Each day, attorneys request medical records pertaining to their clients that are related to a certain case, including personal injury, commercial lawsuit or a dispute between two doctors. Now, attorneys must deal with objections from the custodians of medical records where they decline to release the desired information due to HIPAA requirements. A typical response by an attorney requesting such information might be, ‘huh?’
Understanding HIPAA requirements is important for handling document discovery of medical records efficiently. This article was written to give attorneys an overview of current HIPAA requirements and how they relate to Oregon statutory laws on the privacy of medical records and to the Oregon Rules of Civil Procedure. Please go over the HIPAA rules carefully, as they apply to different legal practices and cases in various ways.
In 1996, Congress passed the new law for medical records privacy, known as the Health Insurance Portability and Accountability Act or HIPAA, 42 USC 1320D. In 1999, the Department of Health and Human Services issued regulations, followed by final regulations at the end of December 2000. Final modifications were made in August 2002, which fully implemented the privacy provisions of HIPAA. The purpose of HIPAA was to boost the effectiveness and efficiency of the insurance and healthcare industries through the proper delivery of electronic information. With new electronic disclosures, there was a concern about protecting the privacy of patient medical information. Generally, HIPAA privacy rules limit the disclosure and use of a person’s private health information; this is referred to as PHI.
HIPAA requirements apply to what are known as ‘covered entities’, which include health care clearinghouses, group health plans, and healthcare providers. HIPAA provides broad categorizations of these terms. A covered entity is only allowed to disclose protected health information under an exception or with a signed authorization from the individual. HIPAA has harsh penalties for improperly disclosing medical records that contain PHI. Penalties range from $100 per violation up to $25,000. Discovery from an entity that is covered under HIPAA can be done in three ways.
Three Ways To Receive Medical Records
A covered entity is barred from disclosing medical records unless the disclosure is made under an individual authorization or an exception. To meet the requirements, you have three choices as an attorney. First, you can use a subpoena or administrative order. Second, you can use a judicially signed court order. Last, you can provide a signed individual authorization covering the specific medical data requested.
Getting Medical Records Related to Discovery Request
Defense counsel will normally get the medical records of the plaintiff via a discovery request. Under HIPAA, an attorney in an Oregon state court can no longer use a subpoena duces tecum to request medical records from the covered entity, wait two weeks and then obtain the disclosure, as the previous rules noted in ORCP 55 allowed. According to HIPAA regulations, a subpoena duces tecum now must include ‘satisfactory assurances’ to the covered entity that the attorney gave notice to the person whose medical records are being requested.
Satisfactory assurances have the following definition:
- The party who made the request made a reasonable attempt to provide notice of the request to the individual.
- The notice featured enough information and a certain time period so that the person had the chance to object.
- No objection was filed, or if it was, it has been resolved.
An attorney can meet this requirement by submitting a letter to the person whose medical records are being requested. Or, if the person has an attorney, it can be sent to him or her. The letter has to have notice that the person or lawyer has 14 days from the date of the letter to make an objection. If the 14 days pass and there has been no objection filed, the party making the request may issue the subpoena per ORCP 55. The need for a satisfactory assurance for the covered entity may be met with a cover letter that is attached to the subpoena that details the type of notice given to the person before the subpoena was issued.
An attorney can also apply for a qualified protective order to fulfill the requirement for a satisfactory assurance. The qualified protective order may be an order from the court that limits the use of the information and requires its return or destruction after it has been used in the case. Requests for qualified protective orders are common; they are the discovery method often preferred by both sides. The qualified protective order provides assurance that HIPAA requirements were met. But this is more expensive than a mere discovery request.
Judicial Order Signed
HIPAA does allow for medical records to be disclosed by a covered entity related to a signed court order that authorizes the information to be disclosed. If the request for discovery is signed by a judge, no satisfactory assurance is required.
Signed Individual Authorization
The safest and simplest way to get someone’s protected health information is to get a signed, single authorization. But getting this authorization is difficult.
The authorization of the person to disclose their medical records as they relate to HIPAA must meet the requirements of 45 CFR 164.508. It is important for attorneys to look out for standardized forms that do not include reference to specific state requirements, which can be in addition to federal HIPAA requirements.
Because of these possible additional requirements, an attorney may want to draft and send a custom authorization form. Also, consider sending a cover letter that explains that the authorization is enclosed and meets federal and state requirements to disclose medical records.
HIPAA mandates more notice and care be involved in the disclosure of PHI, even as it relates to most litigation. But rumors you may have heard about the downfall of medical information discovery have been exaggerated. Experience shows that difficulties regarding this matter are often due to simple misunderstandings and changing practices about HIPAA and the state laws as they apply to a certain case. Just know that HIPAA allows for three types of discovery methods. Complying with these rules is necessary to obtain the records you need for your client’s case. But they are relatively straightforward and are usually just a matter of the revision of your current legal procedures.