Title: Medical Records in Court: Life after HIPAA
1. Medical Records in Court: Life after HIPAA
- North Carolina Conference of Superior Court Judges, October 2003
- Presented by Jill Moore, UNC School of Government
2. Roadmap
- Fundamentals of the HIPAA privacy rule
- History
- HIPAA vs. state law
- Covered entities
- Protected health information (PHI)
- Disclosures of PHI for court proceedings
- How has HIPAA changed the landscape?
3. HIPAA History
- Health Insurance Portability and Accountability Act of 1996
- Administrative Simplification provisions
- Health care industry conducting electronic transactions with many different codes and languages → high administrative costs
- Unable to agree on voluntary standards, so requested regulation
- DHHS directed to establish standards, plus provide for privacy and security of the information
4. HIPAA vs. state law
- HIPAA privacy rule intended to be a federal floor of privacy protection, by regulating the use and disclosure of health information and individuals' rights respecting that information
- HIPAA preempts contrary state laws, unless the contrary law is more stringent
- In general, a state law is more stringent if it affords greater privacy protection or provides an individual more rights
5. HIPAA vs. state law
- The hole in the federal floor: State laws that require disclosures of health information are not preempted
- State laws only preempted if they are contrary to HIPAA
- HIPAA privacy rule specifically allows disclosures of PHI that are required by state law
- State laws requiring disclosures are therefore not contrary and not preempted
6. HIPAA vs. state law
- General rules for NC covered entities: must comply with
  - HIPAA privacy rule
  - State laws requiring disclosures
    - Example: GS 130A-135 (physicians shall report communicable diseases to health department)
  - State laws that are more protective of privacy or afford greater individual rights
    - Example: GS 130A-143 (may disclose communicable disease information only in specified circumstances)
7. Covered entities
- HIPAA directly regulates only public and private covered entities
  - Health plans
  - Health care clearinghouses
  - Health care providers that transmit health information electronically in connection with a transaction covered by HIPAA
8. Protected health information
- The HIPAA privacy rule governs how covered entities use and disclose protected health information (PHI)
- PHI is information in any form or medium, including electronic and paper records, and oral communications
9. Protected health information
- PHI is information that
  - Identifies an individual (or there is a reasonable basis to believe it can be used to identify the individual), and
  - Relates to one of the following
    - the past, present, or future physical or mental health or condition of the individual,
    - the provision of health care to the individual, or
    - the past, present, or future payment for the provision of health care.
10. Disclosing PHI
- General rule: Disclosure of PHI requires the individual's authorization
- Authorization must be in writing
- Forms must include elements specified by the HIPAA privacy rule
11. Disclosing PHI
- Exceptions: Disclosure without written authorization is permitted
  - When disclosure is required by privacy rule (only two circumstances: disclosures to individual; disclosures to US DHHS for compliance or enforcement purposes)
  - For treatment, payment, and health care operations
12. Disclosing PHI
- Exceptions (continued): Disclosure without written authorization permitted
  - For certain purposes, such as hospital directories, provided the individual is given an opportunity to agree or object to the disclosure
  - For national priority purposes: among other things, child abuse reporting, public health purposes, judicial and administrative proceedings
13. Disclosing PHI for court proceedings
- Must consider both HIPAA and state law
- HIPAA permits disclosure of PHI in judicial proceedings without the individual's written authorization, provided certain requirements are met
- But in North Carolina, much PHI will be privileged and may only be disclosed in accordance with applicable privilege statutes
- State privilege statutes afford greater privacy protection and are therefore not preempted
14. Disclosing PHI for court proceedings
- Medical records and information usually will be privileged, so disclosure will require either
  - the individual's authorization, or
  - a court order compelling disclosure, if in the court's opinion disclosure is necessary for a proper administration of justice
- But information that is PHI per HIPAA but not privileged per state law may be disclosed in accordance with HIPAA procedures
15. Disclosing PHI for court proceedings
- If the information is privileged and disclosure is made with the individual's authorization
  - A covered entity may not disclose the record or information unless the authorization is in writing and includes all the elements required by HIPAA
  - Entities covered only by state law will also require written authorization, but their forms may look different
16. Disclosing PHI in court proceedings
- If the information is privileged and the individual has not authorized disclosure, the information cannot be disclosed without the requisite findings and court order
- This applies equally to HIPAA-covered entities and entities that are subject only to state law
17. Disclosing PHI in court proceedings
- If the information is not privileged but it is PHI, a covered entity may only disclose it
  - With the individual's written authorization, or
  - According to the procedures set forth in the HIPAA privacy rule for disclosing without the individual's authorization.
18. Disclosing PHI in court proceedings
- A covered entity may disclose PHI that is not privileged without the individual's authorization in response to
  - A court order, provided the entity discloses only the PHI expressly authorized by the order.
  - A subpoena, a discovery request, or other lawful process without a court order if
    - Reasonable efforts are made to notify the individual that disclosure is sought, or
    - Reasonable efforts are made to secure a qualified protective order (as defined in the privacy rule).
19. How has HIPAA changed the landscape?
- Many holders of health information are covered entities and must comply with both HIPAA and state laws, including some that are not ordinarily seen as health care providers.
20. How has HIPAA changed the landscape?
- Confusion abounds. Expect:
  - To hear the term HIPAA used to refer to all of medical confidentiality law, federal and state.
  - Misperceptions about who is covered by HIPAA.
  - Misunderstandings about how a covered entity may (and must) respond to subpoenas for medical records or information.
  - False beliefs about when a covered entity can and cannot disclose under HIPAA.
  - False beliefs about the continued viability of state law.
21. What has HIPAA changed? What remains the same?
- Disclosures in court proceedings: Privileged information
  - Changed
    - Disclosures with individual's authorization must be in writing and include specific elements
  - Unchanged
    - Disclosures without individual's authorization require court order
22. What has HIPAA changed? What remains the same?
- Disclosures in court proceedings: PHI that is not privileged
  - Changed
    - Disclosures with individual's authorization must be in writing and include specific elements
    - Disclosures without individual's authorization only permitted in response to
      - a court order
      - a subpoena, discovery request or other lawful process with notice or protective order
23. What has HIPAA changed? What remains the same?
- Disclosures in court proceedings: Health information held by an entity that is not a covered entity under HIPAA
  - Unchanged by HIPAA
- Other disclosures that may be litigated
  - Unchanged by HIPAA
  - But will HIPAA ultimately change standard of care?
24. Jill Moore
UNC School of Government
CB 3330 Knapp Building
Chapel Hill, NC 27599-3330
919-966-4442
jill_moore_at_unc.edu
www.medicalprivacy.unc.edu