October 2004
Volume 1, Number 1

A Year in the Life of HIPAA:
New Tips, Observations and Suggestions for Improvement 1

by H. Philip Grossman and Anne K. Guillory

On April 14, 2003, the HIPAA Privacy Regulations landed with a resounding thud in the legal community. To many litigators, the regulations appeared intended to complicate our lives with new forms, new procedures, and most importantly, medical records custodians terrified that the United States Department of Health and Human Services would throw them in jail. In an effort to make the post-HIPAA transition easier on both attorneys and records custodians, the Louisville Bar Association developed recommended procedures and model forms with input from members of the Kentucky Medical Association and the Kentucky Hospital Association. The procedures and forms are still available on the LBA’s website at www.loubar.org/HIPAA/. This article will not rehash the information found on the website. Rather, after living with HIPAA and these new forms and procedures for over a year, we have some practice pointers, helpful observations and suggestions to improve the system for obtaining records in Kentucky.

I. Authorizations

Under HIPAA, it is clear that before medical information is disclosed by a medical provider to someone other than the patient, the requesting party must demonstrate (1) the authority to obtain the information, or (2) that the patient has been notified and does not object to the disclosure. Plaintiff’s attorneys, defense attorneys and their agents cannot get protected health information without proper authority. Unauthorized ex parte conferences are also prohibited.

Medical records authorizations are still the fastest and easiest way to obtain medical records. Out of all the Privacy Regulations, the HIPAA-compliant authorization has been the easiest to implement into the legal world. The post-HIPAA authorizations simply require additional disclosures and give the patient the right to revoke the authorization. HIPAA also requires a more thorough description of the records being sought. Model authorizations are easy to locate and easy to implement in the context of litigation. In fact, HIPAA-compliant authorizations actually make it easier to gather out-of-state records because the federal regulations are uniform.

On the other hand, some records custodians still refuse to provide records unless their own authorization is executed (i.e., a provider-specific authorization). We recommend including a cover letter with the authorization that ticks off the requirements nearly verbatim from the regulations. Sometimes, however, there is nothing that we can do to convince a records custodian that our authorization is HIPAA-compliant. Not that we blame the records custodians. The thought of being fined or imprisoned for unintentionally disclosing protected health information reasonably would make one paranoid. If a records custodian insists on the execution of their own authorization, you are left with a few options. You can always go to court for an order, but the most practical thing to do is to ask the patient to execute the provider-specific authorization.

Sometimes plaintiff’s counsel cooperates by providing medical authorizations. Unfortunately, defense counsel will sometimes receive executed authorizations that are not HIPAA-compliant. By the same token, defense counsel will sometimes request that non-HIPAA-compliant authorizations be executed. If this occurs, we suggest simply calling opposing counsel and explaining that their authorization is in violation of federal law. It is a good idea to keep a copy of the specific regulation, 45 C.F.R. § 508, nearby so if you run into this situation you can tell opposing counsel what the authorization needs to say to comply with HIPAA. Talking intelligently about the authorization requirements (or the other HIPAA requirements in general) can quickly put opposing counsel or records custodians more at ease. Of course, the easiest thing to do is to have a HIPAA-compliant authorization ready to go.

II. Subpoenas with Notice

For many litigators, subpoenas are the most common method of obtaining medical records. Under HIPAA, the simple issuance of a subpoena is no longer sufficient to obtain medical records. However, subpoenas can still be used to obtain records as long as the provider receives written satisfactory assurances that the patient has received notice and the opportunity to object. 2 This translates into the extra step of issuing a notice letter to the patient’s attorney that gives a date certain upon which any objections must be made. Then a copy of the letter must be included when the subpoena is served upon the records custodian. Some attorneys have started responding to notice letters by issuing their own letter stating they have no objection to the subpoena. This is a commendable practice since it enables the requesting party to issue the subpoena before the objection deadline expires. In notifying the records custodians, the requesting party should include a copy of the letter stating no objection. Again, model letters are available at www.loubar.org/HIPAA/. Likewise, if you do plan to object to the requesting of your client’s records, we recommend that you assert the objection in writing to the requesting party as soon as possible. This gives both sides ample time to work out the objection or scrap the use of the subpoena altogether.

One final word about the use of subpoenas – under HIPAA, a subpoena that is signed by a judge is treated just like any other court order and the records can be produced without any other requirements or procedures. However, in Kentucky, subpoenas are rarely signed by judges, so for the purposes of HIPAA, they do not constitute court orders. There is some debate over the exact nature and power of these regular subpoenas, but regardless of which side you take, everyone must recognize the conflict created for health care providers. They often find themselves in the unenviable position of having to choose between responding to a subpoena that is not HIPAA-compliant and in violation of federal law, or facing a show cause hearing for failing to respond to the subpoena. This conflict can be avoided by using a subpoena in accordance with the Privacy Regulations, or seeking an actual court order.

III. Suggested Rules Changes for the Use of Subpoenas

In the preceding section we advocated the use of subpoenas with notice letters to the patient’s counsel. The notice provision protects the patient, and gives their counsel an opportunity to object and be heard when sensitive records are requested. However, there are recognized problems with the procedure that require changes to our Civil Rules.

In Kentucky, unlike other state and federal courts, when a party issues a subpoena duces tecum to a records custodian, a deposition of that custodian must also be noticed. 3 However, CR 45.01 also states that “[u]pon order of the Court, with the agreement of the parties, documents may be produced without deposition.” One problem with this rule is that taken literally it may require an order of the court each time this procedure is used. Furthermore, when KRS 422.305 is thrown into the mix there is more confusion. This statute specifically allows hospital medical records custodians to produce a certified copy of the requested records in lieu of giving a deposition. KRS 422.305 only applies to hospitals and thus, technically requires all other medical providers to give a deposition unless a court order allows them to produce the records in lieu of deposition. Despite the Civil Rules and statute, it has become common practice in Kentucky to treat hospital and other health care providers alike. Attorneys are noticing depositions to give lip service to the Rules when they know they will never take those depositions.

We propose a solution that involves both a change to the Civil Rules and the Kentucky Revised Statutes. The benefit of a deposition with a subpoena duces tecum is that a party cannot request records via subpoena unbeknownst to the rest of the parties to the litigation. By requiring the requesting party to issue a notice to take deposition, CR 45.01 ensures that all parties are aware of the requests. This sounds similar to HIPAA’s goal of giving a patient notice and the opportunity to object to a records request. However, CR 45.01 is an antiquated way of ensuring notice.

In order to streamline the process, first, we advocate eliminating the requirement of taking a deposition whenever a subpoena duces tecum is issued. Civil Rule 45.01 should be amended to track Rule 45(a) of the Federal Rules of Civil Procedure. Then Civil Rule 34.03 should be amended to track Indiana’s Trial Rule 34(c). Trial Rule 34(c)(2), in pertinent part, states that “[n]either a request nor a subpoena . . . shall be served upon a non-party until at least fifteen (15) days after the date on which the party intending to serve such request or subpoena serves a copy of the proposed request and subpoena on all other parties . . . .” In other words, TR 34(c)(2) codifies the notice requirements of HIPAA and it eliminates the need for noticing a deposition just to ensure that all parties are aware of the request. If a provider still refuses to disclose the records, the records custodian’s deposition can always be noticed.

For example, suppose Phil represents a plaintiff and Anne represents a defendant in the same action. If Anne wants to request the plaintiff’s medical records from General Hospital, she simply sends Phil a copy of the records request with a cover letter stating that she is going to request the records unless Phil objects by the close of business fifteen days later. If Phil does not object to the proposed request, then Anne can issue the request to General Hospital, along with documentation that Phil was given the opportunity to object.

The Civil Rules Committee may want to describe a shorter time for objection such as for good cause shown. For example: Phil and Anne are scheduled to try their case in three (3) weeks. Due to some new information that just became available to both parties, Anne would like to request records from Dr. X. With the regular notice requirement, Anne would have little time to receive and digest the records prior to trial. Since Anne and Phil get along and Phil does not object to Dr. X’s records, Anne sends Phil the standard notice letter and then asks him to quickly send her a letter stating that he has no objection to the request. Phil obliges and Anne is able to submit the request to Dr. X immediately because she has the written blessing of all parties. Admittedly, if opposing counsel objects to the request, the emergency procedure will be impossible, unless there is a provision for court order. However, this is no different than under the current Civil Rules and HIPAA, whereby if opposing counsel objects, the matter should be brought before a judge for a ruling that either sustains the objection or issues an order for Dr. X to provide the records.

Finally, we advocate the repeal of so much of KRS 422.305 as would be inconsistent with a general rule on production of documents such as the one we have proposed. The rest of the statute may remain or be incorporated in the Kentucky Rules of Evidence for authentication and admissibility purposes, and it should include all health care providers. The goal of the suggested revisions is to create one source for production of business records. You can look to the Civil Rules for guidance on production, and you can look to the Rules of Evidence for guidance on authentication and admissibility. It would be helpful if the Administrative Office of the Court would create standard forms for non-party document requests and records authentication. This would provide consistency of procedures for health care providers and it would help attorneys develop uniform methods of practice.

IV. Court Orders

HIPAA also allows health care providers to disclose medical records in response to a court order. The order must specifically define the scope of the records to be disclosed, and the order must be signed by a judge. The downside to seeking a court order is in the extra effort needed to draft a motion, place it on the docket, attend motion hour, and take up the court’s time. Nevertheless, court orders are indispensable if you are seeking mental health, chemical dependency and HIV records and the patient refuses to execute an authorization. 4 The key to getting a court ordered disclosure is to draft a good proposed order for the court to review. State the reason for the disclosure (i.e., relevant to the litigation or a specific issue in the litigation), define the scope of records sought (“all mental health records” or “all psychotherapy notes”), mention the specific HIPAA provision (45 C.F.R. § 512(e)), and, if necessary, list the specific providers. Producing a well-drafted proposed order demonstrates competence in understanding the HIPAA requirements and it gives the court a good model for future orders in similar circumstances.

A disadvantage of court orders is that they cannot be enforced in another state without first being domesticated. The process can easily take months. Therefore, if you need records that can only be disclosed through authorization or court order, try to get an authorization first.

V. Qualified Protective Orders

The regulations on Qualified Protective Orders (QPOs) are complex and frustrating. For authorizations and even subpoenas with notice, the Privacy Regulations provide decent instructions on the practical requirements of implementation. However, when it comes to QPOs, the regulatory language leaves you scratching your head. A provider can disclose records in response to a subpoena that is accompanied with satisfactory assurances that the party requesting the records has made “reasonable efforts” to secure a QPO. Does this mean the requesting party has to have a QPO submitted and signed by a judge? Does it mean that the requesting party must show a Notice-Motion-Order they have placed on the docket to obtain a QPO? Does it mean that the requesting party simply has to show that they called opposing counsel and asked about submitting an Agreed QPO? The regulation could not be more opaque.

In addition, the language of the QPO must state that all protected health information will be destroyed or returned to the provider at the end of the litigation. This is impossible if such information is used as a trial exhibit or even as an exhibit to a dispositive motion or Daubert hearing. Even after a year, our opinion of the QPO has not changed – use it at your own risk and only as an absolute last resort. Given the options of using authorizations, subpoenas with notice or regular court orders, the question of using a QPO should never enter your mind.

VI. Conclusion

Take it from us, no one should ever aspire to be a HIPAA expert, but understanding the basics is vital to practicing more effectively. This article has tried to highlight the most common issues for litigators in Kentucky. In looking at HIPAA carefully, the application of the Privacy Regulations over the past year has highlighted the flaws in the Civil Rules in Kentucky. Changes to the rules, along the lines of our modest proposal, will make life with HIPAA easier. We believe these changes are fair to all sides and that they will soon be considered as an effective way to streamline current procedures.

H. Philip Grossman is a partner with the firm of Fernandez, Friedman, Grossman, Kohn & Son, PLLC in Louisville, Kentucky.
Anne K. Guillory practices law with the firm of Woodward, Hobson & Fulton, LLP in Louisville, Kentucky.

1 In addition to making general observations about the implementation of HIPAA’s Privacy Regulations, this article suggests changes based on the current state of the Kentucky Revised Statutes and the Kentucky Rules of Civil Procedure. Please keep this in mind as you read it. However, to the extent that your state is struggling with some of the same procedural issues, this article may provide helpful suggestions and ideas for improvement.

2 45 C.F.R. § 512(e).

3 CR 45.01.

4 See KRS 210.235, KRS 222.271, KRS 214.625, and KRS 304.17A-555.

