From The Corporate Counsel

Coverage B in Your Mutual Insurance Policy: Reimbursement For Disciplinary Proceedings

By Savannah Sellman, Esq., Corporate Counsel

HIPAA privacy rules generally prohibit healthcare providers ("Providers") from disclosing their patients' protected health information ("PHI") even in response to subpoenas and other government demands unless certain conditions are satisfied. In this article, we offer information and recommendations for responding to such demands while complying with HIPAA's patient privacy requirements.

Civil Subpoena or Court Order

If a Provider receives a subpoena or court order that requires disclosure of PHI:

  1. The Provider should immediately notify The Mutual if the Provider is named as a party (e.g., the defendant) in the action.
  2. The Provider should determine if the entity that issued the subpoena or order has jurisdiction over the Provider. If the entity that issued the subpoena or order does not have jurisdiction over the Provider, the Provider is not obligated to respond to the subpoena or order.
  3. If the entity that issued the subpoena or order has jurisdiction, the Provider's response will depend on the type of entity issuing the subpoena or order as described below.
    1. Court Order or Subpoena Signed by a Judge or Magistrate. If the order or subpoena is issued by a court (i.e., signed by a judge or magistrate) or an administrative tribunal, the Provider should strictly comply with the terms of the order or subpoena and disclose the information expressly authorized by the document. Failure to do so may result in fines or penalties against the Provider.
    2. Grand Jury Subpoena. If the subpoena is issued by a grand jury, the Provider should strictly comply with its terms. Grand jury proceedings are confidential, so HIPAA does not require additional protections.
    3. Subpoena Signed by Court Clerk, Lawyer, Prosecutor or Other. If the subpoena or other lawful process is signed by a person other than a judge, magistrate or administrative tribunal (e.g., it is signed by a lawyer, prosecutor, court clerk, etc.), the Provider may not disclose information unless and until one of the following is satisfied:
      1. The Provider should contact the patient orally or by letter, explain that the Provider has received a subpoena requiring disclosure of the patient's PHI and notify the patient that the Provider is required to respond unless the patient quashes the subpoena and notifies the Provider before the deadline for responding to the subpoena. If the Provider does not know the current address of the patient, the Provider should send the letter and a copy of the subpoena to the patient's last known address and document that the Provider did so. Once the Provider sends this notice, the burden is on the patient to quash the subpoena if he or she wants to prevent disclosure of the information.
      2. The Provider may obtain satisfactory written assurances from the entity issuing the subpoena that either: (a) the entity made a good faith attempt to give the patient written notice of the subpoena, the notice included sufficient information to permit the patient to object to the subpoena and the time for raising objections has passed or the court ruled against the patient's objections; or (b) the parties have agreed on a protective order or the entity seeking the information has filed for a protective order.
      3. The Provider may obtain a valid HIPAA authorization executed by the patient. To be valid, the authorization must contain the following elements and statements:

        (a) Core Elements

        (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

        (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

        (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

        (iv) A description of each purpose of the requested use or disclosure.

        (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.

        (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

        (b) Required Statements.

        (i) The individual's right to revoke the authorization in writing.

        (ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.

        (iii) The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart.

        (c) Plain Language.

        The authorization must be written in plain language.

        (d) Copy to the Patient.

        If a covered entity seeks an authorization from an individual for a use or disclosure of PHI, the covered entity must provide the individual with a copy of the signed authorization.

  4. If for some reason the Provider cannot satisfy one of the foregoing, it may not disclose PHI, but neither may the Provider ignore the subpoena without subjecting itself to possible contempt sanctions. The Provider may need to appear in response to the subpoena, assert an objection based on HIPAA and wait for the court to order disclosure.
  5. In all cases where disclosure is required, the Provider must ensure that it complies with the strict terms of the subpoena, including the scope of the information disclosed and the timing of disclosure. If the subpoena or order only requires disclosure of written items, the Provider should not disclose the information orally. If the subpoena requires disclosure at a specific time, the Provider should not disclose the information before the deadline without the patient's consent because doing so may deprive the patient of the opportunity to quash the subpoena.
  6. The Provider should maintain a copy of the subpoena, order or warrant, and document the facts of the disclosure in the Provider's disclosure log as required by HIPAA.

Law Enforcement

A Provider may disclose PHI for a law enforcement purpose to a law enforcement official if the conditions for a Permitted Disclosure are met.

Permitted disclosures

A Provider may disclose protected health information:

  1. As required by law, including laws that require the reporting of certain types of wounds or other physical injuries, or
  2. In compliance with and as limited by the relevant requirements of:
    1. A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
    2. A grand jury subpoena; or
    3. An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

      (i) The information sought is relevant and material to a legitimate law enforcement inquiry;

      (ii) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and

      (iii) De-identified information could not reasonably be used.

      Except for disclosures required by law, a Provider may disclose PHI in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the Provider may disclose only the following information:

      (i) Name and address;

      (ii) Date and place of birth;

      (iii) Social security number;

      (iv) ABO blood type and Rh factor;

      (v) Type of injury;

      (vi) Date and time of treatment;

      (vii) Date and time of death, if applicable; and

      (viii) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

      In general, the Provider may not disclose for the purposes of identification or location any PHI related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.

Please note that if state or federal laws are more restrictive in a particular case, the more restrictive law usually will apply.