
Vol. 78, No. 4, April 2005
The HIPAA Privacy Rules:
Disclosures of Protected Health Information in Legal Proceedings
The author provides practical information to help attorneys who 
represent entities covered by HIPAA and those who litigate matters 
involving individuals' health conditions understand the HIPAA Privacy 
Rules and when the state rules supersede them.
 
by Judith A. Langer
The federal Health Insurance Portability and 
Accountability Act (HIPAA)1 is an area of 
law unfamiliar to many attorneys. Yet it is essential that Wisconsin 
attorneys have a working knowledge of HIPAA and its accompanying 
Administrative Simplification regulations,2 
particularly the HIPAA Privacy Rules.3 
Counsel who represent health-care providers,4 health plans,5 or 
health-care clearinghouses6 (collectively 
called "covered entities"), or who litigate matters involving 
individuals' physical or mental health conditions, must have a clear 
understanding of the HIPAA Privacy Rules (Privacy Rules). Lawyers who 
fail to understand and comply with HIPAA may be subject to judicially 
imposed sanctions and other remedial actions.
This article discusses the Privacy Rules' provisions governing a 
covered entity's use and disclosure of protected health information in 
judicial and administrative proceedings and pursuant to lawful process. 
It does not discuss in depth the physician-patient privilege and other 
issues of evidence. Attorneys should be aware that even if the 
substantive HIPAA privacy provisions are satisfied, evidentiary 
privileges may still prevent a covered entity from disclosing protected 
health information.7
Information Subject to HIPAA
The Privacy Rules govern "protected health information" (PHI).8 The definition of PHI is very broad and includes 
many different types of information in addition to medical and hospital 
records. Medical bills, health insurance claims, applications for health 
insurance, and even the fact that a person is a physician's patient or a 
health plan enrollee are all considered to be PHI. Types of records 
excepted from PHI include education records covered by the Family 
Educational Rights and Privacy Act (FERPA),9 
employment records held by a covered entity in its role as employer, and 
certain other records mentioned in FERPA.10
Attorneys as Business Associates
Organizations, such as outside counsel, that perform duties for a 
covered entity involving the use or disclosure of PHI are called 
"business associates"11 under HIPAA. The 
Privacy Rules require covered entities to impose contractual limitations 
on their business associates. Under these business associate agreements, 
the business associate may only use12 
internally or disclose13 externally PHI in 
performing its duties and may not use or disclose PHI in a manner that 
violates the Privacy Rules.14 Thus, under 
their business associate agreements, attorneys representing health 
plans, health-care providers, or health-care clearinghouses have 
contractual duties to their clients to comply with the Privacy 
Rules.
Application of Stricter State Privacy Laws - HIPAA Preemption
Key to understanding the Privacy Rules is the concept of HIPAA 
preemption, that is, the relationship and interplay between state and 
federal privacy laws. The federal Privacy Rules provide for incomplete 
preemption of state law. In other words, where a state's privacy law is 
contrary to and more stringent15 than the 
HIPAA Privacy Rules, state law will apply. Though the Privacy Rules 
define several different contexts in which state law is more stringent, 
generally a state law will be more stringent where it prohibits a use or 
disclosure of PHI that HIPAA would permit, or where it provides the 
individual with greater privacy rights than HIPAA affords the 
individual. HIPAA preemption therefore presents a difficult analysis for 
attorneys attempting to determine which privacy law or regulation 
applies in any particular circumstance.
To date, no Wisconsin court has analyzed whether Wisconsin law is 
stricter than the Privacy Rules, but courts in other states are 
beginning to do so.16 However, a 
collaborative workgroup that included many attorneys, the HIPAA 
Collaborative of Wisconsin (HIPAA COW), has performed a preemption 
analysis on several Wisconsin statutes and regulations, including Wis. 
Stat. sections 51.30, 146.50, 146.81, 146.82, and 610.70, and chapter 
252, among others.17 These preemption 
analyses will be useful to attorneys evaluating whether and to what 
extent Wisconsin laws are stricter than the Privacy Rules.
Use and Disclosure of PHI in Legal Process
The Privacy Rules permit attorneys to obtain PHI from covered 
entities either with or without the individual's permission. HIPAA 
establishes different requirements for each method of obtaining PHI, and 
in some situations attorneys will find they are required to take 
additional steps when requesting PHI or ensure that requesters take 
additional steps before releasing PHI on behalf of a covered entity 
client.
Additionally, the U.S. Department of Health and Human Services, 
Office for Civil Rights, the agency charged with enforcing the Privacy 
Rules,18 recently issued a number of 
frequently asked questions to clarify the use and disclosure of PHI in 
judicial and administrative proceedings.19 
These frequently asked questions, in some situations, soften the effect 
of Privacy Rules' strict requirements, and should be read in tandem with 
the Privacy Rules.
Disclosure with the individual's permission. When a 
person or entity wants to obtain an individual's permission (or 
authorization) for the release of PHI, the Privacy Rules require use of 
a written authorization form containing specific core and required 
elements, detailed in 45 C.F.R. § 164.508(c)(1) and (2). Most 
authorization forms used by attorneys probably already include the 
HIPAA-required core elements. Attorneys will need to add the following 
HIPAA-required elements to their standard release forms: the 
individual's right to revoke the authorization and how the individual 
may do that; the ability or inability of the covered entity to condition 
treatment, payment, enrollment, or eligibility for benefits on the 
authorization; and the potential for information disclosed by the 
authorization to be redisclosed by the recipient and thus no longer 
protected by the Privacy Rules.
One of the instances in which state privacy law may be more stringent 
is with respect to authorizations. Consequently, due to HIPAA preemption 
rules, more stringent Wisconsin law requires additional elements to be 
added to written authorizations used to obtain PHI from Wisconsin 
health-care providers and health plans. For example, Wisconsin law 
requires that an individual give specific permission for the release of 
mental health records and HIV information, and authorizations to request 
these types of PHI from health-care providers must include this specific 
permission. Also, the effective length of an authorization to obtain PHI 
from a health insurer is governed by Wis. Stat. section 610.70(2).
The HIPAA COW Web site also contains sample authorization forms, 
specifically tailored to comply with both the Privacy Rules and 
Wisconsin law, which many health-care providers and health insurers in 
Wisconsin are likely to accept.20 Attorneys 
can also consider contacting a hospital before requesting records to 
determine whether the hospital requires a particular authorization form. 
Difficulties concerning authorization forms may be resolved by 
contacting the organization's privacy officer, a person required by 
HIPAA to be responsible for privacy-related forms.21
Thus, for example, under Wis. Stat. section 804.10, when counsel 
obtains or the court orders patient consent to the release of X-rays or 
other medical records or information by health-care practitioners or 
facilities, the form of the consent will need to comply with both 
HIPAA's authorization requirements and stricter Wisconsin law 
provisions.
Disclosure without the individual's permission. In 
situations in which it is not possible or practicable to obtain an 
individual's permission to release PHI in the course of judicial or 
administrative proceedings, the Privacy Rules permit attorneys to use or 
obtain PHI from covered entities in several ways.
Use of PHI in legal process or proceedings. The 
Privacy Rules permit a covered entity to use PHI for its treatment, 
payment, or health care operations purposes22 without obtaining an individual's 
authorization.23 The Office for Civil Rights 
has interpreted the Privacy Rules as permitting a covered entity that is 
a party to legal proceedings to "use" PHI in the litigation as part of 
its "health care operations."24 This 
interpretation should be understood to mean that a covered entity can 
share the PHI it possesses as a covered entity with the attorney 
representing it in a judicial or administrative proceeding, so that the 
attorney may furnish legal services and advice to the covered entity. 
For example, the Privacy Rules permit a physician who is a defendant in 
a medical malpractice action to share a plaintiff patient's PHI in the 
physician's possession with the physician's attorney, as part of the 
physician's health care operations.
Disclosure of PHI in legal process or proceedings. 
Section 512(e) of the Privacy Rules establishes the conditions under 
which a covered entity may disclose PHI in the course of judicial or 
administrative proceedings. Importantly, it is the covered entity's 
compliance duty, not the requesting attorney's legal obligation, to 
ensure that the section 512(e) provisions are met before disclosing PHI, 
despite one court's contrary interpretation.25 Nevertheless, as a practical matter, attorneys 
should familiarize themselves with the section 512(e) requirements to be 
able to foresee and forestall any potential objections from covered 
entities that are asked to produce PHI.
Significantly, the Office for Civil Rights has taken the position that 
the section 512(e) requirements only apply to covered entities that are 
not parties to a judicial or administrative proceeding.26 The Office for Civil Rights determined that the 
Privacy Rules permit covered entities that are parties to litigation to 
disclose PHI in the course of litigation as part of the covered 
entities' health care operations. Thus, the section 512(e) procedures 
have practical effect only when PHI is requested of a nonparty covered 
entity.
In brief, section 512(e) permits covered entities to disclose PHI 
without the individual's permission in two circumstances. One 
circumstance is when the covered entity receives a court order. The 
other circumstance is when the covered entity receives a subpoena, 
discovery request, or other lawful process unaccompanied by a court 
order. In the latter situation, the covered entity may disclose the 
requested PHI without the individual's permission, but only if either 
notice is given to the individual to whom the PHI pertains, or a 
qualified protective order is sought or obtained.27 The Privacy Rules dictate the notice and 
qualified protective order requirements.
Notice requirement. A covered entity is permitted 
under section 512(e) to disclose PHI in response to a subpoena, 
discovery request, or other process unaccompanied by a court order, if 
the covered entity receives "satisfactory assurance" of reasonable 
efforts to notify the individual who is the subject of the PHI.28 "Satisfactory assurance" means a written 
statement and accompanying documentation showing that the requester has 
made a good faith attempt to provide written notice to the individual 
that his or her PHI will be disclosed.29 
The notice must provide sufficient information about the matter, such as 
case number, name, and court or tribunal where pending, to allow the 
individual to lodge an objection.30 The 
assurance must indicate that time for any objections has elapsed or that 
the court or tribunal has resolved any objections in favor of permitting 
release of the requested PHI.31 If the 
subpoena or other request on its face documents all these elements, no 
supplemental documentation is required.32 
Additionally, the Privacy Rules allow the covered entity itself to 
provide notice to the individual to satisfy the notice 
requirement.33
Although technically the Privacy Rules permit notice to be given only 
to the individual or his or her personal representative34 as defined under HIPAA, the Office for Civil 
Rights issued a frequently asked question that apparently recognizes the 
ethical principle that attorneys who know that individuals are 
represented by legal counsel must only contact the individual's legal 
counsel or obtain that counsel's consent to contact the individual 
directly.35
Qualified protective order requirement. The Privacy 
Rules also permit a covered entity to disclose PHI in response to a 
subpoena, discovery request, or other process unaccompanied by court 
order if the covered entity receives satisfactory assurance that the 
requester has made reasonable efforts to obtain a qualified protective 
order.36 HIPAA defines a qualified 
protective order as a court or administrative order, or an order issued 
on the parties' stipulation, prohibiting the parties from using or 
disclosing the requested PHI for any purpose other than the litigation, 
and requiring the PHI either to be returned to the covered entity or 
destroyed at the end of the litigation.37 
Satisfactory assurance that the requester has made reasonable efforts to 
secure a qualified protective order means that the covered entity must 
receive from the requester a written statement and accompanying 
documentation showing either that the parties to the dispute have agreed 
to a qualified protective order and have presented it to the court or 
administrative tribunal with jurisdiction over the dispute or that the 
party seeking the PHI has requested a qualified protective order from 
the court or tribunal.38 The Privacy Rules 
also permit the covered entity to obtain a qualified protective 
order.39
The requirement that PHI subject to a qualified protective order be 
returned or destroyed at the end of the litigation may present a 
challenge to attorneys. A malpractice carrier may require its insured 
attorneys to retain PHI as part of the case files for a certain number 
of years, or it may not be entirely clear when the end of the litigation 
occurs, due to multiple or repeated collateral appeals. Moreover, an 
attorney may have shared the PHI with expert witnesses, and the PHI may 
be in evidence and part of the court file, in which case return or 
destruction of the PHI may be difficult or impractical.
One alternative to the "return or destruction" requirement that would 
likely satisfy the Privacy Rules requirements would be to state in the 
qualified protective order that, if the attorney receiving PHI could not 
feasibly return or destroy the PHI at the end of litigation, the 
attorney would be obligated to protect the confidentiality of the PHI 
for so long as the attorney retained the PHI and that the attorney would 
limit further uses and disclosures of the PHI to the purposes making the 
return or destruction of the PHI infeasible.40 This would ensure that individuals' privacy 
rights were respected while recognizing practical limitations of a 
strict "return or destruction" requirement.
Also, because section 512(e) establishes the minimum legal 
requirements for a covered entity to be legally permitted to disclose 
PHI, attorneys should be aware that health plans and health-care 
providers may have adopted privacy policies that require more safeguards 
than HIPAA requires before disclosing PHI. For example, before 
disclosing PHI, a health-care provider may require an attorney who 
requests PHI to prove that a qualified protective order has actually 
been entered, as opposed to merely stating that "reasonable efforts" 
were made to obtain it. Moreover, a health plan may require that the 
satisfactory assurance of notice be made by affidavit, as opposed to the 
mere written statement referred to in section 512(e).
Tips for Attorneys
In nonlitigation context or before litigation 
commences. The section 512(e) procedures will have little 
practical application before a judicial or administrative proceeding is 
commenced. Both the notice and the qualified protective order 
requirements in section 512(e) by their terms assume that a court will 
be available to issue the order or resolve objections. Therefore, 
obtaining PHI before commencing a legal proceeding will usually require 
the individual's authorization or a court order, if one can be obtained 
under the circumstances.
When seeking PHI by means of authorization, attorneys must understand 
that under the Privacy Rules, covered entities are permitted, not 
required, to disclose PHI in response to a valid authorization.41 Any difficulties over whether the attorney's 
authorization is or is not HIPAA-compliant may usually be resolved by 
using the covered entity's own authorization form or by contacting its 
privacy officer. A truly recalcitrant covered entity can, under the 
Privacy Rules, be made to disclose a patient's PHI by means of the 
patient making a HIPAA request for access to PHI,42 assuming there are no valid legal grounds for 
the covered entity to deny the patient's access request. However, making 
an access request under HIPAA should be a last resort, due to the 
lengthy timeframe available to the covered entity to evaluate the 
request and potential additional costs involved.
After litigation or proceeding commences. As noted 
above, the Office for Civil Rights limited application of the section 
512(e) requirements to covered entities that are not parties to a 
judicial or administrative proceeding. Under the Office for Civil Rights' 
interpretation, for example, a defense attorney representing a physician 
who requests PHI from a codefendant physician in a medical malpractice 
action would not have to obtain a qualified protective order or provide 
notice to the plaintiff under HIPAA when serving interrogatories seeking 
PHI on codefendant's counsel. HIPAA would permit the codefendant 
physician to disclose the PHI in response to the interrogatories, as a 
part of the physician's health care operations.
Depending on the situation, it may not be necessary under Wisconsin 
law for attorneys to satisfy the section 512(e) satisfactory assurance 
notice requirements when they request PHI from a nonparty covered 
entity. For example, Wis. Stat. section 804.10(2) states that in a 
personal injury case the court shall order the plaintiff to execute an 
authorization permitting the defendant to inspect and copy any hospital 
or medical records within the scope of discovery. When a patient's 
authorization has been obtained, it is not necessary to also give 
satisfactory assurance under section 512(e).
As a practical matter, in cases in which PHI will clearly be at issue 
and in which attorneys may need to subpoena PHI from nonparty covered 
entities, it is probably easiest at the outset of the case to either 
stipulate with opposing counsel or ask the court to issue a qualified 
protective order applying to any PHI that either attorney may subpoena 
for the case.
If an attorney chooses to provide notice of the subpoena to the 
individual whose PHI is being requested, the attorney should consider 
using a 10-day notice period for objections to be heard and resolved. 
Although section 512(e) does not specify any particular timeframe for 
the individual to raise objections, it would be reasonable in a state 
court proceeding to use a 10-day notice provision similar to that in 
Wis. Stat. section 805.07(2)(b).
Sanctions Against Attorneys
Wisconsin attorneys should be aware that courts in several 
jurisdictions have considered, and in one case actually imposed, 
sanctions on attorneys for failing to comply with the Privacy 
Rules.43 Though neither HIPAA nor the 
Privacy Rules contain civil sanctions expressly applicable to attorneys, 
one California court relied on HIPAA's range of civil administrative 
fines as guidance in sanctioning defense counsel for failure to follow 
section 512(e) when communicating with the plaintiff's treating 
physician.44
Conclusion
The HIPAA Privacy Rules add another layer of complexity to existing 
process and procedures for obtaining and using protected health 
information in the course of legal proceedings. Attorneys will need to 
carefully consider the effect of HIPAA's substantive privacy regulations 
on their requests for protected health information from health-care 
providers, health plans, and health-care clearinghouses.
Judith A. Langer, 
Marquette 1985, is senior counsel in the corporate legal department of 
WellPoint Inc., focusing on privacy, information security, and 
regulatory issues. Before the September 2003 merger of Cobalt Corp. with 
WellPoint, Langer served as Cobalt's privacy official.
The author thanks attorney Kathy Nusslock for her contributions to 
this article.
 
Endnotes
1. Pub. L. No. 104-191, 42 U.S.C. § 1320d-1, et seq.
2. The Administrative Simplification regulations include the Privacy Rules, the Security Rules, and the Transaction and Code Set Rules (45 C.F.R. parts 160, 162, 164).
3. The HIPAA Privacy Rules are codified at 45 C.F.R. parts 160 and 164.
4. Health-care providers governed by the HIPAA rules are those who transmit electronically the HIPAA standard transactions. See 45 C.F.R. § 160.103(3) (definition of "covered entity").
5. 45 C.F.R. § 160.103 (definition of "health plan").
6. Id. (definition of "health-care clearinghouse").
7. See Northwestern Mem'l Hosp. v. Ashcroft, 362 F.3d 923, 925-26 (7th Cir. 2004) (Posner, J.) (drawing distinction between procedural authority granted by Privacy Rules to obtain medical records and admissibility or privileged nature of those records).
8. 45 C.F.R. § 160.103 (definition of "protected health information").
9. 20 U.S.C. § 1232g.
10. 20 U.S.C. § 1232g(a)(4)(B)(iv).
11. 45 C.F.R. § 160.103 (definition of "business associate").
12. Id. (definition of "use").
13. Id. (definition of "disclosure").
14. 45 C.F.R. § 164.504(e). Effective April 21, 2005, the HIPAA Security Rules impose additional duties on business associates to safeguard electronic PHI, as set forth in 45 C.F.R. §§ 164.308(b) and 164.314(a).
15. 45 C.F.R. § 160.202.
16. A partial list of cases in which courts have performed HIPAA preemption analyses includes: Crenshaw v. MONY Life Ins. Co., 318 F. Supp. 2d 1015 (S.D. Cal. 2004); National Abortion Fed'n v. Ashcroft, 2004 WL 292079 (N.D. Ill. 2004), rev'd sub nom. Northwestern Mem'l Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004); Bayne v. Provost, 2005 WL 469360 (N.D.N.Y. 2005); National Abortion Fed'n v. Ashcroft, 2004 WL 555701 (S.D.N.Y. 2004); Law v. Zuckerman, 307 F. Supp. 2d 705 (D. Md. 2004); Lemieux v. Tandem Health Care of Florida Inc., 862 So. 2d 745 (Fla. Dist. Ct. App. 2003); Smith v. American Home Prods. Corp. Wyeth-Ayerst Pharm., 855 A.2d 608 (N.J. Super. Ct. Law Div. 2003); Keshecki v. St. Vincent's Med. Ctr., 785 N.Y.S.2d 300 (N.Y. Sup. Ct. 2004); State ex rel. Cincinnati Enquirer v. Adcock, 2004 WL 3015324 (Ohio Ct. App. 2004); Hawes v. Golden, 2004 WL 2244448 (Ohio Ct. App. 2004).
17. The HIPAA COW preemption charts can be found at http://hipaacow.org/home/PrivacyDocs.aspx (last accessed Feb. 28, 2005).
18. See 65 Fed. Reg. 82,381 (Dec. 28, 2000).
19. These frequently asked questions, or FAQs, are found at http://hipaacow.org/Docs/PrivacyGrid/WI%20%20HIPAA%20Authorization%202-20-03.doc (last accessed Feb. 28, 2005).
21. 45 C.F.R. § 164.530(a)(1)(i).
22. 45 C.F.R. § 164.500.
23. See 45 C.F.R. §§ 164.502(a)(1)(ii), .506(c)(1).
24. Answer ID 705 of the FAQs at www.hhs.gov/ocr/hipaa.
25. Crenshaw, 318 F. Supp. 2d at 1029.
26. Answer ID 704 of the FAQs at www.hhs.gov/ocr/hipaa.
27. 45 C.F.R. § 164.512(e)(1)(i), (ii)(A), (B).
28. 45 C.F.R. § 164.512(e)(1)(ii)(A).
29. 45 C.F.R. § 164.512(e)(1)(iii)(A).
30. 45 C.F.R. § 164.512(e)(1)(iii)(B).
31. 45 C.F.R. § 164.512(e)(1)(iii)(C)(1), (2).
32. Answer IDs 706 and 708 of the FAQs at www.hhs.gov/ocr/hipaa.
33. 45 C.F.R. § 164.512(e)(1)(vi).
34. 45 C.F.R. § 164.502(g)(1).
35. See Answer ID 707, found at www.hhs.gov/ocr/hipaa. See also SCR 20:4.2.
36. 45 C.F.R. § 164.512(e)(1)(ii)(B).
37. 45 C.F.R. § 164.512(e)(1)(v).
38. 45 C.F.R. § 164.512(e)(1)(iv)(A), (B).
39. 45 C.F.R. § 164.512(e)(1)(vi).
40. Compare similar provisions in 45 C.F.R. § 164.504(e)(2)(ii)(I), in the context of business associate agreements.
41. 45 C.F.R. § 164.502(a)(1)(iv).
42. See 45 C.F.R. § 164.524.
43. See Law, 307 F. Supp. 2d at 712-13 (sanctions contemplated but rejected, because court initially held that HIPAA was inapplicable); Crenshaw, 318 F. Supp. 2d at 1030 (sanctions imposed on defense counsel who had ex parte contact with one of plaintiff's treating physicians).
44. Crenshaw, 318 F. Supp. 2d at 1029-30.
Wisconsin Lawyer