Medical Examiner

How Did the Doctor’s Office Raid Harold Bornstein Described Not Violate HIPAA?

The former Trump doctor’s story is wild. Which side broke the law?

NBC News released a sensational story on Tuesday morning, an exclusive interview with Donald Trump’s former physician Dr. Harold Bornstein, who explains that his office was “raided” by the president’s personal staff, who came in with no warning and took Trump’s medical records. The raid occurred two days after Bornstein told the New York Times that he had prescribed the president a hair-growth medication. Bornstein’s account of the incident raises several questions, such as why Bornstein would compare the incident to the experience of being raped (he did) and whether it would be possible to make up a story that better underscores male fragility (it’s not). It also raises a set of questions about how this entire mess intersects with the Health Insurance Portability and Accountability Act of 1996, or HIPAA.

By virtue of having been patients themselves, most people are at least passingly familiar with HIPAA. The law exists to protect patient privacy, and its central tenet is that a patient’s health information can only be shared on a need-to-know basis during emergencies or else only at the request of the patient or his or her legal representative. In that sense, HIPAA restricts access to information. What is less well-known is that the law was also written to facilitate information exchange between health care providers. In fact, HIPAA not only permits doctors and other care providers to share crucial health information in emergency situations with minimal friction, it explicitly requires it. In nonemergency situations, HIPAA also allows doctors to share health information of their patients with others—the media for example—when it has been requested by the patient. All of this means that parsing Bornstein’s actions in the context of HIPAA is more complicated than it might appear on its face. A full assessment of what happened requires more information than is currently available, but I’m going to give it a shot.

The first question surrounds Bornstein’s original statements about Trump’s health. The doctor released two statements attesting to the then-candidate’s health in 2015 and 2016, and it is almost certain that these documents were requested by the patient himself. It’s also true that while Dr. Bornstein was under an obligation to tell the truth about his patient’s health, if Trump requested that certain aspects be omitted (say, the discovery of a cancerous mole), under HIPAA, the physician would indeed have been obliged to comply. Surprising but true—doctors are expected to commit lies of omission in such circumstances in order to adhere to HIPAA’s provisions. (It should also be said that these lies of omission do not cover Bornstein’s statement that he believed that Trump would unequivocally “be the healthiest individual ever elected to the presidency.” The Hippocratic oath and its modern descendants often state that we can be expected to prioritize our patients’ needs above our own; they mention nothing of sycophancy.)

The problem is that we don’t know whether Trump asked for any omissions, which is critical when assessing whether Bornstein violated HIPAA when he revealed that Trump takes Propecia, the hair-loss medication. At that time, many wondered whether HIPAA had been violated by the disclosure, and the answer, then as now, is that it depends. If Trump had previously instructed Bornstein to, at any time, share any and all medical information he felt necessary to paint a picture of his fitness to serve as president, the physician would be in the clear. Unless Bornstein was explicitly instructed not to reveal his patient’s hair-loss-prevention strategy, he could legally and reasonably presume that his patient had an “opportunity to object” to such a disclosure and chose not to. That is the standard—even if what Trump assumed was that he would know not to share it.

The second question is whether Trump’s staff had a right to seize the president’s medical documents from Bornstein’s office. In the NBC report, Bornstein asserts that on Feb. 3, 2017, three representatives of the newly inaugurated president “raided” his medical office and demanded that Mr. Trump’s medical records be surrendered:

Bornstein said he was not given a form authorizing the release of the records and signed by the president—known as a HIPAA release—which is a violation of patient privacy law. A person familiar with the matter said there was a letter to Bornstein from then-White House doctor Ronny Jackson, but didn’t know if there was a release form attached.

These details do not provide what we need to know to draw a conclusion about who, if anyone, violated HIPAA. But here are two potential scenarios:

1. If Bornstein was not given proper documentation that authorized him to release Trump’s medical information, he and his office should not have provided Trump’s men with the documents. If Bornstein was forced to give up the records due to intimidation, that could actually be a HIPAA violation unto itself on the part of Trump’s men. Covered entities (which roughly translates to health care providers or those representing insurance companies or certain government programs) may not intimidate another provider for failing to adhere to what appears to be unlawful action. In an interesting wrinkle, it’s unclear in this scenario whether the president’s personal staff would count as a covered entity. If they were acting on behalf of, say, Medicare officials, they might actually be, though the presidential physician and his staff work under the Department of Defense. And, interestingly, the president may not even have health insurance at all—it appears to be optional and his care is paid for by the White House Medical Unit’s own budget, again under the DOD. In any case, taking the documents without proper documentation should have necessitated one simple course of action by Bornstein’s rattled front-office staff: picking up the telephone, dialing 911, and reporting a robbery in progress. (Although to be fair to Bornstein and his staff, calling 911 might not be as straightforward when the “robbers” appear to be representing the president of the United States.)

2. Alternatively, Bornstein may in fact have been presented with proper documentation. There is no one standard HIPAA release document. Acceptable iterations can take many forms but must include certain features. (The patient’s signature is often but not always required.) If Bornstein’s office was presented with a proper form that then–White House physician Ronny Jackson prepared at the request of the president, that should have indeed sufficed. In this case, not only would the events not amount to a “raid,” it likely would have been a HIPAA violation for Dr. Bornstein’s office had they not complied with the request.

However, there is yet another twist in this scenario: Trump’s team is alleged to have left with original records, leaving the office with no copies of their own. New York state law requires physicians to keep records of all patient care reaching back six years. If Trump’s men compelled this, or if Bornstein’s office did not resist it adequately, one or both sides ran afoul of the law. We don’t yet have the information to know.

In sum: There are a lot of questions and not much clarity. On that note at least, we can conclude that we’re in well-trodden Trump territory.

Disclaimer: The opinions expressed in this article are solely those of the author and do not reflect the views and opinions of Brigham and Women’s Hospital.