HIPAA: Quicksand, Quagmire, or Quantum Leap?

By Melanie D. Bragg

The fact that the U.S. health care system is in transition is obvious to even the most uninformed citizen. At the doctor’s office, we are given new forms to sign and are told that we can now access our own medical information. For lawyers, it is increasingly difficult to obtain medical information before and during litigation.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides a federal statutory framework, implemented through regulations issued by the Department of Health and Human Services, that defines and codifies rules previously scattered across state statutes and professional practice. For the first time in the history of health care in the United States, HIPAA requires nationwide uniformity, mandatory compliance, and meticulous adherence to the new rules.

The Bumpy Road to HIPAA

Rising health care costs prompted Congress to enact HIPAA. Lawmakers were motivated by the fact that much of the increase was attributed to escalating administrative expenses. An estimated 24 percent of each health care dollar went to administrative expenses, not enhanced patient care. In addition, Congress wanted to reduce fraud and waste and to alleviate the growing problem of “job-lock” by limiting insurance companies’ ability to deny coverage to those with “preexisting” conditions.

Part of the growing national problem was that benefit plan providers had their own complex coding systems. They did not share vital diagnostic or billing information. Experts found that this lack of communication prevented the entire health care industry from moving to a single, efficient electronic transaction environment.

These days we hear and read about HIPAA in a variety of settings. To some, it is a nebulous and complex subject, shrouded with confusion.

One day while muddling through the law, I came up with the following metaphor: HIPAA is analogous to a major road construction project in an urban city. Before any work is done, motorists complain about the potholes, the lack of lanes, and the inadequate access to other roads. Upon city approval, construction begins. For a time during the reconstruction phase, motorists are more inconvenienced than before. The detours, the traffic delays, and the congestion make the transition period almost unbearable. But we all know that when the construction is complete and the debris is cleared away, everyone is happier. We have an improved road, traffic flows more smoothly, and our memories of the difficult period fade.

Applying this analogy to the changes required and envisioned by HIPAA, we are in the middle of the construction period. Many aspects of the law are still being interpreted. Implementation, regulation, and enforcement are in the embryonic stages. And experts close to the subject venture that much litigation will ensue because of HIPAA. Indeed, there are many more HIPAA-related cases now than there were two years ago, both in the state and federal courts.

Rest assured that lawyers will interpret HIPAA in many ways according to statute and local practice. Health care providers will vary in terms of their requirements for the procurement of medical information and how they achieve satisfactory HIPAA compliance.

An insurance defense counsel I know gave me an example. She handles auto-PI cases and routinely requests medical records involving claimants. Some health care providers require only a HIPAA Authorization Form, but one Houston hospital requires a subpoena in addition to the Authorization Form.

Another story came from a probate litigator. After the hearing to admit a will to probate, another relative filed a will contest based on the testator’s alleged lack of testamentary capacity. The court granted the contestant’s motion for new trial and vacated the prior order. When both sides later needed the decedent’s medical records to prove their version of the case, there was no qualified representative to obtain the records.

In some cases, the medical records will be viewed by counsel in camera and then redacted or sealed depending upon the information requested and type of claim involved. A case might arise where only the court views the records to determine whether they are allowable under HIPAA.

The Privacy Rule itself supplies a way to head off many of these objections. A provider may release records in response to a subpoena or discovery request, even without a court order, if it receives satisfactory assurances that the patient was given notice and a chance to object, or that the parties have sought a qualified protective order limiting use of the records to the litigation and requiring their return or destruction afterward. Sending those assurances with the subpoena is usually cheaper than fighting about them later. If the provider nonetheless moves to quash the subpoena or otherwise objects, you can move to compel production or seek other appropriate relief from the court.

Quicksand, Quagmire, or Quantum Leap?

The question you may ask is, “How much do I, as a lawyer, need to know about HIPAA?” Or you may say, “I am not a health care lawyer. What does this have to do with me?” Whether you are a probate, personal injury, or patent lawyer, it is likely you will run into a HIPAA issue at some point in your practice.

No doubt, HIPAA is complex and multi-faceted. However, I don’t find it nefarious. Your level of knowledge about the HIPAA law can lead to three different conditions. If you know next to nothing, the first time you or your client is faced with a HIPAA issue, you will feel that you are utterly in over your head, drowning in quicksand. If you know a little bit about it, but not enough, you will find yourself confused and in a quagmire. But if you break down HIPAA to its simplest elements and take the time to understand the law and its requirements, it will make sense. You will feel comfortable when you explain it to your clients, and you will be able to deal with HIPAA-related issues that arise in your practice. This is the quantum leap.

HIPAA: An Overview

With the goal of moving toward a unified paperless health care system, lawmakers recognized the importance of protecting patients’ privacy and security. The need to facilitate patients’ rights became paramount as computers, fax machines, and now PDFs are used to transmit medical information. Many of HIPAA’s new rules have long been standard operating procedure for health care workers—privacy and confidentiality have always been the cornerstones of patient care.

Two broad types of regulations are mandated by the legislation: standards related to easier electronic transmission of health care information and stringent procedures intended to ensure the security and privacy of health information.

The basic goals of HIPAA are to improve access to health insurance; to reduce fraud, waste, and abuse; and to increase the efficiency and effectiveness of the health care system. Congress’s idea was that, in the long run, if administrative tasks were simplified and standardized, the industry would save time and money.

HIPAA requires the entire health care industry to fall into step regarding the transmission and protection of health information.

Because Congress wanted HIPAA to be accepted by the entire health care industry, both the public and business had an opportunity to participate in the making of the law. After much debate and significant time for comments, Congress included in HIPAA five Administrative Simplification Provisions, considered the “teeth” of the law: 1) electronic transaction sets, 2) code sets, 3) unique identifiers, 4) privacy, and 5) security. The first three relate to how information is uniformly communicated. The last two relate to how it is protected. It is important to have a general understanding of all five and how they work together.

The law has been enacted in stages, and the deadlines for compliance have varied depending on the size of the entity. October 16, 2003, was the deadline for individual providers to replace their former set of idiosyncratic rules with a new standardized system for the electronic processing of insurance claims and related transactions. Now health care providers can submit the same transaction to any health plan in the United States.

In addition to providing for standardized electronic transmission of information, the law provided for national code sets for diagnoses and procedures (for example, ICD-9-CM and CPT codes) so that every plan and provider describes the same condition or service the same way. And each participant must have a unique identifier that identifies the entity nationwide: the Employer Identification Number for employers, and the National Provider Identifier (NPI) for health care providers, which most covered entities had to be using by May 23, 2007.

Privacy and Security

With a general understanding of HIPAA’s first three Administrative Simplification Provisions, we will discuss the two that are most relevant to lawyers and our practices: the Privacy Rule, which governs the use and disclosure of medical information in any form, and the Security Rule, which governs how that information is protected when it is kept or transmitted electronically. In order to anticipate or prevent your involvement in a privacy or security issue, you must know the players and the basic rules.

The privacy and security rules were designed to balance the need for free exchange of electronic health information against the potential for abuse of patient privacy and confidentiality. Their passage has created a multitude of potential headaches for lawyers attempting to investigate, pursue, or defend claims involving medical information.

It is important for practitioners to understand that the privacy and security rules also reach health care providers’ business associates. A covered entity may share PHI with a business associate only under a written business associate contract in which the associate agrees to safeguard the information and to use it only for the purposes of the engagement. Business associates include consultants, billing companies, accountants, lawyers, accreditation agencies, management companies, business partners, and subcontractors. A law firm that receives PHI from a hospital client is a business associate and should expect to sign such a contract. Litigants will likely find themselves embroiled in disputes involving these entities and how they choose to comply with HIPAA.

The Privacy Rule. Congress required the Secretary of Health and Human Services (HHS) to draft the Privacy Rule. The final version of the Privacy Rule was published December 28, 2000, and most covered entities had to be compliant by April 14, 2003 (small health plans had until April 14, 2004).

Although most states have laws to ensure confidentiality of medical information, Congress believed a minimum level of national uniform protection was needed. Federal privacy regulations do not preempt state laws that impose more stringent requirements, nor do they limit a state’s ability to require health plan reporting or audits. At least 41 states have amended their medical information statutes to be more stringent than HIPAA, thereby ensuring that the state laws prevail.

The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity in any form, whether oral, on paper, or electronic. Protected health information (PHI) includes demographic data and any information that relates to an individual’s past, present, or future physical or mental health condition, the health care provided to the individual, or past, present, or future payment for that care, when it identifies the individual or could reasonably be used to do so.

The privacy regulations are perhaps the most important area of the Administrative Simplification Provisions. The HIPAA privacy standards provide the first comprehensive federal protection for the privacy of PHI.

The Privacy Rule encompasses the following: 1) it gives consumers control of health information, including the right to review their own medical records, request corrections, and obtain an accounting of who has received their records and why; 2) it sets limits on the use and disclosure of health information without deterring research or undermining care; 3) it provides a balance between privacy protection and public responsibility, allowing access to private records for public uses, including public health, health oversight, research, law enforcement, and investigation of abuse, neglect, and violence; and 4) it establishes accountability for violators, which includes both civil and criminal penalties.

As first published in 2000, the Privacy Rule required each patient to sign a consent form before health information could be used or disclosed for treatment, payment, and health care operations. Several exceptions applied: when a provider had an indirect relationship to the patient, such as a radiologist reading test results; when the care was provided to an incarcerated inmate; or when a reasonable attempt was made to obtain consent after emergency treatment. The August 2002 modifications to the rule made this consent optional. Covered entities may still obtain one, and many providers do, but the rule now permits uses and disclosures for treatment, payment, and health care operations without it.

The authorization form is a different document. A patient’s written authorization is required for uses and disclosures the rule does not otherwise permit, such as most marketing, most research, and the release of records to third parties such as an opposing party’s lawyer or an insurer. Unlike consent, an authorization generally cannot be a condition of treatment: a doctor cannot withhold care because the patient refuses to sign it.

The Privacy Rule gives patients the right to inspect and copy much of their medical information. However, they do not have the right to inspect and copy psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; or certain health information maintained by a covered entity that is subject to or exempted from the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

Patients may also request an accounting of the disclosures a covered entity has made of their PHI, generally covering the six years before the request. Covered entities are not required to include certain disclosures in that accounting, such as disclosures for treatment, payment, and health care operations; disclosures to the patient or made under the patient’s authorization; disclosures for national security or intelligence purposes; disclosures to correctional institutions or law enforcement officials having custody of the patient; and disclosures made prior to the compliance date. A request from a law enforcement or health oversight agency can also temporarily suspend a patient’s right to an accounting of disclosures to that agency.

Security Standards. The fifth Administrative Simplification Provision contains the Security Standards. The final Security Rule was published February 20, 2003, and most covered entities had to comply by April 20, 2005 (small health plans by April 20, 2006). Security measures had to be adopted so that the Privacy Rule’s protections could actually be enforced in practice.

Whereas the Privacy Rule addresses how and to whom data is disclosed, the Security Standards deal with how data is stored, accessed, and transmitted. The two rules also differ in scope: the Privacy Rule covers PHI in any form, while the Security Rule applies only to PHI that a covered entity creates, receives, maintains, or transmits in electronic form (often called ePHI). A paper chart is governed by the Privacy Rule alone; the same chart scanned into a records system is governed by both.

The Security Standards were designed to take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need for training persons who have access to health information, the value of audit trails in computerized record systems, and the needs and capabilities of small and rural health care providers.

The statute requires each covered entity that maintains or transmits health information to employ reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information; to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and against unauthorized uses or disclosures of the information; and otherwise to ensure compliance by its workforce. The Security Rule implements this as a duty to protect the confidentiality, integrity, and availability of ePHI. Its standards are a mix of “required” and “addressable” implementation specifications, and the first required one is a documented risk analysis: a covered entity must identify where its ePHI lives, assess the threats to it, and manage those risks to a reasonable level. When a security dispute reaches a lawyer, that risk analysis and the policies built on it are usually the first documents worth requesting.

These regulations do not let a covered entity outsource its responsibility. Before sharing PHI with a vendor or other business associate, it must obtain written assurances, normally in a business associate contract, that the associate will safeguard the information, and it must act if it learns of a pattern of activity that violates that contract. In practice this means vendors and providers must communicate about their security practices, and each party must be able to show that the entities it shares information with are in compliance.

Compliance. HIPAA imposes civil money penalties and prison terms for certain violations. The civil penalty as originally enacted was up to $100 per violation, capped at $25,000 per calendar year for violations of the same requirement. The criminal penalties are steeper. For knowingly obtaining or disclosing individually identifiable health information in violation of the statute, fines can be up to $50,000 and one year in prison. For information obtained or disclosed under false pretenses, penalties can reach $100,000 and five years in prison. For information obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, penalties can be as high as $250,000 and ten years in prison. These strict penalties are why organizations have taken the HIPAA rules very seriously.

As lawyers, we need to review HIPAA and our state statutes to see whether federal or state law applies. We may need to get an extra subpoena or a specific court order, but we will find a way to litigate our cases. And I’m sure some lawyers will have fun finding HIPAA’s loopholes and creating more litigation.

With a better understanding of the reasoning behind and the purposes for the overhaul of the nation’s health care system, we should be able to help clients navigate their way through the national health care system’s remodeling plan.

In the long run, the U.S. health care system will be more efficient. We will have greater protection of our privacy and security rights. Many lawyers will have more work. Judges will have more decisions to make. Legislatures across the country will continue to adjust state laws. And maybe, just maybe, Congress’s goal of reducing health care costs will be reached. (I won’t hold my breath on that one.) 

Melanie D. Bragg is a practicing lawyer and mediator who is active in children’s programs and bar association activities. She is also president of Legal Insight, Inc., which provides layperson-friendly legal education to health care professionals, lawyers, business, industry, and the public. She may be reached at . This article is excerpted from the author’s book, HIPAA and State Law: Preemption/Confidentiality Laws, forthcoming from ABA Publishing in 2008.

Copyright 2007
