[ Wednesday, February 02, 2005 ]
Releases of PHI in litigation:
I've received this blurb a couple of times in emails I get from one of the Hospital Compliance Wire services, and keep thinking I ought to blog it since it's such a good shorthand answer. It's not complete, but as a quick reference it's pretty good:
If your facility gets served with a subpoena -- but no court order -- can you still disclose protected health information without driving headlong into a privacy rule violation?
Yes, you can, according to new answers from the HHS Office of Civil Rights -- as long as you check off one of these criteria.
Scenario 1: When you are neither a plaintiff nor a defendant in litigation, you may disclose PHI if:
(1) you have made reasonable efforts to notify the individual whose PHI will be disclosed; or
(2) the party seeking the PHI has made similar efforts -- and provides documentation proving that it provided the individual enough details and time to file objections to the disclosure.
Otherwise, qualified protective court orders for the information may be secured by your facility or by the party seeking the PHI, the OCR says. If it is by the other party, they should provide you with documentation that demonstrates the dispute's parties have agreed to the order and have presented it to the court.
Scenario 2: If you are a party to a legal proceeding, such as a defendant in a malpractice action or a plaintiff in a suit to obtain payment, you may use or disclose PHI "as part of your health care operations," the OCR says. However, you must make "reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose."
A couple of other things we're currently wrestling with: If you are a covered entity and you get a request for information from a regulatory agency, you really need determine if the disclosure is one that is "required by law" or is instead a "health care operation." The former will need to be accounted for, while the latter won't. In either case, the minimum necessary rule will apply. And if you determine whether it's required by law, you'll need to go through the steps of 45 CFR 164.512 to see what subset best fits the disclosure: public health activities, health oversight activities, judicial and administrative proceedings, and law enforcement all have separate specific requirements applicable to them.
Secondly, what if you aren't a covered entity, but are a business associate and you receive a request for information from a governmental agency that has regulatory control over your covered entity client (or what if you are a covered entity and your business associate gets hit with such a request for information)? What if the request comes from a regulatory agency that has oversight of the BA, but not the CE? The BA isn't exactly covered by HIPAA, but as we've seen in the Gibson
case, that might not matter. The real key to the BA's obligations lies in the Business Associate Agreement; you should make sure your BAAs truly follow the language of the regulations in 164.504(e). Would the disclosure be for the "proper management and administration" of the BA, or for the BA's "legal responsibilities"? And is the issue a use, or a disclosure? In the case of a request for information, it's a disclosure, and some BAAs got tripped up in the langauge in the implementation specifications of 504(e) where disclosures and uses are treated differently. The regs state that uses by the BA for "management and administration" or "legal responsibilities" of the BA are OK, and disclosures for the same purposes
are OK but only if they are required by law or the recipient of the disclosure agrees to keep it confidential and notify the BA of any breaches. Many BAAs note the distinction between uses and disclosures by the BA, but don't note the management vs. legal responsibilities distinction that is clearly outlined with regard to uses but only noted referentially with regard to disclosures.
Sure, that's a fine line, but you want to make sure your BAs don't hang you out to dry. Check your BAAs; if they make a distinction between uses and disclosures by the BA for purposes other than directly related to the business relationship between the BA and the CE (example: uses and disclosures by a billing company BA that are related to billing are different than uses and disclosures by the billing company to a state consumer credit agency), make sure that the "same purposes" language is in the "disclosures" reference.
Jeff [8:47 AM]
Blogger: HIPAA Blog - Edit your Template