With the April 14, 2003 deadline for compliance with the Health Insurance Portability and Accountability Act ("HIPAA") privacy rule rapidly approaching, hospitals, doctors, insurance companies and other health care organizations are hurriedly making last minute preparations to comply. Many of those affected by the rule, however, have not yet realized the implications of Section 164.512(e) of the rule, which creates new procedures for the use of protected health information ("PHI") in all judicial and administrative proceedings nationwide. This article explains those procedures and some important implications.
One reason for the extraordinary attention paid to the privacy rule is the severity of fines that may be levied against covered health care entities for violations. Civil violations, including such infractions as disclosures of electronic PHI made in error, can bring civil penalties ranging from $100 per violation and up to $25,000 per year[FN1]. Criminal violations range from $50,000 and one year in prison for intentionally disclosing PHI and $100,000 and five years in prison for intentionally disclosing PHI under false pretenses.[FN2] The maximum penalty is $250,000 and 10 years in prison for intentionally obtaining PHI with the "intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm …."[FN3] Given the substantial possible sanctions for non-compliance, it is of particular importance that attorneys have a working knowledge of the basics of the HIPAA privacy regulations, including the litigation-related aspects discussed in this article. Section 164.512(e) (the "judicial provision") actually exists as an exception to the general HIPAA rule, which allows release of medical records only with the affirmative consent of the patient. The drafters of the rule indicated that requiring consent from the patient in all litigation and administrative disputes would be impracticable, both because a patient might act strategically in litigation to shield medical records, and because there may be disputes where it is either not possible or is excessively costly to get patient consent. For instance, consider litigation between a hospital and an insurance company that involves discovery about the workings of the hospital's computer system. Should that litigation be put on hold until every patient named in the system is located and gives consent?
Fortunately, the rule attempts to create choices for litigators involved in disputes involving medical records. In disputes after the compliance date of April 14, 2003, PHI can be disclosed by a covered health care entity by court order, by individual consent or a strong enough attempt to get consent, or if a Qualified Protective Order ("QPO") is created to shield the records. Section 164.512(e) has a broad scope, applying to both federal and state courts and to both judicial and administrative proceedings. Attorneys working in this full range of settings, therefore, must familiarize themselves with the new discovery rules for medical records.[FN4]
The full scope of issues relating to the judicial provision of HIPAA cannot be known until after the April 14, 2003 compliance deadline. At this time, however, this article can highlight and forecast specific issues dealing with disclosure of PHI during judicial and administrative proceedings. Additionally, this article draws attention to how the judicial provision in HIPAA may affect the evolution of the doctor-patient privilege at both the state level, where the privilege has been widely accepted, and at the federal level, where there are signs that HIPAA may hasten acceptance of the privilege.
A Guided Tour of Section 164.512(e)
Under the judicial provision, medical disclosures may be made pursuant to a judicial or administrative hearing in three separate circumstances. The first circumstance provides that disclosures may be made by a covered entity in response to a court or administrative order.[FN5] This method of disclosure is restricted to the PHI "expressly authorized" by the judicial order. Therefore, the covered entity is bound by law only to disclose the specific information covered by the order and cannot simply disclose a patient's entire medical file. The regulation does not provide criteria to judges concerning what to authorize. One risk in implementing the rule, therefore, is the risk that there may be a lack of uniformity in judicial decision-making when considering the "need" for disclosure of PHI.
The second circumstance in which medical disclosures may be made pursuant to a judicial or administrative proceeding is in response to a "subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal."[FN6] Disclosure is permitted by the covered entity, such as a hospital, when it receives "satisfactory assurance" from the party seeking the PHI that "reasonable efforts" have been made by the party to ensure that the individual whose records are at issue has been given notice of the request and adequate time to object. Pursuant to this provision, "satisfactory assurance" is demonstrated if the covered entity receives a "written statement from the person whose information is sought that the entity made a good faith attempt to notify the last known address, and the notice included sufficient detail about the litigation, and the time for the individual to object has elapsed (and either no objections were filed or the objections are resolved by the court or agency)."[FN7]
Third, PHI in medical records may sometimes be disclosed after receiving a subpoena, discovery request, or other lawful process without receiving "satisfactory assurance" that "reasonable efforts" were made to give notice to the individual. To qualify for disclosure, the covered entity must make "reasonable efforts" to secure a qualified protective order.[FN8] Pursuant to this option, a covered entity can demonstrate it has received "satisfactory assurances" if the covered entity and parties to the dispute have voluntarily agreed to a QPO and presented it to a qualified court or agency, or the party seeking the information has requested a QPO from a qualified court or agency.[FN9]
Covered health care entities and third party information seekers share the common ability under the HIPAA privacy rule to secure a QPO. An important distinction exists, however. To receive medical records, a third party information seeker is required to show "satisfactory assurance" that a QPO has been secured in the absence of an individual record owner's consent. Even where a QPO or "satisfactory assurance" exists, however, a covered entity can choose to deny the disclosure request. As is true generally under the HIPAA privacy regulation, the judicial provision is permissive and not mandatory, that is, the covered entity is allowed to disclose the medical records, but is not required to do so by the HIPAA regulation.[FN10]
While at first glance these three provisions of the judicial provision may seem quite discrete, in reality, they have taken traditional, routine practices of discovery and added an extra twist. Consequently, special attention should be paid to the new, national process by which consent is obtained from individuals whose records are at issue and the procedural and substantive requirements of utilizing QPOs. These new developments will undoubtedly engender many litigation-related issues.
The first option a covered health care entity may rely on when contemplating the disclosure of PHI after receiving a subpoena, discovery request or other lawful process is requiring "satisfactory assurance" that the party seeking the PHI has made "reasonable efforts" to give notice to the individual whose records are at issue.[FN11] According to the judicial provision, the "satisfactory assurance" requirement is satisfied when the party seeking PHI submits a written statement and any accompanying documentation to prove:
(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address); (B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and (C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and: (1) No objections were filed; or (2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.[FN12]
Practically speaking, one important factor to keep in mind when dealing with the individual consent requirement is that the judicial provision only requires a "good faith" attempt to deliver notice to the provider of the PHI -- not actual notice. Therefore, if an individual's actual location is unknown at that time notice is attempted, it is acceptable under the HIPAA regulations to mail the notice to the individual's last known address. This caveat is, of course, subject to a good faith effort to locate the individual, but a reasonable attempt will likely provide the record holder with a general good faith defense against a HIPAA enforcement action by the office of Health and Human Services ("HHS") for improper disclosure.
Minimum Procedural Protections Required for a QPO
The second option a covered entity may rely on when contemplating the disclosure of PHI after receiving a subpoena, discovery request or other lawful process is requiring that the party seeking the PHI secure a QPO from a proper court or administrative tribunal.[FN13] A QPO is quite similar to a standard protective order entered under Fed. R. Civ. P. 26(c), to protect against the disclosure during civil litigation of trade secrets or proprietary or confidential commercial information. Effectively, the HIPAA privacy regulations have codified certain standard practices in protective order procedure in federal court:
"an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that: (A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and (B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding."[FN14]
In effect, the HIPAA regulations have created certain minimum standards for judicial and agency protective orders where PHI is or may be requested.
In order to comply with a PHI disclosure request by means of a QPO, the covered entity must receive from the party requesting the PHI "satisfactory assurance" that a QPO has been secured. Therefore, compliance by practitioners seeking PHI disclosures for judicial or administrative proceedings hinges on the fulfillment of the proper procedural process articulated by the regulation. To fully comply with this provision, a party seeking PHI must submit to the covered entity a written statement along with any accompanying documentation demonstrating one of the following:
(A) That the parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or (B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.[FN15]
What does this section of the judicial provision mean for attorneys who request a PHI disclosure through a QPO for judicial or administrative proceedings? The simple response is probably additional effort, especially at the beginning and end of litigation. Early in a case, practitioners will have to provide detailed statements assuring covered entities that a QPO has either been secured or that a consensual agreement has been worked out between the parties. After the use of PHI in litigation is completed, effort will be necessary to properly destroy or return all disclosed PHI immediately and to document and certify its destruction. The burdens will fall on attorneys and clients for both sides, to assure requests are made properly and that they are granted only when in compliance with the rule's requirements.
QPOs vs. Traditional Protective Orders
HIPAA's judicial provision expands the standing or ability or persons to obtain a QPO beyond that available for traditional protective orders under Fed. R. Civ. P. 26(c). In traditional civil litigation, the party or nonparty whose confidential commercial information is being requested in discovery has standing to request entry of a protective order. The comparison in HIPAA would be the ability of the patient, whose records are being disclosed, to request the protective order. Under the judicial provision of HIPAA, however, covered entities and third parties that do not otherwise own the confidential PHI now may seek a QPO.
The underlying policy behind allowing either a party to the dispute or the covered entity to secure a QPO is designed to satisfy the twin goals of the HIPAA privacy rule--individual privacy and the free flow of information. Privacy is protected by creating protective orders where they did not previously exist, and the flow of information is permitted where the required safeguards are in place. However, this policy may be a source of potential litigation as well. For instance, Rule 26(c) lists six types of protective orders that may be used at the court's discretion. One of those subsections, Rule 26(c)(6), concerns sealed depositions, which are kept out of the public domain.[FN16] Although not expressly authorized by Rule 26(c)(6), orders have been made pursuant to this rule sealing documents other than depositions that have been produced and keeping them out of the public record.[FN17] However, the judicial provision of the HIPAA regulations does not expressly authorize a court to seal PHI from the public record. Unless federal and state courts choose to use their inherent authority to seal PHI produced in judicial or administrative proceedings, there is the potential for private medical information to leak into the public domain. This scenario conflicts with the purpose of the HIPAA privacy rule policy to protect strictly the individual's PHI and certainly could be the source of contentious litigation.
What Constitutes "Reasonable Efforts" Under HIPAA
Another area of considerable uncertainty under the judicial provisions of the HIPAA regulations is the scope of "reasonable efforts" required by covered entities to give notice to the individual whose PHI is sought or to obtain a QPO. Neither the HIPAA statute nor the regulations define "reasonable efforts." Although various other regulations promulgated by HHS use the term, they also do not define the term and the other contexts in which that term is used are not particularly helpful.[FN18]
In general, commercial and contract law "reasonable efforts" clauses are considered less stringent than "best efforts" requirements. Reasonable efforts" are frequently provisions included in real estate contracts and leases and in those instances the context and overall intent of parties guides interpretation of "reasonable efforts."
In the context of the judicial provision, "reasonable efforts" to give notice to the owner of PHI appear not to be an onerous burden. After all, the regulation only requires a "good faith attempt" to provide written notice to the individual's "last known address." However, more problematic is "reasonable efforts" as applied to sending a notice including "sufficient information about the litigation or proceeding in which [PHI] is requested…." Does this mean a complete history and assessment of the litigation that a layman can comprehend in order to raise objections to use of PHI? If so, that may stretch the normal commercial understanding of "reasonable efforts." In any event, this is an area that will likely be raised in future HIPAA related litigation and defined on a case-by-case basis.
Relationship Between HIPAA and the Doctor-Patient Privilege
Noticeably absent from the judicial provision is any reference to a doctor-patient privilege related to the disclosure of PHI for judicial or administrative proceedings.[FN19] The doctor-patient privilege, the duty to refrain from disclosing confidential medical information, is traditionally a state-based statutory creation.[FN20] The privilege, however, is far from being uniform in either its makeup or application. In those states that have doctor-patient privilege laws, violations may be based on a variety of causes of action including breach of confidentiality, invasion of privacy, breach of implied contract and breach of fiduciary relationship. However, the doctor-patient privilege is not absolute and can be overcome in situations typically involving the protection of third parties from harm, public health safety issues and medical emergencies. Federal recognition of the doctor-patient privilege, however, is not as easily outlined.
Currently there is no federal statute that creates a doctor-patient privilege and the federal courts have not per se recognized the privilege. Additionally, there have been no overriding general privacy law(s) that cover medical record disclosures. However, with the enactment of HIPAA and its protection of health information transmitted electronically, the privacy of medical records has taken center stage and the distinction of whether or not something close to a federal doctor-patient privilege exists has been blurred. Thus, the failure of Congress to create or the federal courts to recognize a federal doctor-patient privilege does not seem to be an absolute bar to its future creation and should be viewed carefully from a litigation standpoint.
Take for an example the 1996 Supreme Court ruling in Jaffee v. Redmond in which the Court affirmed the existence of a federal psychotherapist-patient privilege.[FN21] The Court, relying heavily on the fact that most states had enacted some form of the psychotherapist-patient privilege, reasoned that policy decisions of the states should have a bearing on whether federal courts recognize new privileges.[FN22] The Supreme Court explained that although common law rulings were once the mainstay of new federal privileges, it is now appropriate to recognize consistent policy decisions by state legislatures.[FN23] The Court, however, stopped short of any broader federal recognition of the doctor-patient privilege. Interestingly, two recent district court cases in Virginia have framed some of the preliminary effects of the commingling of the HIPAA privacy rule and the doctor-patient privilege.
In U.S. v. Sutherland, the District Court for the Western District of Virginia considered a government subpoena of the medical records of a doctor's patients.[FN24] The hospital, standing behind the doctor-patient privilege under state law, argued that if it disclosed the protected medical information it would be subject to civil liability.[FN25] The court rejected this argument based on the grounds that although Virginia did have a doctor-patient privilege statute, the matter before the court was a federal criminal question, and, therefore, the state law privilege could not be asserted.[FN26] Likewise, because no per se federal doctor-patient privilege existed it could not be asserted either.[FN27] Notwithstanding these rulings, however, the court acknowledged the importance of protecting the privacy of medical records not only through judicial precedent but also based on enactment of HIPAA. Reasoning that the enactment of HIPAA was evidence that Congress was furthering a "strong federal policy to protect the privacy of patient medical records," the court found that it would have been "unreasonabl[e] or oppressive" to allow disclosure of patient medical records without first allowing the patient to receive notice and the opportunity to object.[FN28] Although the court only utilized HIPAA as persuasive authority for its ruling, it is probably a good indicator of the direction federal courts may take in the future in terms of protecting individual PHI under the auspices of HIPAA and beyond.
A year later, the District Court for the Eastern District of Virginia in 2002 in In re: Grand Jury Subpoena, entertained a similar issue, in the different setting of a grand jury subpoena.[FN29] The court confronted whether the doctor-patient privilege or general privacy concerns could restrict the production of hospital patient records.[FN30] Finding, as the court had concluded in Sutherland, that no express federal doctor-patient privilege existed, the court turned to the issue of a general federal right to privacy.[FN31] The court reiterated that although established authority recognized a patient's right to privacy in their medical records, that privacy interest was not absolute in all circumstances.[FN32] The court also rejected the argument used successfully in Sutherland that HIPAA should guide the court. The court ultimately found this argument unpersuasive because the HIPAA regulation specifically allows grand jury subpoenas to trump the privacy right in a patient's medical records. The court also explained in dicta that not all circumstances would necessarily weigh in favor of disclosing private medical information, thus leaving open the question of federal protection in the future.[FN33]
Although these two cases are the first judicial attempts at applying the new HIPAA privacy regulations to specific factual situations involving production of patient medical records, they are a fair barometer of future litigation. Certainly, until the privacy rule compliance deadline, there will be litigation opportunities to question how HIPAA, in combination with "a strong federal policy to protect the privacy of patient medical records," will span the privacy gap in regard to the disclosure of private medical records. Therefore, it will be important to keep these policy considerations in mind when contemplating disclosure of PHI in connection with judicial or administrative litigation prior to April 14, 2003. Further, after the privacy rule compliance deadline, it will be worth observing whether or not the federal judiciary moves towards adoption of a federal common law doctor-patient privilege beyond the scope of HIPAA's specified protections of PHI communications transmitted electronically. Given the strong historical federal policy of protecting patient medical records, the abundance of state statutory doctor-patient privilege laws, and the acceptance of the a federal psychotherapist-patient privilege in Jaffee v. Redmond, it is likely that there will be future opportunities for courts to examine this potential federal privilege.
Finally, the impact of the new HIPAA privacy regulations upon the doctor-patient privilege will be evident in the treatment of state privilege law. Although not referenced in the judicial provision, Sections 160.202-.205 explicitly provide that where state law regarding the disclosure of PHI is more lenient than federal law, state law will be preempted. Only in those instances where the state law is stricter than the HIPAA privacy rule will state law be allowed to operate, thus enhancing the privacy of patient medical records. Hence, where state doctor-patient privilege law allows for the disclosure of certain information in a way that conflicts with federal privacy law under HIPAA, privacy protection will extend to the disclosure. Consequently, questions in a litigation context will most likely arise as to how much further the overriding national privacy protection of patient information brings us toward the existence of a federal doctor-patient privilege and its accompanying concerns.
In summary, the judicial provision presents an important change in ways in which litigation involving patient medical records has traditionally occurred. The HIPAA privacy regulation contains specific procedural changes such as new requirements for notice and consent by patients before medical records are disclosed and minimum standards for qualified protective orders involving health information. Further, the regulations impact traditionally held views of the doctor-patient privilege. Not only does the HIPAA privacy rule implement a system of medical privacy protection that parallels the doctor-patient privilege on the state level, the privacy rule also may serve as a springboard for future litigation concerning the expansion of that coverage outside the scope of HIPAA's protection of electronically transmitted health information.
In assessing how to react to these new regulations it is important to realize what exactly is at stake. On one end of the spectrum, if the judicial provision did not exist and liberal discovery under the Fed. R. Civ. P. were allowed to determine the disclosure of PHI, many of the protections of HIPAA could be circumvented in civil litigation. Because HIPAA privacy regulations were not intended to act as an absolute shield that would allow litigants to permit selective discovery of some material and claim HIPAA protection of others, the judicial provision balances the need for legitimate discovery and use of PHI in litigation by imposing requirements of "reasonable efforts" to give notice to and obtain consent from patients or to obtain consensual or court ordered QPOs. In essence, these requirements attempt to balance the privacy of individual medical records with the demand for the free flow of information in judicial and administrative proceedings.
1: 42 U.S.C. � 1320d-5(a)(1).
2: 42 U.S.C. �� 1320d-6(b)(1), (2).
3: 42 U.S.C. � 1320d-6(b)(3).
4: The recently amended final HIPAA regulations, published on August 14, 2002, did not revise the judicial provision. Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53182 (Aug. 14, 2002).
5: Disclosures for Judicial and Administrative Proceedings, 45 C.F.R. � 164.512(e)(1)(i) (2002).
6: Id. at �� 164.512(e)(1)(ii).
7: Id. at � 164.512(e)(1)(iii).
8: Id. at � 164.512(e)(1)(ii)(B).
9: 45 C.F.R. � 164.512(e)(iv).
10: There are two sorts of disclosures required under the privacy rule: (1) patient access to their own medical records, and (2) disclosure in certain circumstances to the Department of Health and Human Services to investigate or to determine compliance with the privacy rule by the covered entity. 45 C.F.R. �� 164.502(a)(2)(i), (ii).
11: Id. at � 164.512(e)(1)(iii).
13: Id. at � 164.512(e)(1)(iv).
14: Id. at � 164.512(e)(1)(v) (emphasis added).
15: Id. at �� 164.512(e)(1)(iv)(A), (B).
16: Id. at � 26(c)(6).
17: United States v. $9,041,598.68, 163 F.3d 238, 250 (5th Cir. 1998).
18: E.g. 45 C.F.R. � 146.115 ("Reasonable efforts" required for certification of dependent access under health care plans).
19: It is likely that HHS, whose jurisdiction in the privacy rule is over medical providers and other covered entities listed in the statute, did not have jurisdiction to instruct courts how to treat medical records, such as in decisions about what evidence to admit. The judicial provision governs when medical records may be released in the absence of a decision by a court to order release.
20: For example, N.Y.C. PLR � 4504(a) and VA Code Ann. �� 8.01-.399(2002).
21: Jaffee v. Redmond, 518 U.S. 1 (1996).
22: Id. at 12-13.
23: Id. at 13.
24: United States v. Sutherland, 143 F. Supp. 2d 609 (W.D. Va. 2001).
25: Id. at 610.
26: Id. at 611.
28: Id. at 611-12.
29: In re Grand Jury Subpoena, 197 F. Supp. 2d 512 (E.D. Va. 2002).
30: Id. at 513.
31: Id. at 514-515.
32: Id. at 514.
33: Id. at 515.