Handling Electronic Medical Records for Trial Lawyers
Sidney S. Welch, JD, MPH
404.815.6036
swelch@kilpatricktownsend.com
www.kilpatricktownsend.com
Presented to: National CLE Conference on January 11, 2014, Vail, Colorado
© 2013 Kilpatrick Townsend

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

• In 1996, Congress passed HIPAA, which among other things offers protection for “protected health information,” including electronic medical records. HIPAA requirements and security rules give patients more control over their health information, set limits on the use and release of their medical records, and establish a series of privacy standards for health care providers, with penalties for those who do not follow these standards.

HIPAA Provisions

• HIPAA is made up of certain key sections and works in conjunction with state law to govern the use, disclosure, privacy and security of “protected health information” by “covered entities” and their respective “business associates”:
  – Privacy Rule
  – Security Rule
  – Enforcement Rule
  – Breach Notification Rule

HIPAA Provisions

• Privacy Rule
  – The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by “covered entities” and their “business associates” and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
• Security Rule
  – The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic PHI. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

HIPAA Provisions

• Enforcement Rule
  – The Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.
• Breach Notification Rule
  – Interim final breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission, apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. (See, e.g., 45 C.F.R. 164.400)

Protected Health Information

• Under the HIPAA Privacy Rule, protected health information (“PHI”) refers to individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person. Specifically, this information can relate to:
  – The individual's past, present or future physical or mental health or condition,
  – The provision of health care to the individual, or
  – The past, present, or future payment for the provision of health care to the individual.
• Common identifiers of health information include names, social security numbers, addresses, and birth dates. (See 45 C.F.R. 160.103; 45 C.F.R. 164.501)

Covered Entity

• The term “covered entity” is defined as:
  – A health plan
  – A health care clearinghouse
  – A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter
  (See 45 C.F.R. 160.103)

“Business Associate”

• The term “business associate” is defined as, with respect to a covered entity, a person who:
  – “On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits PHI for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
  – Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of PHI from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
  – A covered entity may be a business associate of another covered entity.”

“Business Associate”

• Business associates include:
  – A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI.
  – A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  – A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.
  See 45 C.F.R. 160.103

The Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”)

• The HITECH Act of 2009 expanded the scope of the privacy and security provisions of HIPAA and its enabling regulations. Some of the significant changes for health care providers include:
  – Applying privacy and security provisions and penalties to business associates
  – Imposing new notification requirements in the event of a breach of PHI
  – Creating stricter disclosure requirements, such as:
    • Restricting the disclosure of PHI by a health care provider at the request of a patient if it is for purposes other than treatment and the health care service or item has been paid out-of-pocket and in full (except as otherwise required by law);
    • Limiting the disclosure of PHI to a limited data set or to the minimum necessary to accomplish the intended purpose; and
    • Requiring health care providers to make available an accounting of certain disclosures of PHI that occurred over the past three years at the patient's request
  – Strengthening enforcement procedures and penalties

Final Omnibus Rule Implementing HITECH

• On January 25, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) published the long-awaited final rule, entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule), 78 Fed. Reg. 5566 (Jan. 25, 2013).
• The Omnibus Rule:
  – Finalizes modifications to the Privacy, Security, and Enforcement Rules to implement the HITECH Act;
  – Finalizes modifications to the Privacy Rule, proposed in July 2010, to increase the workability of the Privacy Rule;
  – Modifies the Breach Notification Rule, adopted by interim final rule in August 2009; and
  – Finalizes modifications to the Privacy Rule to implement the Genetic Information Nondiscrimination Act of 2008 (GINA), proposed in October 2009

Disclosures under HIPAA

Methods for Obtaining Patient Records Under HIPAA

• There are various methods for obtaining patient records under HIPAA
  – Patient requests (subject to certain restrictions)
    • 45 C.F.R. 164.502(a)(i); 45 C.F.R. 164.524
  – Disclosure upon “valid authorization”
    • 45 C.F.R. 164.502(a)(iv); 45 C.F.R. 164.508
  – Subpoena, discovery order, court or administrative order
    • 45 C.F.R. 164.512(e)

Patient Requests

• HIPAA permits patients to request copies of their medical records (in either paper or electronic format). See 45 C.F.R. 164.502(a)(i); 45 C.F.R. 164.524
  – “An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for (i) Psychotherapy notes; (ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and (iii) PHI maintained by a covered entity that is: (A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or (B) Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).”
• The request must be made in writing, and the requestor must be the patient or the patient’s parent, guardian or caregiver
• Subject to state law, which may impose stricter requirements, providers are required to keep HIPAA patient records for six (6) years
• Providers must provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.

Cignet Health (Feb. 4, 2011); Civil Monetary Penalty of $4.3 Million

• Failure to provide a patient with access to their medical records may lead to severe penalties, including civil monetary penalties.
• See Cignet Health of Prince George’s County, Notice of Final Determination (February 4, 2011): OCR imposed a civil monetary penalty of $4,351,600 against Cignet Health d/b/a Uplift Medical, P.C., Cignet Health Center, Cignet Health Plan, and/or Cignet Healthcare (referred to collectively as “Cignet”) for failure to produce the medical records of 41 patients when requested by such patients between September 2008 and October 2009. The civil monetary penalty for these violations is $1.3 million.
  – During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.
  – OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.
Disclosure in Response to a Subpoena or Court Order

• The HIPAA Privacy Rule permits the disclosure of PHI for judicial and administrative proceedings by covered entities if certain conditions are met (See 45 C.F.R. 164.512(e))
  – A covered entity may disclose PHI in the course of any judicial or administrative proceeding:
    (i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order; or
    (ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
      • (A) The covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request; or
      • (B) The covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets certain requirements.

Disclosure in Response to a Subpoena or Court Order

• For purposes of paragraph (A) above, a covered entity receives “satisfactory assurances” from a party seeking PHI if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
  – (A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);
  – (B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
  – (C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and (1) No objections were filed; or (2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
• For the purposes of paragraph (B) above, a covered entity receives “satisfactory assurances” from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
  – (A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
  – (B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.
Disclosure in Response to a Subpoena or Court Order

• A “qualified protective order” means an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
  – (A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
  – (B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding
• A covered entity may disclose PHI in response to lawful process without receiving satisfactory assurance if the covered entity itself makes reasonable efforts to provide notice to the individual or secures a qualified protective order

Recent Action where State Law Trumps HIPAA Disclosure

• Although HIPAA permits disclosure in connection with a discovery request or court order, state laws may impose stricter restrictions
• HIPAA is the “floor”

Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010)

• Rejecting a defense based on compliance with HIPAA, a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury:
  “As a general rule, an individual’s medical records are confidential. [… ] Under [HIPAA], a hospital’s release of medical records to law enforcement is permitted under certain circumstances. Indeed, HIPAA specifically authorizes a hospital to release a patient’s medical records in response to a grand jury subpoena. 45 C.F.R. §164.512(f)(1)(ii)(B). Ohio’s physician-patient privilege, however, codified in O.R.C. § 2317.02(B)(1), provides that a physician shall not testify as to “a communication made to the physician . . . by a patient in that relation or the physician’s . . . advice to a patient.” […] Ohio courts have found that O.R.C. § 2317.02(B) is more stringent than HIPAA, and therefore is not preempted, because it “prohibits use or disclosure of health information when such use or disclosure would be allowed under HIPAA.” Grove v. Northeast Ohio Nephrology Assocs., 844 N.E.2d 400, 406-07 (Ohio Ct. App. 2005) […] Thus, while HIPAA allows disclosure of protected health information in response to a grand jury subpoena, O.R.C. § 2317.02(B) permits disclosure only in certain limited circumstances.”

Disclosure upon Valid Authorization

• HIPAA permits the disclosure of medical records upon “valid authorization” (See 45 C.F.R. 164.502(a)(iv); 45 C.F.R. 164.508)
• A valid authorization under this section must contain at least the following elements:
  – (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  – (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
  – (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
  – (iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
  – (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
  – (vi) Signature of the individual and date

Disclosure upon Valid Authorization

• In addition to the core elements, the authorization must contain statements adequate to place the individual on notice.
• The authorization must be written in plain language.
• If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

Disclosure Without Authorization

• The HIPAA Privacy Rule permits disclosure without authorization in certain limited cases, which must nonetheless comply with required laws (See 45 C.F.R. 164.512)
  – Instances involving victims of abuse, neglect or domestic violence (See 45 C.F.R. 164.512(c)): “A covered entity may disclose [PHI] about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence […]”
  – Certain law enforcement purposes (See 45 C.F.R. 164.512(f)), including the reporting of certain types of wounds or other physical injuries, for purposes of locating a suspect, fugitive, material witness or missing person, and where a person may be a victim of a crime

Specific Orders

• Qualified protective orders – 45 C.F.R. 164.512(e)(1)(ii), (v)
  – An order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
    • (A) Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested; and
    • (B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

Specific Orders

• Subpoenas and discovery requests not accompanied by a court or administrative tribunal order – 45 C.F.R. 164.512(e)(1)(ii)(A), (iii)
  – A covered entity may disclose PHI in response to a subpoena if it receives “satisfactory assurance” from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request

Specific Orders

• “Satisfactory Assurance”
  – A covered entity receives “satisfactory assurance” if it receives from such party a written statement and accompanying documentation demonstrating that:
    • (A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);
    • (B) The notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal; and
    • (C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and (1) No objections were filed; or (2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

Specific Orders

• Court or Administrative Tribunal Order – 45 C.F.R. 164.512(e)(1)(i)
  – A covered health care provider or health plan may disclose protected health information required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information “expressly authorized by such order.”
• Due to the foregoing, it is necessary to be as specific as possible when drafting orders for medical records, depending on the purpose

Other Laws Impacting Disclosure of Certain Types of Medical Records

• Drug and Alcohol Treatment Records
  – Limits disclosure, redisclosure and use of drug and alcohol treatment records and requires a court order after a showing of good cause (See 45 U.S.C. 290dd-2(b)(2)(c))
  – In assessing “good cause,” the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services
  – No records may be used to initiate or substantiate criminal charges against a person or to conduct any investigation of a patient
• HIV/AIDS Information
  – HIPAA is silent on this issue, but state laws apply

Other Laws Impacting Disclosure of Certain Types of Medical Records

• Mental Health Records / Psychotherapy Notes
  – Patient authorization is required prior to disclosure (See 45 C.F.R. 165.508(a)(2))
• Workers’ Compensation
  – Permits the disclosure of PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness (See 45 C.F.R. 164.512(l))

Patient Safety

• In light of recent events, OCR has taken steps to publicly address the disclosure of necessary information to law enforcement agencies, family members of a patient, or others, if the patient’s safety is threatened or the patient is a threat to others
• See, e.g., OCR, Message to our Nation’s Health Care Providers (January 15, 2013). Available at http://www.hhs.gov/ocr/office/lettertonationhcp.pdf

Remember

• Familiarize yourself with state law requirements concerning patient records and the use, disclosure or redisclosure of such records
  – HIPAA is the “floor”
• Monitor business associate responses to subpoenas and other court orders and requests
• Carefully draft orders to describe with sufficient specificity the patient records that are being requested and for what purpose

Questions?