Oh, Doctor Strange. While this is an excellent movie, and the Marvel filmmakers should be commended for their commitment to verisimilitude when it comes to neurosurgery and physics, having apparently consulted with both neurosurgeons and astrophysicist Adam Frank, their legal research as regards healthcare law, especially HIPAA, appears to have been… lacking.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is designed to protect individuals’ personal healthcare information from wrongful disclosure, i.e., disclosures made without patient authorization and not otherwise allowed under the Act, such as for research purposes. 45 CFR 164.508; 45 C.F.R. § 164.512. HIPAA protects against the disclosure of information, both oral and recorded, that “‘[i]s created or received by a health care provider […] and ‘[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.’” In re Am. Med. Sys., Inc. Pelvic Repair Sys. Prod. Liab. Litig., 946 F. Supp. 2d 512, 515–16 (S.D.W. Va. 2013); 42 U.S.C. § 1320d(4).
While no private cause of action is created under HIPAA (meaning that individuals whose private medical information has been wrongfully disclosed cannot sue using HIPAA), there are penalties which the US Department of Health and Human Services can impose on a person for knowingly disclosing “individually identifiable health information to another person.” These penalties range from a $50,000 fine and up to 1 year of imprisonment to a $250,000 fine and up to 10 years of imprisonment “if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.” 42 U.S.C.A. § 1320d-6(b). Individuals whose information has been wrongfully disclosed may also be able to sue under State tort law.
After Doctor Stephen Strange has his hands crippled in a car accident and is forced into attending physical therapy with an orderly, Strange and the orderly get into a fight. Strange yells at the man that physical therapy will never work on injuries as extensive as his and that he, Strange, would know this because he, unlike the orderly, is ACTUALLY a doctor. The orderly challenges Strange’s self-satisfied pessimism, telling him that one of his previous patients had cured himself of quadriplegia through some special physical therapy. At this point, the orderly has not related any individually identifiable information to Strange—only that there was some previous, nonspecific, patient who had cured himself of quadriplegia, so it’s unlikely that a HIPAA violation has occurred at this point.
The orderly keeps talking, however, which is a problem. Because the orderly lets himself get emotionally involved in proving Strange wrong, he offers to get the cured patient’s file and bring it to Strange. Strange accepts the proposal, finds the cured patient (Jonathan Pangborn), and uses the information Pangborn provides him to travel to Nepal and further the plot on his way to becoming the Sorcerer Supreme. The problem with this is that Strange’s mystical journey stems from a clear HIPAA violation. The orderly passed on healthcare documents relating to Pangborn’s past medical treatments and current physical condition to a totally unauthorized person. Strange was not part of Pangborn’s medical team, and there is nothing to suggest that Pangborn authorized the orderly to release his confidential medical records to anyone who might benefit from magical medical intervention.
Although, as mentioned above, there are circumstances under which personally identifiable healthcare information can be disclosed without authorization, none appear to apply here (as an example, Strange would have a hard time arguing that he took Pangborn’s files for researching the Ancient One’s healing practices because Strange would have needed board approval before taking the files in the first place, and that seems unlikely when the subject of the research is a long-lived bald woman’s magical powers).
The fact that Strange used to work for the same hospital which treated Pangborn (or perhaps still works for the hospital in some fashion) also does not cure the violation. A patient’s private information must be screened even from other employees unless those employees need the information to go about their daily tasks. 45 C.F.R. § 164.514(d). Because medical files can essentially only be accessed on a need-to-know basis, they should only be given to staff actively working with Pangborn or perhaps going through Pangborn’s files for some kind of internal quality control review. Again, as Strange has never treated Pangborn, and as he does not appear to fall under any of the exceptions to HIPAA, he should not have been given access to Pangborn’s files.
In conclusion, that orderly (as well as the hospital he works for) are in for one HELL of a fine. Maybe once Doctor Strange conquers alchemy, he’ll be able to help them out.