November 2003

Last Update: 19/10/05

Article Title: Obtaining Medical Records After HIPAA: New Federal Privacy Protections Change the Rules for Attorneys

Author: Robert R. Harrison

Article Type: Article


I. INTRODUCTION
On April 14, 2003, the first phase of new federal regulations governing the privacy of medical records became law. The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")1 creates a complex array of rules governing the secure storage and exchange of information in connection with electronic data transactions ("the Transactions Rule")2 and a distinct set of requirements regarding the confidentiality and privacy of individually identifiable health information ("the Privacy Rule").

This article focuses on the requirements and implications of the Privacy Rule for attorneys needing to obtain protected health information from covered entities for litigation or administrative proceedings.

II. BASIC PRIVACY RULE CONCEPTS
A. Protected Health Information
Protected health information is broadly defined as any individually identifiable health information. That includes any information which derives from or relates to the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present or future payment for the provision of health care to the individual, and which either identifies the individual or could reasonably be used to identify the individual.3 In other words, it includes virtually any information about an individual's health care or medical condition and any directly associated costs.

B. Covered Entities
The Privacy Rule identifies as "covered entities" three categories of enterprise: health plans, health care clearinghouses, and virtually all health care providers who transmit health information electronically. Although there are some possible exceptions under limited circumstances, as a general rule attorneys should assume that any health care provider is a covered entity.

C. Business Associates
A covered entity is required to enter into a contractual relationship with "business associates." A business associate is any person or entity who performs functions on behalf of the covered entity if those functions involve the use or disclosure of individually identifiable health information. Attorneys engaged by covered entities are business associates of those entities and must comply with any requirements of the mandatory Business Associate Agreement which governs that relationship. Other attorneys requesting records from covered entities are not business associates.

D. General Rules for Disclosure
Covered entities may use and disclose protected health information without consent4 and without authorization under a wide range of circumstances. Most of the uses and disclosures for which authorization are not required are identified in three primary categories defined as Treatment, Payment, and Health Care Operations.5 Although certain legal services fall within the definition of Health Care Operations, the process of disclosing medical records to attorneys for use in litigation does not.

The Privacy Rule provides separate requirements governing the disclosure of protected health information to attorneys in connection with judicial or administrative proceedings.

III. DISCLOSURES IN JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
There are three alternatives in obtaining protected health information from a covered entity for use in judicial or administrative proceedings. Records may be disclosed (1) pursuant to a court order; (2) pursuant to a subpoena with required additional documentation; or (3) pursuant to an authorization meeting specific new requirements.

A. Obtaining Protected Records With a Court Order
The Privacy Rule does not affect the release of records in response to a court order. There remains the potential for delay in obtaining a signed order, but the Privacy Rule imposes no additional restrictions. However, this option is not available in prelitigation proceedings in medical malpractice actions as there is no court of competent jurisdiction to issue the order.

B. Obtaining Protected Records With a Subpoena
Medical records and other protected health information no longer may be obtained with a subpoena alone. The Privacy Rule preempts less-restrictive state laws, including the Rules of Civil Procedure, and any state laws contrary to its provisions. For purposes of preemption analysis, "contrary" means that the covered entity could not comply with both state and federal requirements, or that the state requirement (though not explicitly inconsistent with the federal requirement) may be inconsistent with accomplishing the purposes and objectives of the provisions of HIPAA. Attorneys utilizing a subpoena must provide additional privacy assurances.

There are two approaches to satisfying the "subpoena-plus" requirements of the Privacy Rule. First, counsel may serve a subpoena with satisfactory assurances of notice to the subject of the records. The second approach is to serve a subpoena with satisfactory assurances of reasonable efforts to secure a qualifying protective order.

Subpoena with satisfactory assurances of notice
The Privacy Rule provides that medical records may be disclosed in response to a subpoena, without a court order or protective order, if the subpoena includes satisfactory assurances that reasonable efforts have been made to notify the patient (or appropriate family member of a decedent or unemancipated minor) of the request. The definition of satisfactory assurances, however, includes more than just notice.

For this notice provision, there is a four-part test for satisfactory assurances: (1) written notice to the individual (2) containing sufficient information to allow the individual to raise an objection to the subpoena; (3) expiration of "the time for the individual to raise objections," and (4) a statement that either (a) no objections were filed, or (b) objections filed have been resolved in favor of the disclosure requested.

Differing interpretations already have caused a variety of frustrations. For example, although the Rules of Professional Conduct prohibit an attorney from contacting a represented party, some providers have been advised to release records only if they receive satisfactory assurances that the attorney requesting the records gave notice directly to the patient (almost always the plaintiff) at the patient's last known address. As another example, although the Privacy Rule contains no such requirement, some providers have been advised that a letter from an attorney containing the assurances is not enough; rather, the requesting attorney must submit an affidavit.

Other providers have stated that they will not recognize or accept the satisfactory assurances unless those assurances are included in the subpoena itself rather than in accompanying separate documentation as described in the Privacy Rule.6 Yet another issue arises from the lack of precise definition of the time allowed for an objection to be raised, though there appears to be an emerging consensus that ten days is appropriate.

Despite the relatively clear language of the subpoena provisions, it is inevitable that physicians and hospitals will receive differing advice on what they can or cannot accept as satisfactory assurances. Counsel should be prepared for a range of entity-specific requirements which go beyond the requirements of the Privacy Rule, as well as differing and perhaps conflicting legal advice regarding the required assurances. Some relief from this patchwork of inconsistency will soon be available. Additional guidance is anticipated from the Office of Civil Rights, and efforts are underway through the Utah Hospital Association to provide a website resource summarizing the requirements of individual hospitals.7 Judicial development of the contours of these provisions will be longer in coming.

Subpoena with documentation that a protective order has been requested
Requesting a protective order is an option which seems deceptively easy in that it requires only satisfactory assurances from the party seeking the information that reasonable efforts have been made to secure a qualified protective order.8 However, there is ambiguity in what constitutes reasonable efforts. It is not clear that merely attaching a motion for protective order to the subpoena satisfies that test.

Moreover, it is unclear whether a covered entity must or even may disclose the records if advised of the filing of a memorandum in opposition to the motion for protective order, nor is there an explicit requirement for informing the covered entity that an opposition memorandum has been filed. In theory, a stipulated protective order could be agreed to, perhaps as part of the attorney planning meeting required by Rule 26 of the Utah Rules of Civil Procedure, but that approach is not available in the medical malpractice prelitigation process.

"Minimally Necessary Disclosure" Issues With Subpoenas
The Privacy Rule requires most disclosures to be limited to those which are minimally necessary for the purpose of the disclosure. However, a specific exception exists for records produced or disclosed pursuant to subpoena.9 Covered entities need not make a minimal necessary determination when responding to a HIPAA-compliant subpoena request. A related misconception is that subpoenas must specify the dates of treatment for which records are requested and may not request the entire medical record. The Office of Civil Rights has clearly stated that a request for the entire medical record is valid.

C. Obtaining Protected Records With an Authorization
Authorizations from the subject of the records are another option. This approach will require, in each case, a tailored document that reflects compliance with ten required elements. There are several potential problems with using authorizations. First, they are available subject to the cooperation of the patient, and counsel may not always have that. Second, they may be revoked at any time. Third, and perhaps most significant, they are subject to rejection by the covered entity with no recourse other than revision or further legal process. The latter issue is already arising where, as with subpoena requests, covered entities impose institution-specific requirements beyond the Privacy Rule threshold.

Despite these limitations, there are situations in which an authorization may be the preferred approach. For example, counsel for a plaintiff may find it easiest to use an authorization to obtain that client's health care records, and in some cases defense counsel may consider authorizations the easiest approach. An authorization may be the preferred choice where records are sought from areas beyond the subpoena power of the court, and may be required under litigation agreements in multi-district litigation. Authorizations also may be necessary for matters submitted to contractually-mandated arbitration.

The following minimum core requirements must be met in each authorization:

  • The authorization must be written in plain language, implicitly meaning that it must be understandable at the eighth grade reading level.
  • The authorization must include a specific and meaningful description of the protected information to be disclosed.
  • The authorization must identify the entity or class of entities authorized to make the disclosure. The Office of Civil Rights has confirmed that where records are sought from multiple sources, each individual entity need not be identified as long as the categories of entities are adequately identified.
  • The authorization must have an expiration date or event. The Privacy Rule does not specify a maximum time limit. Individual covered entities may have internal limitations on the expiration of an authorization, and state law may impose specific time limits. Counsel relying upon authorizations in other states should consider those states' requirements when preparing authorizations.
  • The authorization must indicate the purpose or use of the disclosure.
  • The authorization must state the individual's right to revoke the authorization at any time.
  • The authorization must state the process by which the authorization may be revoked.
  • The authorization must state any exceptions to the right to revoke. The exceptions are (a) to the extent the receiving party has relied upon the authorization in using or further disclosing the records, and (b) in relation to insurance agreements which include a right in the insurer to object to the revocation.
  • The authorization must state that information disclosed may be subject to redisclosure and may no longer be protected by the Privacy Rule.
  • The authorization must have a signature of the individual or legally authorized personal representative and the date signed. The Privacy Rule restricts the definition of personal representative to persons legally authorized to make health care decisions. The Privacy Rule does not require a notarized signature, but does not preclude adoption of that requirement by covered entities.
  • An additional requirement not applicable in the subpoena context, but required elsewhere, is that treatment may not be conditioned on the signing of an authorization.

There are special authorization provisions for psychotherapy notes. However, the rule that a separate authorization is required for psychotherapy notes is misleading. The rule does not apply to psychotherapy or mental health notes maintained in the patient's medical record; it applies only to notes created for the use of the physician or therapist and maintained separately from the medical record. Thus, most psychotherapy or mental health notes maintained in hospital and physician office records may be released without a separate authorization. Covered entities may not legitimately argue that an authorization for "the complete medical record" is inadequate to obtain psychotherapy notes maintained in that medical record, or that HIPAA requires an authorization rather than a subpoena for such records.

A prohibition against compound authorizations applies in the context of psychotherapy notes. Multiple authorizations for protected health information other than psychotherapy notes may be combined as long as none of the authorizations conditions treatment on signing the authorization, but authorizations for disclosure of psychotherapy notes may be combined only with other authorizations for disclosure of psychotherapy notes.

IV. SPECIAL CIRCUMSTANCES
A. The Medical Malpractice Prelitigation Process
The Privacy Rule does not address the special situation in states such as Utah in which an administrative prelitigation process is mandated by state law as a prerequisite to filing a medical malpractice action. The Utah Health Care Malpractice Act requires a potential medical malpractice plaintiff to file, with the Division of Occupational and Professional Licensing of the Department of Commerce ("DOPL"), a Notice of Intent to Commence an Action and a Request for Prelitigation Panel Hearing.10 The hearing process must be concluded before a complaint may be filed.11

Because there is no court with jurisdiction prior to the filing of a complaint, medical records for these administrative prelitigation hearings are obtained through subpoenas issued by DOPL upon an affidavit of the requesting attorney that the records requested are necessary for the process. Upon completion of the review panel's deliberations, a non-binding opinion is issued on the merits of the claims and the matter is closed. The entire process is conducted under strict confidentiality, and no part of the record may be used in a subsequent lawsuit.

The Privacy Rule imposes no obligation on DOPL, and subpoenas may be issued by DOPL in the same manner, and upon the same affidavits, as in the past. As in litigation, the new privacy provisions are required between the requesting party and the covered entity from whom the records are requested. The only difference is that the subpoena is signed by DOPL rather than the requesting attorney.

Authorizations may be used to obtain the records in preparation for the prelitigation hearing, but care must be taken to draft them broadly enough to cover both the prelitigation process and the subsequent lawsuit. Otherwise, the records will need to be either returned or destroyed and then obtained again if a lawsuit is filed. As in litigation, another possible approach is the use of a protective order. However, the only potential source of a protective order is DOPL, and even assuming the authority of DOPL to enter a protective order in this limited circumstance, that authority ends at the conclusion of the prelitigation process and there would be no provision for enforcing the protective order once the administrative process is concluded. Further, a qualified protective order requires return or destruction of the records at the conclusion of the use for which the disclosure is initiated.

B. Independent Medical Examinations
Although there is no specific provision for medical examinations performed for the purpose of establishing the medical or health condition of a claimant in a civil or administrative action, there is no exception stated or implied. Physicians performing independent medical examinations most likely will require the patient to acknowledge receipt of the physician's notice of privacy practices and will require a compliant authorization or court order prior to performing the requested examination and releasing the results.

V. ENFORCEMENT AND SANCTIONS
Health care providers are experiencing a high level of uncertainty and anxiety regarding enforcement of HIPAA. There are civil money penalties of $100 per occurrence, not to exceed $25,000 per year. Criminal fines and imprisonment range from a maximum of $50,000 and 12 months for a simple knowing violation up to $250,000 and ten years for an intentional disclosure for financial gain or for malicious harm.

The Department of Health and Human Services and the Office of Civil Rights have consistently indicated that the initial focus of enforcement will be on guidance and education rather than on sanctions.12 Even so, ambiguity in portions of the statute, the lack of regulatory13 and judicial enforcement guidance, and the significant criminal penalties and civil money fines conjoin to leave many covered entities taking defensive positions of strict and narrow interpretation, causing frustration for counsel attempting to secure records.

VI. CONCLUSION
The Privacy Rule establishes a federal threshold of protection for the privacy of protected health information. It does not limit more restrictive state or federal law, nor does it mandate replacement of existing institutional practices that do not conflict with its provisions.

As providers become more comfortable with their understanding of the Privacy Rule, and especially as the Office of Civil Rights, the new CMS Office of HIPAA Standards, and the courts create a body of guidance interpreting those requirements, the acquisition of records will become a more routine process. Until that time, litigation counsel will need to exercise considerable flexibility and cooperation in order to obtain the documents essential to representation of their client's interests.

Footnotes

1. Pub. L. 104-191.

2. An additional subset of technical requirements, the Security Rules, are not effective until 2005.

3. 45 C.F.R. § 160.103.

4. Although consent was required in the Proposed Rule, DHHS responded to hundreds of concerns that a consent requirement would impair the very system that HIPAA intended to facilitate. The consent requirement was dropped from the Final Rule and consent has no relevance to HIPAA other than in the context of an authorization.

5. 45 C.F.R. § 164.501.

6. 45 C.F.R. § 164.512(e)(1)(iii).

7. www.uha-utah.org

8. 45 C.F.R. § 164.512(e)(1)(ii)(B).

9. 45 C.F.R. § 164.502(b)(2)(v).

10. Utah Code Ann. §§ 78-14-8, 78-14-12 (1986).

11. Waiver is permitted if all parties agree.

12. 45 C.F.R. § 160.304 (2001).

13. In the Interim Final Enforcement Rule, the Office of Civil Rights defers defining violation until the conclusion of the notice-and-comment rulemaking process.

The Utah HIPAA Preemption Analysis is available at www.attygen.state.ut.us, under Consumer Assistance.