The HIPAA Learning Curve Practical Application Of The Law Is Not Always A Matter Of Black And White

By now, it is expected that every health care practitioner’s office, hospital, and clinic has conformed with the Health Insurance Portability and Accountability Act (HIPAA.) All staff members should be familiar with the privacy regulations and have taken the mandated steps required to protect patient data.
In the real world, however, practical application of the law is not necessarily always so black and white. Circumstances arise that are not necessarily detailed in the policy. For example, how should phone and written requests for information be handled? What should be done when a legal request, such as a subpoena, is made for patient records? How can health care staff members balance a patient’s right to privacy with their legal responsibility to release requested information?

It is strongly recommended that health care providers establish a protocol for dealing with such requests and ensure that every staff member follows the protocol.
Compliance with HIPAA, or lack thereof, is serious business. A system of checks and balances must be implemented to ensure that only the absolute minimal amount of Protected Health Information (PHI) is released to conform with each valid request. As a general rule, phone calls or letters from persons other than the patient are not considered to be valid requests, and should not result in release of information. Even subpoenas are to be treated with caution, as several steps are legally necessary to comply with HIPAA.

Once a request is received, the patient has the right to refuse release of his/her own medical records. Once refusal is established, legal steps must ensue. That said, even legal requests must be carefully regarded because specific courses of action are mandated for various requests. There are even specific language requirements that must be included in judicial orders requesting “sensitive information.” This applies to requests for such information as HIV/AIDS, psychiatric, alcohol, and drug abuse records.

To further complicate matters, compliance regulations for hospitals and clinics are different than for other health care providers, and distinct courses of action arise depending whether or not the patient is a party named in the case from which a subpoena is issued.

With regards to a hospital or clinic receiving a civil deposition subpoena in which PHI is requested and the party is named in the case, satisfactory assurances must be met before the information is released. Reasonable efforts must be made to notify the individual that a request for their record has been made, and that a qualified protective order is in place. The qualified protective order is a stipulation that neither side of the litigation will use the PHI information outside of the litigation and that the information will be returned or destroyed at the conclusion of the legal action.

The notification requirement is met when the hospital or clinic receives a written document that states that a good faith effort has been made to notify the patient that his/her record has been subpoenaed, the individual has had enough time to object to the release of his/her information, and that no objection has been filed, or all objections have been resolved.

This, in effect, ensures that information cannot be obtained secretly. It must also be mentioned that if the patient is not named in the case, a subpoena should not be considered sufficient. A court order or patient authorization should be required for release of PHI.

The protocol for release of PHI is different for other health care providers, including practitioners’ offices. The standard is more strict in these circumstances, and requires patient authorization or a court order to release records. A subpoena is not sufficient, regardless of satisfactory assurances and a qualified protective order being in effect.

The only exception is a “serious danger to health and safety” clause. In this case a reasonable effort must be made to avert harm, by alerting law enforcement or other authorities who may be in a position to prevent harm, however only the absolute minimal amount of PHI should be released.

The HIPAA Privacy Rule permits all health care providers to disclose PHI to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization. Care must be taken with regards to what specific information is released however. Surrendered information must be relevant to the particular workers’ compensation claim, and nothing more can be released without going through the standards established above.

The HIPAA regulations were written to protect the privacy of patient records, but as with all new laws, we are going through a learning curve as to specific application.

The information included here has been condensed and simplified for the benefit of the general readership of this publication. Specific circumstances are best referred to professional counsel to ensure compliance with the law.

Robert S. Murphy, Jr., Esq., is an experienced trial attorney with Springfield-based Bacon & Wilson, P.C, handling all types of litigation in both state
and federal courts; (413) 781-0560 or rmurphy@bacon-wilson.com.