Law firm Day Pitney LLP has issued a warning to healthcare professionals to be cautious about disclosing Protected Health Information, even when asked to provide medical records to attorneys under subpoena.
A Connecticut Supreme Court ruling in November 2014 permitted a negligence claim to be filed against a healthcare provider for non-compliance with HIPAA Rules governing the disclosure of PHI to third parties. The court ruled that HIPAA Privacy Rules cover Protected Health Information even when that information is required by attorneys, and requested through proper legal processes.
In Connecticut at least, PHI can only be released under subpoena if certain criteria are met. The court cited the Code of Federal Regulations, 45 C.F.R. § 164.512(e)(1)(ii), which only permits the transfer of Protected Health Information if “satisfactory assurances” have been received that the person whose medical records have been requested has received notice of the access request.
As pointed out by Susan R. Huntington of Day Pitney, in order for PHI to be released under HIPAA Regulations, the “satisfactory assurances” are as follows, and all must be met:
- Written notice has to have been provided to the individual whose PHI has been requested;
- Sufficient information must have been provided to allow an objection to be raised; and
- Sufficient time provided for an objection, if any, to be raised and for it to have been resolved or for confirmation to be received that there is no objection.
There is another method under which PHI can be released, while remaining compliant with HIPAA Rules.
According to Huntington, in cases where a qualified protective order has been made, and provided the party seeking PHI has made “reasonable efforts” to secure a qualified protective order, under 45 C.F.R. §165.512(e)(1)(ii)(B) the “satisfactory assurances” are:
- The parties have agreed to a qualified protective order; or
- The party seeking the PHI has already requested a qualified protective order.
Simple Steps to Ensure HIPAA Compliance
Huntington suggests that in order for healthcare providers to be able to respond correctly to subpoenas, maintain HIPAA compliance and protect the privacy of patients, the simplest step to take is to call the patient, tell them about the subpoena and simply ask if they object to the release of their PHI.
This gives the patient the opportunity to grant or refuse the subpoena, so the issue can be dealt with quickly and efficiently, and HIPAA rules governing the disclosure of PHI can be adhered to. Should the request be authorized, the PHI can be released as per the organization’s – HIPAA-compliant – procedures. If access is denied, the party requesting the information can be informed and the records not provided.
High Risk of Medical Negligence Lawsuits
Using the Connecticut ruling as a legal precedent, attorneys would be able to file negligence lawsuits for patients seeking damages as a result of the disclosure of their PHI and for the emotional distress that was caused.
The healthcare industry is currently under the spotlight following the massive data breaches at Community Health Systems, Anthem and Premera Blue Cross. It is therefore essential that all healthcare organizations are aware of the rules covering the disclosure of PHI, including how, to whom, and under what circumstances PHI can be disclosed to unauthorized individuals, in order to avoid both a HIPAA penalty for non-compliance and negligence lawsuits from individuals whose PHI has been disclosed.