From HIPAA for the General Practitioner, Chapter 6
- Learn how to help clients navigate through the national health-care system remodeling plan.
Where Lawyers Come In
The question you may ask is, “How much do I, as a lawyer, need to know?” Or you may say, “I am not a healthcare lawyer. What does this have to do with me?” Whether you are a probate, personal injury, or patent lawyer, it is likely you will run into a HIPAA issue at some point in your practice.
As lawyers, we need to review our state statutes and the HIPAA law to see whether state or federal law applies. We may need to get an extra subpoena or a specific court order, but we will find a way to prove up and defend our cases. And I’m sure some of you will have fun finding HIPAA’s loopholes and creating more litigation.
With a better understanding of the reasoning behind and the purposes for the overhaul of the nation’s health-care system, you should be able to help clients navigate their way through this national health-care system remodeling plan.
Quicksand, Quagmire, or Quantum Leap?
HIPAA is vast, complex, and multifaceted. Your level of knowledge about it can lead to three different conditions: If you know next to nothing, the first time you are faced with a HIPAA issue, you will feel like you are in over your head, as though you just walked into quicksand; or, if you know a little bit about it but not enough, you will find yourself confused and in a quagmire; or, if you break it down to its simplest elements and make the effort to learn the law and its requirements, it will make sense. You will feel comfortable when you explain it to your clients. You will be able to deal with HIPAA-related issues that arise in your practice. And you will have a quantum leap experience.
HIPAA has been interpreted in a variety of ways according to statute and local practice. Health-care providers have implemented a variety of schemes to achieve satisfactory HIPAA compliance.
Some states formed task forces to go through their state laws relating to medical information, advise the legislature on which laws were more stringent, and make recommendations on those that needed to change. Many state legislatures have responded and changed their laws to trump HIPAA. The following are some issues the Texas task force recognized as being recurring issues in the law.1
Although HIPAA requires a written authorization before PHI is disclosed, most states also have laws that provide the same protections. However, many state laws use different terms, such as “consent,” “consent form,” “release,” “written release,” “written consent,” and “waiver.”2 The Texas task force concluded that state laws should use uniform language to refer to written authorizations to facilitate compliance with HIPAA.
Authorization forms were discussed in Chapter Two, and the elements for a valid authorization are found in 45 C.F.R. § 164.508(c)(1). HIPAA requires that the authorization contain certain statements, such as the individual’s right to revoke the authorization.3 State authorization forms must take into account both HIPAA and state laws.
Regarding written authorizations, several courts have stated that in the absence of a HIPAA-compliant authorization, a covered entity may still respond to a court-ordered disclosure. In Rosales v. City of Bakersfield, Victoria Rosales brought a civil rights survival action against the Bakersfield Police Department following the shooting death of Gabriel Angel Garcia.4 The police shot Garcia during a confrontation on February 21, 2004, and Rosales filed suit both as administrator of the estate and individually. During discovery, the defendants presented the plaintiff’s treating psychiatrist with a subpoena duces tecum demanding that the psychiatrist produce medical records. The psychiatrist refused to honor the subpoena because he had not been provided with a HIPAA-compliant authorization. After three attempts to induce the plaintiff to sign a HIPAA-compliant authorization, the defendants filed a motion to enforce the subpoena under Federal Rule of Civil Procedure 45(c)(2)(B). The plaintiff did not object to the motion.
HIPAA authorizes a covered entity “to disclose private health information in judicial or administrative proceedings in response to an order of a court.”5 The Rosales court found for the defendants, stating that HIPAA permits disclosure in a proceeding if it is “in response to a subpoena, discovery request, or other lawful process . . . if the party seeking the information either notifies the patient . . . or makes a reasonable effort to secure a qualified protective order.”6 The court found that the defendants’ efforts to secure authorization from the plaintiff provided “written notice to the individual.” That, combined with the plaintiff’s failure to object to the motion to enforce the subpoena, led the court to hold that there was no basis for the psychiatrist to withhold the requested records.7
Request for Accounting
In addition, under HIPAA, an individual has a right to an accounting from a covered entity of certain disclosures made by the covered entity during the previous six years.8 Again, commentary from the Office for Civil Rights (OCR) indicates that this six-year requirement was selected to dovetail with the other six-year retention requirements:
In the final rule, we provide that individuals have a right to an accounting of the applicable disclosures that have been made in the six-year period prior to a request for an accounting. We adopt this time frame to conform with the other documentation retention requirements in the rule. We also note that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than six years from the date of the request.9
OCR also indicated that the accounting requirement is designed to provide a mechanism to alert individuals that there may be a problem with their records that justifies the filing of a complaint:
The provision serves multiple purposes. It provides a means of informing the individual as to which information has been sent to which recipients. This information, in turn, enables individuals to exercise certain other rights under the rule, such as the rights to inspection and amendment, with greater precision and ease. The accounting also allows individuals to monitor how covered entities are complying with the rule. Though covered entities who deliberately make disclosures in violation of the rule may be unlikely to note such a breach in the accounting, other covered entities may document inappropriate disclosures that they make out of ignorance and not malfeasance. The accounting will enable the individual to address such concerns with the covered entity.10
The absence of an explicit records-retention period in the Privacy Rule is exceedingly difficult to reconcile with the enforcement rights of HHS and the rights of an individual to a meaningful accounting. In declining to adopt a retention period for the documents underlying an accounting, HHS took note of variation in state retention laws, as well as the cost to some entities of increasing the retention period.11
HHS declined to balance the financial burden of a records-retention period against the interests of enforcement and, more important, the interests of individual citizens in a meaningful accounting of the disclosures of their protected health information. This exercise was properly left to state legislatures.
In sum, HIPAA’s six-year records-retention requirements expressly apply to certain records described in the Privacy Rule, not to PHI generally. But a shorter state law retention period for records or documents containing PHI arguably would be an obstacle to the right to an accounting of disclosures under HIPAA.
Another recurring issue identified by the Texas task force is in the area of decedents. HIPAA provides that a deceased individual has privacy rights, but allows disclosure in certain instances.12 Covered entities can disclose a decedent’s PHI to law enforcement officials if necessary to determine the cause of a suspicious death.13 A coroner or medical examiner can obtain PHI to identify a dead person, to determine the person’s cause of death, or to perform any other duties authorized by law. Funeral directors can get PHI if necessary to carry out their duties. An organ procurement organization can get PHI for the purpose of facilitating organ, eye, or tissue donation and transplantation, and for research under strict conditions.14
In some states, the common law provides that the right to privacy is purely personal and terminates upon the death of the person whose privacy is at issue.15 Each state must reconcile its common law and statutory law to determine whether HIPAA or state law is more stringent.
In In re Estate of Broderick, the Kansas Court of Appeals evaluated a decedent’s right to privacy.16 The niece of Esther Broderick, deceased, opposed the probate of Broderick’s will. The niece alleged that Broderick was mentally incompetent when she executed the will and filed a motion for the production of Broderick’s medical records from the nursing home where the deceased had resided, citing 45 C.F.R. §164.512(e)(2004) for authorization.17 The niece asserted that the records were necessary “to assess and document” decedent’s mental condition at the time that the will was executed.18 The district court denied the motion, acknowledging that the nursing home could disclose the records under an order from the court, but found that in this case the court had no authority to issue such an order. The niece appealed the decision, but the Kansas Court of Appeals held that her motion for production did not meet any of the four authorized methods for obtaining medical records. Permissible methods for obtaining records include the following:19
- Provide the covered entity with a subpoena, discovery request, or other lawful process without a court order accompanied with a statement and documentation to the covered entity that the party made reasonable efforts (or a good-faith attempt to do so) to notify the individual whose health information is protected.20
- Provide the covered entity with a subpoena, discovery request, or other lawful process without a court order accompanied with the party’s satisfactory assurance to the covered entity that reasonable efforts were made to secure a qualified protective order.21
- The covered entity may release the protected information “in response to a lawful process” without any assurances from the requesting party if the covered entity makes reasonable efforts to provide notice to the individual that meets the requirements of the first method or seeks a qualified protective order that meets the requirements of the second method.22
- The covered entity may release PHI “[i]n response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order.”23
Costs for Copies
Another area with a wide range of differences in state law and administrative rules is that of copying records. For many years, patients did not even really believe they had the right to get their own records. Some providers could dampen patients’ desire to get their own medical records by charging costs that were prohibitive. A covered entity can charge a reasonable fee that covers only the cost of copying, including the cost of supplies and labor; postage, if mailed; and preparing an explanation or summary of the protected health information if the explanation or summary is agreed to by the individual ahead of time.24
In drafting the final rule, HHS stated that, for enforcement purposes, “[f]ees for copying and postage provided under state law, but not for other costs excluded under this rule, are presumed reasonable.”25
In Webb v. Smart Document Solutions, LLC, the U.S. Court of Appeals for the Ninth Circuit addressed whether the term “individual” used in the HIPAA regulation encompassed the law firm when it acted as the client’s agent, thereby qualifying the law firm to obtain medical records at the individual’s lower rate.26 The defendant, Smart Document Solutions, charged more for providing copies to patients who requested their records through agents, such as personal injury lawyers.
HIPAA regulations restrict fee limitations to requests made by individuals and concretely defines “individual” in a way that excludes agents. The regulatory history was clear that the regulations did not intend for private attorneys to receive the reduced fees. Under HIPAA, an individual has the right to obtain copies of his medical records for a reasonable, cost-based fee, while third parties who seek the same records may be charged at a higher rate.27
This case is unusual, because HIPAA itself does not provide a private right of action for individuals to bring suit, but in this California case the attorneys used a violation of HIPAA to support their section 17200 claim. California Business and Professions Code section 17200 grants a private right of action for unfair competition. The attorney’s claim was based on the alleged unlawful and unfair conduct of Smart Document Solutions in violating HIPAA.
In implementing HIPAA, HHS has determined that, except in limited circumstances, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”28 Upon an “individual[’s] request[ ]” to inspect or obtain his or her records, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
(i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by [the regulation].29
The question raised by Webb is whether designated agents, such as personal attorneys, can be considered the “individual” in order to obtain the reasonable, cost-based fee. HHS defined “individual” as “the person who is the subject of the protected health information.”30
The court interpreted this to mean that HIPAA restricts the fee limitations to requests made by the individual. The court further explains that “individual” is concretely defined in a way that excludes others acting on that individual’s behalf. The court applied various canons of construction that supported this conclusion. Under the plain meaning canon, HIPAA clearly favors Smart Document Solutions. The canon of statutory construction, expressio unius est exclusio alterius,31 further supports Smart’s argument.
HHS has provided for one situation in which another person may be treated as the individual: when that person is authorized to make health-care-related decisions for an individual:
As specified in this paragraph, a covered entity must, except [in limited circumstances], treat a personal representative as the individual for purposes of this subchapter. . . . If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to personal representation.32
Application of this canon suggests that because HHS explicitly defined “individual” to encompass “personal representatives,” it was fully capable of delineating an even broader definition of the term.
Despite this, the attorney urged the court to read the term “individual” to include authorized attorneys, because such an interpretation would be more consistent with the purpose of HIPAA. The plain-meaning canon can be overridden where there is “some indication of the regulatory intent that overcomes plain language . . . [as is] referenced in the published notices that accompanied the rulemaking process.”33
The Webb court was not persuaded that regulatory intent overcomes plain meaning. The plaintiff did not provide the court with any evidence that the drafters intended “individual” to mean “anything other than ‘the person who is the subject of the protected health information,’ and, when applicable, that person’s personal representative.”34
In the proposed rules, HHS explicitly considered adopting a broader definition of “individual” that would have included legal representatives but, in the final rule, ultimately decided against it.35 Additionally, in 2002, HHS clarified that “the Rule . . . limits only the fees that may be charged to individuals or to their personal representatives.”36
The attorney’s final attempt to argue that the definition of “individual” should include the individual’s attorney asserted that California agency law grants an attorney the authority to do all necessary acts for a case.37 He argued that HIPAA did not preempt California agency law because it “imposes requirements, standards, or implementation specifications that are more stringent” than HIPAA’s.38 “More stringent” laws are defined, inter alia, as those that “permit[ ] greater rights of access” for the “individual who is the subject of the individually identifiable health information.”39
The plaintiff argued that California agency law provided the individual with greater rights of access by allowing attorney-agents to obtain the records at the limited cost and, therefore, trumps the HIPAA regulations to the extent they require a contrary interpretation. The court decided that California law did not support the plaintiff’s claim.
Having found no justification for the plaintiff’s claim within HIPAA or California law, the court refused to grant the plaintiff the right to obtain copies at the reduced cost guaranteed to individuals.
Another area where numerous state laws vary is in the area of records retention. There is no records-retention requirement for PHI in HIPAA.40 But covered entities must keep their own policies and procedures for any “action, activity, or designation . . . required by this subpart to be documented, [and] maintain a written or electronic record of such action, activity, or designation.” HIPAA also requires a covered entity to keep records as necessary to ensure that regulatory agencies can investigate and enforce compliance.41 HIPAA specifies that these records may include PHI:
A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.42
Statute of Limitations
HIPAA provides for a six-year statute of limitations upon the Office for Civil Rights (OCR) to bring an action against a covered entity for noncompliance.43 Commentary indicates that HIPAA’s six-year documentation period44 was selected to complement the six-year statute of limitations on OCR investigations: “We established the retention period at six years because this is the statute of limitations for the civil monetary penalties. This rule does not apply to all pharmacy records, but only to the documentation required by this rule.”45
HIPAA defines personal representatives as persons who have the authority under applicable law to make health-care decisions on behalf of adults or emancipated minors, as well as parents, guardians, or other persons acting in loco parentis, who have the authority under applicable law to make health-care decisions on behalf of unemancipated minors.46
Persons who are authorized under state law to make health-care decisions on behalf of other individuals will also be personal representatives under HIPAA.
In In re Berg, the Supreme Court of New Hampshire analyzed the privacy rights of unemancipated minors. In Berg, the court was asked to settle a dispute between a divorced mother and father over visitation rights. The parents had joint custody, but the children resided with their mother. The children did not always visit their father as scheduled because they either refused or their mother refused to allow them. The children complained of their father’s inappropriate conduct as the reason they did not want visitation. The mother arranged for each child to have counseling with a therapist to address their concerns with their father’s inappropriate conduct.
The father filed a motion alleging the mother was interfering with his relationship with the children and in contempt for violating the visitation order. The mother responded with a motion to modify the visitation schedule. The father requested that the children’s therapists produce their records and notes, arguing that he would find evidence of the mother’s interference. The therapists refused, claiming that such disclosure would not be in the best interest of the children.
The guardian ad litem for the children moved to have their records sealed. The mother agreed, but the father objected, so the court denied the motion. The children’s guardian ad litem appealed.
The court acknowledged that for unemancipated minors, “a parent must . . . be treated as the minor’s personal representative, so long as the parent, under applicable law, has the authority to act on behalf of the minor in making decisions related to health care.”47 However, the court further explained that a covered entity “may not disclose or provide access to protected health information about an unemancipated minor to a parent if doing so is ‘prohibited by an applicable provision of State or other law, including applicable case law.’”48 In this particular case, New Hampshire state law49 prohibited the father from accessing the children’s records without a court order. The court reasoned further that section 164.502(g) permits a covered entity to withhold information, even if disclosure is not prohibited by state law, if the covered entity determines that it is not in the best interest of the children. Thus HIPAA does not provide parents with an absolute right to access their child’s records.
In Med 4 Home, Inc. v. Geriatric Services of America, the defendant sought to bring the claim in federal court, alleging that the HIPAA implications demanded the claim have federal question jurisdiction.50 The plaintiff filed a motion to remand to state court because the claim did not present a federal question.
The U.S. District Court for the District of Arizona found that since HIPAA does not provide a private cause of action and the plaintiff’s claims all arose under state law, federal jurisdiction was not appropriate. The court did not say that no HIPAA-related claims arise under federal law. Instead, the court applied the test derived from Grable & Sons Metal Products, Inc. v. Darue Engineering & Manufacturing to ascertain whether HIPAA permitted federal jurisdiction.51
In Grable, the Supreme Court held that federal-question jurisdiction may still exist absent a private right of action.52 The Court explained that federal-question jurisdiction “will lie over state law claims that implicate significant federal rights.”53 To determine whether a state law claim implicates significant federal rights, the court must answer whether “a state-law claim necessarily raise[s] a stated federal issue, actually disputed and substantial, which a federal forum may entertain without disturbing any congressionally approved balance of federal and state judicial responsibilities.”54 After examining Grable, the district court stated that jurisdiction exists if:
1) federal issues are essential to the claims,
2) there is substantial federal interest in resolving such issues, and
3) a federal forum may entertain the state-law claims without disturbing the balance of federal and state responsibilities.
Grable, 545 U.S. at 314. In the case before the district court, the plaintiff’s complaint alleged that the defendants stole information that the plaintiff had purchased and used that information to their advantage.
HIPAA was implicated because the information allegedly purchased/stolen was confidential patient health-care information. The court reasoned that even though the information subject to litigation was protected by HIPAA, the claim was a traditional tort case—one business claimed that another business stole confidential and proprietary information. HIPAA perhaps added an extra layer of protection to the information, but it was not enough for the court to find a “substantial federal claim” or a “federal interest” in resolving the claim. The court found that the claims did not arise under federal law.55
In White v. Arkansas, James Al White was convicted of rape, fourth-degree sexual assault, and exposing another person to Human Immunodeficiency Virus (HIV) after having sexual intercourse with his girlfriend’s 15-year-old daughter and her friend.56 At the trial, White had filed a motion to exclude testimony by a nurse practitioner that White had tested positive for HIV three years prior to the trial. White argued that HIPAA does not permit disclosure by his health-care provider.
The Arkansas Supreme Court explained that the “purpose of HIPAA is to increase privacy surrounding medical records; however . . . [HIPAA] provides that nothing within the Act is to be construed to limit a state’s authority to investigate crimes.”57 The court held that “the trial of a person accused of rape is a legal process qualifying for disclosure.”58
1. Report of the Office of the Attorney General of Texas: Preemption Analysis of Texas Laws Relating to the Privacy of Health Information and The Health Insurance Portability and Accountability Act and Privacy Rules (HIPAA) (Nov. 1, 2004).
2. See, e.g., Tex. Health & Safety Code Ann. §§ 44.072–44.073 (Vernon 2001); 47.008 (Vernon Supp. 2004-05); 81.103 (Vernon 2001); 161.0073 (Vernon Supp. 2004–05); 611.004; 611.006; 773.092-093 (Vernon 2003); Tex. Occ. Code Ann. §159.005 (Vernon 2004).
3. 45 C.F.R. § 164.508(c)(2).
4. Rosales v. City of Bakersfield, 2006 U.S. Dist. LEXIS 22382 (E.D. Cal. Apr. 12, 2006).
5. 45 C.F.R. § 164.512(e)(1)(i).
6. 45 C.F.R. § 164.512(e)(1)(ii).
7. Rosales, 2006 U.S. Dist. LEXIS 22382 (E.D. Cal. Apr. 12, 2006).
8. 45 C.F.R. § 164.528(d).
9. 65 Fed. Reg. at 82,744.
10. Id. at 82,462.
11. 65 Fed. Reg. 82,743, 82,749–50.
12. 45 C.F.R. § 164.502(f).
13. 45 C.F.R. § 164.512(f)(4).
14. 45 C.F.R. § 164.512(g).
15. Cox Texas Newspapers v. Wooten, 59 S.W.3d 717 (Tex. App. – Austin 2001, pet. denied); Moore v. Charles B. Peirce Film Enters., Inc., 589 S.W.2d 489 (Tex. Civ. App. – Texarkana 1979, writ ref’d n.r.e.).
16. In re Estate of Broderick, 34 Kan. App. 2d 695, 697 (Kan. Ct. App. 2005).
19. In re Estate of Broderick, 34 Kan. App. 2d 695, 703-704 (Kan. Ct. App. 2005).
20. 45 C.F.R. § 164.512(e)(1)(ii)(A), (iii)(A).
21. 45 C.F.R. § 164.512(e)(1)(ii)(B).
22. 45 C.F.R. § 164.512(e)(1)(vi).
23. 45 C.F.R. § 164.512(e)(1).
24. 45 C.F.R. § 164.524.
25. 65 Fed. Reg. 82,557.
26. Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1080 (9th Cir. 2007).
27. 45 C.F.R. § 164.524(c)(4).
28. 45 C.F.R. § 164.524(a)(1) (emphasis added).
29. Id. § 164.524(c)(4) (emphasis added).
30. 45 C.F.R. § 160.103.
31. This canon “creates a presumption that when a statute designates certain persons, things, or manners of operation, all omissions should be understood as exclusions.” Silvers v. Sony Pictures Entm’t, Inc., 402 F.3d 881, 885 (9th Cir. 2005) (en banc) (internal quotation marks omitted).
32. 45 C.F.R. § 164.502(g).
33. Id. at 1098.
34. Id. at 1085.
35. 65 Fed. Reg. 82,492.
36. 67 Fed. Reg. 53,254.
37. Clark Equip. Co. v. Wheat, 92 Cal. App. 3d 503, 154 Cal. Rptr. 874, 884 (Cal. Ct. App. 1979).
38. Webb, 499 F.3d at 1087, citing 42 U.S.C. § 1320d-2 note.
39. 45 C.F.R. § 160.202.
40. 65 Fed. Reg. 82,462 (Dec. 28, 2000).
41. HIPAA, 45 C.F.R. § 160.310(a).
42. 45 C.F.R. § 160.310(c)(1).
43. 45 C.F.R. § 160.522.
44. 45 C.F.R. § 164.530(j).
45. 65 Fed. Reg. at 82,750.
46. 45 C.F.R. § 164.502(g).
47. In re Berg, 152 N.H. 658, 668 (N.H. 2005), citing 45 C.F.R. §164.502(g)(3)(i).
48. Id., citing 45 C.F.R. §164.502(g)(3)(ii)(b).
49. N.H. Rev. Stat. Ann. § 330-A:32.
50. Med 4 Home, Inc. v. Geriatric Servs. of Am., 2008 U.S. Dist. LEXIS 95211 (D. Ariz. Nov. 12, 2008).
51. Grable & Sons Metal Products, Inc. v. Darue Eng’g & Mfg., 545 U.S. 308, 312 (2005).
52. Id. at 318.
53. Id. at 312.
54. Id. at 314.
55. Med 4 Home, Inc., 2008 U.S. Dist. LEXIS 95211 at *10.
56. White v. State, 370 Ark. 284 (Ark. 2007).
57. Id. at 291.
58. Id. at 292.