The privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) protect the confidentiality and integrity of protected health information (PHI). HIPAA’s Privacy Rule protects PHI by restricting its disclosure by “covered entities.” PHI is defined as personal medical information, including name, address, Social Security number, and all medical information about an “individual.”
Is the information protected by HIPAA? Under the Privacy Rule, if the information is not created or received by a health care provider, health plan, or health care clearinghouse, it is not protected and can be gathered under applicable discovery rules. Under HIPAA, a covered entity can be a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. Covered entities must not disclose PHI unless an exception applies. Covered entities do not include employers that sponsor group health plans. The use of PHI received from a covered entity is governed by HIPAA, and employers must be sure that this information is protected so that only the necessary employees have access to it.
HIPAA does not grant a private cause of action for violations. Instead, a complaint must be filed under the established administrative procedures. Courts may impose penalties on parties in litigation who wrongfully disclose PHI, including penalties for ethics violations and the range of penalties available under Federal Rule of Civil Procedure 37. State laws may allow civil actions to be brought for violating state health care information laws.
Does the information fall under an exception? Under HIPAA, a covered entity can disclose PHI without an individual’s written authorization in specific circumstances: When complying with a court order, subpoena, or summons; when responding to an administrative subpoena, investigative demand, or other administrative request; for a proceeding before a health oversight agency; and for law enforcement purposes. Covered entities can share PHI in order to provide treatment, to refer patients for treatment, to coordinate patient care, for payment purposes, for use in a facility directory that can be used to let others know if a person is in the facility and the person’s general condition, and as necessary to identify or locate family members or others responsible for an individual’s care. Providers can share PHI to prevent imminent and serious threats to public health and safety. If the covered entity is a party in a lawsuit, PHI may be disclosed as part of its health care operations.
How does one discover PHI? A litigant has three choices. First, a litigant can seek a signed individual authorization for access to the information. The signed authorization must meet the specific HIPAA requirements of Section 164.508 and any applicable state requirements. The second method is a court order allowing access to specific medical information. Third, a litigant can propound a subpoena, discovery request, or other lawful process and either give notice of the request to the individual or enter into a HIPAA-approved protective order.
Can one obtain PHI without using HIPAA procedures? Suppose that a party needs PHI from a third party that is uninvolved in the lawsuit and will be unaffected by it. Can the party seek this information for litigation without going through the individual or the three procedures outlined above? No. Although this would not involve contacting a represented party, the health information, if collected by a covered entity, falls under HIPAA. Unless the third party agrees to give it to the requesting party, or the request fits into a HIPAA exception, covered entities cannot disclose that information without subjecting themselves to penalties. However, if a qualified protective order is sought, this could be sufficient to allow a party to obtain medical records so that the third party does not need to be contacted directly.
There are only a few situations in which the covered entity does not need to provide the individual with information about what was disclosed. These include disclosures authorized by the individual and disclosures made for treatment, payment, or health care operations. The entity also does not need to provide disclosure to the individual when information was used in a lawsuit in which the covered entity was a party and the information used was part of the entity’s health care operations.
Responding to discovery requests. A party must assess whether the information requested is health information under HIPAA. Covered entities should have procedures in place for handling requests for PHI. Other entities that may be subject to some form of HIPAA requirements include business associates and employers that sponsor group health plans. Employers that offer group health plans are not covered entities and are not subject to HIPAA rules. However, employers must protect PHI they obtain and cannot use this information for employment-related actions.
Business associates are those who assist in the performance of covered entity functions that involve the use or disclosure of individually identifiable health information. Attorneys who work with covered entities must determine whether they are business associates. Business associates must have agreements with the covered entities they work with that set out how information will be shared and protected.
A law firm or attorney who is not a business associate can protect PHI if it is covered by the attorney-client privilege. According to one analysis, outside counsel usually should not be in a position where he or she must report to an individual what health information has been disclosed. Rather, this function should rest with the covered entity. Under HIPAA, individuals do not have a right to access their PHI if it is created in anticipation of litigation.
If a client’s PHI is being sought, the opposing attorneys likely need to follow HIPAA procedures and seek a court order or subpoena or use other lawful process to obtain it. Both parties may enter into a stipulated qualified protective order so that the information will only be used for litigation.
Parties may seek medical records in diverse situations. First, when a party requests records of other patients a physician has treated, HIPAA requires that the patients give authorization or that the party follow HIPAA procedures. The article’s authors suggest that attorneys subject to such requests object to the request using HIPAA and state law that protects that information. Attorneys may seek medical records from previous and subsequent health care providers to ascertain the individual’s condition. In this situation, if the party does not voluntarily hand over the records, an authorization or the appropriate HIPAA procedure is required to obtain the information. To limit liability for disclosure of PHI without authorization in these and other situations, attorneys can adjust the records or remove personal data so no individual is identifiable. If this does not suffice, an attorney should be careful to keep privileged records separate and clearly marked, and to keep track of PHI so that the attorney does not disclose it in violation of HIPAA.
After litigation, HIPAA requires that the PHI be returned to the individual or destroyed. However, this may conflict with a lawyer’s ethical considerations and his or her need to maintain records. Business associates should be sure that, if information is retained, it is marked and kept confidential and privileged after the relationship ends. The attorney should inform the covered entity that he or she will retain and safeguard the information.
This article is an abridged and edited version of one that originally appeared on page 32 of The Brief, Spring 2011 (40:3).