Copyright 2006 Rubin Law Firm, LLC Drafting HIPAA Compliant Subpoenas & Discovery Presented by:RACHEL B. RUBIN Kansas Bar Association Annual Meeting June.

Copyright 2006 Rubin Law Firm, LLCCopyright 2006 Rubin Law Firm, LLC

Drafting HIPAA Compliant Drafting HIPAA Compliant Subpoenas & Discovery Subpoenas & Discovery

Presented by:Presented by: RACHEL B. RUBINRACHEL B. RUBINKansas Bar Association Annual MeetingKansas Bar Association Annual Meeting

June 10, 2006June 10, 2006

Rubin Law Firm, LLCRubin Law Firm, LLC4601 College Blvd., Suite 2804601 College Blvd., Suite 280

Leawood, KS 66211Leawood, KS 66211(913) 322-8950(913) 322-8950

[email protected]

www.rrubinlaw.com


Drafting HIPAA Compliant SubpoenasDrafting HIPAA Compliant Subpoenas

HIPAA privacy regulations protect patient medical information.

“Protected Health Information” or “PHI”

Definition of PHI: Individually Identifiable Health Information that is transmitted by or maintained in electronic or any other form.


PROTECTED HEALTH INFORMATIONPROTECTED HEALTH INFORMATION

“Individually Identifiable Health Information” 45 CFR 160.103.

Very broad definition:

• Includes all types of medical information regarding an individual’s past, present or future physical or mental health or condition, the provision of health care, or payment for

health care, that identifies the individual.


GENERAL RULE UNDER HIPAA:GENERAL RULE UNDER HIPAA:

– A Covered Entity CANNOT use or disclose PHI without obtaining a WRITTEN AUTHORIZATION from the patient.

– “Covered Entity” includes a health care provider (physician, dentist, hospital, ASC, etc); health plan, or health care clearinghouse (e.g. a hospital/physician billing company).


EXCEPTIONSEXCEPTIONS

• Primary Exception: treatment, payment or healthcare operations.

• Minimum Necessary Information: Disclose ONLY the minimum necessary to accomplish the intended purpose of the use, disclosure or request.


OTHER EXCEPTIONSOTHER EXCEPTIONS (45 CFR 164.512)(45 CFR 164.512)

Additional exceptions allow Covered Entity to use or disclose PHI without written patient authorization:

• Required by law;• Public health activities;• Victims of abuse, neglect or domestic violence;• Health oversight activities (e.g., Board of Healing Arts)• Judicial or administrative proceedings;• Law Enforcement purposes;• Decedents;• Organ, eye or tissue donation at death;• Research purposes;• To avert a serious threat to health or safety;• Specialized government functions (e.g. military);• Worker’s Compensation


Worker’s CompensationWorker’s Compensation

• Worker’s Comp treatment records may not include all records you want.– General treatment records are (or should be)

maintained separately from Worker’s Comp treatment records.

– Should request specific authorization to obtain patient’s general treatment records.


OTHER EXCEPTIONS OTHER EXCEPTIONS (45 CFR 164.512)(45 CFR 164.512)

• Always check the regulations--the requirements to meet any of these exceptions are hyper-technical.


REQUEST FOR PHI PURSUANT TO REQUEST FOR PHI PURSUANT TO SUBPOENA OR COURT ORDERSUBPOENA OR COURT ORDER

• HIPAA requires a Covered Entity to respond differently to a subpoena or discovery request, and an order of a court or administrative tribunal.

• Distinction between Subpoena (KSA 60-245 & 60-245a) & Court Order


PURSUANT TO COURT ORDER PURSUANT TO COURT ORDER

• Covered Entities MUST DISCLOSE PHI if it receives a court order specifically ordering it to release an individual’s PHI.

• Covered Entity may only disclose the PHI that is expressly authorized under the court order, and not more.

• Court order should demonstrate to the Covered Entity that HIPAA was considered & that the patient had opportunity to be heard & object to disclosure.


PURSUANT TO SUBPOENA, DISCOVERY PURSUANT TO SUBPOENA, DISCOVERY OR OTHER LAWFUL PROCESS OR OTHER LAWFUL PROCESS

Under HIPAA, Covered Entities should NOT provide PHI based solely on receipt of a subpoena or discovery request.

Additional requirements must be met:

1. Satisfactory assurance from the Requestor that reasonable efforts have been made to ensure that the patient has been

given notice of the request; OR

2. Satisfactory assurance from the Requestor that a qualified

protective order has been obtained.


ALTERNATIVE 1:ALTERNATIVE 1: NOTICE TO PATIENT NOTICE TO PATIENT

In addition to subpoena, Requestor must provide Covered Entity with written statement and documentation which demonstrates that:

– Good faith attempt to provide written notice to the individual;– Notice included sufficient information to permit individual to raise

objection in court; &– Time for individual to raise objections in court has expired & no

objections were filed; or all objections have been resolved by court.


ALTERNATIVE 2:ALTERNATIVE 2: QUALIFIED QUALIFIED PROTECTIVE ORDERPROTECTIVE ORDER

Requestor must provide Covered Entity with written statement and documentation which demonstrates that:

– The parties to the request for information have agreed to a qualified protective order & have presented it to the court; or

– Requestor has sought a qualified protective order from the court.


DEFINITION OF “QUALIFIED DEFINITION OF “QUALIFIED PROTECTIVE ORDER” PROTECTIVE ORDER” 45 CFR 164.512(e)(1)(v)45 CFR 164.512(e)(1)(v)

– Prohibits parties from using or disclosing the PHI for any other purpose;

– An order of a court or administrative tribunal, or a stipulation by the parties; and

– Requires return of PHI to Covered Entity or destruction of PHI,

including all copies made, at end of litigation or proceeding.


HIPAA Enforcement HIPAA Enforcement

• Office for Civil Rights (Civil); DOJ (Criminal)

• Potential Civil & Criminal Penalties for Violations of HIPAA

– Civil Money Penalties– Criminal sanctions for individuals/entities whose

conduct is governed by HIPAA– No private cause of action set forth in statute or

regulations


Other Applicable Privacy Laws:Other Applicable Privacy Laws:

• Alcohol & Drug Abuse Treatment Records

(42 U.S.C. 290dd; 42 U.S.C. 290ee, 42 C.F.R. 2.1 et seq.)

– Protects identity, diagnosis, prognosis or treatment of patient

• Participation in Medicare/Medicaid subjects a hospital or facility to this statute


Alcohol & Drug Abuse Treatment RecordsAlcohol & Drug Abuse Treatment Records

• Such records may not be used in any civil, criminal, administrative or legislative proceedings conducted by federal, state or local authority.

• Disclosures limited to information necessary to carry out purpose of disclosure.

• Answer to request for disclosure may not reveal patient’s identity or whether they have sought treatment.


Alcohol & Drug Abuse Treatment Records

(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a). • Disclosure is permitted with prior written consent of patient.• Consent must contain certain elements:

– Name of program & patient; purpose of disclosure; type of information to be disclosed; signature of patient; expiration date.

– Regulations contain model written consent form. (42 CFR 2.31).

Similar to HIPAA, but different statutory scheme.

Protections continue regardless of individual’s status as patient.


Alcohol & Drug Abuse Treatment Records (See 42 USC 290dd-2(b) & 42 CFR 2.61)(See 42 USC 290dd-2(b) & 42 CFR 2.61)

• Provision in statute for Court Order:– Must show good cause, including need to avert

substantial risk of death or serious bodily harm.– Court to weigh public interest & need for disclosure

against injury to patient, the physician-patient privilege, & treatment.

– Court must impose appropriate safeguards against unauthorized disclosure.


Alcohol & Drug Abuse Treatment Records (See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).

• No preemption of state law, if state law more restrictive. (42 CFR 2.20).

• Criminal penalty for violation of statute:– Not more than $500 for 1st offense; Not more than

$5,000 for each subsequent offense. (42 CFR 2.4).– Reports of violations made to U.S. Attorney where

violation occurred.– No private cause of action set forth in statute or

regulations.


Other Applicable Privacy LawsOther Applicable Privacy Laws

• No preemption of state law, so long as state law is more stringent, e.g. state has more protections for patient information. (See 45 CFR 160.201.)

HIV/AIDS STATUS UNDER KANSAS LAW:

– Confidential; no disclosure– K.S.A. 65-6002 – no disclosure of HIV/AIDS status, upon

subpoena or otherwise, unless patient consents in writing– No provision in statute for Court Order to disclose HIV/AIDS

status


SummarySummary

Safest route for Covered Entity is to obtain patient’s written authorization to use or disclose patient’s PHI.

Subpoena for PHI by itself will not satisfy requirements under HIPAA; opens door to motion to quash.

Subpoena must be accompanied with written statement & supporting documentation that:

1) patient has been notified of request for PHI & has

not objected to disclosure, OR 2) protective order has been obtained.

Attorney who wants PHI may need to obtain court order to ensure compliance by Covered Entity.


SummarySummary

• Other state and federal privacy laws may also apply; HIPAA is NOT the end of inquiry

• Common law doctrines of privacy & confidentiality; breach of fiduciary duty;

• Potential violation of Healing Arts Act for “unprofessional conduct,” even if no private cause of action exists.


SummarySummary

Copyright 2006 Rubin Law Firm, LLC Drafting HIPAA Compliant Subpoenas & Discovery Presented by:RACHEL B. RUBIN Kansas Bar Association Annual Meeting June.

Documents