Whenever asked to hand over protected health information (PHI) for use in litigation, one should be mindful of both the Health Insurance Portability and Accountability Act (HIPAA) and the rules regarding litigation and discovery. Providers should make certain that such requests are proper, should not release more PHI than necessary, and should keep a close eye on data security.
Both state and federal laws, most specifically HIPAA, place constraints on the disclosure of private patient data. Providers who receive requests for information need to consult with counsel before acting on any request to confirm that the disclosure is in compliance with HIPAA, including the reasonable assurance of privacy, before responding. At the same time, counsel will determine the authority and scope of the subpoena.
Once a decision to disclose has been made, providers need to find and identify the relevant records and take steps to ensure that PHI will not be disseminated outside the context of the litigation.
HIPAA places certain conditions on provider responses to a subpoena, discovery request, or other lawful process that is not accompanied by an order of court or administrative tribunal.
A provider’s obligation to respond to a request depends, in large part, on how the request is made. If the request was made by the patient, then HIPAA requires the provider to produce the records in a timely fashion. However, in the course of litigation, a request for PHI usually comes in the form of a subpoena or court order. Subpoenas require a bit more thought than a court order.
Consulting compliance counsel can ensure that the subpoena makes it clear that the party seeking the information will ensure confidentiality of the information, or that the patient was notified of the request and failed to object or the objection was overruled. Counsel can further ensure that the subpoena contains a statement that offers assurances as to the notice that has been given to the patient. HIPAA forbids the release of such information absent “satisfactory assurance” that “reasonable efforts” have been made to notify the patient of the request. Further, the patient can object by filing a motion to quash the subpoena, and the provider may wish to wait until the time for filing such a motion expires.
Counsel can examine the subpoena for defects; for instance, the subpoena must be signed by the attorney or the Clerk of Court, be dated, display the attorney’s bar number, and contain the attorney’s phone number and address. Counsel can also look to see whether the jurisdiction was proper. A provider may not need to honor a subpoena issued by an out-of-state attorney, he said. An exception applies if both the provider’s state and the home state of the requesting attorney are signatories to the Uniform Foreign Deposition Act, under which the states have agreed to give full faith and credit to subpoenas issued in those states.
Lastly, there are also both federal and state laws restricting disclosure of records related to drug and alcohol treatment, as well as rules governing the release of HIV/AIDS records. Given the complex nature of these requests, counsel should be notified before any response is made to a subpoena or court order.