While many areas of HIPAA compliance result in confusion and misinterpretation, responding to document requests from parties in litigation is one that has been presenting itself frequently. The classic scenario is Party A and Party B are in a lawsuit with each other. Party A’s claim is based upon suffering some sort of injury that resulted in receiving medical treatment. During the course of the lawsuit, Party B sends a request for documents to Party A’s physicians. No surprises have arisen yet and the ability to obtain documents is a classic part of litigation.
However, the “fun” will often start when the physician receives the request. Many physicians receiving a request will look at it and refuse to provide documents until Party B provides a clear authorization from Party A allowing the release or will want a court order. The physician will then blame HIPAA for taking this position. Is the position correct? Not entirely. A written authorization or court order are certainly two means of demonstrating appropriate permission to release records under HIPAA, but those are not the exclusive two means.
In exploring when records can be released, it is first important to understand where in the HIPAA Privacy Rule the ability to produce records for lawsuits exists. The authority is found at 45 C.F.R. § 164.512(e), which is a subsection entitled “Disclosures for judicial and administrative proceedings” (the Proceeding Response Rule). More interestingly, the full Section 164.512 identifies uses and disclosures for which an authorization or opportunity to object is not required (emphasis added). The entire Section of the Privacy Rule is for uses where authorization is not required. The mere location of the rule allowing disclosures undercuts the prototypical response that a patient’s authorization is needed for the release.
A decision from the Connecticut Supreme Court allowed a patient to proceed with an action against their physician’s office when records were disclosed in litigation. The records were produced in response to a subpoena. However, the bare summary of the case is not the end of the story. Diving into the details of the decision, the root of the physician office’s problem was not necessarily providing the documents in response to a subpoena, but not following the requirements set forth in HIPAA before producing the documents. The case, therefore, while premised on a state law basis, wanted to see that the clear requirements in the Proceeding Response Rule are followed before information is divulged.
Breaking down the Proceeding Response Rule, it states that a covered entity (or business associate on behalf of a covered entity) can disclose protected health information (“PHI”) in response to (i) an order of a court or administrative tribunal or (ii) a subpoena if certain conditions are met. The conditions to be met around a subpoena are the factors that trip up so many. The conditions to be met are (i) the covered entity receives satisfactory assurances that reasonable efforts have been made to notify the individual who is the subject of the PHI or (ii) reasonable efforts have been made to obtain a qualified protective order.
What does it mean to receive “satisfactory assurances” of reasonable efforts to notify though? Thankfully, the Proceeding Response Rule does not leave that question unanswered. The Proceeding Response Rule specifies how the requesting party can provide satisfactory assurances, which should be done through a written statement and documentation.
Satisfactory assurances can be provided by (i) showing good faith efforts to provide notice of the request to the subject individual, (ii) including sufficient information about the nature of the proceeding in the notification to enable the subject individual to appropriately object, and (iii) showing the time to object has lapsed and either no objection was filed or any objection has been resolved. As stated, if these elements can be satisfied, then the covered entity receiving the subpoena can provide documents containing PHI without either a court order or written authorization. Further, the means of establishing the reasonable efforts are not overly burdensome, nor likely misaligned with standard discovery procedures.
If a qualified protective order is presented, then the Proceeding Response Rule informs what can be considered a qualified protective order. In short, it will either be agreed upon by the parties and blessed by the court or administrative tribunal or issued in the first place by the court or administrative tribunal.
In light of the explanation of the Proceeding Response Rule, all organizations should get more comfortable with requirements under HIPAA and not unnecessarily block access to information. Once HIPAA is put into the sunlight and broke down part by part, it can be seen that the rules are not arcane or unnecessarily tricky. Instead, HIPAA does a good job of laying out the path to follow.
This article was originally published on Mirick O’Connell’s Health Law Blog.