Medical Records in Court: Life after HIPAA North Carolina Conference of Superior Court Judges,...


Medical Records in Court: Life after HIPAA

North Carolina Conference of Superior Court Judges, October 2003

Presented by Jill Moore, UNC School of Government

Roadmap

- Fundamentals of the HIPAA privacy rule
  - History
  - HIPAA vs. state law
  - Covered entities
  - “Protected health information” (PHI)
- Disclosures of PHI for court proceedings
- How has HIPAA changed the landscape?

HIPAA History

- Health Insurance Portability and Accountability Act of 1996
- Administrative Simplification provisions
  - Health care industry conducting electronic transactions with many different codes and languages
    - high administrative costs
  - Unable to agree on voluntary standards, so requested regulation
  - DHHS directed to establish standards, plus provide for privacy and security of the information

HIPAA vs. state law

- HIPAA privacy rule intended to be a federal floor of privacy protection, by regulating the use and disclosure of health information and individuals’ rights respecting that information
- HIPAA preempts contrary state laws, unless the contrary law is more stringent
  - In general, a state law is more stringent if it affords greater privacy protection or provides an individual more rights

HIPAA vs. state law

- The hole in the federal floor: State laws that require disclosures of health information are not preempted
  - State laws only preempted if they are contrary to HIPAA
  - HIPAA privacy rule specifically allows disclosures of PHI that are required by state law
  - State laws requiring disclosures are therefore not contrary and not preempted

HIPAA vs. state law

General rules for NC covered entities—must comply with:
- HIPAA privacy rule
- State laws requiring disclosures
  - Example: GS 130A-135—physicians shall report communicable diseases to health department
- State laws that are more protective of privacy or afford greater individual rights
  - Example: GS 130A-143—may disclose communicable disease information only in specified circumstances

Covered entities

HIPAA directly regulates only public and private “covered entities”:
- Health plans
- Health care clearinghouses
- Health care providers that transmit health information electronically in connection with a transaction covered by HIPAA

Protected health information

The HIPAA privacy rule governs how covered entities use and disclose “protected health information” (PHI)

PHI is information in any form or medium, including electronic and paper records, and oral communications

Protected health information

PHI is information that:
- Identifies an individual (or there is a reasonable basis to believe it can be used to identify the individual), and
- Relates to one of the following:
  - the past, present, or future physical or mental health or condition of the individual,
  - the provision of health care to the individual, or
  - the past, present, or future payment for the provision of health care.

Disclosing PHI

General rule—Disclosure of PHI requires the individual’s authorization
- Authorization must be in writing
- Forms must include elements specified by the HIPAA privacy rule

Disclosing PHI

Exceptions—Disclosure without written authorization is permitted:
- When disclosure is required by privacy rule (only two circumstances: disclosures to individual; disclosures to US DHHS for compliance or enforcement purposes)
- For treatment, payment, and health care operations

Disclosing PHI

Exceptions (continued)—Disclosure without written authorization permitted:
- For certain purposes, such as hospital directories, provided the individual is given an opportunity to agree or object to the disclosure
- For “national priority” purposes—among other things, child abuse reporting, public health purposes, judicial and administrative proceedings

Disclosing PHI for court proceedings

- Must consider both HIPAA and state law
- HIPAA permits disclosure of PHI in judicial proceedings without the individual’s written authorization, provided certain requirements are met
- But in North Carolina, much PHI will be privileged and may only be disclosed in accordance with applicable privilege statutes
  - State privilege statutes afford greater privacy protection and are therefore not preempted

Disclosing PHI for court proceedings

- Medical records and information usually will be privileged, so disclosure will require either
  - the individual’s authorization, or
  - a court order compelling disclosure, if in the court’s opinion disclosure is necessary for a proper administration of justice
- But information that is PHI per HIPAA but not privileged per state law may be disclosed in accordance with HIPAA procedures

Disclosing PHI for court proceedings

If the information is privileged and disclosure is made with the individual’s authorization:
- A covered entity may not disclose the record or information unless the authorization is in writing and includes all the elements required by HIPAA
- Entities covered only by state law will also require written authorization, but their forms may look different

Disclosing PHI in court proceedings

- If the information is privileged and the individual has not authorized disclosure, the information cannot be disclosed without the requisite findings and court order
  - This applies equally to HIPAA-covered entities and entities that are subject only to state law

Disclosing PHI in court proceedings

If the information is not privileged but it is PHI, a covered entity may only disclose it:
- With the individual’s written authorization, or
- According to the procedures set forth in the HIPAA privacy rule for disclosing without the individual’s authorization.

Disclosing PHI in court proceedings

A covered entity may disclose PHI that is not privileged without the individual’s authorization in response to:
- A court order, provided the entity discloses only the PHI expressly authorized by the order.
- A subpoena, a discovery request, or other lawful process without a court order if:
  - Reasonable efforts are made to notify the individual that disclosure is sought, or
  - Reasonable efforts are made to secure a qualified protective order (as defined in the privacy rule).

How has HIPAA changed the landscape?

Many holders of health information are covered entities and must comply with both HIPAA and state laws—including some that are not ordinarily seen as health care providers.

How has HIPAA changed the landscape?

Confusion abounds. Expect:
- To hear the term “HIPAA” used to refer to all of medical confidentiality law—federal and state.
- Misperceptions about who is covered by HIPAA.
- Misunderstandings about how a covered entity may (and must) respond to subpoenas for medical records or information.
- False beliefs about when a covered entity can and cannot disclose under HIPAA.
- False beliefs about the continued viability of state law.

What has HIPAA changed? What remains the same?

Disclosures in court proceedings: Privileged information
- Changed:
  - Disclosures with individual’s authorization must be in writing and include specific elements
- Unchanged:
  - Disclosures without individual’s authorization require court order

What has HIPAA changed? What remains the same?

Disclosures in court proceedings: PHI that is not privileged
- Changed:
  - Disclosures with individual’s authorization must be in writing and include specific elements
  - Disclosures without individual’s authorization only permitted in response to
    - a court order
    - a subpoena, discovery request or other lawful process with notice or protective order

What has HIPAA changed? What remains the same?

- Disclosures in court proceedings: Health information held by an entity that is not a covered entity under HIPAA
  - Unchanged by HIPAA
- Other disclosures that may be litigated:
  - Unchanged by HIPAA
  - But will HIPAA ultimately change standard of care?

Jill Moore
UNC School of Government
CB 3330 Knapp Building
Chapel Hill, NC 27599-3330
919-966-4442
jill_moore@unc.edu

www.medicalprivacy.unc.edu