In the last couple of years, did you ever hear someone say, “Oh, no, you can’t ask me if I’ve had a COVID-19 vaccine. That’s in violation of my HIPAA rights.” Of course, that’s not true. The Health Insurance Privacy and Accountability Act (HIPAA) does not prohibit any person (i.e., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines. Why? Because HIPAA Rules do not apply to employers or employment records. HIPAA only applies to HIPAA covered entities—health care providers, health plans, and health care clearinghouses—and, to some extent, to their business associates. If an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation, and employees may decide whether to provide that information to their employer. See Katherine Conklin, Charles E. Stoecker, HIPAA Privacy Doesn’t Stop Vaccine Inquiries by Employers and Businesses, 2021-OCT Bus. L. Today 11 (Oct. 2021). So what actually does HIPAA do?
HIPAA’s Goals: Protecting the Handling and Disclosure of Information, Not the Creation of Privilege
HIPAA was enacted in 1996 to achieve two goals: (1) to protect individuals and their families from losing their health insurance if they lost or changed their job; and (2) to reduce waste and fraud in the health care industry by creating a uniform electronic system for storing and sharing health data. See Why Was HIPAA Created?, HIPAA Guide: Healthcare Compliance (Oct. 9, 2017).
HIPAA does not in and of itself create any confidentiality or privilege. It is merely a regulatory scheme regarding the handling and disclosure of protected health information by a covered entity. Once you have the medical information, you may still have to argue whether the information is privileged and is admissible under state laws. See Northwestern Memorial Hospital v. Ashcroft, 262 F.3d 923, 923-26 (7th Cir. 2004).
HIPAA’s Privacy Rule
HIPAA was divided into five Titles that provided protection for health insurance coverage of workers, rules regarding privacy and administrability, and guidelines for ensuring compliance with the Act. Of particular interest to family law attorneys, Title II of HIPAA provides the majority of the provisions regarding the safekeeping, sharing, and enforcement requirements for health care providers and others who handle “protected health information” (PHI). PHI includes individually identifiable health information that is “(i) [t]ransmitted by electronic media; (ii) [m]aintained in electronic media; or (iii) [t]ransmitted or maintained in any other form or medium.” 45 C.F.R. § 160.103. PHI can include both information in individuals’ medical charts and their genetic information.
The first section of Title II, the Privacy Rule, enacted in its final form in 2002, outlines the goal for the entire Title: to prevent fraud and abuse of PHI. In particular, the Privacy Rule protects “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.” This includes information that relates to physical or mental health, the provision of health care, or any form of payment for health care of an individual that “identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual.” Individually identifiable information includes names, addresses, social security numbers, or birth dates when this information is associated with health data. See Summary of the HIPAA Privacy Rule, U.S. Dep’t of Health & Hum. Servs., (July 26, 2013).
Note this well: HIPAA prevents the release of PHI by covered entities or their business associates. Covered entities include health plans, health care clearinghouses, and “health care provider[s] who transmit any health information in electronic form in connection with a transaction covered” by the federal regulations implementing HIPAA. 45 C.F.R. § 160.102(a)(1)-(3) (2016). Covered entities can also include “business associates.” Id. § 160.102(b). In general, these are “person[s] or entit[ies] that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provide services to, a covered entity,” but not including a “covered entity’s workforce.” U.S. Dep’t of Health & Human Servs., Business Associates, HHS.gov; see also 45 C.F.R. § 160.103. The Privacy Rule standards “apply to covered entities with respect to protected health information.” 45 C.F.R. § 164.500(a) (2015). Therefore, asking a private person for PHI does not violate HIPAA. Indeed, as noted previously in these pages, HIPAA is not a mechanism by which to compel or disallow the production of medical records or to force or disallow their introduction into evidence. Neither does it create an additional privilege of any kind. Instead, HIPAA provides a procedure governing how qualifying medical-record keepers may disclose information. Peter M. Bryniczka, The HIPAA Hurdle, 30-SPG Fam. Advoc. 22 (Spring 2008). Thus, if the holder of the medical information does not meet the definition of a covered entity, HIPAA does not apply, and you need not spend any more precious time on it. Id.
Under the Privacy Rule, individuals may authorize disclosure of their PHI. This authorization requires written consent from the individual that includes, among other things, a description of the information being disclosed, the individual making the disclosure, the party to whom the disclosure is being made, the expiration date for allowable disclosures, and occasionally, how the information will be used. The Privacy Rule also contains several other requirements pertaining to the notices and copies of authorization that are to be provided to the patient.
The Privacy Rule enumerates six exceptions that allow for, but do not require, disclosure of a patient’s PHI. These six exceptions encompass: (1) disclosures to the individual; (2) disclosures for treatment or payment purposes; (3) authorized disclosures; (4) disclosures of incidental information; (5) disclosures for benefit of public interest; and (6) disclosures where personally identifiable information has been removed.
How to Get Protected Health Information from a Covered Entity in Your Case
First, ask for an authorization for disclosure. 45 C.F.R. § 164.508(a)(1). As we all know, this request is likely to be met with opposition, but it’s always worth a try. Point out that the physical and mental health of a party can be a determinative issue for the court, especially in child custody cases, and it will save time and judicial resources to not have to go to court to get an order requiring that a party turn over such medical records. See Arons v. Jutkowitz, 9 N.Y.3d 393, 850 N.Y.S.2d 345, 880 N.E.2d 831 (2007) (HIPAA was not meant to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information) (citing 65 Fed. Reg. 82462, 82530). A strong argument can be made that a party’s protected health information is always relevant in child custody cases. See Murphy v. Rodriguez, No. 1 CA-CV 21-0383 FC, 2022 WL 1748055 (Ariz. Ct. App. Div. 1, May 31, 2022); see generally Jacqueline M. Valdespino, Guardians ad Litem: Confidentiality and Privilege, 33 J. Am. Acad. Matrim. Law. 517, 535 fn. 30 (2021).
In the context of a judicial or administrative proceeding, there are two instances where a covered entity may disclose PHI without a patient authorization. 45 C.F.R. § 164.512(e)(1)(i)-(ii) (2021). The first permitted disclosure is in response to a court order, provided that the disclosure is limited to the information expressly authorized in the order. 45 C.F.R. § 164.512(e)(1)(i) (2021). Of course, a subpoena is not a court order.
The second permitted disclosure of PHI in the context of a judicial proceeding is in response to a subpoena, but only if additional conditions are satisfied. 45 C.F.R. § 164.512(e)(1)(ii) (2021). A subpoena, by itself, is insufficient to relieve health care providers of their HIPAA obligations. Rather, a health care provider must also receive “satisfactory assurance” that the requesting party has (a) provided the person whose PHI is sought with notice of the request or (b) made reasonable efforts to secure a qualified protective order. As to the notice provision, satisfactory assurance also requires that the requesting party provide written documentation that a notice was sent to the individual’s last known address advising them of the litigation. As to the procurement of a qualified protective order, satisfactory assurance requires that the requesting party provide documentation that either the parties to the litigation have agreed to a qualified protective order and have presented it to the court or that the party seeking the PHI has requested one. 45 C.F.R. § 164.512(e)(1)(iv) (2021). See generally Ike Vanden Eykel, Emily Miskel, The Mental Health Privilege in Divorce and Custody Cases, 25 J. Am. Acad. Matrim. Law. 453, 468-471 (2013) (discussing the Privacy Rule of HIPAA, particularly with reference to divorce).
Let’s take an example. Husband’s lawyer subpoenas a covered entity, requesting that it bring the PHI of one of the parties to a deposition. At the deposition, the lawyer gives the covered entity written documentation demonstrating either that no objections (or motions for a protective order) had been filed, or that any such objections had been denied or resolved in a manner consistent with disclosure. Thus, the health care provider would be permitted to produce the records.
Of course, it is likely that the subpoena would have been met with opposition by opposing counsel. In that event, a court hearing would have resulted in an order calling for the disclosure or an order or stipulation amounting to a qualified protective order.
It is important to note that under HIPAA a covered entity may disclose protected health information to avert a serious health or safety threat, provided that the disclosure is made to a person or entity reasonably able to prevent or lessen the harm. 45 C.F.R. § 164.512(j). Therefore, in the event of such a threat in a family law case, a mental health professional (MHP) covered by HIPAA would arguably be allowed to make disclosures to entities such as counsel for minor children, a guardian ad litem, law enforcement, a court-appointed custody evaluator, and/or the Department of Children and Families.
To be a bona fide “Qualified Protective Order,” the confidentiality agreement (or court order, if the parties cannot so stipulate) must (1) prohibit the parties from using or disclosing health information for any purpose other than the litigation; and (2) require either return to the covered entity or destruction of the protected information at the end of the litigation or proceeding. See 45 C.F.R. § 164.512(e)(1)(v).