Why PHI is considered a trade secret

October 12, 2018

The suspension of a New York nurse highlights the intersection between HIPAA and trade secrets.

Previously, I wrote about what’s legal and illegal regarding protected health information (PHI) disclosures. I addressed scenarios where it may be permissible to disclose PHI to the government and/or an attorney. The protections given to individuals reporting suspected HIPAA violations or other healthcare fraud are derived from two laws: HIPAA (45 C.F.R. § 164.502(j)(1)) and the Defend Trade Secrets Act of 2016 (Section 7).

I received a number of questions from readers asking me why PHI is considered a trade secret, so I thought it might be helpful to explore the topic further. Let’s start with the basic definitions.

The Uniform Trade Secrets Act (UTSA) has been adopted by 47 states and the District of Columbia. This means that it is binding law in those jurisdictions. In the remaining states, UTSA is not binding by statute, but a court may rely on it in an opinion, making it law in that court. Given its broad acceptance, let’s look at the UTSA’s definition of a trade secret:

Information, including a formula, pattern, compilation, program, device, method, technique, or process that: derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Let’s switch gears. HIPAA defines PHI as follows:

Health information means any information, whether oral or recorded in any format that – (A) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearing house; and (B) relates to the past, present, or future physical or mental health condition of any individual, the provision of healthcare to an individual, or the past, present or future payment for the provision of the healthcare to an individual.

ePHI, which falls under the Security Rule, is fundamentally PHI in an electronic format. This means that covered entities, business associates, and subcontractors have an obligation to uphold the confidentiality, integrity, and availability of the data whether the person is creating, receiving, maintaining, or transmitting PHI.

Now, let’s consider the nexus between PHI and trade secrets. Both are highly sensitive types of information that derive an economic value and are not generally known. The example of the state of New York suspending a nurse at the University of Rochester Medical Center underscores this notion. The nurse admitted to disclosing PHI when she took a patient list of more than 3,000 individuals from the University of Rochester to her new employer, Greater Rochester Neurology.

Patient lists are client lists and are therefore considered a trade secret, as is PHI. In this case, the list included patients’ names, addresses, dates of birth, and diagnoses. Neither the University of Rochester nor the individual patients gave permission for the nurse to take the list.

The University of Rochester paid for not adequately protecting the PHI, and the nurse signed a consent order with the New York Board of Nursing for a one-year suspension, a one-year stayed suspension, and three years of probation.

The University of Rochester’s scenario could have happened to an individual physician’s practice. It is important for physicians and their staff to understand the nexus between trade secrets and PHI, and the consequences of a breach. Liability could be far greater than just a fine pursuant to the Breach Notification Rule.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.