Cases highlight tension between records requests and privacy protections
Requests for medical documents should be authorized to avoid HIPAA violations, legal experts say.
When physicians receive a legal request to turn over medical records, they should think twice about fulfilling it, attorneys and other experts say.
Under the Health Insurance Portability and Accountability Act, covered entities may use or disclose only the minimum amount of protected information necessary to accomplish the purpose of that use or disclosure — except for purposes of medical treatment and a few other exceptions. The effect of this language is that any other disclosure could violate HIPAA, legal experts said.
“Because it looks very official and it’s on pleading paper and is legally formatted, there’s a presumption that the [request] is valid,” said Catherine J. Flynn, chair of the Health Law Group at Weber Gallagher Simpson Stapleton Fires & Newby LLP in New Jersey. “What happens is the records are turned over and the patient doesn’t know. In many cases, the subpoena is not valid.” Such disclosures could lead not only to HIPAA violations, legal experts said, but also to patient lawsuits claiming negligent infliction of distress.
Sometimes doctors “are caught in the middle,” said Gerald “Jud” DeLoss, an Illinois-based health law attorney and former chair of the Health Information and Technology Practice Group for the American Health Lawyers Assn. “From a HIPAA perspective, it’s the physician’s call. They should decide whether [the records] are for the benefit of the public or what should” be protected.
Claims of confidentiality
Two recent high-profile court cases highlighted the tension regarding legal requests for records and health professionals’ HIPAA obligations.
- On Nov. 1, a Superior Court judge ruled that Exeter (N.H.) Hospital must provide the New Hampshire Dept. of Health and Human Services with access to its electronic medical records database while the state investigates a hepatitis C outbreak at the medical center. Exeter has argued that the scope of the access violates state and federal privacy laws.
- In October, objections by parents and others against the release of medical records were presented to a California judge in a lawsuit against manufacturers of lead-based paint. In January, a judge ordered 10 county health departments to release thousands of children’s medical records to the defendants. The state and county health departments contend that the information is confidential.
The New Hampshire case stems from a hepatitis C outbreak that infected more than 30 people. A medical technician is accused of passing the virus to patients after stealing fentanyl syringes and replacing them with used needles. David Kwiatkowski, the technician, was employed at hospitals in at least eight states. In addition to New Hampshire, hepatitis C cases linked to Kwiatkowski have been reported in Maryland, Nebraska and Pennsylvania. He has pleaded not guilty to obtaining controlled substances by fraud and tampering with a consumer product.
In May, the state launched an investigation into the outbreak in which it reviewed hospital records, according to court records. In August, Exeter requested more information about what the state was searching for and what information it had learned from the investigation. The state refused to provide such details, court documents said. The hospital then sought a protective order against providing access to its electronic record database. The state has not ensured that it is obtaining only the minimum amount of information necessary as required by law, the hospital said.
The state “wants certain information, yet we have state and federal privacy obligations. We can’t comply with both obligations,” said hospital attorney Scott O’Connell. “The state’s request is ridiculously broad. They won’t even tell us the names of the patients they want to review.”
New Hampshire’s request for data complies with HIPAA as it pertains to public health investigations, said Jeanne P. Herrick, an attorney with the New Hampshire Dept. of Justice.
A judge ruled that the state has demonstrated a valid need for the records and proved that the search can be conducted without violating privacy laws.
The hospital said in a statement that the ruling provides “important guidance to both the hospital and the state and will allow the hospital to further fulfill its obligations.”
Evaluating the scope of demand
Under HIPAA, medical records may be disclosed for a variety of public health purposes without patient consent, said Patricia A. Markus, a health law attorney and chair of the Health Information and Technology Practice Group for the American Health Lawyers Assn. However, HIPAA provisions limit the scope of public health-related requests, she said. It’s not always clear that those asking for records understand HIPAA’s limits, Markus said.
“That’s kind of scary when you have someone with unfettered access to your records,” she said. “What if public health is going to look not only at the hepatitis C exposure, but other evidence or mistakes? What if this is a hunting expedition?”
In the California case, 10 counties are suing several makers of lead paint. The plaintiffs want the companies to abate lead in the homes where their paints have been used. The defendants requested health records of children who have been tested for lead in the 10 jurisdictions involved in the lawsuit. A state judge granted the release, but ruled that public notice is necessary. The notice period has ended, and a court is now sifting through patient objections, said Nancy Fineman, outside counsel for Alameda County, Calif. Health department officials have not yet turned over all the requested records to the defendants.
Physicians are safe from privacy violations if a court orders information to be released, Markus said. If records are released outside of a court order, however, doctors could be in trouble.
When receiving medical records requests, doctors should evaluate whether the scope of the demand is overly broad and voice their concerns with health officials or attorneys, if necessary. “I often say to clients served with a subpoena, ‘Do you want to comply, or do you have business reasons for not wanting to comply?’ ” said Brad M. Rostolsky, a Philadelphia-based health law attorney who specializes in HIPAA compliance issues.
Under HIPAA, subpoenas must include proper authorization. This includes the notice that the patient’s consent was obtained or that notice was provided to the patient and that the proper time for an objection has passed. If these satisfactory assurances are not made, the disclosure would violate HIPAA.
“The most practical advice is to have one person who is familiar with [HIPAA] requirements be the person who responds to such requests,” Markus said. “It’s important to have a policy to determine under which circumstances you have to release information and when you can’t.”