Medical Records in Court: Life after HIPAA

1
Medical Records in CourtLife after HIPAA

• North Carolina Conference of Superior Court
  Judges, October 2003
• Presented by
• Jill Moore, UNC School of Government

2
Roadmap

• Fundamentals of the HIPAA privacy rule
• History
• HIPAA vs. state law
• Covered entities
• Protected health information (PHI)
• Disclosures of PHI for court proceedings
• How has HIPAA changed the landscape?

3
HIPAA History

• Health Insurance Portability and Accountability
  Act of 1996
• Administrative Simplification provisions
• Health care industry conducting electronic
  transactions with many different codes and
  languages ? high administrative costs
• Unable to agree on voluntary standards, so
  requested regulation
• DHHS directed to establish standards, plus
  provide for privacy and security of the
  information

4
HIPAA vs. state law

• HIPAA privacy rule intended to be a federal floor
  of privacy protection, by regulating the use and
  disclosure of health information and individuals
  rights respecting that information
• HIPAA preempts contrary state laws, unless the
  contrary law is more stringent
• In general, a state law is more stringent if it
  affords greater privacy protection or provides an
  individual more rights

5
HIPAA vs. state law

• The hole in the federal floor State laws that
  require disclosures of health information are not
  preempted
• State laws only preempted if they are contrary to
  HIPAA
• HIPAA privacy rule specifically allows
  disclosures of PHI that are required by state law
• State laws requiring disclosures are therefore
  not contrary and not preempted

6
HIPAA vs. state law

• General rules for NC covered entitiesmust comply
  with
• HIPAA privacy rule
• State laws requiring disclosures
• Example GS 130A-135physicians shall report
  communicable diseases to health department
• State laws that are more protective of privacy or
  afford greater individual rights
• Example GS 130A-143may disclose communicable
  disease information only in specified
  circumstances

7
Covered entities

• HIPAA directly regulates only public and private
  covered entities
• Health plans
• Health care clearinghouses
• Health care providers that transmit health
  information electronically in connection with a
  transaction covered by HIPAA

8
Protected health information

• The HIPAA privacy rule governs how covered
  entities use and disclose protected health
  information (PHI)
• PHI is information in any form or medium,
  including electronic and paper records, and oral
  communications

9
Protected health information

• PHI is information that
• Identifies an individual (or there is a
  reasonable basis to believe it can be used to
  identify the individual), and
• Relates to one of the following
• the past, present, or future physical or mental
  health or condition of the individual,
• the provision of health care to the individual,
  or
• the past, present, or future payment for the
  provision of health care.

10
Disclosing PHI

• General ruleDisclosure of PHI requires the
  individuals authorization
• Authorization must be in writing
• Forms must include elements specified by the
  HIPAA privacy rule

11
Disclosing PHI

• ExceptionsDisclosure without written
  authorization is permitted
• When disclosure is required by privacy rule (only
  two circumstances disclosures to individual
  disclosures to US DHHS for compliance or
  enforcement purposes)
• For treatment, payment, and health care operations

12
Disclosing PHI

• Exceptions (continued)Disclosure without written
  authorization permitted
• For certain purposes, such as hospital
  directories, provided the individual is given an
  opportunity to agree or object to the disclosure
• For national priority purposesamong other
  things, child abuse reporting, public health
  purposes, judicial and administrative proceedings

13
Disclosing PHI for court proceedings

• Must consider both HIPAA and state law
• HIPAA permits disclosure of PHI in judicial
  proceedings without the individuals written
  authorization, provided certain requirements are
  met
• But in North Carolina, much PHI will be
  privileged and may only be disclosed in
  accordance with applicable privilege statutes
• State privilege statutes afford greater privacy
  protection and are therefore not preempted

14
Disclosing PHI for court proceedings

• Medical records and information usually will be
  privileged, so disclosure will require either
• the individuals authorization, or
• a court order compelling disclosure, if in the
  courts opinion disclosure is necessary for a
  proper administration of justice
• But information that is PHI per HIPAA but not
  privileged per state law may be disclosed in
  accordance with HIPAA procedures

15
Disclosing PHI for court proceedings

• If the information is privileged and disclosure
  is made with the individuals authorization
• A covered entity may not disclose the record or
  information unless the authorization is in
  writing and includes all the elements required by
  HIPAA
• Entities covered only by state law will also
  require written authorization, but their forms
  may look different

16
Disclosing PHI in court proceedings

• If the information is privileged and the
  individual has not authorized disclosure, the
  information cannot be disclosed without the
  requisite findings and court order
• This applies equally to HIPAA-covered entities
  and entities that are subject only to state law

17
Disclosing PHI in court proceedings

• If the information is not privileged but it is
  PHI, a covered entity may only disclose it
• With the individuals written authorization, or
• According to the procedures set forth in the
  HIPAA privacy rule for disclosing without the
  individuals authorization.

18
Disclosing PHI in court proceedings

• A covered entity may disclose PHI that is not
  privileged without the individuals authorization
  in response to
• A court order, provided the entity discloses only
  the PHI expressly authorized by the order.
• A subpoena, a discovery request, or other lawful
  process without a court order if
• Reasonable efforts are made to notify the
  individual that disclosure is sought, or
• Reasonable efforts are made to secure a qualified
  protective order (as defined in the privacy rule).

19
How has HIPAA changed the landscape?

• Many holders of health information are covered
  entities and must comply with both HIPAA and
  state lawsincluding some that are not ordinarily
  seen as health care providers.

20
How has HIPAA changed the landscape?

• Confusion abounds. Expect
• To hear the term HIPAA used to refer to all of
  medical confidentiality lawfederal and state.
• Misperceptions about who is covered by HIPAA.
• Misunderstandings about how a covered entity may
  (and must) respond to subpoenas for medical
  records or information.
• False beliefs about when a covered entity can and
  cannot disclose under HIPAA.
• False beliefs about the continued viability of
  state law.

21
What has HIPAA changed? What remains the same?

• Disclosures in court proceedings Privileged
  information
• Changed
• Disclosures with individuals authorization must
  be in writing and include specific elements
• Unchanged
• Disclosures without individuals authorization
  require court order

22
What has HIPAA changed? What remains the same?

• Disclosures in court proceedings PHI that is not
  privileged
• Changed
• Disclosures with individuals authorization must
  be in writing and include specific elements
• Disclosures without individuals authorization
  only permitted in response to
• a court order
• a subpoena, discovery request or other lawful
  process with notice or protective order

23
What has HIPAA changed? What remains the same?

• Disclosures in court proceedings Health
  information held by an entity that is not a
  covered entity under HIPAA
• Unchanged by HIPAA
• Other disclosures that may be litigated
• Unchanged by HIPAA
• But will HIPAA ultimately change standard of care?

24
Jill Moore UNC School of Government CB 3330 Knapp
Building Chapel Hill, NC 27599-3330 919-966-4442 j
ill_moore_at_unc.edu www.medicalprivacy.unc.edu