Any patient who had pre-paid for services that were not performed will become a creditor in the Clinic's bankruptcy case."
Therefore, disclosing this information before informing the patient will violate their confidentiality.
Attorneys must comply with both the Bankruptcy Code and HIPAA, neither of which allows the release of private information without informed consent.
However, "the absurdity of this recommendation [presumes] that all the patients whose privacy is at risk...can and have retained attorneys," especially since bankruptcies often occur in economically strained regions. So, affected patients usually cannot afford to retain an attorney. Consequently, the burden falls on attorneys to address compliance with the two separate regulations.
Obtaining patient consent to release PHI seems like an easy solution during bankruptcy filings; however, as Churchill points out, "patient authorization may not always be the perfect solution." In many cases, patients are unaware of the bankruptcy until after their information has already been disclosed, making it difficult or impossible to obtain consent in time.
Another approach is anonymization, where, instead of the patients' names, numbers are used in public filings. Though this seems like a good approach, it is not perfect either.
As Churchill notes, even without naming names, "Including a patient on a schedule… requires the filer to know that the patient should be included." Anonymization is a complex process, susceptible to human error, and someone could learn something they shouldn't if the key is not kept confidential.
Document redaction also has its own limitations. While Federal Bankruptcy Rules allow redactions of personal identifiers, they do not apply expressly to PHI. As Churchill warns, "It is ultimately counsel's responsibility to know that other people's PHI is at risk and to take steps to protect it."
Bankruptcy courts cannot "override" HIPAA protections, but the legal requirements of bankruptcy can sometimes conflict with HIPAA rules. For instance, bankruptcy laws might require disclosing information about creditors, which could include patients.
So, lawyers handling healthcare bankruptcies must go to extraordinary lengths to ensure their clients' privacy is not inadvertently compromised. "If the attorney retained to administer the Clinic's bankruptcy case did not specialize in HIPAA or even health care law generally, as most bankruptcy attorneys do not, risks of inadvertent disclosure are high."
Moreover, with more and more healthcare providers going into bankruptcy, patient privacy risks will continue to rise. The current legal landscape has already left patients vulnerable, as lawyers working on these cases might be unfamiliar with HIPAA.
Ultimately, policymakers must design clear guidelines on handling PHI in bankruptcy cases before even more patients have their privacy violated by a system designed to protect them.
Protected health information (PHI) includes any information on a patient's health status, medical treatment, or payment for healthcare that can identify the individual. It includes names, addresses, birthdates, Social Security numbers, medical records, and other personal identifiers tied to healthcare services.
Personally Identifiable Information (PII) is broader than PHI. It includes any data that can be used to identify an individual, such as a name, phone number, or email address. PHI is a subset of PII that specifically relates to health and medical information protected under HIPAA. In bankruptcy cases, both PHI and PII can be exposed if not safeguarded.
HIPAA violations can occur if a healthcare provider discloses PHI in bankruptcy filings without proper authorization or safeguards, like anonymization or redaction. For example, if a clinic lists its patients as creditors in bankruptcy documents, and those filings include PHI, it could result in a HIPAA breach if appropriate privacy measures aren't taken.