Jackson Lewis

Jumping the Hurdles of the HIPAA Privacy Rule

The following article was first published in the July 2003 issue of South Carolina Lawyer, (Vol. 14, No. 6) and is reprinted with permission of the South Carolina Bar.

If your law practice involves the routine use of medical records in the prosecution or defense of litigation, around April of this year you may have noticed a change in attitude among many recipients of your standard medical record subpoena duces tecum. Welcome to the new world of the HIPAA Privacy Rule.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is perhaps best known for its employee health insurance "portability" features, which took effect soon after passage by Congress. The privacy, security and standardization requirements of HIPAA became effective, for most "covered entities," on April 14, 2003, in the form of regulations issued by the United States Department of Health and Human Services (HHS). The title of the new regulations is "Standards for Privacy of Individually Identifiable Health Information," more commonly known, collectively, as the Privacy Rule. These regulations have a direct, far-reaching and often misunderstood impact on the way most entities within the health care system conduct their most basic daily business activities. The reader may obtain a copy of the Rule from the HHS website.

Because the whole point of these regulations is to maintain the privacy of "protected health information" (PHI), the Privacy Rule inevitably impacts entities outside the health care system as well - lawyers, for instance. Many covered entities, such as hospitals, pharmacies and physicians, suddenly have begun responding to records subpoenas with vague references to regulatory provisions completely unfamiliar to many members of the Bar. This article will provide legal practitioners with some basic background information regarding the pertinent provisions of the Privacy Rule, a review of the Rule's impact on routine discovery practices, and suggestions for how practitioners can respond to this significant development in all litigation which involves the acquisition and/or use of medical records.

Pertinent HIPAA Provisions

Congress, in passing HIPAA, set for itself a three-year deadline for enacting subsequent comprehensive legislation for protecting the privacy of PHI collected and transmitted under HIPAA's data standardization rules. As Congress failed to enact such legislation by August 1999, the Act automatically authorized - in fact, mandated - the promulgation of privacy regulations by HHS, an agency somewhat foreign to the regulation of health benefits and benefit claims.

The Department issued the "final" Privacy Rule in December 2000 and a modified final Rule on August 14, 2002. The modifications were meant to address certain "unintended negative effects of the Privacy Rule on health care quality or access to health care" and to provide relief for certain "unintended administrative burdens." The provisions of the Privacy Rule were effective, for most covered entities, as of April 14, 2003.

As with many employment-related federal laws, analysis of fundamental terms is essential. If the entity from which a lawyer is seeking medical information is not a "covered entity," it will almost always indicate you are not seeking PHI protected by HIPAA. If not protected by HIPAA or other law, the disclosure should follow prior practice.

In general, the Privacy Rule applies to three (3) categories of entities: health plans, health care clearinghouses, and certain health care providers. HHS has expressly stated that it has no jurisdiction over employers acting in that capacity. In determining whether the source of the information sought is a "covered entity," the focus is on how the medical information was obtained, not on the fact that it is medical information. It is also important to note that the Rule expressly excludes employment records held by an entity in its role as an employer. As a result, medical information in the possession of employers obtained for employment purposes, such as evaluating employee issues under the Americans with Disabilities Act, the Family and Medical Leave Act, the Workers' Compensation Act and the like, is not PHI and the employer is not a "covered entity." If a company has a self-funded medical plan and is involved in the claim process, or has a medical clinic which engages in certain electronic transmissions involving payment and billing information, the employer may be a covered entity and may be in possession of some PHI. It is important to note that there is a lot of misinformation and disinformation from consultants and others misleading employers and health care providers about their obligations under HIPAA. Consider, for example, that recently an internet search using the incorrect acronym "HIPPA" identified more information than the correct acronym, HIPAA. As a consequence, it is not uncommon currently to encounter resistance to the actual requirements of HIPAA and the Privacy Rule.

Preemption of State Law

Preemption under HIPAA is a complicated issue. Unlike the preemption provisions of other federal laws, like ERISA, HIPAA preempts state law unless the state law is more stringent than under HIPAA. In that event, the more stringent state law applies. There are also other exceptions to preemption dealing with minors and controlled substances that are beyond the focus of this article.

The South Carolina HIPAA Office has posted on its website a list of one hundred eighty-two (182) South Carolina statutes and regulations that it says are "possibly preempted" by the Privacy Rule. Even this lengthy - if ambivalent - list is not exhaustive, because the preamble to the modified final Rule comments that the preemptive effect of the Rule also reaches the common law established by judicial opinion. These rather arcane rules are not particularly helpful to the legal practitioner who wants to present a subpoena duces tecum without prompting drawn-out objections or challenges that add cost and delay to the underlying litigation. However, if the procedures discussed below are not followed, each objection must be researched to determine whether HIPAA or other federal law protects the information sought or whether some state law or regulation provides more privacy protection than HIPAA.

The General Rule Governing Disclosures

The general rule is that use or disclosure of PHI is prohibited except as permitted or required by the Rule. This circular rule, which is typical of federal regulations, does little more than establish the regulation as the starting point for analysis. For purposes of this article, which is focused on matters of discovery, we are concerned only with the term "disclosure," since the term "use" generally applies to internal transmissions of PHI within a covered entity, as well as marketing research. As defined by the Rule, "disclosure" refers to the circumstances under which a covered entity may or may not lawfully release PHI to others, whether to other covered entities or otherwise. The term includes "the release, transfer, provision of access to, or divulging in any other manner" of PHI outside of the entity possessing the information. These provisions, then, encompass not only the release of hard-copy medical records, but control related deposition and trial testimony as well.

Disclosures Permitted or Required by HIPAA

The Rule categorizes uses and disclosures into several broad groups according to the requirements, or lack of requirements, associated with the particular groupings. These are: (1) use or disclosure related to certain covered entity functions, such as payment and treatment activities; (2) use or disclosure requiring authorization by the individual; (3) use or disclosure requiring notice and an opportunity for the individual to object; and, (4) as otherwise permitted by the Rule. (References in this article to the "individual" should be taken to mean the person to whom PHI relates).

The Rule effectively shifts the onus for protecting the privacy interests of the individual in the course of litigation to the legal practitioner seeking the disclosure. Otherwise, the covered entity will object and not provide the information sought. As a practical matter, it is the lawyer seeking the information who must (1) obtain an express court order for the desired information, (2) provide the individual with notice and an opportunity to object to the request, or (3) obtain a qualified authorization from the individual.

Court Order

Not surprisingly, a covered entity may lawfully respond under the Privacy Rule to an express order to release information that is issued by a court or administrative tribunal. The only proviso is that the disclosure must be strictly limited to the scope expressly authorized by the order. However, for legal actions in federal or state court, this provision ignores the fact that judges abhor discovery generally and, predictably, would not be excited about receiving hundreds of requests for HIPAA-compliant orders for medical records. As a practical matter, obtaining a court order is a matter of last resort after attempting the next two options.

Subpoenas and Discovery Requests without Court Order

Pursuant to Notice. A covered entity may respond to a subpoena or other similar legal process if it obtains "satisfactory assurances" from the requesting party that the party has made reasonable efforts to provide notice to the individual regarding the request and that the individual has not responded or that any objections have been resolved. "Satisfactory assurances" is a defined term. It requires provision of a written statement, and accompanying documentation, demonstrating that the requesting party has made a good faith attempt to advise the individual, in writing, regarding the nature of the request and providing sufficient information regarding the associated litigation to permit the individual to raise a timely objection to the relevant court. The Rule does not specify how much time the covered entity must be permitted to respond. Presumably, the time must be at least as long as would normally apply under the particular legal process, such as is specified under Rule 45 of the federal or state rules of civil procedure. In any event, the statement to the provider also must document that the deadline for response has passed without objection. If an objection was raised, the statement must document a resolution of the objection that justifies the requested disclosure.

Pursuant to a Qualified Protective Order. As an alternative to the Notice requirements, a covered entity may respond to a subpoena or other process if it obtains satisfactory assurances from the requesting party that the party has made reasonable efforts to obtain a "qualified protective order." A qualified protective order must (1) prohibit use or disclosure for any purpose other than the associated litigation, and (2) require the disclosed information to be returned to the disclosing entity or destroyed at the end of the litigation.

Interestingly, the Rule does not expressly require proof that a qualified protective order has been approved or signed by the court. The Rule only requires a showing that either the parties to the litigation have submitted an agreed qualified protective order to the court or that the requesting party has sought such an order from the court.

Many attorneys may be tempted to simply jump to the step of obtaining an agreed qualified protective order before issuing subpoenas or discovery whenever possible. However, the requirement for return or destruction of the disclosed information at the end of the litigation is troubling. Without this documentation, for example, the attorney may have difficulty defending himself/herself if subsequently accused of malpractice associated with the litigation. Even so, in circumstances where the individual does challenge disclosure pursuant to the notice procedures described above, the individual or the court may use the provisions for a qualified protective order to fashion a resolution of the objection. If counsel wishes to avoid the return/destruction of the PHI, the malpractice conundrum can be asserted as a reason to enter a court order requiring the disclosures sought.

Disclosures Authorized By The Individual

If the individual executes an authorization consistent with the Privacy Rule requirements (which are specific, particularized and different from customary practice), the health care provider may lawfully provide PHI specified in the authorization. A valid authorization must contain six (6) core elements:

  • A specific and meaningful description of the information to be used or disclosed
  • The identity of the individual or the class of persons authorized to make the use or disclosure
  • The identity of the individual or the class of persons authorized to make use of or to receive the information
  • A description of each purpose of the use or disclosure, if known; otherwise, it is proper to simply state "at the request of the individual" if the requesting individual does not disclose the purpose
  • An expiration date or specified event that will automatically terminate the effectiveness of the authorization, and
  • The date and signature of the individual making the request (special rules may apply where an individual's authorized representative makes the request)

Authorizations must also adequately inform the authorizing individual of: 1) his or her revocation rights and how to make use of them, 2) the extent to which the covered entity may or may not condition treatment or benefits enrollment or eligibility upon receipt of the authorization, 3) the consequences of not executing the authorization where the covered entity may lawfully place conditions upon receiving treatment, and 4) the potential for subsequent disclosure by the receiving party such that the PHI may no longer be subject to the protections of the Privacy Rule. All information in an authorization must be drafted in a "plain language" format. Authorizations for psychotherapy notes or for purposes of marketing must be separate and apart from other authorizations seeking PHI.

Ordinarily, obtaining an authorization would seem to be the best practice whenever practicable. In cases where the information is relevant to defending against an action by the individual, it is difficult to imagine a plausible argument for refusing the request to execute an authorization. In fact, providing valid authorizations should become common practice early in the course of any litigation that necessarily involves medical information regarding a party to the litigation. Obstacles may exist in the form of delay by opposing counsel or a disagreement over whether the information sought is discoverable. In its worst form, it could be that opposing counsel will not recommend that his/her client sign the authorizations to avoid disclosure of potentially damaging information, for example, by providers not identified in discovery responses. Resolution of any disagreement in this respect would seem an appropriate candidate for a court order requiring the disclosure and, in appropriate circumstances, an award of fees and costs for having to file the motion.

Using PHI In Litigation

Where PHI is to be obtained pursuant to an authorization, the use of that information in the course of litigation depends upon the scope of permitted use specified by the authorization. In order to ensure such PHI can be used as evidence at trial, for purposes of depositions, or in support of summary judgment and other motions, the best practice is to ensure the description of the classes of persons authorized to receive the released information specifically contemplates disclosure to the court, to experts and other witnesses, to representatives of the party (e.g., management employees) engaged in preparation and prosecution of the litigation, as well as to the party's attorneys and support staff. To the extent disclosures will be necessary in the form of testimony by a covered entity (e.g., by a treating physician) in deposition or at trial, the description of the information authorized for disclosure should specifically encompass permission for such oral disclosures, including, but not limited to, expert opinion testimony.

The Rule permits disclosures by a covered entity pursuant to reasonable assurances that the requesting party has sought a "qualified" protective order or that the parties have stipulated to the requirements that constitute a qualified protective order. However, a qualified protective order must include - in addition to limiting use or disclosure to purposes of litigation - a requirement that the PHI will be returned or destroyed at the end of the litigation. This is a problematic requirement because information submitted to the court as evidence or in support of motions cannot be returned or destroyed at the end of the litigation. Therefore, the best practice is to obtain a court order (not one denominated as a "protective order") from the court that is sufficiently detailed to permit the same litigation-related uses and disclosures discussed above with respect to PHI obtained via an authorization.

Conclusion

While HIPAA presents some obstacles to obtaining certain health information which previously has been obtained routinely with little effort, following the particular strategies discussed above can take most of the headaches out of the process and obtain the needed information. For those health care providers who insist that a court provision be fulfilled, a little re-education may be necessary.


Copyright © 1998-2010 Jackson Lewis LLP