New Hampshire's Exeter Hospital is not entitled to a protective order that would shield its EHR from the state Department of Health & Human Services (DHHS) investigation of a hepatitis C outbreak at the hospital, according to New Hampshire's Merrimack Superior Court.
Exeter had sought a protective order to require DHHS to provide more information about what it was looking for, citing concerns that unfettered access would violate state and federal privacy laws. Exeter had also said that DHHS was not limiting its access to patient records to the minimum amount necessary to conduct the investigation.
Exeter had originally provided DHHS with "open access" to its EHR database to conduct its investigation, which stems from an alleged drug-seeking hospital employee who is said to have infected patients. DHHS had also signed a security agreement to follow Exeter's security policies and applicable law. Exeter then refused access when DHHS would not share information it had uncovered from the EHR.
DHHS argued that it had the authority to conduct an investigation of all of the records in the full EHR, that it was only obtaining the minimum amount of patient information necessary to conduct the investigation, and that it was not allowed by law to share with Exeter the information gleaned from the EHR during its investigation.
The Court, in a 12-page opinion, denied the hospital's petition, noting that there was "no evidence" that DHHS was not complying with state and federal law.
"In sum, the petitioner's duty to protect its patients' privacy must give way to the DHHS's interest in investigating communicable disease outbreaks," the court said.
HIPAA requires covered entities, such as hospitals, to keep patient protected health information private and secure. However, that requirement is not absolute. Public health officials, law enforcement and courts are entitled to the records under certain circumstances.