November 21, 2011 Articles

A HIPAA Privacy Primer for Health-Related Employment Claims

Parties and counsel on both sides of health-related employment claims must be familiar with the contours of HIPAA.

By Laurie E. Martin – November 21, 2011

Parties and counsel on both sides of health-related employment claims must be familiar with the contours of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA issues will undoubtedly arise in litigation under the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA). Working knowledge of HIPAA’s privacy rule can prepare you to spot privacy issues and advise clients appropriately, and may be essential to obtaining the information you need to effectively develop or defend a claim.

Lawyers for covered entities have additional reason to get comfortable with HIPAA’s privacy requirements. Business associates of covered entities—including lawyers—are now directly subject to HIPAA’s privacy rule and other requirements as well as new enhanced enforcement provisions under the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009.

HIPAA is broadly intended to protect the portability of health coverage, although privacy protection for health information is perhaps the act’s most visible component. The privacy rule, 45 CFR Part 160 and Subparts A and E of Part 164, implements the privacy requirements of Title II of HIPAA. Employment litigators should be comfortable with the bounds of the privacy rule and also aware of—and hopefully able to avoid direct familiarity with—the enforcement rule.

Privacy Rule Basics
The privacy rule establishes national standards to protect individuals’ medical records and other personal health information, sets limits on disclosures that may be made of such information without authorization, and gives patients certain rights concerning their information.

Who is covered? The privacy rule applies to “covered entities”—healthcare clearinghouses and healthcare providers who transmit health information in electronic form in specific transactions. Under HITECH, the privacy rule also applies directly to “business associates” of covered entities. Business associates are non-employees who handle individually identifiable health information in capacities including claims processing, utilization review, billing, or the provision of professional services for a covered entity, including legal services “where the provision of the service involves the disclosure of individually identifiable health information.” 45 C.F.R. § 160.103. Lawyers litigating claims for covered entities or responding to requests for health information in connection with such claims could very well be business associates directly subject to HIPAA.

What is PHI? The privacy rule protects individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, referred to as protected health information (PHI). Health information created by a covered entity is individually identifiable if it identifies the individual or provides a reasonable basis to believe it could be used to identify the individual. 45 C.F.R. § 160.103.

Whether the individual subject of the health information can be identified based on the data contained therein is a key aspect to whether health information is “protected.” PHI can be de-identified by removing specified identifiers if the covered entity has no actual knowledge that the remaining information could be used to identify the individual. 45 C.F.R. § 164.514(b). The regulations provide a “safe harbor” permitting disclosure of de-identified health information, provided the covered entity follows detailed guidelines for removal of specified identifiers.

How can PHI be used? A covered entity may not use or disclose protected health information except as permitted by the rule or as authorized in writing by the individual who is the subject of the information. 45 C.F.R. § 164.502(a). The privacy rule specifies several instances where covered entities may use or disclose protected information without authorization. See 45 C.F.R. § 164.502(a). The rule permits uses and disclosures for litigation, without authorization, under provisions for judicial and administrative proceedings, 45 C.F.R. § 164.512(e), or as part of the covered entity’s healthcare operations, 45 C.F.R. § 164.506(a), or in connection with worker’s compensation actions, 45 C.F.R. § 164.506(l).

A covered entity must make reasonable efforts to disclose only the minimum amount of protected health information needed to accomplish its intended purpose. 45 C.F.R. §§ 164.502(b) and 164.514(d). There are no limits on use or disclosure of “de-identified health information.” See 45 C.F.R. § 164.514(b).

Application to employers generally. The privacy rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities. An entity that conducts both covered and non-covered functions can elect to be a “hybrid entity.” Thus, an employer that is self-insured for employees’ medical benefits may be covered by HIPAA in that capacity. Conversely, covered entities, such as hospitals or long-term care providers, which are also employers, may not be subject to HIPAA in their capacity as employer. See 45 C.F.R. § 160.103 (employment records held by a covered entity in its role as employer are not protected health information, even where such records include individually identifiable health information).

Thus, an employer that is not a covered entity does not become subject to HIPAA merely because it finds itself with medical information about an employee. Although other laws, including the ADA, may require such information to be kept confidential, HIPAA’s privacy rule generally does not limit the use of personnel records in litigating employment matters.

Where a covered entity is a party to a legal proceeding, the covered entity may use or disclose protected health information for purposes of the litigation as part of its healthcare operations to the extent the action is related to its healthcare functions. See 45 C.F.R. § 164.501. However, to the extent that a covered entity is a party to a proceeding solely related to non-covered functions, including in its capacity as an employer, it is not subject to HIPAA’s privacy rule requirements.

Where information is sought from a covered entity that is not a party to the proceeding, the covered entity may disclose protected health information pursuant to the individual’s authorization or, absent authorization, pursuant to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements discussed below are met.

Enforcement Basics
The HIPAA privacy rule is enforced by the Health and Human Services Office for Civil Rights (OCR). OCR may investigate compliance and impose a civil penalty per violation, subject to an annual cap. Violators can also face criminal penalties, including fines and imprisonment, for knowing disclosures, with increasing penalties if the conduct involves false pretenses or intent to sell, transfer, or use the information for personal gain or malicious harm. HITECH also gives state attorneys general enforcement capabilities.

According to the federal circuits that have addressed the issue, individuals cannot recover directly from an employer or other entity for an alleged improper disclosure of confidential health-related information pursuant to HIPAA. See, e.g., Carpenter v. Phillips, 419 Fed. Appx. 658, 658 (7th Cir. 2011); Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010); Crawford v. City of Tampa, 397 Fed. Appx. 621, 623 (11th Cir. 2010); Seaton v. Mayberg, 610 F.3d 530, 533 (9th Cir. 2010), cert. denied, 131 S. Ct. 1534 (2011); Wilkerson v. Shinseki, 606 F.3d 1256, 1267 n.4 (10th Cir. 2010); Miller v. Nichols, 586 F.3d 53, 59 (1st Cir. 2009), cert. denied, 130 S. Ct. 1911 (2010); Acara v. Banks, 470 F.3d 569, 572 (5th Cir. 2006).

Authorizations and Protective Orders
Authorizations and protective orders are the two key mechanisms that parties must use to obtain protected health information when litigating employment matters. Employee plaintiffs may be asked to provide an authorization for the release of protected health information. To obtain such information from covered entities and protect privacy rights during the litigation, the parties may also be required to put a qualified protective order in place.

Disclosure of protected health information is permitted with written authorization from the patient. Counsel should develop and keep an updated authorization form for use in health-related employment claims. A valid authorization under this section must be in plain language and identify at least the following:

  • the information to be disclosed
  • who is authorized to disclose it
  • to whom it may be disclosed
  • the purpose of the disclosure
  • an expiration date or event relating to the purpose of the disclosure
  • the signature and date of the individual

45 C.F.R. § 164.508. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

An authorization must also indicate adequate notice of (1) the individual’s right to revoke the authorization in writing, (2) either exceptions to the right to revoke and a description of how the individual may revoke the authorization or, if necessary, a reference to the covered entity’s notice, (3) whether the covered entity may condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization, and (4) the potential for information disclosed pursuant to the authorization to be re-disclosed by the recipient and therefore no longer be protected by HIPAA’s privacy protections.

Assurances Required for Disclosure in Judicial or Administrative Proceedings
A covered entity may disclose PHI for use in judicial or administrative proceedings if it receives satisfactory assurances (a written statement and accompanying documentation from the requestor) indicating adequate notice to the individual about whom PHI is sought along with an opportunity to object, or satisfactory assurances that a qualified protective order has been either agreed to or sought by the requestor. Alternatively, the covered entity may notify the individual or seek a qualified protective order. To the extent that the subpoena or other request itself demonstrates sufficient notice to the individual, no additional documentation is required.

To be effective, a qualified protective order must (1) prohibit the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested and (2) require the return to the covered entity or destruction of the protected health information (including any copies) at the end of the litigation or proceeding. 45 C.F.R. § 164.512(e)(1)(v). At least where covered entities are parties, such orders should also ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist in providing legal services to the covered entity will also safeguard the privacy of the protected health information received.

Additional Confidentiality Considerations
Employers and employees must also be aware of other confidentiality obligations that may protect medical information relevant to an employment claim. Even if employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA, other statutes, including the ADA, the Genetic Information Nondiscrimination Act (GINA), and state privacy laws may impose separate requirements. Further, employers typically have policies and procedures requiring employees to maintain confidentiality of such information.

Employees’ Duties to Maintain Confidentiality
Employees must ensure that they comply with employers’ confidentiality policies even when pursuing a claim before the Equal Employment Opportunity Commission (EEOC). In Vaughn v. Epworth Villa, 537 F.3d 1147 (10th Cir. 2008), the Tenth Circuit Court of Appeals examined whether the employer, Epworth Villa, lawfully terminated its employee, Bernadine Vaughn, after she disclosed several pages of unredacted medical records to the EEOC to support her claim of age and race discrimination. Epworth Villa terminated Vaughn’s employment while the charge was still pending, after learning of the disclosure. Vaughn filed suit, alleging that she was terminated in retaliation for her participation in the EEOC process.

The Tenth Circuit held that Vaughn’s actions were “protected activity” under Title VII. However, because her actions were a violation of Epworth Villa’s confidentiality policies, the disclosure provided a legitimate basis for her termination, and Vaughn’s retaliation claim was found to be unsubstantiated absent proof that other employees violated the company policy against disclosure.

ADA and the Rehabilitation Act
Both the ADA and the Rehabilitation Act require that all information obtained regarding the medical condition or history of an applicant or employee be maintained on separate forms and in separate files and be treated as confidential medical records. This confidentiality requirement applies to all medical information, including medical information that an individual voluntarily discloses to an employer, without regard to whether the individual has a disability. See 29 C.F.R. § 1630.14. Improper disclosure is a potential basis for ADA liability. See Bennett v. U.S. Postal Serv., 2011 WL 244217 (EEOC Jan. 11, 2011).

Title II of the Genetic Information Nondiscrimination Act (GINA), which makes it illegal to discriminate, harass, or retaliate against employees or applicants based on genetic information, also strictly limits the disclosure of genetic information by an individual’s employer. With respect to confidentiality, genetic information must be kept confidential and in a separate medical file, such as the employer’s ADA-compliant medical file. 29 C.F.R. § 1635.9.

State Law
HIPAA establishes a national minimum standard for privacy of health information, but parties must also be aware of state laws that may provide additional protections. For instance, under Illinois law, even redacted medical records generally are not to be disclosed in judicial proceedings. 735 ILCS 5/8-802; Dept. of Prof’l Reg. v. Manos, 761 N.E.2d 208, 216–17 (2001). However, such state restrictions may not impose state evidentiary privileges on suits to enforce federal law. Nw. Mem’l Hosp. v. Ashcroft, 362 F.3d 923, 925 (7th Cir. 2004) (finding a more stringent state law may be applied (1) when the suit is in state court, or (2) in federal court when “state law provides the rule of decision.”).

HIPAA’s privacy rule is not without teeth, and for good reason. Notwithstanding, even basic knowledge of who must comply, what is protected, and how to obtain protected health information within the bounds of the act—including the requirements for appropriate authorizations and qualified protective orders—can help avoid protracted discovery battles and potentially illegal inadvertent disclosures.


Keywords: employment and labor relations law, HIPAA, HI-TECH, PHI, Office for Civil Rights, confidentiality, ADA, Genetic Information Nondiscrimination Act


Laurie E. Martin is an associate with Hoover Hull LLP in Indianapolis, Indiana.

Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).