HIPAA AND MEDICAL MALPRACTICE: How the right release form can make all the difference.
The Health Information and Patient Accountability Act (HIPAA) has been an important part of personal injury litigation for a little more than a year. As of April 2003, all large health care organizations were required to become “HIPAA compliant” while small health care organizations were required to be compliant by April 2004. While HIPAA involves all types of personal injury claims, this article focuses solely on situations involving medical malpractice.
HIPAA is a relatively straight forward act. It is designed to protect a patient’s “individually identifiable health information.”1 While it has several sections, for litigation the most important section is the so-called “privacy rule.” The privacy rule was designed to give patients control over their individually identifiable health information and to restrict access to this information to others unless specifically authorized by the patient. At the heart of the privacy rule was concern that doctors, health care organizations, pharmacies and other organizations were selling patient’s medical records for profit.2 With a new era of genetic testing and easy accessibility to electronic databases via internet, Congress created HIPAA and its privacy rule.3
For most patients, HIPAA has only meant that before treatment, a basic release is generally signed. This limited release is designed to allow the health care provider to provide health information not only to the patient’s insurance company, but also allows the treating practitioner to discuss a case with other practitioners. If a patient later sues the health care practitioner or provider in medical malpractice, this limited release is not sufficient to release medical information for litigation.
In litigation for medical malpractice, the patient’s entire medical history and medical records are required. This will include records from other practitioners and potentially other states. In addition, these records need to be shared not only with legal counsel, but also experts retained to defend the health care practitioner or institution. In order to obtain and share these medical records, the patient must sign a new HIPAA compliant waiver to release the medical records.4 The original treatment releases were not signed in contemplation of litigation, do not release important aspects of the patient’s records, nor do they allow counsel or expert witnesses to review the records. It is also erroneous to assume that a waiver is not necessary because the plaintiff put his or her health at issue. This argument is one frequently used in discovery motions, but is of no importance to HIPAA. Even though the plaintiff has placed his or her medical condition at issue, a HIPAA compliant release remains necessary.
A HIPAA waiver for use in litigation requires careful tailoring to meet the requirements of HIPAA. While all valid HIPAA releases must contain nine elements, a release which will be used in litigation is crafted so the party requesting the documents receives everything which may be necessary in a potential trial. The nine elements required by HIPAA in a health information waiver are as follows:
(1) A description of information to be used or disclosed.5 This element requires a detailed list of medical records that may be disclosed. While some releases only state “entire medical record for all dates” HIPAA requires specificity to satisfy the request. Thus, a release stating “entire record for all dates” may result in the rejection of the release, or production of only a limited selection of the records. By including more detail, such as specifically requesting records from a history/physical, AIDS/HIV records, consultation reports, pathology report, discharge summary, psychological tests/reports, operative reports, mental illness, chemical dependency, and/or alcohol abuse records, x-ray reports and films, laboratory reports, and any and all chart notes, narrative reports, billings and medical records, the information released is more likely to be complete.
(2) The identity of the person who is authorized to make the disclosure of the protected information.6 This is simply a requirement that the release contain the name of a health care facility which is required to release the documents.
(3) The identity of the person or class of persons to whom the facility is authorized to make the disclosure.7 This will generally be retained counsel on the case and allow for further disclosure to independent medical evaluators, adjusters, in-house counsel, vocational evaluators, photocopying services, and any other individual or entity necessary for litigation, including the defendant(s).
(4) A description of the purpose for disclosure. 8 In medical malpractice cases, litigation is generally listed.
(5) An expiration date or event.9 Generally, one year after the date of signature.
(6) The individual’s signature and date, if signed by a personal representative, a description must be given of his or her authority to act for the individual.10 If the plaintiff is a minor, a valid guardian must sign. If the plaintiff is deceased, a trustee, as appointed under law, may sign the release (generally this is the individual given the right to sue on behalf of the deceased).
(7) A statement that the individual may revoke an authorization in writing.11
(8) That receiving treatment, payment, enrollment or eligibility of benefits is not conditional on the patient signing the medical record authorization.12 While this is generally not applicable to litigation, it must be included for a valid release.
(9) That there is the possibility for the health information to be redisclosed by the recipient and potentially no longer protected by HIPAA.13 While this is required language, it is also highly important so the plaintiff is on notice that any and all medical records disclosed could be brought into the public domain, including being introduced at trial, where it will become a part of the public record.
It is essential that each of these elements be strictly followed. The penalty for failing to comply with the Privacy Rule requirements can result in $100/per failure (not to exceed $25,000/year) in civil penalties.14 Criminal penalties may be imposed on a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA. The penalty includes a fine of $50,000 and/or one year in prison.15 Moreover, medical records not obtained validly may result in a court order forbidding their use at trial or any testimony regarding them. This result could effectively eliminate many, if not all, defense strategies.
The importance of a valid HIPAA release for litigation in the medical malpractice area is enormous. Once a valid HIPAA release is obtained, the responsibility to protect the information does not end. Any expert reviewing information released under HIPAA must sign a HIPAA compliance letter prior to the records being released for review. Moreover, defense counsel must also signed HIPAA compliance agreements with their clients before the released information may be shared. The duty to protect a plaintiff’s individually identifiable health information is an on-going concern, even after the information is released. By following the requirements of HIPAA, the plaintiff’s medical records may be released and used by experts and disclosed at trial, thus allowing for the best possible defense of a medical malpractice claim.
About the Author: Kit is an associate at Arthur, Chapman who focuses her practice in the areas of commercial litigation, professional liability, and employment law. Prior to becoming an Associate in late 2002, Kit worked as a law clerk at the firm for a year.
1 45 CFR §160.103 (B)(2). This includes names, social security numbers, or any information which can reasonably connect the medical information with an individual.
2 The most common example is selling a patient’s diagnosis to pharmaceutical companies so the drug manufactures could directly market the patient, i.e. selling John Smith’s diagnosis of heartburn to Drug Company X so they could send promotional literature about their heartburn prescription Z directly to Smith.
3 Although Congress created HIPAA, Health and Human Services (HHS) was responsible for actually creating and promulgating the rules and regulations that became HIPAA as it is currently written.
4 Receiving a HIPAA waiver does not automatically entitle the defense to receive the entirety of the plaintiff’s medical records. Often, plaintiff will attempt to conceal or limit the authorizations to limit the type or number of medical records. This is often dealt with in pre-trial discovery motions.
8 45 CFR 164.508 (c)(1)(iv). Generally, litigation.
9 45 CFR 164.508 (c)(1)(v). Generally, one year from date of signature.
12 45 CFR 164.508 (c)(2)(ii). While this statement is not applicable to litigation, it must be included.
14 These penalties cannot be imposed if the violation is due to reasonable cause or does not involve willful neglect and the covered entity corrects the violation within 30 days (42 U.S.C. §1320d-5).