Printer Friendly

Understanding the boundaries of the HIPAA preemption analysis: who is regulated by the privacy rule and what information does HIPAA protect?

I. Introduction

THE Department of Health and Human Services (DHHS) published the final Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) on August 14, 2002. (1) The compliance date for covered entities subject to the Privacy Rule was April 14, 2003 (April 14, 2004 for certain small health plans). The Privacy Rule, found at 45 C.F.R. Part 160 and Part 164, provides comprehensive federal protection for the privacy of certain health information. The Privacy Rule has been described as providing a "federal floor" of safeguards to protect the confidentiality of medical reformation. (2) State laws which provide stronger privacy protection will continue to apply over and above the federal privacy protection. However, in litigated cases involving the application of state privacy laws, it is not apparent at this point which state laws will survive the HIPAA preemption analysis. These issues will likely be decided by judges on a case-by-case basis, which may lead to multiple, conflicting decisions within judicial districts. HIPAA also prescribes several methods by which a covered entity may release information in a judicial or administrative proceeding. This article will describe these various requirements for releasing this information.

II. Who is Regulated by the Privacy Rule?

Familiarity with the vocabulary of HIPAA aids in understanding how medical information may be released. The Privacy Rule regulates "covered entities." A covered entity (CE) is defined under the Code of Federal Regulations as:

1. A health plan;

2. A health care clearinghouse; and

3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by [this] subchapter. (3)

When litigants seek discoverable information, it is likely that they will at some point in the litigation seek medical information in the possession of a covered entity, usually a hospital subject to the Privacy Rule as a "health care provider."

III. What Information is Protected?

The Privacy Rule protects Individually Identifiable Health Information (IIHI) in the possession of covered entities. Individually identifiable health information is defined as "information that is a subset of health information, including demographic information collected from an individual ..." (4)

Additionally, IIHI:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

i. That identifies the individual; or

ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. (5)

When IIHI is transmitted or maintained by a covered entity, it becomes Protected Health Information, or PHI:

Protected health information means individually identifiable health information:

1. Except as provided in paragraph (2) of this definition, that is:

i. Transmitted by electronic media;

ii. Maintained in electronic media; or

iii. Transmitted or maintained in any other form or medium.

2. Protected health information excludes individually identifiable health information in:

i. Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g;

ii. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv) (related to records of students held by post secondary educational institutions or of students 18 years of age or older, used exclusively for heath care treatment and which have not been disclosed to any one other than a health care provider at the student's request); and

iii. Employment records held by a covered entity in its role as an employer. (6)

The difference between IIHI and PHI is explained in the following Preamble to the Final Privacy Rule:
   We use the phrase 'protected health
   information' to distinguish between the
   individually identifiable health information
   that is used or disclosed by the
   entities that are subject to this rule and the
   entire universe of individually identifiable
   health information. 'Individually identifiable
   health information' as defined in
   the statute is not limited to health
   information used or disclosed by covered
   entities, so the qualifying phrase 'protected
   health information' is necessary to define
   that individually identifiable health
   information to which this rule applies. (7)

Generally, any litigant seeking medical information regarding a party to the litigation or medical information regarding a third party which the litigant believes will be useful in he litigation, will be seeking PHI from a CE. The litigant must therefore be familiar with the Privacy Rule's requirements for releasing protected health information.

IV. Disclosure of Protected Health Information

The Privacy Rule states that a CE may not use or disclose PHI, except as required or permitted by the Privacy Rule.

A. Required Disclosures

HIPAA requires disclosure of PHI to an individual when the individual requests it, unless the information is exempt from access (as is the case with psychotherapy notes prepared in anticipation of or for use in a civil, criminal or administrative proceeding, or certain information covered by the Clinical Laboratory Improvements Amendments (CLIA) of 1988 (8)), or unless denial of access is permitted and the individual is given a fight to have the denial reviewed by a licensed health care professional who is designated by the CE to act as a reviewing official and who did not participate in the original decision to deny access. (9) HIPAA also requires disclosure when necessary to provide an accounting of prior disclosures. Additionally, disclosure is required upon request of DHHS to investigate a complaint under the Privacy Rule, or to determine a covered entity's compliance with the Rule. 10

B. Permitted Disclosures

There are a number of disclosures of PHI which are permitted under the Privacy Rule and which do not require an individual's authorization. For example, an individual's PHI may be used or disclosed by a covered entity for three purposes: (1) treatment of the individual; (2) payment for services; or (3) for the operational requirements of the CE.

In the Final Rule, DHHS developed essentially a four step approach for the release or disclosure of PHI. (11) First, a CE may use or disclose information for its own treatment, payment, or healthcare operations. Second, a CE may disclose PHI to another healthcare provider for treatment purposes. Third, a CE may disclose PHI to another CE for payment activities. Fourth, disclosure of PHI between CEs is permissible with certain limitations, such as for healthcare operations and the detection of fraud and abuse or for compliance issues. Other disclosures may require a written authorization.

An individual may provide a written authorization to a CE requesting the release of his or her PHI that conforms with the Privacy Rule requirements. This process is the most expedient way in which a litigant could access his or her own PHI. If a party seeks the PHI of a non-party to the litigation, having that individual provide a valid HIPAA authorization would expedite the production of the medical information.

V. HIPAA Authorization to Release PHI

An individual may authorize the release of her own medical information if such release is not otherwise required or permitted by the Privacy Rule. Prior to the passage of HIPAA, written authorizations were routinely used in litigation to grant access to medical information. The Privacy Rule sets out the elements of a valid authorization for purposes of HIPAA:
   Authorization required: general rule.
   Except as otherwise permitted or
   required by this subchapter, a covered
   entity may not use or disclose protected
   health information without an
   authorization that is valid under this
   section. When a covered entity obtains
   or receives a valid authorization for its
   use or disclosure of protected health
   information, such use or disclosure must
   be consistent with such authorization. (12)

The requirements for a valid HIPAA authorization are:

Implementation specifications: core elements and requirements.

1. Core elements. A valid authorization under this section must contain at least the following elements:

i. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

ii. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

iii. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;

iv. A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

v. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of research study", "none", or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

vi. Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

2. Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

i. The individual's right to revoke the authorization in writing, and either:

A. The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or

B. To the extent that the information in paragraph (c)(2)(i)(a) of this section is included in the notice required by [section] 164.520, a reference to the covered entity's notice.

ii. The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

A. The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

B. The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

iii. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule.

3. Plain language requirement. The authorization must be written in plain language.

4. Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. (13)

VI. Permitted Release of PHI in Judicial and Administrative Proceedings

What can be done in litigation when an individual refuses to give an authorization to release his or her PHI or when an individual cannot be located to give authorization for such release? When that occurs, in the context of certain judicial and administrative activities, HIPAA provides for disclosure under 45 C.F.R. [section] 164.512(e):

Standard: disclosures for judicial and administrative proceedings.

1. Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

i. In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

ii. In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

A. The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

B. The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

iii. For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protecting health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

A. The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

B. The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

C. The time for the individual to raise objecttions to the court or administrative tribunal has elapsed, and:

1. No objections were filed; or

2. All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

iv. For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

A. The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

B. The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

v. For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:

A. Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

B. Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. (14)

Under this section, PHI may be released without an individual's authorization. However, "satisfactory assurances" of notice, as set out in the regulation, are required of such a release. The explanatory comments to this section are helpful in determining DHHS' intent with regard to this section: (15)

The nuances of the procedural requirements of the HIPAA Privacy Rule are important. A covered entity "may" disclose protected health information in the course of any judicial or administrative proceeding in response to a court order or to "traditional" discovery methods: a subpoena, discovery request or other lawful process, unaccompanied by a court order. (16) However, if a court order is not obtained, the covered entity has a further obligation to determine either that the party seeking the information has made attempts to give notice and an opportunity to object to the individual, or that reasonable efforts have been made to secure a qualified protective order (QPO) with regard to the protected health information. (17) The covered entity also has the option independently to pursue a QPO and to attempt to give notice to the individual whose records are sought. (18) The covered entity is required to make "reasonable efforts" to provide notice to the individual or to seek a QPO. (19)

The rule further requires that the covered entity be given "satisfactory assurance" that reasonable efforts have been made to give the individual notice or to seek a QPO. (20) "Satisfactory assurance" in both cases requires a written statement to the covered entity and some level of appropriate documentation.

HIPAA presents a number of practical challenges to the practitioner in obtaining medical records containing PHI. Fortunately, the rule attempts to create choices for litigants involved in disputes over medical records. In disputes arising after the compliance date of April 14, 2003, PHI may be disclosed by a covered health care provider entity by individual authorization, legally reasonable efforts to contact the individual (whether successful or not), or an effort to get individual authorization, court order, or issuance of a QPO to shield the records upon joint motion of the parties or motion of one of the parties or the covered entity. The regulations will require judicial interpretation, but, until that time, key issues may be identified by asking the following questions:

1. What constitutes "reasonable efforts" to contact the individual when PHI is sought? For example, do "reasonable efforts" imply less effort than "best efforts?" Will evidence of a good faith effort provide a complete defense to a covered entity against the allegation of a wrongful release of PHI?

2. Is the QPO consistent with Federal Rule of Civil Procedure 26(c) regarding protective orders or has a new "type" of order been created? A QPO seeks to shield the privacy of a third party's information in the hands of non-party CE, who acts as the custodian of the PHI.

3. Has the Privacy Rule created new "minimum standards" for the production of medical information in litigated cases for state and federal courts?

4. What is the interplay between these standards and any state physician-patient privilege? Obviously each state will treat the privacy of medical information differently. The Privacy Rule is silent on state privileges, and the controlling U.S. Supreme Court precedent, Jaffe v. Redmond, (21) concerns only a psychotherapist privilege situation.

5. Could a health care covered entity refuse production of a medical record containing PHI based on a state physician/patient privilege? The information release requirements of [section] 164.512(e) of the Code of Federal Regulations are, after all, permissive.

What does this section of the Privacy Rule mean for attorneys seeking medical information? It is difficult to assess, but it seems apparent that additional efforts will be required especially early and late in the case. Early in the case, attorneys will need to provide detailed statements to CE health care providers assuring that a QPO has been applied for or granted. Without an authorization or QPO, the attorney will need to provide "satisfactory assurance" of attempts to contact the individual where PHI is sought. If PHI is issued pursuant to a QPO, efforts will have to be made at the close of the litigation to handle the PHI in a manner consistent with the terms of the QPO. The burden will fall to the attorneys on both sides to handle the PHI in an appropriate manner.

Additional considerations with the QPO require the return or destruction of the PHI held by the lawyer or law firm. This requirement may be potentially a severe burden on a law firm conducting business under such an order and may have further implications for law firm risk management practices, insofar as file retention issues are concerned.

On January 14, 2005, DHHS published nine new Frequently Asked Questions ("FAQ") with responses specifically addressing the production and use of PHI in litigated matters. The FAQ can be accessed on the Internet at The FAQ cover issues such as use of subpoenas and authorizations, the role of attorneys as business associates, and disclosure of PHI to third parties who provide services to attorneys.

VII. Preemption of State Laws

The Privacy Rule contains a state law preemption provision that can be found at 45 C.F.R. [section] 160.203. The preemption provides:

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:

A determination is made by the Secretary under [section] 160.204 that the provision of State law:

1. Is necessary:

i. To prevent fraud and abuse related to the provision of or payment for health care;

ii. To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;

iii. For State reporting on health care delivery or costs; or

iv. For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementtation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or

2. Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

b. The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.

c. The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

d. The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals. (22)

To analyze the HIPAA preemption issue, one must understand how the statute defines certain terms, including "state law," which is defined as "a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law." (23) In order to determine if a HIPAA preemption issue is present, one must determine if the affected state law is contrary to HIPAA requirements. Under the statute, "contrary" when used to compare a provision of state law to a standard, requirement, or implementation specification adopted under HIPAA, means:

1. A covered entity would find it impossible to comply with both the State and federal requirements; or

2. The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable. (24)

The next step in analyzing the preemption issue is determining whether the law "relates to the privacy of individually identifiable health information." To better dissect the statute, one may, once again, refer to the definition which clarifies that this phrase means that "with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way." (25)

Finally, one must analyze whether the affected state law is "more stringent" than a requirement under HIPAA:

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

1. With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

i. Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or

ii. To the individual who is the subject of the individually identifiable health information.

2. With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.

3. With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

4. With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

5. With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

6. With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information. (26)

VIII. Relevant Case Law

To date, the most informative reported case relevant to HIPAA and drug and medical device litigation is an opinion from the Superior Court of New Jersey. (27) In Smith v. American Home Products, the court considered a unified motion by defendant, manufacturers of phenylpropanolamine (PPA), to compel ex parte physician interviews and to seek judicial approval of the use of a revised medical authorization form. Plaintiffs, consumers of PPA, responded that HIPAA privacy regulations preempted certain informal state discovery procedures permitted under New Jersey case law. The trial court held that while HIPAA expressly preempted New Jersey law, it did so only where the informal discovery techniques permitted under New Jersey common law conflicted with HIPAA regulations.

In 1985, the New Jersey Supreme Court ruled that a defendant in certain actions may conduct discovery in the form of ex parte interviews of the plaintiff's healthcare provider, (i.e., treating physician) provided the defendant complied with the specific patient authorization requirements. Such an interview is referred to as a "Stempler interview." (28) In Stempler, the court held, among other things, that "[p]ersonal interviews, although not expressly referred to in our rules, are an accepted, informal method of assembling facts and documents in preparation for trial. Their use should be encouraged as should other informal means of discovery that reduce the cost and time of trial preparation." (29)

The court in Smith recognized a strong difference in judicial reasoning between those states that permit informal discovery techniques and those that do not. (30) In declining to hold that HIPAA privacy laws and regulations preempted the New Jersey state law, the court found that the privacy regulation does not adhere to the issue of ex parte interviews with treating physicians as an informal discovery device. The court could find no congressional intent to intrude in New Jersey's general authority and its administrative proceedings and noted that Stempler advocated the use of authorizations similar to those required by the HIPAA privacy rule. (31) The court did note that the broad use of Stempler in New Jersey must be readjusted to insure compliance with the federal privacy objectives under HIPAA. Given the procedural stance of the case, the court in Smith found it most practical at that point to deny the use of Stempler interviews. However, it was careful to point out that Stempler interviews should be available in mass tort cases, provided special hearings early during case management to specifically design HIPAA compliant authorization forms may, by necessity, become the custom. (32)

Crenshaw v. MONY Life Insurance Co. (33) is another decision addressing ex parte contacts with treating physicians. The Crenshaw court held that defense counsel's ex parte contacts with a physician who treated the plaintiff was permissible under California law but not under HIPAA. While the court did impose sanctions for this contact, it declined to disqualify defense counsel or to bar the expert from testifying.

Courts have only recently begun to examine the issue of the impact of HIPAA on ex parte interviews with plaintiffs' treating physicians. In many cases, interviews which otherwise have been permitted by state law have been denied with courts citing the preemptive effect of the HIPAA regulations or the specific requirements for producing PHI in litigated matters.

HIPAA and Discovery Issues

Federal courts also have considered the impact of the HIPAA Privacy Rule as it affects the production of medical records in civil and criminal cases in several instances. In Northwestern Memorial Hospital v. Ashcroft, (34) the hospital challenged a Department of Justice subpoena seeking medical records of certain patients upon whom late-term abortion procedures had been performed. The federal district court quashed the subpoena based upon an Illinois state statute and HIPAA regulations. On appeal, Judge Posner held that: (1) the supersession clause of the HIPAA Privacy provisions does not impose state evidentiary privileges on suits to enforce federal law; (2) the procedure under the HIPAA regulations for obtaining authority to use medical records in litigation is purely procedural in nature and does not create federal physician-patient or hospital-patient privileges; (3) there is no federal common law privilege for abortion records, but, (4) the subpoena as issued imposed an undue burden on the hospital, when the limited probative value of the records in question was weighed against the patient's fear of identification and consequent harm to the hospital. The Seventh Circuit affirmed the district court's motion to quash.

Additionally, a Virginia court held that the HIPAA Privacy regulations did not preclude production by a hospital of patient medical records pursuant to a grand jury subpoena where the records were relevant and material to a legitimate law enforcement inquiry. (35) The court, citing 45 C.F.R. [section] 164.512(f)(1)(ii), held that the HIPAA Privacy regulations "make clear that any privacy interest patients have in their medical records is trumped by a grand jury subpoena [seeking medical information] that is relevant and material to a legitimate law enforcement inquiry." (36)

Finally, in Means v. Independent Life & Accident Insurance Company, (37) the court discussed the preemptive effect of the HIPAA regulation on an insured's state law claims for fraud, breach of fiduciary duty, and "outrage" against a hospitalization insurer. The court held that HIPAA did not completely preempt such claims and that the "complete preemption" exception to the well-pleaded complaint rule did not permit removal to federal court based on federal question jurisdiction. This opinion contains a discussion of congressional legislative intent with respect to HIPAA preemption. The court in Wright v. Combined Insurance Company of America, (38) addressed a similar question when it analyzed removal and federal question jurisdiction and HIPAA preemption and held that HIPAA did not completely preempt state law causes of action so as to support removal.

Several state courts have also examined the HIPAA Privacy regulation in the context of civil discovery. In Law v. Zuekerman, (39) the court concluded that defense counsel in a medical malpractice case violated the HIPAA Privacy Regulations through ex parte discussions with the plaintiff's treating physician. The court in United States ex rel. Stewart v. The Louisiana Clinic, No. Civ. A. 99-176, (40) examined the preemptive effect of the HIPAA regulation on a state statute related to production of medical records in a federal False Claims Act case. The court held that the Louisiana discovery statute was no more stringent than the HIPAA regulations, and thus, it was preempted. In Favor v. Horne, (41) the court discussed the administrative changes in New York City civil courts that were adopted with regard to the subpoena process of medical records, and found that HIPAA and changes in the New York Public Health Law placed the burden of protecting an individual's medical confidentiality on the health provider producing medical information pursuant to a state subpoena, not on the court system. At the administrative level, the Kentucky Attorney General has discussed the interplay of HIPAA and a state law concerning a state open records request for nursing home records. (42)

IX. Conclusion

State and federal courts have yet to deal in a comprehensive manner with the effect of HIPAA on informal and formal discovery in personal injury litigation involving drugs and medical devices. Give the fact that IIHI and PHI are of critical importance to defendants in those cases, the boundaries of HIPAA as protecting disclosure of that information will be tested as this law develops.

(1) 67 Fed. Reg. 157, 53181 (Aug. 14, 2002).

(2) Office for Civil Rights HIPAA Privacy Guidance, December 3, 2002, pg. 5.

(3) 45 C.F.R. [section] 160.103.

(4) Id.

(5) Id.

(6) Id.

(7) 65 Fed. Reg. 82612 (Dec. 28, 2000).

(8) See 45 C.F.R. [section] 164.524(a)(2).

(9) See 45 C.F.R. [section] 164.524(a)(4); For permissible bases of denial, see 45 C.F.R. [section] 164.524(a)(3), including that access to PHI may endanger the life or safety of the individual or another person. 45 C.F.R. [section] 64.502 (a)(2)(i).

(10) 45 C.F.R. [section] 164.502(a)(2)(ii).

(11) 45 C.F.R. [section] 164.506(c)(1) through 45 C.F.R. [section] 164.506(c)(4).

(12) 45 C.F.R. [section] 164.508(a)(1).

(13) 45 C.F.R. [section] 164.508(c).

(14) 45 C.F.R. [section] 164.512(e).

(15) 65 Fed. Reg. 82529-82530 (Dec. 28, 2000).

(16) 45 C.F.R [section] 164.512(e)(1)(i) and (ii).

(17) 45 C.F.R. [section] 164.512(e)(1)(i)(ii)(A)(B).

(18) 45 C.F.R. [section] 164.512(e)(1)(vi).

(19) 65 Fed. Reg. 82529-82530 (Dec. 28, 2000).

(20) 45 C.F.R. [section] 164.512 (e)(1)(ii)(A) and (B).

(21) 518 U.S. 1 (1996).

(22) 45 C.F.R [section] 160.203.

(23) 45 CRF [section] 160.202.

(24) Id.

(25) Id.

(26) 45 C.F.R. [section] 160.202.

(27) See Smith v. American Home Prod. Corp., Wyeth-Ayerst Pharm., 855 A.2d 608 (N.J. Super. Ct. 2003).

(28) See Stempler v. Speidell, 495 A.2d 857 (N.J. 1985).

(29) Smith, 855 A.2d at 864.

(30) Id. at 620 citing J. Christopher Smith, Recognizing the Split: The Judicial Treatment of Defense Counsel's Ex Parte Contact with Plaintiffs Treating Physician, 23 J. LEGAL PROF. 247, 252-55 (1999).

(31) Smith, 855 A.2d at 622-23.

(32) Id. at 627; see also Law v. Zuckerman, 307 F. Supp.2d 705, 710 (D. Md. 2004); Kan. Op. Atty. Gen. 04-21 (2004).

(33) 318 F. Supp. 2d 1015 (S.D. Cal. 2004).

(34) 362 F.3d 923 (7th Cir. 2004).

(35) In re Grand Jury Subpoena John Doe No. A01 209, 197 F. Supp. 2d 512 (E.D. Va. 2002).

(36) Id. at 515.

(37) 963 F. Supp. 1131 (M.D. Ala. 1997).

(38) 959 F. Supp. 356 (N.D. Miss. 1997).

(39) 307 F. Supp. 2d 705 (D. Md. 2004).

(40) 2004 WL 257690 (E.D. La. Feb. 22, 2002).

(41) 767 N.Y.S.2d 205 (N.Y. City. 2003).

(42) Ky. Op. Att'y Gen. 03-ORD-194 (2003).

IADC member John F. Olinde is a partner at Chaffe, McCall, Phillips, Toler & Sarpy, LLP in New Orleans, Louisiana where he defends pharmaceutical and medical device manufacturers. Mr. Olinde graduated with highest honors from Emory University in 1979. In 1982, he received a Juris Doctorate degree from Louisiana State University Law School. Following law school, he worked for the Louisiana Supreme Court as a law clerk to Justice Fred A. Blanche, Jr.

Hal McCard is of counsel at Chaffe, McCall, Phillips, Toler & Sarpy, LLP in New Orleans, Louisiana where he practices in the area of hospital, health system, and health care law. Mr. McCard is a 1985 graduate of Princeton University and a 1988 graduate of the Walter F. George School of Law, Mercer University, in Macon, Georgia, where he was a member of the Moot Court Board. He is past Chair of the Georgia Academy of Healthcare Attorneys In House Counsel Section.
COPYRIGHT 2005 International Association of Defense Counsels
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Health Insurance Portability and Accountability Act of 1996
Author:Olinde, John F.; McCard, Hal
Publication:Defense Counsel Journal
Date:Apr 1, 2005
Previous Article:What's age got to do with it? Recent developments in employment law in the United States Supreme Court.
Next Article:Perils of third party practice in construction litigation: avoiding substantive and procedural pitfalls to preserve and assert your rights.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters