In a May 1 webinar hosted by McGuireWoods, Nathan A. Kottkamp, JD, a partner at McGuireWoods, and David J. Pivnick, JD, and Mary C. DeBartolo, JD, attorneys at McGuireWoods, discussed the legal implications of the Health Insurance Portability and Accountability Act of 1996. They laid out concepts that healthcare providers should be aware of with regard to HIPAA compliance during litigation.
Ms. DeBartolo began by discussing the ways HIPAA has evolved since it was enacted. She mentioned that the Health Information Technology for Economic and Clinical Health Act, the HIPAA Omnibus Final Rule and real-world events have impacted HIPAA's application.
But the general idea remains the same: HIPAA is supposed to protect patient privacy and personal medical information, said Mr. Pivnick. It is important to note that protected health information is not just restricted to patient names and information related to diagnosis. It also includes Social Security numbers and addresses. "It includes anything by which the patient can be identified," said Mr. Pivnick. "It should not be narrowly defined."
In cases of litigation, however, access to protected health information may be needed. It is necessary for providers to understand their obligations and options when faced with a request for access. The speakers discussed seven concepts regarding HIPAA compliance in litigation.
1. Compliance efforts prior to litigation. If the organization is a covered entity that holds protected health information, it is essential that the organization has procedures in place to ensure HIPAA compliance, said Mr. Pivnick. Employees should know these procedures, and compliance training should be conducted regularly. Providers should have agreements governing the handling and disclosure of protected health information with all business associates, including law firms, he said.
2. Primary methods of obtaining medical records pursuant to HIPAA. It is important to be well-versed in the methods of obtaining medical records in accordance with HIPAA, because organizations could find themselves on either side of a litigation case — either requesting access to protected health information or being asked for access. The most common methods are patient requests, patient authorizations of a third party, subpoenas and court orders, said Ms. DeBartolo. In all cases, organizations should look at both HIPAA and state law, and follow the more restrictive of the two, she said.
3. Patient requests for medical records. When the request for access to medical records comes from a patient, providers need to be especially stringent, said Mr. Pivnick. These requests must always be in writing and must come from the patient or from the patient's parent or guardian, with the patient's permission. Mr. Pivnick also said that providers should retain records of patient requests for access for at least six years and keep track of what has been disclosed.
4. Qualified protective orders. Qualified protective orders are especially important for making sure an organization's bases are covered, said Mr. Pivnick. These orders prohibit the parties involved from using or disclosing protected health information for any purpose other than the litigation, and they also require the return or destruction of the information at the end of the case. According to Mr. Pivnick, when preparing a draft order it is important that its scope is not too broad, since an overly broad order can lead to confusion later on. He also suggests adding a requirement that the receiving party certify in writing that it will return or destroy all proprietary information.
5. Subpoenas. Subpoenas are legally binding, said Mr. Pivnick, and cannot be ignored even if protected health information is involved. In this situation, however, providers should ask the requesting party for either a qualified protective order or satisfactory assurance. Satisfactory assurance means the requesting party confirms that reasonable efforts were made to notify the patient, that the patient was given enough information about the case to raise an objection, and that the time period for objecting has elapsed, said Mr. Pivnick.
6. Disclosure without authorization. There are certain disclosures of information that are required by law and do not need authorization, said Mr. Kottkamp. Disclosure is required in cases involving victims of abuse, neglect or domestic violence and for law enforcement purposes.
7. Court order requirements. When protected health information is requested through a court order, the provider must release the information the order requires. Providers must comply with what is written in the order, but Mr. Kottkamp said they should also be careful not to release more information than the order calls for.
Being aware of these seven concepts will help providers remain HIPAA compliant and avoid unnecessary complications during litigation, said Mr. Kottkamp.
More Articles on HIPAA:
10 Steps for Ensuring HIPAA Compliance
HIPAA Compliance: What Providers Should Know About HITECH Act Mandatory Audits
Privacy and HIPAA: What Executives Need to Know Now